EAP-TLS Domain Stripping, Machine Authentication – Cisco Secure ACS 3.3 User Manual
Chapter 13 User Databases
Windows User Database
13-16
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
EAP-TLS Domain Stripping
If you use Windows Active Directory to authenticate users with EAP-TLS,
Cisco Secure ACS enables you to strip the domain name from the username stored
in the Subject Alternative Name field of the user certificate. Performing domain
name stripping can speed EAP-TLS authentication when the domain that must
authenticate a user is not the domain represented in the SAN field.
For example, a user's SAN field may contain "jsmith@corporation.com", but
jsmith may need to authenticate using the domain controller for a subdomain
named "engineering". Stripping "@corporation.com" from the username
eliminates the needless attempt to authenticate jsmith against the
corporation.com domain controller. Without domain name stripping, Cisco Secure
ACS consults the Domain List and finds the user in the engineering domain only
after jsmith cannot be found in corporation.com. The additional delay can be
several seconds. For more information about the Domain List, see
Non-domain-qualified Usernames, page 13-13.
You can enable EAP-TLS domain name stripping on the Windows User Database
Configuration page.
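The lookup order described above, as an added model that is not Cisco Secure ACS code: a domain-qualified SAN name is tried against its own domain first and the Domain List is consulted only afterwards, while a stripped (bare) name goes straight to the Domain List. The directory contents, the Domain List order, and the assumption that a domain which already failed is not retried are all constructed for this example; it also shows the caveat that stripping only saves time when the Domain List is ordered so that the user's real domain comes first.

```python
# Added example (not Cisco Secure ACS code): a model of the EAP-TLS username
# lookup order described in the text, with and without domain name stripping.
# The directory contents and the Domain List below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed directory: domain name -> usernames that domain's DC knows.
DIRECTORY: Dict[str, Set[str]] = {
    "corporation.com": {"alee", "bkim"},
    "engineering": {"jsmith"},
}

# Constructed Domain List, in the order ACS is assumed to try it.
DOMAIN_LIST: List[str] = ["engineering", "corporation.com"]


def strip_domain(san_name: str) -> str:
    """Remove the '@domain' suffix from a UPN-style SAN name.

    A name with no '@' is returned unchanged, so enabling stripping is
    harmless for certificates whose SAN already holds a bare username.
    """
    user, sep, _domain = san_name.partition("@")
    return user if sep else san_name


@dataclass
class LookupResult:
    found_in: Optional[str]                              # domain that knew the user, or None
    attempts: List[str] = field(default_factory=list)    # domain controllers contacted, in order


def lookup(san_name: str, strip: bool) -> LookupResult:
    """Resolve a SAN username the way the text describes ACS doing it.

    A domain-qualified name is tried against its own domain first; the
    Domain List is consulted only after that fails, or immediately when
    the name is bare (because it was stripped or never carried a domain).
    """
    name = strip_domain(san_name) if strip else san_name
    result = LookupResult(found_in=None)

    if "@" in name:
        user, domain = name.split("@", 1)
        result.attempts.append(domain)
        if user in DIRECTORY.get(domain, set()):
            result.found_in = domain
            return result
    else:
        user = name

    for domain in DOMAIN_LIST:
        if domain in result.attempts:
            continue  # assumption: a domain that already failed is not retried
        result.attempts.append(domain)
        if user in DIRECTORY.get(domain, set()):
            result.found_in = domain
            break
    return result


if __name__ == "__main__":
    for strip in (False, True):
        r = lookup("jsmith@corporation.com", strip=strip)
        print(f"strip={strip}: found in {r.found_in}, DCs tried: {r.attempts}")
```

With the constructed Domain List above, jsmith is found after one domain controller round trip when stripping is on and after two when it is off. The reverse also holds: a user who really lives in corporation.com (alee) costs an extra attempt once stripping is on, because the bare name is tried against "engineering" first. Order the Domain List by where most EAP-TLS users are actually found before enabling stripping.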
Note
EAP-TLS domain name stripping operates independently of support for
UPN-formatted usernames. For information about support for Windows
authentication of UPN-formatted usernames, see
Machine Authentication
Cisco Secure ACS supports the authentication of computers running Microsoft
Windows operating systems that support EAP computer authentication, such as
Windows XP with Service Pack 1. Machine authentication, also called computer
authentication, allows network services only for computers known to Active
Directory. This is especially useful for wireless networks, where unauthorized
users outside the physical premises of your workplace can reach your wireless
access points.