Table Of Contents
Radius-Server Domain-Stripping Enhancements
Supported Standards, MIBs, and RFCs
Configuring Right-to-Left Support
Verifying Right-to-Left and Delimiter Configurations
Right-to-Left Configuration Example
Delimiter Character Set Example
radius-server domain-stripping
Radius-Server Domain-Stripping Enhancements
Feature History
Release: 12.2(15)B
Modification: This feature was introduced on the Cisco 7200 series and Cisco 7400 ASR.
This document describes the Radius-Server Domain-Stripping Enhancements feature in Cisco IOS Release 12.2(15)B. It includes the following sections:
•Feature Overview
•Supported Platforms
•Supported Standards, MIBs, and RFCs
•Configuration Tasks
•Configuration Examples
•Command Reference
Feature Overview
The Radius-Server Domain-Stripping Enhancements feature introduces two new configuration options to the radius-server domain-stripping command—the right-to-left and delimiter options.
Before this feature, whenever the radius-server domain-stripping command was enabled, the authentication, authorization, and accounting (AAA) username format "user@company.com" could be sent to remote RADIUS servers only in the reformatted username "user." (That is, the reformatted username was formed from the original string but terminated at the first "@" character going from left to right.) This functionality limited the choice of usernames if there were more than one "@" character within the string. It also limited the domain delimiter to the "@" character because any other possible characters (such as the "%" character) could not be used. The right-to-left and delimiter options address these limitations in the following ways:
•The right-to-left option parses the username in the reverse direction (from right to left) so that the username "user@company.com" can also be sent in AAA requests.
•The delimiter option configures a combination of characters (@, $, %, /, -, and \) to be the set of domain delimiter characters.
Note: Any of the domain delimiters in the configured subset can be recognized, but whichever character comes first when searching the original username string is recognized first.
Benefits
This feature introduces support for the following two variations of a AAA username:
•The right-to-left option, which configures a username with multiple domain delimiters
•The delimiter option, which configures a username with domain delimiters other than the "@" character.
Related Documents
For information on additional RADIUS commands and RADIUS configurations tasks, refer to the following documents:
•The chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide, Release 12.2
•The chapter "RADIUS Commands" in the Cisco IOS Security Command Reference, Release 12.2
For information on enabling VRF-aware domain-stripping, refer to the following document:
•Per VRF AAA, Cisco IOS feature module Release 12.2(4)B
Supported Platforms
•Cisco 7200 series
•Cisco 7400 series
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.
Supported Standards, MIBs, and RFCs
Standards
None
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
None
Configuration Tasks
See the following sections for configuration tasks for the Radius-Server Domain-Stripping Enhancements feature. Each task in the list is identified as either required or optional.
•Configuring Right-to-Left Support (required)
•Configuring Delimiter Support (required)
•Verifying Right-to-Left and Delimiter Configurations (optional)
Configuring Right-to-Left Support
To enable the right-to-left option to support a username with multiple domain delimiters, use the following command in global configuration mode:
Command: Router(config)# radius-server domain-stripping right-to-left [vrf vrf-name]
Purpose: Parses the username from right to left, so that the reformatted username is cut at the last domain delimiter instead of the first. With the vrf keyword, the setting applies only to the named VRF.
Configuring Delimiter Support
To enable the delimiter option to support a username with domain delimiters other than the "@" character, use the following command in global configuration mode:
Command: Router(config)# radius-server domain-stripping delimiter string1 [string2... string7] [vrf vrf-name]
Purpose: Configures the set of characters (@, $, %, /, -, and \) that are recognized as domain delimiters. With the vrf keyword, the setting applies only to the named VRF.
Verifying Right-to-Left and Delimiter Configurations
To verify feature functionality, use the following command in EXEC mode:
Command: Router# debug radius
Purpose: Checks whether the reformatted username attribute is sent to the RADIUS server in authentication and accounting requests.
Configuration Examples
This section provides the following configuration examples:
•Right-to-Left Configuration Example
•Delimiter Character Set Example
Right-to-Left Configuration Example
The following example shows a configuration that strips the domain name from the VRF "abc" and strips the domain name from right to left for the non-VRF and VRF "def." In this example, VRF "abc" has the original username "user1@abc.com.@isp.net," and the reformatted version "user1" will be used in requests that are sent to RADIUS servers. The non-VRF has the username "user2@isp.com@isp.net," and the reformatted version "user2@isp.com" will be used. VRF "def" has the original format "user3@def.com@isp.net," and the reformatted version "user3@def.com" will be used.
radius-server domain-stripping vrf abc
radius-server domain-stripping right-to-left
radius-server domain-stripping right-to-left vrf def
Delimiter Character Set Example
The following example shows a configuration that strips the domain name from the VRF "abc," strips the domain name from VRF "def" at the "%" string, and strips the domain name from the VRF "ghi" from right to left at the delimiter character set @, $, /:
radius-server domain-stripping vrf abc
radius-server domain-stripping delimiter % vrf def
radius-server domain-stripping right-to-left delimiter @$/ vrf ghi
After the domain stripping is complete, the corresponding usernames are sent to the RADIUS server as described in Table 1.
Command Reference
This section documents a new command. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
•radius-server domain-stripping
radius-server domain-stripping
To enable domain stripping, use the radius-server domain-stripping command in global configuration mode. To remove this command from your configuration, use the no form of this command.
radius-server domain-stripping [right-to-left] [delimiter string1, [string2... string7]] [vrf vrf-name]
no radius-server domain-stripping [right-to-left] [delimiter string1, [string2... string7]] [vrf vrf-name]
Syntax Description
Defaults
RADIUS server domain-stripping is not configured.
The username is parsed from left to right.
The default delimiter string is @.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the radius-server domain-stripping command to strip or truncate the domain from a username. For example, if the username is user1@cisco.com and the radius-server domain-stripping command is configured, only "user1" is sent out as the username.
When the right-to-left keyword is configured, the username is parsed in the reverse direction. For example, if this keyword is not enabled, "user" is the only available username for user@company.com@isp.net. However, if this keyword is enabled, the username "user@company.com." can also be sent in authentication, authorization, and accounting (AAA) requests.
When the delimiter string1, [string2... string7] option is configured, a character set of domain delimiters is configured for the username. Any of the domain delimiters in the configured subset can be recognized, but whichever character comes first when searching the original username string is recognized first.
The right-to-left and delimiter keywords work for VRF and non-VRF users. The two keywords also work independently of each other.
When the vrf vrf-name option is configured, domain stripping applies only to the specified VRF.
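The parsing rules in these guidelines (left-to-right by default, the right-to-left keyword, the delimiter character set, and per-VRF scope) worked through as an added Python model. This is example code written for this page, not Cisco IOS code; the class and function names (StripPolicy, DomainStrippingConfig, strip_domain) are this example's own, and the configuration lines and original usernames it feeds in are taken from the examples and table in this document. It lets you predict which username string leaves the router for a given configuration before confirming it with debug radius.

```python
"""Model of the radius-server domain-stripping username rewrite.

Added example, not Cisco IOS code: it reproduces the behaviour the
Usage Guidelines describe (left-to-right default, right-to-left keyword,
delimiter character set, per-VRF scope).  Names are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Delimiter characters the feature accepts (listed in the Feature Overview).
ALLOWED_DELIMITERS = set("@$%/-\\")
CLI_KEYWORDS = {"right-to-left", "delimiter", "vrf"}


@dataclass
class StripPolicy:
    right_to_left: bool = False   # default: parse the username from the left
    delimiters: str = "@"         # default delimiter string is @


def strip_domain(username: str, policy: StripPolicy) -> str:
    """Cut the username at the first delimiter met in the scan direction.

    Left-to-right: cut at the leftmost delimiter, so "user@a.com@isp.net"
    becomes "user".  Right-to-left: cut at the rightmost delimiter, so the
    same string becomes "user@a.com".  Any character in the configured set
    counts; whichever one is met first in the scan wins.
    """
    hits = [i for i, ch in enumerate(username) if ch in policy.delimiters]
    if not hits:
        return username  # no delimiter present: nothing is stripped
    cut = hits[-1] if policy.right_to_left else hits[0]
    return username[:cut]


class DomainStrippingConfig:
    """Per-VRF stripping policies; the key None models non-VRF users."""

    def __init__(self) -> None:
        self.policies: Dict[Optional[str], StripPolicy] = {}

    def configure(self, line: str) -> None:
        """Apply one 'radius-server domain-stripping ...' global config line."""
        tokens = line.split()
        if tokens[:2] != ["radius-server", "domain-stripping"]:
            raise ValueError(f"not a domain-stripping command: {line!r}")
        policy, vrf, i = StripPolicy(), None, 2
        while i < len(tokens):
            tok = tokens[i]
            if tok == "right-to-left":
                policy.right_to_left = True
                i += 1
            elif tok == "delimiter":
                # Collect string1 [string2 ... string7] up to the next keyword.
                i += 1
                chars = ""
                while i < len(tokens) and tokens[i] not in CLI_KEYWORDS:
                    chars += tokens[i]
                    i += 1
                if not chars or set(chars) - ALLOWED_DELIMITERS:
                    raise ValueError(f"invalid delimiter set {chars!r}")
                policy.delimiters = chars
            elif tok == "vrf":
                if i + 1 >= len(tokens):
                    raise ValueError("vrf keyword needs a vrf-name")
                vrf = tokens[i + 1]
                i += 2
            else:
                raise ValueError(f"unknown keyword {tok!r}")
        self.policies[vrf] = policy

    def outbound_username(self, username: str, vrf: Optional[str] = None) -> str:
        """Username as it would appear in RADIUS requests for this VRF."""
        policy = self.policies.get(vrf)
        if policy is None:
            return username  # stripping not configured for this VRF: sent unchanged
        return strip_domain(username, policy)


def delimiter_set_example() -> Dict[str, str]:
    """The Delimiter Character Set Example from this document, as a mapping."""
    cfg = DomainStrippingConfig()
    cfg.configure("radius-server domain-stripping vrf abc")
    cfg.configure("radius-server domain-stripping delimiter % vrf def")
    cfg.configure("radius-server domain-stripping right-to-left delimiter @$/ vrf ghi")
    originals = {  # original usernames from the document's table
        "abc": "user1@abc.com@isp.net%mfxxx",
        "def": "user1@def.com@isp.net%mfxxx",
        "ghi": "user1@ghi.com@isp.net%mfxxx",
    }
    return {u: cfg.outbound_username(u, vrf) for vrf, u in originals.items()}


if __name__ == "__main__":
    for original, sent in delimiter_set_example().items():
        print(f"{original:32} -> {sent}")
```

Running the module prints the same Original/Reformatted pairs as the table in this document. The model makes the key operational point visible: the scan direction decides whether the RADIUS server is presented with "user" or with "user@company.com" for the same original string, so the policy in force per VRF is what you should compare against the username attribute shown by debug radius.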
Examples
The following example shows a configuration that strips the domain name from the VRF "abc" and strips the domain name from right to left for the non-VRF and VRF "def." In this example, VRF "abc" has the original username "user1@abc.com.@isp.net," and the reformatted version "user1" will be used in requests that are sent to RADIUS servers. The non-VRF has the username "user2@isp.com@isp.net," and the reformatted version "user2@isp.com" will be used. VRF "def" has the original format "user3@def.com@isp.net," and the reformatted version "user3@def.com" will be used.
radius-server domain-stripping vrf abc
radius-server domain-stripping right-to-left
radius-server domain-stripping right-to-left vrf def
The following example shows a configuration that strips the domain name from the VRF "abc," strips the domain name from VRF "def" at the "%" string, and strips the domain name from the VRF "ghi" from right to left at the delimiter character set @, $, /:
radius-server domain-stripping vrf abc
radius-server domain-stripping delimiter % vrf def
radius-server domain-stripping right-to-left delimiter @$/ vrf ghi
After the domain stripping is complete, the corresponding usernames are sent to the RADIUS server as follows:
Original Username               Reformatted Username
user1@abc.com@isp.net%mfxxx     user1
user1@def.com@isp.net%mfxxx     user1@def.com@isp.net
user1@ghi.com@isp.net%mfxxx     user1@ghi.com