EAP and Windows Authentication – Cisco 3.3 User Manual


User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 13 User Databases

Windows User Database

If the authentication protocol used is EAP-TLS, by default, Cisco Secure ACS
submits the username to Windows in UPN format; however, you can configure
Cisco Secure ACS to strip from the username all characters after and including
the last “at” character (@). For more information, see EAP-TLS Domain
Stripping, page 13-16.

For all other authentication protocols that it can support with Windows databases,
Cisco Secure ACS submits to Windows the username stripped of all characters
after and including the last “at” character (@). This behavior allows for usernames
that contain an “at” character. For example:

If the username received is [email protected], Cisco Secure ACS
submits to Windows an authentication request containing the username
cyril.yang.

If the username received is cyril.yang@[email protected],
Cisco Secure ACS submits to Windows an authentication request containing
the username cyril.yang@central-office.

Note

Cisco Secure ACS cannot tell the difference between a non-domain-qualified
username that contains an “at” character and a UPN username; all usernames
containing an “at” character that are not preceded by a “backslash” character are
submitted to Windows with the final “at” character and the characters that follow
it removed. Users with “at” characters in their usernames must submit the
username in either UPN format or a domain-qualified format.
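
The stripping rules and the ambiguity described in the Note can be modeled as follows. This is an added example, not Cisco Secure ACS code: the function names, the "PAP" protocol label, the example.test domain, and the reading that a backslash before the last "at" character marks a domain-qualified name are assumptions made for illustration.

```python
# Added illustration: a model of the documented username handling,
# not Cisco Secure ACS code. All names here are hypothetical.

def username_submitted_to_windows(received, protocol,
                                  eap_tls_domain_stripping=False):
    """Return the username that, per the text above, is passed to Windows."""
    # EAP-TLS default: the UPN is submitted unchanged unless
    # EAP-TLS domain stripping has been enabled.
    if protocol.upper() == "EAP-TLS" and not eap_tls_domain_stripping:
        return received
    at = received.rfind("@")
    if at == -1:
        return received  # nothing to strip
    # Assumption: a backslash before the last "@" means the name is
    # domain-qualified (DOMAIN\user) and is left intact.
    if "\\" in received[:at]:
        return received
    # Strip the last "@" and everything after it.
    return received[:at]


def colliding_inputs(received_names, protocol):
    """Map each submitted name to the distinct received names that
    collapse onto it; only groups with more than one input are kept."""
    groups = {}
    for name in received_names:
        submitted = username_submitted_to_windows(name, protocol)
        groups.setdefault(submitted, set()).add(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


# Constructed sample usernames (example.test is a placeholder domain).
SAMPLES = [
    "cyril.yang@example.test",                 # UPN
    "cyril.yang@central-office@example.test",  # UPN, "@" in the username
    "cyril.yang@central-office",               # "@" in name, not qualified
    "EXAMPLE\\cyril.yang@central-office",      # domain-qualified
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", username_submitted_to_windows(sample, "PAP"))
    print("collisions:", colliding_inputs(SAMPLES, "PAP"))
```

The third sample shows why the Note requires UPN or domain-qualified input: the unqualified name loses its "@central-office" suffix and is submitted as the same name as the plain UPN for cyril.yang.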

EAP and Windows Authentication

This section provides information about Windows-specific EAP features that you
can configure on the Windows User Database Configuration page.

This section contains the following topics:

EAP-TLS Domain Stripping, page 13-16

Machine Authentication, page 13-16

Machine Access Restrictions, page 13-19

Microsoft Windows and Machine Authentication, page 13-20

Enabling Machine Authentication, page 13-22
