Setting Up Domain Name and Realm Name Usage
To provide flexibility in how the router handles different types of usernames, the software lets you specify the part of a username to use as the domain name, how the domain name is designated, and how the router parses names. It also allows you to set whether or not the router strips the domain name from the username before it sends the username to the RADIUS server.
By default, the router parses usernames as follows:
realmName/personalName@domainName
The string to the left of the forward slash (/) is the realm name, and the string to the right of the at-symbol (@) is the domain name. For example, in the username juniper/jill@abc.com, juniper is the realm name and abc.com is the domain name.
The router allows you to:
- Use the realm name as the domain name.
- Use delimiters other than / to designate the realm name.
- Use delimiters other than @ to designate the domain name.
- Use either the domain name or the realm name as the domain name when the username contains both a realm name and a domain name.
- Change the direction in which the router searches for the domain name or the realm name.
To provide these features, the router allows you to specify delimiters for the domain name and realm name. You can use up to eight one-character delimiters each for domain and realm names. The router also lets you specify how it parses usernames to determine which part of a username to use as the domain name.
Using the Realm Name as the Domain Name
Typically, a realm appears before the user field and is separated from it by the / character; for example, usEast/jill@abc.com. To use the realm name usEast rather than abc.com as the domain name, set the realm name delimiter to /. For example:
host1(config)#aaa delimiter realmName /
This command causes the router to use the string to the left of the / as the domain name. If the realm name delimiter is null (the default), the router does not search for a realm name.
Using Delimiters Other Than @
You can set up the router to recognize delimiters other than @ to designate the domain name. Suppose there are two users, bob@abc.com and pete!xyz.com, and you want the router to recognize both domain names. In this case you would set the domain name delimiters to @ and !. For example:
host1(config)#aaa delimiter domainName @!
Using Either the Domain or the Realm as the Domain Name
If the username contains both a realm name and a domain name delimiter, you can use either the domain name or the realm name as the domain name. As previously mentioned, the router treats usernames with multiple delimiters as though the realm name is to the left of the realm delimiter and the domain name is to the right of the domain delimiter.
If you set the parse order to:
- domain-first—The router searches for a domain name first. For example, for username usEast/lori@abc.com, the domain name is abc.com.
- realm-first—The router searches for a realm name first and uses the realm name as the user’s domain name. For username usEast/lori@abc.com, the domain is usEast.
For example, if you set the delimiter for the realm name to / and set the delimiter for the domain name to @, the router parses the realm first by default. The username usEast/lori@abc.com results in a domain name of usEast. To cause the parsing to return abc.com as the domain, enter the aaa parse-order domain-first command.
Specifying the Domain Name or Realm Name Parse Direction
You can specify the direction—either left to right or right to left—in which the router performs the parsing operation when identifying the realm name or domain name. This feature is particularly useful if the username contains nested realm or domain names. For example, for a username of userjohn@abc.com@xyz.com, you can identify the domain as either abc.com@xyz.com or as xyz.com, depending on the parse direction that you specify.
You use either the left-to-right or right-to-left keywords with one of the following keywords to specify the type of search and parsing that the router performs:
- domainName—The router searches for the next domain delimiter value in the direction specified. When it reaches a delimiter, the router uses anything to the right of the delimiter as the domain name. Domain parsing is from right to left by default.
- realmName—The router searches for the next realm delimiter value in the direction specified. When it reaches a delimiter, the router uses anything to the left of the delimiter as the realm name. Realm parsing is from left to right by default.
- Example: host1(config)#aaa parse-direction domainName left-to-right
Stripping the Domain Name
The router provides a feature that strips the domain name from the username before it sends the name to the RADIUS server in an Access-Request message. You can enable or disable this feature using the strip-domain command.
By default, the domain name is the text after the last @ character. However, if you changed the domain name parsing using the aaa delimiter, aaa parse-order, or aaa parse-direction commands, the router strips the domain name and delimiter that result from the parsing.
aaa delimiter
- Use to configure delimiters for the domain and realm names.
Specify one of the following keywords:
- domainName—Configures domain name delimiters. The default domain name delimiter is @.
- realmName—Configures realm name delimiters. The default realm name delimiter is NULL (no character), which disables realm parsing.
- You can specify up to eight delimiters each for domain name and realm name.
- Example: host1(config)#aaa delimiter domainName @*/
- Use the no version to return to the default.
- See aaa delimiter
aaa parse-direction
- Use to specify the direction the router uses to parse the username for the domain or realm name.
- domainName—Specifies that the domain name is parsed. The router performs domain parsing from right to left by default.
- realmName—Specifies that the realm name is parsed. The router performs realm parsing from left to right by default.
- left-to-right—The router searches from the left-most character for the first configured delimiter. When it reaches a realm delimiter, it uses anything to the left of the delimiter as the realm name; when it reaches a domain delimiter, it uses anything to the right of the delimiter as the domain name.
- right-to-left—The router searches from the right-most character for the first configured delimiter. The realm name and domain name are taken from the same sides of the delimiter as for left-to-right: the realm name is to the left of a realm delimiter, the domain name to the right of a domain delimiter.
- Example: host1(config)#aaa parse-direction domainName left-to-right
- Use the no version to return to the default: right-to-left parsing for domain names and left-to-right parsing for realm names.
- See aaa parse-direction
aaa parse-order
- Use to specify which part of a username the router uses as the domain name. If a user's name contains both a realm name and a domain name, you can configure the router to use either name as the domain name.
- domain-first—Router searches for a domain name first. When the router reaches a domain delimiter, it uses anything to the right of the delimiter as the domain name. For example, if the username is usEast/lori@abc.com, the domain name is abc.com. If the router does not find a domain name, it then searches for a realm name if the realm delimiter is specified.
- realm-first—Router searches for a realm name first. When the router reaches a realm delimiter, it uses anything to the left of the delimiter as the domain name. For example, if the username is usEast/lori@abc.com, the domain name is usEast. If no realm name is found, the router searches for a domain name.
- Example: host1(config)#aaa parse-order domain-first
- Use the no version to return to the default, realm first.
- See aaa parse-order
strip-domain
- Use to strip the domain name from the username before sending an access-request message to the RADIUS server.
- By default, the domain name is the text after the last @ character. However, if you change the domain name parsing by using the aaa delimiter, aaa parse-order, or aaa parse-direction command, the router strips the domain name and delimiter that result from the parsing.
- To stop stripping the domain name, use the disable keyword.
- Example: host1(config)#aaa domain-map xyz.com
  host1(config-domain-map)#strip-domain enable
- Use the no version to return to the default, disabled.
- See strip-domain
Domain Name and Realm Name Examples
This section provides examples of possible domain or realm name results that you might obtain, depending on the commands and options you specify. This example uses the following username:
usEast/userjohn@abc.com@xyz.com
The results in Table 3 assume that the router is configured with a realm name delimiter of / (aaa delimiter realmName /), the default domain name delimiter @, and strip-domain enabled in the domain map, so that the resulting username is the name sent to the RADIUS server. The rows that change the domainName parse direction also assume aaa parse-order domain-first; under the default realm-first order the / delimiter is found first and the domain name is usEast regardless of the domain parse direction.
Table 3 shows the username and domain name that result from the parsing action of the various commands.
Table 3: Username and Domain Name Examples
| Command | Resulting Username | Resulting Domain Name |
|---|---|---|
| aaa parse-order realm-first | userjohn@abc.com@xyz.com | usEast |
| aaa parse-order domain-first | userjohn@abc.com | xyz.com |
| aaa parse-direction domainName right-to-left | userjohn@abc.com | xyz.com |
| aaa parse-direction domainName left-to-right | userjohn | abc.com@xyz.com |
| aaa parse-direction realmName right-to-left | userjohn@abc.com@xyz.com | usEast |
| aaa parse-direction realmName left-to-right | userjohn@abc.com@xyz.com | usEast |
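The parsing rules described above (delimiters, parse order, parse direction and strip-domain) and the results in Table 3, modelled as an added Python example. This is illustrative code written for this page, not Juniper software, and it does not touch the JunosE CLI. Its assumptions: the ParseConfig fields, the function names and the Table 3 setup (realm delimiter /, stripping enabled, and domain-first order for the domainName parse-direction rows) are the example's own choices, and the removal of the realm prefix together with the stripped domain name is inferred from the domain-first rows of Table 3 rather than stated in the text.

```python
"""Model of the username parsing rules described on this page.

Added example, not Juniper code: it mirrors the behaviour of aaa delimiter,
aaa parse-order, aaa parse-direction and strip-domain as the text describes it
and checks the result against Table 3.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_DELIMITERS = 8  # up to eight one-character delimiters each for domain and realm names


@dataclass
class ParseConfig:
    # One field per command; the defaults are the ones the page states.
    domain_delims: str = "@"                  # aaa delimiter domainName
    realm_delims: str = ""                    # aaa delimiter realmName (NULL: realm parsing disabled)
    parse_order: str = "realm-first"          # aaa parse-order
    domain_direction: str = "right-to-left"   # aaa parse-direction domainName
    realm_direction: str = "left-to-right"    # aaa parse-direction realmName
    strip_domain: bool = False                # strip-domain under aaa domain-map

    def __post_init__(self) -> None:
        for keyword, delims in (("domainName", self.domain_delims), ("realmName", self.realm_delims)):
            if len(delims) > MAX_DELIMITERS:
                raise ValueError(f"aaa delimiter {keyword}: at most {MAX_DELIMITERS} delimiters")
        if self.parse_order not in ("realm-first", "domain-first"):
            raise ValueError("aaa parse-order: realm-first or domain-first")
        for direction in (self.domain_direction, self.realm_direction):
            if direction not in ("left-to-right", "right-to-left"):
                raise ValueError("aaa parse-direction: left-to-right or right-to-left")


def _find_delimiter(name: str, delims: str, direction: str) -> Optional[int]:
    """Index of the first configured delimiter met when scanning name in the given direction."""
    if not delims:
        return None  # no delimiter configured: this kind of parsing is disabled
    order = range(len(name)) if direction == "left-to-right" else range(len(name) - 1, -1, -1)
    for i in order:
        if name[i] in delims:
            return i
    return None


def parse_username(name: str, cfg: ParseConfig) -> Tuple[str, Optional[str]]:
    """Return (username sent in the Access-Request, domain name) for name under cfg.

    Realm = text left of the realm delimiter; domain = text right of the domain
    delimiter. parse_order picks which is tried first, falling back to the other.
    With strip_domain the chosen domain name and its delimiter are removed; the
    realm prefix is removed too (inferred from the domain-first rows of Table 3).
    """
    realm_idx = _find_delimiter(name, cfg.realm_delims, cfg.realm_direction)
    domain_idx = _find_delimiter(name, cfg.domain_delims, cfg.domain_direction)
    realm = name[:realm_idx] if realm_idx is not None else None
    domain = name[domain_idx + 1:] if domain_idx is not None else None

    if cfg.parse_order == "realm-first":
        use_realm = realm is not None
    else:
        use_realm = domain is None and realm is not None
    chosen = realm if use_realm else domain
    if chosen is None or not cfg.strip_domain:
        return name, chosen

    user = name
    if not use_realm:
        user = user[:domain_idx]        # drop the domain delimiter and everything right of it
    if realm_idx is not None:
        user = user[realm_idx + 1:]     # drop the realm and its delimiter (a prefix, so indices hold)
    return user, chosen


def table_3() -> Dict[str, Tuple[str, Optional[str]]]:
    """Reproduce Table 3 for usEast/userjohn@abc.com@xyz.com.

    Assumed setup (implied by the page's table): realm delimiter /, stripping on.
    The domainName parse-direction rows also assume aaa parse-order domain-first;
    under the default realm-first order the / is found first and the domain is usEast.
    """
    name = "usEast/userjohn@abc.com@xyz.com"
    base = dict(realm_delims="/", strip_domain=True)
    rows = {
        "aaa parse-order realm-first": ParseConfig(**base, parse_order="realm-first"),
        "aaa parse-order domain-first": ParseConfig(**base, parse_order="domain-first"),
        "aaa parse-direction domainName right-to-left":
            ParseConfig(**base, parse_order="domain-first", domain_direction="right-to-left"),
        "aaa parse-direction domainName left-to-right":
            ParseConfig(**base, parse_order="domain-first", domain_direction="left-to-right"),
        "aaa parse-direction realmName right-to-left": ParseConfig(**base, realm_direction="right-to-left"),
        "aaa parse-direction realmName left-to-right": ParseConfig(**base, realm_direction="left-to-right"),
    }
    return {command: parse_username(name, cfg) for command, cfg in rows.items()}


if __name__ == "__main__":
    for command, (user, domain) in table_3().items():
        print(f"{command:48} {user:28} {domain}")
```

Because the parse direction decides which substring becomes the domain name, and the domain name is what a domain map such as aaa domain-map xyz.com is keyed on, a username with nested delimiters such as userjohn@abc.com@xyz.com yields abc.com@xyz.com under left-to-right domain parsing and xyz.com under the default right-to-left. Check which form your domain maps expect before changing the direction, and keep realm parsing disabled (the NULL default) unless usernames in the deployment actually carry a realm prefix.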