11-17-2014 07:04 AM - edited 03-10-2019 10:11 PM
Hello,
I would like to know what the effect will be if I type Dummy in both the Identity prefix and suffix strip fields of AD in Cisco ISE. Does it mean that no stripping will be done?
Thanks
Solved! Go to Solution.
11-17-2014 07:29 AM
That is correct. Unless your domain name is Dummy. The word Dummy was placed in the fields as a placeholder and unless it matches a domain string for your company, not stripping will occur. See this thread for Domain Stripping details:
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton
11-17-2014 08:30 AM
No, the placeholder will not add the logical OR to the domain stripping, but it should be implied by adding the domain (@domain.com) to the stripping field. This should allow your users to log in with either method.
In ISE 1.2, Domain Stripping is basic, yet functional:
In ISE 1.3, you have MUCH more control over the authentication behaviors and stripping methods allowed:
So if you have a Service Contract, you can upgrade to 1.3 to get even more functionality of this aspect. Although 1.2 might be serviceable for your needs.
The External_Roam will need to be created as a new Compound Condition:
https://supportforums.cisco.com/sites/default/files/attachments/discussion/radius2.png
I hope this helps.
Charles Moreton
11-17-2014 07:29 AM
That is correct. Unless your domain name is Dummy. The word Dummy was placed in the fields as a placeholder and unless it matches a domain string for your company, not stripping will occur. See this thread for Domain Stripping details:
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton
11-17-2014 07:55 AM
Thanks for the prompt response. So if I want AD to strip OR not strip (Please note the logical OR), then I use the placeholder Dummy? What I mean is that a user can type either his name or full UPN and still get authenticated. If I don't enable the prefix and suffix, does that mean the user can only specify his username without the @domain.
11-17-2014 08:30 AM
No, the placeholder will not add the logical OR to the domain stripping, but it should be implied by adding the domain (@domain.com) to the stripping field. This should allow your users to log in with either method.
In ISE 1.2, Domain Stripping is basic, yet functional:
In ISE 1.3, you have MUCH more control over the authentication behaviors and stripping methods allowed:
So if you have a Service Contract, you can upgrade to 1.3 to get even more functionality of this aspect. Although 1.2 might be serviceable for your needs.
The External_Roam will need to be created as a new Compound Condition:
https://supportforums.cisco.com/sites/default/files/attachments/discussion/radius2.png
I hope this helps.
Charles Moreton
11-17-2014 09:02 AM
Super!!!!
Many thanks
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide