
Cisco IOS Software Releases 12.2 Special and Early Deployments

radius-server domain-stripping Enhancements


Table Of Contents

Radius-Server Domain-Stripping Enhancements

Feature Overview

Benefits

Related Documents

Supported Platforms

Supported Standards, MIBs, and RFCs

Configuration Tasks

Configuring Right-to-Left Support

Configuring Delimiter Support

Verifying Right-to-Left and Delimiter Configurations

Configuration Examples

Right-to-Left Configuration Example

Delimiter Character Set Example

Command Reference

radius-server domain-stripping


Radius-Server Domain-Stripping Enhancements


Feature History

Release      Modification
12.2(15)B    This feature was introduced on the Cisco 7200 series and Cisco 7400 ASR.


This document describes the Radius-Server Domain-Stripping Enhancements feature in Cisco IOS Release 12.2(15)B. It includes the following sections:

Feature Overview

Supported Platforms

Supported Standards, MIBs, and RFCs

Configuration Tasks

Configuration Examples

Command Reference

Feature Overview

The Radius-Server Domain-Stripping Enhancements feature introduces two new configuration options to the radius-server domain-stripping command—the right-to-left and delimiter options.

Before this feature, whenever the radius-server domain-stripping command was enabled, the authentication, authorization, and accounting (AAA) username format "user@company.com" could be sent to remote RADIUS servers only in the reformatted username "user." (That is, the reformatted username was formed from the original string but terminated at the first "@" character going from left to right.) This functionality limited the choice of usernames if there were more than one "@" character within the string. It also limited the domain delimiter to the "@" character because any other possible characters (such as the "%" character) could not be used. The right-to-left and delimiter options address these limitations in the following ways:

The right-to-left option parses the username in the reverse direction (from right to left) so that the username "user@company.com" can also be sent in AAA requests.

The delimiter option configures a character or combination of characters (@, $, %, /, -, and \) to be the set of domain delimiter characters.


Note Any of the domain delimiters in the configured set can be recognized, but whichever character comes first when searching the original username string is recognized first.


Benefits

This feature introduces support for the following two variations of a AAA username:

The right-to-left option, which configures a username with multiple domain delimiters.

The delimiter option, which configures a username with domain delimiters other than the "@" character.

Related Documents

For information on additional RADIUS commands and RADIUS configuration tasks, refer to the following documents:

The chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide, Release 12.2

The chapter "RADIUS Commands" in the Cisco IOS Security Command Reference, Release 12.2

For information on enabling VRF-aware domain-stripping, refer to the following document:

Per VRF AAA, Cisco IOS feature module Release 12.2(4)B

Supported Platforms

Cisco 7200 series

Cisco 7400 series

Availability of Cisco IOS Software Images

Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.

Supported Standards, MIBs, and RFCs

Standards

None

MIBs

None

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://tools.cisco.com/ITDIT/MIBS/servlet/index

If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:

http://www.cisco.com/register

RFCs

None

Configuration Tasks

See the following sections for configuration tasks for the Radius-Server Domain-Stripping Enhancements feature. Each task in the list is identified as either required or optional.

Configuring Right-to-Left Support (required)

Configuring Delimiter Support (required)

Verifying Right-to-Left and Delimiter Configurations (optional)

Configuring Right-to-Left Support

To enable the right-to-left option to support a username with multiple domain delimiters, use the following command in global configuration mode:

Command:
    Router(config)# radius-server domain-stripping [right-to-left] [vrf vrf-name]

Purpose:
    Enables domain stripping.
    right-to-left—Parses the username in the reverse direction (from right to left).
    vrf vrf-name—Specifies the per-VRF configuration.

Note This option works for VRF users and non-VRF users.

Note This option works independently from the delimiter option.


Configuring Delimiter Support

To enable the delimiter option to support a username with domain delimiters other than the "@" character, use the following command in global configuration mode:

Command:
    Router(config)# radius-server domain-stripping [delimiter string1 [string2... string7]] [vrf vrf-name]

Purpose:
    Enables domain stripping.
    delimiter string1 [string2... string7]—Configures a character or combination of characters to be the domain delimiter character set. Available character options are @, #, $, %, /, -, and \.
    vrf vrf-name—Specifies the per-VRF configuration.

Note This option works for VRF users and non-VRF users.

Note This option works independently from the right-to-left option.


Verifying Right-to-Left and Delimiter Configurations

To verify feature functionality, use the following command in EXEC mode:

Command:
    Router# debug radius

Purpose:
    Checks whether the reformatted username attribute is sent to the RADIUS server in authentication and accounting requests.


Configuration Examples

This section provides the following configuration examples:

Right-to-Left Configuration Example

Delimiter Character Set Example

Right-to-Left Configuration Example

The following example shows a configuration that strips the domain name from the VRF "abc" and strips the domain name from right to left for the non-VRF and VRF "def." In this example, VRF "abc" has the original username "user1@abc.com@isp.net," and the reformatted version "user1" will be used in requests that are sent to RADIUS servers. The non-VRF has the username "user2@isp.com@isp.net," and the reformatted version "user2@isp.com" will be used. VRF "def" has the original format "user3@def.com@isp.net," and the reformatted version "user3@def.com" will be used.

radius-server domain-stripping vrf abc
radius-server domain-stripping right-to-left
radius-server domain-stripping right-to-left vrf def

Delimiter Character Set Example

The following example shows a configuration that strips the domain name from the VRF "abc," strips the domain name from VRF "def" at the "%" string, and strips the domain name from the VRF "ghi" from right to left at the delimiter character set @, $, /:

radius-server domain-stripping vrf abc
radius-server domain-stripping delimiter % vrf def
radius-server domain-stripping right-to-left delimiter @$/ vrf ghi

After the domain stripping is complete, the corresponding usernames are sent to the RADIUS server as described in Table 1.

Table 1 radius-server domain-stripping Reformatted Username Examples

Original Username               Reformatted Username
user1@abc.com@isp.net%mfxxx     user1
user1@def.com@isp.net%mfxxx     user1@def.com@isp.net
user1@ghi.com@isp.net%mfxxx     user1@ghi.com


Command Reference

This section documents a new command. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.

radius-server domain-stripping

radius-server domain-stripping

To enable domain stripping, use the radius-server domain-stripping command in global configuration mode. To remove this command from your configuration, use the no form of this command.

radius-server domain-stripping [right-to-left] [delimiter string1, [string2... string7]] [vrf vrf-name]

no radius-server domain-stripping [right-to-left] [delimiter string1, [string2... string7]] [vrf vrf-name]

Syntax Description

right-to-left

(Optional) Parses the username in reverse direction (from right to left).

delimiter string1, [string2... string7]

(Optional) Configures a character or combination of characters to be the domain delimiter character set. Available character options are @, #, $, %, /, -, and \.

Note Do not put the \ string as the final character unless it is the only character string being used.

vrf vrf-name

(Optional) Specifies the per-VRF configuration.


Defaults

RADIUS server domain-stripping is not configured.

The username is parsed from left to right.

The default delimiter string is @.

Command Modes

Global configuration

Command History

Release      Modification
12.2(2)DD    This command was introduced.
12.2(4)B     This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(15)B    The right-to-left and delimiter string1, [string2... string7] options were added.


Usage Guidelines

Use the radius-server domain-stripping command to strip or truncate the domain from a username. For example, if the username is user1@cisco.com and the radius-server domain-stripping command is configured, only "user1" is sent out as the username.

When the right-to-left keyword is configured, the username is parsed in the reverse direction. For example, if this keyword is not enabled, "user" is the only available username for user@company.com@isp.net. However, if this keyword is enabled, the username "user@company.com" can also be sent in authentication, authorization, and accounting (AAA) requests.

When the delimiter string1, [string2... string7] option is configured, a character set of domain delimiters is configured for the username. Any of the domain delimiters in the configured set can be recognized, but whichever character comes first when searching the original username string is recognized first.

The right-to-left and delimiter keywords work for VRF and non-VRF users. Also, the two keywords work independently of each other.

When the vrf vrf-name option is configured, domain stripping applies only to the specified VRF.
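The following Python script is an added worked model of the stripping rules stated in these Usage Guidelines and in the Feature Overview; it is not Cisco IOS code and does not reproduce the IOS implementation. It parses configuration lines in the form this command takes, keeps one rule per VRF (the rule with no vrf keyword serves non-VRF users; a VRF user is stripped only when a rule names that VRF, which is an assumption drawn from the document's examples), and reformats the usernames from the document's two configuration examples so the expected results can be checked offline.

```python
"""Model of Cisco IOS 'radius-server domain-stripping' username reformatting.

Added example, not Cisco IOS code. It models the behaviour this document
describes (left-to-right default, right-to-left option, delimiter character
set, per-VRF selection). Assumption: users without a VRF use the global rule,
and a VRF user is stripped only when a rule names that VRF.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Characters the delimiter option accepts, per the syntax description.
ALLOWED_DELIMITERS = set("@#$%/-\\")


@dataclass
class StripRule:
    right_to_left: bool = False   # default: parse left to right
    delimiters: str = "@"         # default delimiter string


@dataclass
class DomainStrippingConfig:
    # Key None holds the global (non-VRF) rule; other keys are VRF names.
    rules: Dict[Optional[str], StripRule] = field(default_factory=dict)

    def apply_line(self, line: str) -> None:
        """Parse one 'radius-server domain-stripping ...' configuration line."""
        tokens = line.split()
        if tokens[:2] != ["radius-server", "domain-stripping"]:
            raise ValueError(f"not a domain-stripping command: {line!r}")
        rule, vrf, i = StripRule(), None, 2
        while i < len(tokens):
            tok = tokens[i]
            if tok == "right-to-left":
                rule.right_to_left = True
                i += 1
            elif tok == "delimiter":
                # Up to seven delimiter strings follow ("@$/" or "@ $ /").
                i += 1
                chars = ""
                while i < len(tokens) and tokens[i] != "vrf":
                    chars += tokens[i]
                    i += 1
                if not 0 < len(chars) <= 7 or not set(chars) <= ALLOWED_DELIMITERS:
                    raise ValueError(f"bad delimiter set in {line!r}")
                rule.delimiters = chars
            elif tok == "vrf" and i + 1 < len(tokens):
                vrf = tokens[i + 1]
                i += 2
            else:
                raise ValueError(f"unexpected token {tok!r} in {line!r}")
        self.rules[vrf] = rule

    def reformat(self, username: str, vrf: Optional[str] = None) -> str:
        """Username as it would be sent to the RADIUS server for this VRF."""
        rule = self.rules.get(vrf)
        return username if rule is None else strip_domain(username, rule)


def strip_domain(username: str, rule: StripRule) -> str:
    """Cut the username at the first delimiter met in the scan direction.

    Left to right keeps only the text before the first delimiter; right to
    left keeps everything before the last one, so earlier delimiters survive
    ("user@company.com" from "user@company.com@isp.net"). Any character in the
    configured set counts; whichever is reached first wins.
    """
    hits = [i for i, ch in enumerate(username) if ch in rule.delimiters]
    if not hits:
        return username
    return username[:(hits[-1] if rule.right_to_left else hits[0])]


def right_to_left_example() -> Dict[str, str]:
    """The document's right-to-left configuration example: original -> sent."""
    cfg = DomainStrippingConfig()
    for line in ("radius-server domain-stripping vrf abc",
                 "radius-server domain-stripping right-to-left",
                 "radius-server domain-stripping right-to-left vrf def"):
        cfg.apply_line(line)
    return {"user1@abc.com@isp.net": cfg.reformat("user1@abc.com@isp.net", "abc"),
            "user2@isp.com@isp.net": cfg.reformat("user2@isp.com@isp.net"),
            "user3@def.com@isp.net": cfg.reformat("user3@def.com@isp.net", "def")}


def table1_example() -> Dict[str, str]:
    """The document's delimiter character set example (Table 1): VRF -> sent."""
    cfg = DomainStrippingConfig()
    for line in ("radius-server domain-stripping vrf abc",
                 "radius-server domain-stripping delimiter % vrf def",
                 "radius-server domain-stripping right-to-left delimiter @$/ vrf ghi"):
        cfg.apply_line(line)
    return {vrf: cfg.reformat(f"user1@{vrf}.com@isp.net%mfxxx", vrf)
            for vrf in ("abc", "def", "ghi")}


if __name__ == "__main__":
    for original, sent in right_to_left_example().items():
        print(f"{original:28} -> {sent}")
    for vrf, sent in table1_example().items():
        print(f"vrf {vrf}: user1@{vrf}.com@isp.net%mfxxx -> {sent}")
```

Running the script prints the reformatted usernames from both configuration examples. The point worth checking on a real router with debug radius is the same one the model makes explicit: the delimiter set and the scan direction together decide which "@" (or other character) ends the username, so a username with several delimiters can be sent in more than one form depending on the rule that applies to its VRF.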

Examples

The following example shows a configuration that strips the domain name from the VRF "abc" and strips the domain name from right to left for the non-VRF and VRF "def." In this example, VRF "abc" has the original username "user1@abc.com@isp.net," and the reformatted version "user1" will be used in requests that are sent to RADIUS servers. The non-VRF has the username "user2@isp.com@isp.net," and the reformatted version "user2@isp.com" will be used. VRF "def" has the original format "user3@def.com@isp.net," and the reformatted version "user3@def.com" will be used.

radius-server domain-stripping vrf abc
radius-server domain-stripping right-to-left
radius-server domain-stripping right-to-left vrf def

The following example shows a configuration that strips the domain name from the VRF "abc," strips the domain name from VRF "def" at the "%" string, and strips the domain name from the VRF "ghi" from right to left at the delimiter character set @, $, /:

radius-server domain-stripping vrf abc
radius-server domain-stripping delimiter % vrf def
radius-server domain-stripping right-to-left delimiter @$/ vrf ghi

After the domain stripping is complete, the corresponding usernames are sent to the RADIUS server as follows:

Original Username               Reformatted Username
user1@abc.com@isp.net%mfxxx     user1
user1@def.com@isp.net%mfxxx     user1@def.com@isp.net
user1@ghi.com@isp.net%mfxxx     user1@ghi.com