cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
181
Views
0
Helpful
4
Replies
Enthusiast

Domain Stripping

Hello,

I would like to know what the effect will be if I type Dummy in both the Identity prefix and suffix strip fields of AD in Cisco ISE. Does it mean that no stripping will be done?

Thanks

 

 

2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

That is correct.  Unless your

That is correct.  Unless your domain name is Dummy.  The word Dummy was placed in the fields as a placeholder and unless it matches a domain string for your company, not stripping will occur.  See this thread for Domain Stripping details:

 

https://supportforums.cisco.com/discussion/12023306/strip-multiple-domain-used-username-ad-integration-cisco-ise

 

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

View solution in original post

Cisco Employee

No, the placeholder will not

No, the placeholder will not add the logical OR to the domain stripping, but it should be implied by adding the domain (@domain.com) to the stripping field.  This should allow your users to log in with either method.

In ISE 1.2, Domain Stripping is basic, yet functional:

 

In ISE 1.3, you have MUCH more control over the authentication behaviors and stripping methods allowed:

So if you have a Service Contract, you can upgrade to 1.3 to get even more functionality of this aspect.  Although 1.2 might be serviceable for your needs.

 

The External_Roam will need to be created as a new Compound Condition:

https://supportforums.cisco.com/sites/default/files/attachments/discussion/radius2.png

 


I hope this helps.

 

Charles Moreton

View solution in original post

4 REPLIES 4
Cisco Employee

That is correct.  Unless your

That is correct.  Unless your domain name is Dummy.  The word Dummy was placed in the fields as a placeholder and unless it matches a domain string for your company, not stripping will occur.  See this thread for Domain Stripping details:

 

https://supportforums.cisco.com/discussion/12023306/strip-multiple-domain-used-username-ad-integration-cisco-ise

 

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

View solution in original post

Enthusiast

Thanks for the prompt

Thanks for the prompt response. So if I want AD to strip OR not strip (Please note the logical OR), then I use the placeholder Dummy? What I mean is that a user can type either his name or full UPN and still get authenticated. If I don't enable the prefix and suffix, does that mean the user can only specify his username without the @domain.

 
Also I have defined a Radius Server Sequence, called External_Roam and I want to use it in a Authroization compound condition list called Via_External_Roam. Do I say Network Access:UseCase Equals External_Roam 
 
Many Thanks
Cisco Employee

No, the placeholder will not

No, the placeholder will not add the logical OR to the domain stripping, but it should be implied by adding the domain (@domain.com) to the stripping field.  This should allow your users to log in with either method.

In ISE 1.2, Domain Stripping is basic, yet functional:

 

In ISE 1.3, you have MUCH more control over the authentication behaviors and stripping methods allowed:

So if you have a Service Contract, you can upgrade to 1.3 to get even more functionality of this aspect.  Although 1.2 might be serviceable for your needs.

 

The External_Roam will need to be created as a new Compound Condition:

https://supportforums.cisco.com/sites/default/files/attachments/discussion/radius2.png

 


I hope this helps.

 

Charles Moreton

View solution in original post

Highlighted
Enthusiast

Super!!!!Many thanks

Super!!!!

Many thanks