MY80211
INTEL WIRELESS
CCIE Wireless V3
Cisco Wireless
Wired Stuff
CCIE Wireless v2
WiFi Tablet Corner
My80211 Projects
WiFi Tools
CWNP or BUST Blogs!
My80211 White Papers (Coming Soon!)

Cisco Wireless Compatibility Matrix (Nov. 2011)

Podcasts / Videos

My80211 Videos

Cisco: 802 11 frames with Cisco VIP George Stefanick

Fluke Networks: Minimize Wi Fi Network Downtime

Aruba: Packets never lie: An in-depth overview of 802.11 frames

ATM15 Ten Talk “Wifi drivers and devices”

Houston Methodist Innovates with Wireless Technology

Bruce Frederick Antennas (1/2)

 

Bruce Frederick dB,dBi,dBd (2/2)

Cisco AP Group Nugget

Info
Revolution WiFi Capacity Planner

Blogroll Call
Cerification Guides and Books
IEEE 802.11 STANDARDS
Anchor / Office Extends Ports

 

Peek Inside Cisco's Gear

See inside Cisco's latest wireless gear!

2.4 GHz Channel Overlap

EXAMPLE 1  

EXAMPLE 2

EXAMPLE 3  

CWSP RELEASE DATE 2/08/2010
  • CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204
    CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204
    by David D. Coleman, David A. Westcott, Bryan E. Harkins, Shawn M. Jackman

    Shawn Jackman (Jack) CWNE#54 is a personal friend and has been a mentor to me for many years.  I've had the pleasure and opportunity to work with Jack for 4 years. Jack is a great teacher who takes complex 802.11 standards and breaks them down so almost anyone can understand the concept at hand. I'm excited for you brother. Great job and job well done! Put another notch in the belt!

IEEE 802.11a/g/n Reference Sheet

 

LWAPP QoS Packet Tagging

 

 

Interference Types

BLUETOOTH
 

Microwave Oven
 

Cordless Phone

JAMMER!
 

Tuesday
Nov082011

Cisco ACS 5.x - Radius Proxy Server to strip prefix or suffix 'user@domain'

DateTuesday, November 8, 2011 at 4:36PM

The purpose of this document is to strip the domain from users that authenticate with the format: username@domain in ACS 5.x.

Wireless supplicants sometimes present the user creditials in different formats. One such device is the Motorola handhelds. They present the user ID as 'user@domain' to the radius server who then sends this to the AD server. In some cases if you didnt use a FQDN as your domain name (in the handheld) and you were on ACS 4.x it would still authenticate. ACS 4.x would strip this suffix and present the raw ID to AD.

But ACS 5.x doesnt do this easily. You actually have to create a PROXY ACS inside your ACS server. There is no easy check box to strip the prefix or the suffix in ACS 5.x.

If you use LDAP, different sorry. You have the option to strip both with a simple check box under external / ldap section of ACS 5.x.. Below is a document I received from Cisco TAC showing how to strip the prefix and or suffix in ACS 5.x within a ACS proxy.

 

RADIUS PROXY SERVER

Configure the ACS server as a network device and choose as the authentication option Radius.

 

Define the ACS server as an External Radius server under Network Resources. The external radius server on this case is the ACS itself.

 

Create a new access service and point the new policy to use the Radius Proxy service type.

 

 

Once the access service is enable configure the advance options of the new service selection rule to strip the domain after the @.

 

Go to service selection rule and create a new rule pointing to the Proxy Radius Server created previously and include a compound condition as follows:

 

With the previous configuration when we use the username@domain the user is able to authenticate because check the first rule pointing to the proxy radius server which is set up to strip the domian.

When the ACS first receives the request and strips the domain part from the username, the server will Proxy the request to itself in which case the ACS will act as a AAA client striping the domain and showing the passed authentication as follows:

 

On the previous screenshot you can see that once the ACS strips the domain is going to hit the second access service rule which just accept the radius request that does not contain any UPN format.

AuthorGeorge | CommentPost a Comment |