Domain-Qualified Usernames, UPN Usernames – Cisco 3.3 User Manual

Chapter 13 User Databases: Windows User Database

User Guide for Cisco Secure ACS for Windows Server, 78-16592-01, page 13-14

Note: If your Domain List contains domains and your Windows SAM or Active Directory user databases are configured to lock out users after a number of failed attempts, users can be inadvertently locked out because Cisco Secure ACS tries each domain in the Domain List explicitly, resulting in failed attempts for identical usernames that reside in different domains.

Domain-Qualified Usernames

The most reliable method of authenticating users against a specific domain is to
require users to submit the domains they should be authenticated against along
with their usernames. Authentication of a domain-qualified username is directed
to a specific domain rather than depending upon Windows to attempt
authentication with the correct domain or upon using the Domain List to direct
Cisco Secure ACS to submit the username repeatedly in a domain-qualified
format.

Domain-qualified usernames have the following format:

DOMAIN\user

For example, the domain-qualified username for user Mary Smith (msmith) in Domain10 would be Domain10\msmith.

For usernames containing an “at” character, such as cyril.yang@central-office, using a domain-qualified username format is required. For example, MAIN\cyril.yang@central-office. If a username containing an “at” character is received in a non-domain-qualified format, Cisco Secure ACS perceives it as a username in UPN format. For more information, see UPN Usernames, page 13-14.

UPN Usernames

Cisco Secure ACS supports authentication of usernames in User Principal Name
(UPN) format, such as [email protected] or
cyril.yang@[email protected].
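The following Python model ties together the three username forms described above (DOMAIN\user, UPN, and plain) and the Domain List lockout caveat from the note. It is an added example, not Cisco code and not a description of the product's internals: the account table, domain names, UPN suffix map and the assumption that a plain username is submitted once per Domain List entry, in list order, are all constructed for illustration. It shows why the same username in two domains absorbs failed attempts when an unqualified name is used, why a name containing "@" never reaches its domain unless it is domain-qualified, and how the domain-qualified form avoids both problems.

```python
"""Toy model of how a Windows username is classified and how many
authentication attempts an unqualified name can trigger.  Added example,
not Cisco code; the account table, domains and suffix map are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Account = Tuple[str, str]  # (DOMAIN, user); domain names are upper-cased


@dataclass
class ParsedUsername:
    form: str              # "domain-qualified", "upn" or "plain"
    domain: Optional[str]  # explicit domain for DOMAIN\user; None otherwise
    user: str              # the part handed to Windows as the user name


def parse_username(raw: str) -> ParsedUsername:
    """Classify a submitted username into the three forms the manual describes.

    A backslash decides: the text before the first backslash is the domain, so
    MAIN\\cyril.yang@central-office keeps its "@" inside the user part.
    Without a backslash, any "@" makes the name read as a UPN."""
    if "\\" in raw:
        domain, user = raw.split("\\", 1)
        return ParsedUsername("domain-qualified", domain.upper(), user)
    if "@" in raw:
        return ParsedUsername("upn", None, raw)
    return ParsedUsername("plain", None, raw)


def attempts_for(raw: str, domain_list: List[str],
                 upn_suffixes: Dict[str, str]) -> List[Account]:
    """(DOMAIN, user) pairs that would be tried, in order, for one logon.

    Domain-qualified names go to exactly one domain.  A UPN is resolved through
    its suffix (a constructed suffix-to-domain map stands in for Windows here;
    an unknown suffix resolves nowhere).  A plain name is submitted once per
    Domain List entry; assumption: the list is tried in order, nothing first."""
    p = parse_username(raw)
    if p.form == "domain-qualified":
        return [(p.domain, p.user)]
    if p.form == "upn":
        user, _, suffix = p.user.rpartition("@")
        domain = upn_suffixes.get(suffix.lower())
        return [(domain, user)] if domain else []
    return [(d.upper(), p.user) for d in domain_list]


def simulate_logon(raw: str, password: str, domain_list: List[str],
                   upn_suffixes: Dict[str, str],
                   accounts: Dict[Account, str]) -> Tuple[bool, Dict[Account, int]]:
    """Try each candidate until one succeeds and count the failed attempts that
    land on existing accounts, i.e. the attempts a lockout policy would see.
    Attempts against a domain that has no such account charge nobody."""
    failures: Dict[Account, int] = {}
    for key in attempts_for(raw, domain_list, upn_suffixes):
        if accounts.get(key) == password:
            return True, failures
        if key in accounts:
            failures[key] = failures.get(key, 0) + 1
    return False, failures


# Constructed directory: the same username exists in two domains.
ACCOUNTS: Dict[Account, str] = {
    ("DOMAIN10", "msmith"): "pw-for-domain10",
    ("DOMAIN20", "msmith"): "pw-for-domain20",
    ("MAIN", "cyril.yang@central-office"): "pw-for-cyril",
}
DOMAIN_LIST = ["DOMAIN20", "DOMAIN10"]           # DOMAIN20 is tried first
UPN_SUFFIXES = {"domain10.example": "DOMAIN10"}  # constructed suffix map


if __name__ == "__main__":
    # Unqualified: succeeds in DOMAIN10, but DOMAIN20\msmith absorbs a failure.
    print(simulate_logon("msmith", "pw-for-domain10",
                         DOMAIN_LIST, UPN_SUFFIXES, ACCOUNTS))
    # Domain-qualified: one attempt, nobody else is charged.
    print(simulate_logon("Domain10\\msmith", "pw-for-domain10",
                         DOMAIN_LIST, UPN_SUFFIXES, ACCOUNTS))
    # "@" without a backslash is read as a UPN and never reaches MAIN.
    print(parse_username("cyril.yang@central-office").form)
```

Every successful unqualified logon by the DOMAIN10 user adds one failure to DOMAIN20\msmith, so with a lockout threshold of N that account is locked after N of someone else's logons; the domain-qualified form produces a single attempt and an empty failure map.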