Thanks, Trent, for the information, but the solution from the link below does not
work with MS-CHAPv2 authentication.
Below is from my TAC case note:
-----------------------
Hello Dennis,
Following up from our phone call earlier. There is a defect
documenting the fact that we do not clearly indicate that RADIUS proxy
suffix/prefix stripping doesn't work with MS-CHAPv2 here: CSCta08626. I've
updated that and attached it to your case. Enhancement request CSCts11726 is
for adding the ability into the AD configuration in ACS. That is the ID you'll
want to pass along to your account team so they can communicate it via a
Product Enhancement Request (PERS) to the developers.
-----------------------
Too bad Cisco only fixed this for ISE, but not for ACS5.
---
Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph
519-824-4120 Ext 56217
[email protected]
www.uoguelph.ca/ccs
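Added example, not part of the original thread and not Cisco's code: RFC 2759 (MS-CHAPv2) mixes the user name the supplicant typed into the 8-octet challenge hash, so a server that hashes a rewritten name derives a different challenge than the client did. Whether this is the mechanism behind CSCta08626 is an assumption (the thread does not state the cause); the user name `alice`, the helper names and the two server modes are hypothetical.

```python
import hashlib

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: bytes) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: the first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    return hashlib.sha1(peer_challenge + auth_challenge + user_name).digest()[:8]

def strip_suffix(user_name: bytes, suffix: bytes) -> bytes:
    """Remove a realm suffix such as b'@uoguelph.ca' when it is present."""
    if suffix and user_name.endswith(suffix):
        return user_name[: -len(suffix)]
    return user_name

def server_side_challenge(peer, auth, received_name, suffix, hash_stripped_name):
    """Return (directory lookup name, challenge the server derives).

    hash_stripped_name=True  : the name is rewritten before the hash is computed,
                               so the challenge no longer matches the client's.
    hash_stripped_name=False : the stripped name is used only for the directory
                               lookup; the hash still covers the name as typed.
    """
    lookup_name = strip_suffix(received_name, suffix)
    hashed_name = lookup_name if hash_stripped_name else received_name
    return lookup_name, challenge_hash(peer, auth, hashed_name)

# Constructed sample input: challenge values reused from the RFC 2759 test
# vectors, user name invented for illustration, realm taken from the thread.
PEER = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
AUTH = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
TYPED = b"alice@uoguelph.ca"
SUFFIX = b"@uoguelph.ca"

if __name__ == "__main__":
    client = challenge_hash(PEER, AUTH, TYPED)
    print("client challenge      :", client.hex())
    for mode in (True, False):
        lookup, chal = server_side_challenge(PEER, AUTH, TYPED, SUFFIX, mode)
        verdict = "match" if chal == client else "MISMATCH"
        print(f"hash_stripped_name={mode!s:5} lookup={lookup.decode()} "
              f"challenge={chal.hex()} -> {verdict}")
```

The NT-Response is computed over this 8-octet challenge, so a mismatch here means the response cannot verify even when the password is correct.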
----- Original Message -----
From: "Trent Hurt" <[email protected]>
To: [email protected]
Sent: Thursday, September 3, 2015 4:36:40 PM
Subject: Re: [WIRELESS-LAN] Eduroam authentication question with AD
http://www.my80211.com/home/2011/11/8/cisco-acs-5x-radius-proxy-server-to-strip-prefix-or-suffix-u.html
-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[email protected]] On Behalf Of Dennis Xu
Sent: Thursday, September 03, 2015 4:24 PM
To: [email protected]
Subject: [WIRELESS-LAN] Eduroam authentication question with AD
We have one issue with eduroam and AD authentication. We authenticate eduroam
users to Active Directory using PEAP-MSCHAPv2. The issue lies with our AD
domain name, which is a subdomain called cfs.uoguelph.ca. If users try to log in
with username [email protected], the authentication will fail as the domain
name does not match. We had to strip the "@uoguelph.ca" suffix on our ACS 4.2
to make it work, but the same suffix stripping functionality does not exist in
ACS 5.x, so we have to find other alternatives. I would like to know if it is a
common issue in universities that the AD domain does not match the main domain.
If you have the same issue, what are your solutions? Thanks.
---
Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS) University of Guelph
519-824-4120 Ext 56217
[email protected]
www.uoguelph.ca/ccs
**********
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.