Solved: Super!!!!Many thanks

grabonlee · ‎11-17-2014

Hello,

I would like to know what the effect will be if I type Dummy in both the Identity prefix and suffix strip fields of AD in Cisco ISE. Does it mean that no stripping will be done?

Thanks

Charlie Moreton · ‎11-17-2014

That is correct. Unless your domain name is Dummy. The word Dummy was placed in the fields as a placeholder and unless it matches a domain string for your company, not stripping will occur. See this thread for Domain Stripping details:

https://supportforums.cisco.com/discussion/12023306/strip-multiple-domain-used-username-ad-integration-cisco-ise

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.

Charles Moreton

View solution in original post

Charlie Moreton · ‎11-17-2014

No, the placeholder will not add the logical OR to the domain stripping, but it should be implied by adding the domain (@domain.com) to the stripping field. This should allow your users to log in with either method.

In ISE 1.2, Domain Stripping is basic, yet functional:

In ISE 1.3, you have MUCH more control over the authentication behaviors and stripping methods allowed:

So if you have a Service Contract, you can upgrade to 1.3 to get even more functionality of this aspect. Although 1.2 might be serviceable for your needs.

The External_Roam will need to be created as a new Compound Condition:

https://supportforums.cisco.com/sites/default/files/attachments/discussion/radius2.png

I hope this helps.

Charles Moreton

View solution in original post

Charlie Moreton · ‎11-17-2014

That is correct. Unless your domain name is Dummy. The word Dummy was placed in the fields as a placeholder and unless it matches a domain string for your company, not stripping will occur. See this thread for Domain Stripping details:

https://supportforums.cisco.com/discussion/12023306/strip-multiple-domain-used-username-ad-integration-cisco-ise

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.

Charles Moreton

grabonlee · ‎11-17-2014

Thanks for the prompt response. So if I want AD to strip OR not strip (Please note the logical OR), then I use the placeholder Dummy? What I mean is that a user can type either his name or full UPN and still get authenticated. If I don't enable the prefix and suffix, does that mean the user can only specify his username without the @domain.

Also I have defined a Radius Server Sequence, called External_Roam and I want to use it in a Authroization compound condition list called Via_External_Roam. Do I say Network Access:UseCase Equals External_Roam

Many Thanks

Charlie Moreton · ‎11-17-2014

No, the placeholder will not add the logical OR to the domain stripping, but it should be implied by adding the domain (@domain.com) to the stripping field. This should allow your users to log in with either method.

In ISE 1.2, Domain Stripping is basic, yet functional:

In ISE 1.3, you have MUCH more control over the authentication behaviors and stripping methods allowed:

So if you have a Service Contract, you can upgrade to 1.3 to get even more functionality of this aspect. Although 1.2 might be serviceable for your needs.

The External_Roam will need to be created as a new Compound Condition:

https://supportforums.cisco.com/sites/default/files/attachments/discussion/radius2.png

I hope this helps.

Charles Moreton

grabonlee · ‎11-17-2014

Super!!!!

Many thanks