Domain Name and Realm Name Overview

To provide flexibility in how the router handles different types of usernames, the software lets you specify the part of a username to use as the domain name, how the domain name is designated, and how the router parses names. It also allows you to set whether or not the router strips the domain name from the username before it sends the username to the RADIUS server.

By default, the router parses usernames as follows:

realmName/personalName@domainName

The string to the left of the forward slash (/) is the realm name, and the string to the right of the at-symbol (@) is the domain name. For example, in the username juniper/jill@abc.com, juniper is the realm name and abc.com is the domain name.

The router allows you to:

To provide these features, the router allows you to specify delimiters for the domain name and realm name. You can use up to eight one-character delimiters each for domain and realm names. The router also lets you specify how it parses usernames to determine which part of a username to use as the domain name.

The following sections describe domain name and realm name:

Using the Realm Name as the Domain Name

Typically, a realm appears before the user field and is separated with the / character; for example, usEast/jill@abc.com. To use the realm name usEast rather than abc.com as the domain name, set the realm name delimiter to /. For example:

host1(config)#aaa delimiter realmName /

This command causes the router to use the string to the left of the / as the domain name. If the realm name delimiter is null (the default), the router will not search for the realm name.

Using Delimiters Other Than @

You can set up the router to recognize delimiters other than @ to designate the domain name. Suppose there are two users: bob@abc.com and pete!xyz.com, and you want to use both of their domain names. In this case you would set the domain name delimiter to @ and !. For example:

host1(config)#aaa delimiter domainName @!

Using Either the Domain or the Realm as the Domain Name

If the username contains both a realm name and a domain name delimiter, you can use either the domain name or the realm name as the domain name. As previously mentioned, the router treats usernames with multiple delimiters as though the realm name is to the left of the realm delimiter and the domain name is to the right of the domain delimiter.

If you set the parse order to:

For example, if you set the delimiter for the realm name to / and set the delimiter for the domain name to @, the router parses the realm first by default. The username usEast/lori@abc.com results in a domain name of usEast. To cause the parsing to return abc.com as the domain, enter the aaa parse-order domain-first command.

Specifying the Domain Name or Realm Name Parse Direction

You can specify the direction—either left to right or right to left—in which the router performs the parsing operation when identifying the realm name or domain name. This feature is particularly useful if the username contains nested realm or domain names. For example, for a username of userjohn@abc.com@xyz.com, you can identify the domain as either abc.com@xyz.com or as xyz.com, depending on the parse direction that you specify.

You use either the left-to-right or right-to-left keywords with one of the following keywords to specify the type of search and parsing that the router performs:

Stripping the Domain Name

The router provides a feature that strips the domain name from the username before it sends the username to the RADIUS server in an Access-Request message. You can enable or disable this feature by using the strip-domain command.

The router does not permanently remove the domain name from the username of the subscriber. Instead, the router blocks the domain name from being sent in the Access-Request message, thereby retaining the domain name. So the output of the show subscribers command always displays the complete username, including the domain name (if available), of the subscriber regardless of the status of the strip domain feature.

By default, the domain name is the text after the last @ character. However, if you changed the domain name parsing using the aaa delimiter, aaa parse-order, or aaa parse direction commands, the router strips the domain name and delimiter that result from the parsing.
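The following Python model ties together the rules described in the sections above (realm to the left of the realm delimiter, domain to the right of the domain delimiter, parse order, parse direction, and strip domain). It is an added illustration, not Juniper code: the class and function names, the field names, and the choice that a realm search defaults to left-to-right are assumptions; the usernames are constructed from the examples in the text.

```python
"""Model of how a JunosE-style AAA router parses a subscriber username into
realm, domain and the "effective" domain name.  Added illustration, not
Juniper code: the data model and function names are assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple

Hit = Optional[Tuple[str, int]]  # (matched string, delimiter index) or None


@dataclass
class AaaParseConfig:
    """Mirrors the aaa delimiter / parse-order / parse direction settings."""
    domain_delims: str = "@"                  # aaa delimiter domainName <chars>
    realm_delims: str = ""                    # aaa delimiter realmName <chars>; "" = null, no realm search
    parse_order: str = "realm-first"          # or "domain-first" (aaa parse-order)
    domain_direction: str = "right-to-left"   # default: domain is the text after the LAST @
    realm_direction: str = "left-to-right"    # assumption: realm is the text before the FIRST /

    def __post_init__(self) -> None:
        # The router accepts up to eight one-character delimiters per name type.
        for name in ("domain_delims", "realm_delims"):
            if len(getattr(self, name)) > 8:
                raise ValueError(f"{name}: at most eight delimiters")
        if self.parse_order not in ("realm-first", "domain-first"):
            raise ValueError("parse_order must be realm-first or domain-first")
        for d in (self.domain_direction, self.realm_direction):
            if d not in ("left-to-right", "right-to-left"):
                raise ValueError("parse direction must be left-to-right or right-to-left")


def _find_delim(username: str, delims: str, direction: str) -> int:
    """Index of the delimiter the parse direction selects, or -1 if none present."""
    hits = [i for i, ch in enumerate(username) if ch in delims]
    if not hits:
        return -1
    return hits[0] if direction == "left-to-right" else hits[-1]


def find_realm(username: str, cfg: AaaParseConfig) -> Hit:
    """Realm = text to the LEFT of the realm delimiter (skipped if delimiter is null)."""
    if not cfg.realm_delims:
        return None
    i = _find_delim(username, cfg.realm_delims, cfg.realm_direction)
    return (username[:i], i) if i >= 0 else None


def find_domain(username: str, cfg: AaaParseConfig) -> Hit:
    """Domain = text to the RIGHT of the domain delimiter."""
    if not cfg.domain_delims:
        return None
    i = _find_delim(username, cfg.domain_delims, cfg.domain_direction)
    return (username[i + 1:], i) if i >= 0 else None


def _select(username: str, cfg: AaaParseConfig) -> Tuple[str, Hit]:
    """Apply parse order: the first of (realm, domain) that is present wins."""
    order = [("realm", find_realm(username, cfg)), ("domain", find_domain(username, cfg))]
    if cfg.parse_order == "domain-first":
        order.reverse()
    for kind, hit in order:
        if hit is not None:
            return kind, hit
    return "none", None


def effective_domain(username: str, cfg: AaaParseConfig) -> Optional[str]:
    """The string the router treats as the domain name (e.g. for aaa domain-map)."""
    _, hit = _select(username, cfg)
    return hit[0] if hit else None


def strip_domain(username: str, cfg: AaaParseConfig) -> str:
    """Username as placed in the RADIUS Access-Request when strip domain is enabled:
    the effective domain name AND its delimiter are removed.  The stored username
    is untouched, which is why show subscribers still displays the full name."""
    kind, hit = _select(username, cfg)
    if hit is None:
        return username
    _, idx = hit
    # A realm sits left of its delimiter, a domain right of it.
    return username[idx + 1:] if kind == "realm" else username[:idx]


if __name__ == "__main__":
    # Constructed usernames taken from the examples in the text.
    for user, cfg in [
        ("juniper/jill@abc.com", AaaParseConfig()),
        ("usEast/lori@abc.com", AaaParseConfig(realm_delims="/")),
        ("usEast/lori@abc.com", AaaParseConfig(realm_delims="/", parse_order="domain-first")),
        ("pete!xyz.com", AaaParseConfig(domain_delims="@!")),
        ("userjohn@abc.com@xyz.com", AaaParseConfig(domain_direction="left-to-right")),
        ("user1@123.com$test1", AaaParseConfig(domain_delims="$")),
    ]:
        print(f"{user:26} domain={str(effective_domain(user, cfg)):17} stripped={strip_domain(user, cfg)}")
```

Note that with the default configuration (null realm delimiter, domain delimiter @, right-to-left) the model reproduces the documented default: the domain is the text after the last @, and stripping removes exactly that text plus the @. Changing the realm delimiter, parse order or direction changes which string is stripped, which is the behaviour the strip domain section describes.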

Stripping the Domain Name Per Virtual Router

The aaa domain-map command maps a domain name to a virtual router. It determines the authentication and accounting access for all subscribers belonging to a particular domain. However, if a subscriber profile is configured for a virtual router using the ppp authentication command, the authentication for the virtual router configured at the profile level takes priority over the one configured at the domain level. If multiple profiles from the same domain are being used, the subscribers may end up in different virtual routers for authentication.

In such a scenario, you can use the aaa strip-domain command to strip a part of the username of the subscriber. The resulting username is then used as the new username for that subscriber for RADIUS authentication and accounting.

The router does not permanently remove the domain name from the username of the subscriber. Instead, the router blocks the domain name from being sent in the Access-Request message, thereby retaining the domain name. So the output of the show subscribers command always displays the complete username, including the domain name (if available), of the subscriber regardless of the status of the strip domain feature.

Note:

  • The aaa strip-domain command can be configured on nondefault virtual routers only.
  • When you execute the show subscribers and logout subscribers commands with the username keyword, you must specify the complete username, including the domain name (if available), of the subscriber regardless of the status of the strip domain feature on a virtual router or AAA domain map.

Subscriber Username for RID, COA Requests, and Lawful Intercepts When Strip Domain Is Enabled

When strip domain is enabled for a virtual router, the username used to identify the subscriber session for RADIUS Initiated Disconnect (RID), Change of Authorization (COA), and lawful intercepts requests is the same as the subscriber username sent to the RADIUS server for authentication.

For example, if a subscriber with the username user1@123.com$test1 has a resulting username of user1@123.com due to the strip domain configuration, then the username for all the incoming RID and COA requests and the lawful intercept requests is user1@123.com.

Using the Strip Domain Functionality Per Virtual Router When Strip Domain Is Enabled for an AAA Domain Map

When strip domain is enabled for an AAA domain map using the strip-domain enable command in Domain Map Configuration mode, the strip domain configured for a virtual router may cause the username stripping to happen twice depending on the configuration.

For example, consider a subscriber with the username user1@test.com$test1$test2. Consider the following configurations for a domain map:

host1(config)#aaa domain-map test2
host1(config-domain-map)#strip-domain enable

The following has also been configured on the nondefault virtual router:

host1(config)#aaa strip-domain enable
host1(config)#aaa strip-domain delimiter domainname $

In this example, when the domain name is stripped for the subscriber with the username user1@test.com$test1$test2, the resulting string that is sent for RADIUS authentication is user1. Thus, when strip domain is configured for a domain map as well as a nondefault virtual router, depending on the configurations, the domain name may be stripped twice: once at the virtual router level and then at the domain map level.

To prevent the domain name from being stripped twice for the same subscriber, you must ensure that the strip domain functionality is configured appropriately for the domain map and for the nondefault virtual router.

Redirected Authentication When Strip Domain Is Enabled

Strip domain configured on a virtual router does not work in case of a redirected authentication. In a redirected authentication, the RADIUS server sends an Access-Accept message for a subscriber from the virtual router on which the subscriber is already authenticated.

For example, the aaa strip-domain command is configured on virtual router vr1. A subscriber with the username user1@123.com is already authenticated on vr1 using RADIUS server authentication. Now, if you send an Access-Request message to authenticate the same subscriber on vr1, the Access-Request message carries the original username, user1@123.com, which renders strip domain ineffective during redirected authentication.
