Joe,

Thanks for the reply. I am guessing you are not using PEAP-MSCHAPv2; is that 
correct? I have just come across the following from Cisco:

CSCuc52361 Bug Details
ISE should allow domain modification/stripping for AD external store
Symptom:
Currently ISE does not allow modifying the domain name before authentication 
when the external identity store used is AD. This is a problem in an 
environment like Eduroam where the specification enforces a particular username 
format (user@realm). Generally the username stored in the AD UPN field is not 
in the same format as the one supplied for authentication. It would be good to 
allow the modification of the AD username prior to authentication, or at least 
support suffix/prefix stripping, since this would be sufficient for local 
domain authentication (this would still break cross forest).

Conditions:
Trying to modify the domain name of the user before AD authentication.

Workaround:
Use LDAP for basic stripping (Does not currently work for MSCHAPv2)


Thanks,

Curtis
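The bug text above explains why plain suffix stripping is "sufficient for local domain authentication" but "would still break cross forest": once the realm is gone, nothing tells the identity store which domain or forest the user belongs to, and a non-local realm that should have been forwarded to the federation is instead looked up locally. The following is an added example, not code from this thread and not how ISE itself implements its identity-store settings. It models the decision a RADIUS front end has to make with an eduroam-style inner identity before handing it to AD: is the realm ours, and if so, which domain should receive the stripped username? The realm-to-domain table and all usernames are constructed.

```python
"""Realm routing for eduroam-style identities (user@realm).

Added illustration, not part of the mailing-list thread or of Cisco ISE.
Realm and domain names below are constructed examples.
"""
import re

# Constructed: realms this institution is authoritative for, mapped to the
# AD domain that should authenticate them.  In a multi-forest deployment
# the realm is the only hint as to which forest to query, which is why
# stripping the suffix before this lookup breaks cross-forest cases.
LOCAL_REALMS = {
    "example.edu": "CORP",
    "student.example.edu": "STUDENTS",
}

# NAI suffix form user@realm, NTLM prefix form DOMAIN\user, and a bare user.
# Each part may not contain '@', '\', '/' or whitespace, so a string with
# two '@' characters or an empty part is rejected rather than half-parsed.
_NAI_RE = re.compile(r"^([^@\\/\s]+)@([^@\\/\s]+)$")
_NTLM_RE = re.compile(r"^([^@\\/\s]+)\\([^@\\/\s]+)$")
_BARE_RE = re.compile(r"^[^@\\/\s]+$")


def parse_identity(identity):
    """Split an identity into (user, realm_or_None, form).

    Realms are lower-cased because eduroam realm routing is case-insensitive.
    Raises ValueError for anything that is not one of the three known forms.
    """
    m = _NAI_RE.match(identity)
    if m:
        return m.group(1), m.group(2).lower(), "suffix"
    m = _NTLM_RE.match(identity)
    if m:
        return m.group(2), m.group(1).lower(), "prefix"
    if _BARE_RE.match(identity):
        return identity, None, "bare"
    raise ValueError("malformed identity: %r" % identity)


def route_request(identity, local_realms=LOCAL_REALMS):
    """Decide what to do with an identity before AD authentication.

    Returns a dict whose 'action' is 'local' (strip the realm, authenticate
    against the named domain), 'proxy' (not our realm: forward unchanged to
    the federation) or 'reject'.
    """
    try:
        user, realm, form = parse_identity(identity)
    except ValueError as exc:
        return {"action": "reject", "reason": str(exc)}

    if form == "bare":
        # eduroam requires user@realm; a bare name cannot be routed, so it is
        # rejected instead of being guessed into a default domain.
        return {"action": "reject", "reason": "no realm"}

    if form == "prefix":
        # DOMAIN\user is meaningful only for a domain we host; it is not a
        # routable eduroam realm, so an unknown prefix is rejected, not proxied.
        domain = realm.upper()
        if domain in local_realms.values():
            return {"action": "local", "domain": domain, "user": user, "form": form}
        return {"action": "reject", "reason": "unknown domain prefix"}

    domain = local_realms.get(realm)
    if domain is None:
        # Not ours: keep the full identity.  Stripping here would destroy the
        # information the home institution needs to authenticate the user.
        return {"action": "proxy", "identity": identity, "realm": realm}

    # Ours: strip the realm for the AD lookup but carry the resolved domain
    # along so a multi-domain store can be pointed at the right place.
    return {"action": "local", "domain": domain, "user": user, "form": form}


if __name__ == "__main__":
    for ident in ("alice@example.edu", "Bob@STUDENT.Example.EDU",
                  "carol@other.ac.uk", "CORP\\frank", "dave", "eve@a@b"):
        print(ident, "->", route_request(ident))
```

The point of keeping the domain in the `local` result is the one the bug report makes: stripping is harmless only if the stripped identity still reaches the right domain, so the realm should be consumed by the routing step, not discarded before it.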


________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[[email protected]] on behalf of Joe Roth 
[[email protected]]
Sent: Tuesday, August 13, 2013 6:58 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] ISE as RADIUS server with eduroam

Curtis,

We are not using eduroam but we are a Cisco ISE user. When you connect to AD 
via LDAP in ISE I believe that you can accomplish what you are looking to do. 
If you create a new LDAP identity source, look under the directory structure 
tab. You can strip the subject name based on a dividing character. You can 
leave your current AD identity source in place and add the LDAP one as well; 
they will run side by side.


On Tue, Aug 13, 2013 at 7:05 PM, Curtis K. Larsen (UIT-Network) 
<[email protected]> wrote:
Hello,

I am just wondering if anyone on the list that participates in eduroam uses ISE 
for RADIUS.  We are playing with ISE, and finding difficulty getting it to 
strip off the realm suffix before authenticating against AD.  I can't imagine 
there isn't a way to do this since I assume that would prevent any eduroam 
customers from using ISE as their primary RADIUS server.  Hopefully we are just 
missing something simple.  Let me know.

Thanks,

Curtis Larsen
University of Utah
Network Engineer

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



--
Joe Roth
Networking Group
Binghamton University
Ph. 607-777-7528
Fax 607-777-4009