Stripping the Domain Name
The router provides a feature that strips the domain
name from the username before it sends the name to the RADIUS server
in an Access-Request message. You can enable or disable this feature
using the strip-domain command.
By default, the domain name is the text after the
last @ character. However, if you change the domain name parsing
by using the aaa delimiter, aaa parse-order, or aaa parse-direction
command, the router strips the domain
name and delimiter that result from the parsing.
aaa delimiter
- Use to configure delimiters for the domain and realm names.
Specify one of the following keywords:
- domainName—Configures
domain name delimiters. The default domain name delimiter is @.
- realmName—Configures
realm name delimiters. The default realm name delimiter is NULL (no
character). In this case, realm parsing is disabled (having no delimiter
disables realm parsing).
- You can specify up to eight delimiters each for domain
name and realm name.
- Example
- host1(config)#aaa delimiter domainName @*/
- Use the no version to return
to the default.
- See aaa delimiter
aaa parse-direction
- Use to specify the direction the router uses to parse
the username for the domain or realm name.
- domainName—Specifies
that the domain name is parsed. The router performs domain parsing
from right to left by default.
- realmName—Specifies
that the realm name is parsed. The router performs realm parsing from
left to right by default.
- left-to-right—Router
searches from the left-most character. When the router reaches a realm
delimiter, it uses anything to the left of the delimiter as the domain.
When the router reaches a domain delimiter, it uses anything to the
right of the delimiter as the domain.
- right-to-left—Router
searches from the right-most character. When the router reaches a
realm delimiter, it uses anything to the left of the delimiter as
the domain. When the router reaches a domain delimiter, it uses anything
to the right of the delimiter as the domain.
- Example
- host1(config)#aaa parse-direction domainName left-to-right
- Use the no version to return
to the default: right-to-left parsing for domain names and left-to-right
parsing for realm names.
- See aaa parse-direction
aaa parse-order
- Use to specify which part of a username the router uses
as the domain name. If a user’s name contains both a realm name
and a domain name, you can configure the router to use either name
as the domain name.
- domain-first—Router
searches for a domain name first. When the router reaches a domain
delimiter, it uses anything to the right of the delimiter as the domain
name. For example, if the username is usEast/lori@abc.com, the domain
name is abc.com. If the router does not find a domain name, it then
searches for a realm name if the realm delimiter is specified.
- realm-first—Router searches
for a realm name first. When the router reaches a realm delimiter,
it uses anything to the left of the delimiter as the domain. For example,
if the username is usEast/lori@abc.com, the domain name is usEast.
If no realm name is found, the router searches for a domain name.
- Example
- host1(config)#aaa parse-order domain-first
- Use the no version to return
to the default, realm first.
- See aaa parse-order
strip-domain
- Use to strip the domain name from the username before
sending an access-request message to the RADIUS server.
- By default, the domain name is the text after the last
@ character. However, if you change the domain name parsing by using
the aaa delimiter, aaa parse-order, or aaa parse-direction command,
the router strips the domain name and delimiter that result
from the parsing.
- To stop stripping the username, use the disable keyword.
- Example
- host1(config)#aaa domain-map xyz.com
- host1(config-domain-map)#strip-domain enable
- Use the no version to return
to the default, disabled.
- See strip-domain
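The following Python sketch is an added example, not router code: it models the delimiter, parse-order, and parse-direction rules described above to show which domain is selected and which name would remain after stripping. The function and parameter names are hypothetical, and it assumes stripping removes exactly the selected domain (or realm) text plus the one delimiter that matched.

```python
# Simplified model of the parsing rules on this page; not JunosE code.
# All function and parameter names here are hypothetical.

def find_delimiter(username, delimiters, direction):
    """Index of the first delimiter met when scanning in `direction`, else -1."""
    indexes = range(len(username))
    if direction == "right-to-left":
        indexes = reversed(indexes)
    for i in indexes:
        if username[i] in delimiters:
            return i
    return -1

def parse_username(username, domain_delims="@", realm_delims="",
                   order="realm-first", domain_dir="right-to-left",
                   realm_dir="left-to-right"):
    """Return (domain, name_after_strip) using the defaults the page documents."""
    def by_domain():
        i = find_delimiter(username, domain_delims, domain_dir)
        # Text to the right of a domain delimiter is the domain name.
        return (username[i + 1:], username[:i]) if i >= 0 else None

    def by_realm():
        if not realm_delims:  # NULL realm delimiter: realm parsing is disabled
            return None
        i = find_delimiter(username, realm_delims, realm_dir)
        # Text to the left of a realm delimiter is used as the domain name.
        return (username[:i], username[i + 1:]) if i >= 0 else None

    steps = (by_domain, by_realm) if order == "domain-first" else (by_realm, by_domain)
    for step in steps:
        result = step()
        if result is not None:
            return result
    return (None, username)  # no delimiter found, nothing to strip

if __name__ == "__main__":
    # Constructed usernames; the first is the one used in the aaa parse-order text.
    name = "usEast/lori@abc.com"
    print(parse_username(name, realm_delims="/", order="domain-first"))
    print(parse_username(name, realm_delims="/", order="realm-first"))
    print(parse_username(name, domain_delims="@*/", domain_dir="left-to-right"))
    print(parse_username("lori@dept@abc.com"))
    print(parse_username("lori@dept@abc.com", domain_dir="left-to-right"))
```

The same username yields a different domain and a different stripped name as the settings change, so confirm that the name form the RADIUS server expects matches the parsing configuration before enabling strip-domain.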