13-15
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 13 User Databases
Windows User Database
If the authentication protocol used is EAP-TLS, by default, Cisco Secure ACS submits the username to Windows in UPN format; however, you can configure Cisco Secure ACS to strip from the username all characters after and including the last “at” character (@). For more information, see EAP-TLS Domain Stripping, page 13-16.
For all other authentication protocols that it can support with Windows databases, Cisco Secure ACS submits to Windows the username stripped of all characters after and including the last “at” character (@). This behavior allows for usernames that contain an “at” character. For example:
• If the username received is [email protected], Cisco Secure ACS submits to Windows an authentication request containing the username cyril.yang.
• If the username received is cyril.yang@[email protected], Cisco Secure ACS submits to Windows an authentication request containing the username cyril.yang@central-office.
Note
Cisco Secure ACS cannot tell the difference between a non-domain-qualified username that contains an “at” character and a UPN username; every username that contains an “at” character and is not preceded by a “backslash” character is submitted to Windows with the final “at” character and the characters that follow it removed. Users whose usernames contain an “at” character must therefore submit the username in either UPN format or domain-qualified format.
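The following is an added illustration (not Cisco's code) that models the username-stripping rules described above so you can predict what Windows will see for a given received username. It encodes two assumptions: that a protocol name of "EAP-TLS" selects the UPN pass-through path unless the EAP-TLS Domain Stripping option is enabled, and that "preceded by a backslash" means a backslash appears anywhere before the last “at” character (i.e. a DOMAIN\user@... form is treated as domain-qualified and left untouched). The sample usernames are constructed for the example.

```python
"""Model of how Cisco Secure ACS derives the username it submits to Windows.

Added example modelled on the behaviour described in the User Guide; it is
not Cisco's implementation. Assumptions are marked in comments.
"""


def username_for_windows(received: str, protocol: str,
                         eap_tls_domain_stripping: bool = False) -> str:
    """Return the username Cisco Secure ACS would submit to Windows.

    protocol                 -- authentication protocol name, e.g. "PAP",
                                "MS-CHAPv2", "EAP-TLS" (assumed spelling)
    eap_tls_domain_stripping -- the EAP-TLS Domain Stripping option
    """
    # EAP-TLS: by default the username goes to Windows in UPN format
    # unless domain stripping has been enabled for EAP-TLS.
    if protocol.upper() == "EAP-TLS" and not eap_tls_domain_stripping:
        return received

    last_at = received.rfind("@")
    if last_at == -1:
        # No "at" character: nothing to strip.
        return received

    # Assumption: a backslash before the "at" marks a domain-qualified
    # (DOMAIN\user) name, which the note says is not stripped.
    if "\\" in received[:last_at]:
        return received

    # All other protocols: drop the last "at" and everything after it.
    # A username with several "at" characters keeps all but the last part.
    return received[:last_at]


def demo() -> dict:
    """Constructed inputs showing each rule; returns {received: submitted}."""
    cases = {
        ("cyril.yang@corp.example", "PAP", False),
        ("cyril.yang@central-office@corp.example", "MS-CHAPv2", False),
        ("cyril.yang@corp.example", "EAP-TLS", False),
        ("cyril.yang@corp.example", "EAP-TLS", True),
        ("CORP\\cyril.yang@corp.example", "PAP", False),
        ("cyril.yang", "PAP", False),
    }
    return {(r, p, s): username_for_windows(r, p, s) for r, p, s in cases}


if __name__ == "__main__":
    for (received, protocol, strip), submitted in sorted(demo().items()):
        print(f"{protocol:<9} strip={strip!s:<5} {received!r:<42} -> {submitted!r}")
```

The ambiguity the note describes is visible in the second case: a non-UPN username such as user@office that happens to carry a domain suffix loses only the suffix, so the account name Windows receives still contains an “at” character.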
EAP and Windows Authentication
This section provides information about Windows-specific EAP features that you can configure on the Windows User Database Configuration page.
This section contains the following topics:
• EAP-TLS Domain Stripping, page 13-16
• Machine Authentication, page 13-16
• Machine Access Restrictions, page 13-19
• Microsoft Windows and Machine Authentication, page 13-20
• Enabling Machine Authentication, page 13-22