To provide flexibility in how the router handles different types of usernames, the software lets you specify the part of a username to use as the domain name, how the domain name is designated, and how the router parses names. It also allows you to set whether or not the router strips the domain name from the username before it sends the username to the RADIUS server.
By default, the router parses usernames as follows:
realmName/personalName@domainName
The string to the left of the forward slash (/) is the realm name, and the string to the right of the at-symbol (@) is the domain name. For example, in the username juniper/jill@abc.com, juniper is the realm name and abc.com is the domain name.
The router allows you to:
To provide these features, the router allows you to specify delimiters for the domain name and realm name. You can use up to eight one-character delimiters each for domain and realm names. The router also lets you specify how it parses usernames to determine which part of a username to use as the domain name.
The following sections describe domain name and realm name:
Typically, a realm appears before the user field and is separated with the / character; for example, usEast/jill@abc.com. To use the realm name usEast rather than abc.com as the domain name, set the realm name delimiter to /. For example:
This command causes the router to use the string to the left of the / as the domain name. If the realm name delimiter is null (the default), the router will not search for the realm name.
You can set up the router to recognize delimiters other than @ to designate the domain name. Suppose there are two users: bob@abc.com and pete!xyz.com, and you want to use both of their domain names. In this case you would set the domain name delimiter to @ and !. For example:
If the username contains both a realm name and a domain name delimiter, you can use either the domain name or the realm name as the domain name. As previously mentioned, the router treats usernames with multiple delimiters as though the realm name is to the left of the realm delimiter and the domain name is to the right of the domain delimiter.
If you set the parse order to:
For example, if you set the delimiter for the realm name to / and set the delimiter for the domain name to @, the router parses the realm first by default. The username usEast/lori@abc.com results in a domain name of usEast. To cause the parsing to return abc.com as the domain, enter the aaa parse-order domain-first command.
You can specify the direction—either left to right or right to left—in which the router performs the parsing operation when identifying the realm name or domain name. This feature is particularly useful if the username contains nested realm or domain names. For example, for a username of userjohn@abc.com@xyz.com, you can identify the domain as either abc.com@xyz.com or as xyz.com, depending on the parse direction that you specify.
You use either the left-to-right or right-to-left keywords with one of the following keywords to specify the type of search and parsing that the router performs:
The router provides a feature that strips the domain name from the username before it sends the name to the RADIUS server in an Access-Request message. You can enable or disable this feature using the strip-domain command.
By default, the domain name is the text after the last @ character. However, if you changed the domain name parsing using the aaa delimiter, aaa parse-order, or aaa parse-direction commands, the router strips the domain name and delimiter that result from that parsing.
The aaa domain-map command maps a domain name to a virtual router. It determines the authentication and accounting access for all subscribers belonging to a particular domain. However, if a subscriber profile is configured for a virtual router using the ppp authentication command, the authentication for the virtual router configured at the profile level takes priority over the one configured at the domain level. If multiple profiles from the same domain are being used, the subscribers may end up in different virtual routers for authentication.
In such a scenario, you can use the aaa strip-domain command to strip a part of the user name of the subscriber. The resulting user name is then used as the new user name for that subscriber for RADIUS authentication and accounting.
Note: The aaa strip-domain command can be configured on non-default virtual routers only.
When strip domain is enabled for a virtual router, the user name used to identify the subscriber session for RADIUS Initiated Disconnect (RID), Change of Authorization (CoA), and lawful intercept requests is the same as the subscriber user name sent to the RADIUS server for authentication.
For example, if a subscriber with user name user1@123.com$test1 has a resulting user name of user1@123.com due to the strip domain configuration, then the user name for all the incoming RID and CoA requests and the lawful intercept requests is user1@123.com.
This new user name, which has been used for RADIUS server authentication, is also the name displayed by the show subscribers and logout subscribers commands.
When strip domain is enabled for an AAA domain map using the strip-domain enable command in the Domain Map Configuration mode, the strip domain configured for a virtual router may cause the user name stripping to happen twice depending on the configuration.
For example, consider a subscriber with user name user1@test.com$test1$test2. Consider the following configurations for a domain map:
The following has also been configured on the non-default virtual router:
In this example, when the domain name is stripped for the subscriber with user name user1@test.com$test1$test2, the resulting string that is sent for RADIUS authentication is user1. Thus, when strip domain is configured for a domain map as well as a non-default virtual router, depending on the configurations, the domain name may get stripped twice, once at the virtual router level and then at the domain map level.
In order to prevent the domain name from being stripped twice for the same subscriber, you must ensure that the strip domain functionality is configured appropriately for the domain map and for the non-default virtual router.
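The following is an added example, not Juniper's code, that models the parsing rules described earlier (realm and domain delimiters, parse order, parse direction) and the strip-domain result, then models the double strip just described. The virtual-router and domain-map configurations used for the double strip are assumptions, chosen so that the page's user1@123.com$test1 and user1@test.com$test1$test2 examples produce the names the page states; how the scan direction applies to the realm part is also an assumption.

```python
# Added example (not Juniper's code): a model of the JunosE username parsing
# rules described above. Realm and domain delimiters, parse order and parse
# direction follow the page's statements; applying the scan direction to the
# realm part and the two-stage strip at the end are assumptions.

def _locate(name, delims, direction):
    """Index and delimiter of the first match when scanning in `direction`."""
    if direction == "left-to-right":
        hits = [(name.find(d), d) for d in delims if d in name]
        return min(hits) if hits else (None, None)
    hits = [(name.rfind(d), d) for d in delims if d in name]
    return max(hits) if hits else (None, None)

def parse_username(name, realm_delims="", domain_delims="@",
                   parse_order="realm-first", direction="right-to-left"):
    """Return (domain_name, username_after_strip_domain).

    realm-first (default): the text left of a realm delimiter is the domain;
    a domain delimiter is searched only when no realm delimiter is present.
    domain-first: the text right of a domain delimiter is tried first.
    strip-domain removes the domain found by the parse plus its delimiter."""
    def realm():
        i, d = _locate(name, realm_delims, direction)
        return None if i is None else (name[:i], name[i + len(d):])

    def domain():
        i, d = _locate(name, domain_delims, direction)
        return None if i is None else (name[i + len(d):], name[:i])

    probes = (realm, domain) if parse_order == "realm-first" else (domain, realm)
    for probe in probes:
        found = probe()
        if found:
            return found
    return None, name  # no delimiter present: nothing to strip

def strip_twice(name, vr_cfg, domain_map_cfg):
    """Assumed model of the double strip: the virtual-router strip runs first,
    then the domain-map strip runs on what is left."""
    _, once = parse_username(name, **vr_cfg)
    _, twice = parse_username(once, **domain_map_cfg)
    return once, twice

if __name__ == "__main__":
    print(parse_username("usEast/lori@abc.com", "/", "@"))
    print(parse_username("usEast/lori@abc.com", "/", "@", "domain-first"))
    vr = {"domain_delims": "$", "direction": "left-to-right"}
    print(strip_twice("user1@test.com$test1$test2", vr, {"domain_delims": "@"}))
```

Running it shows the same subscriber name collapsing to user1 once both strip stages apply, which is the condition the text says you must configure around.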
Strip domain configured on a virtual router does not work in case of a redirected authentication. In an authentication redirection, the RADIUS server sends an access-accept message for a subscriber from the virtual router on which the subscriber is already authenticated.
For example, suppose aaa strip-domain is configured on virtual router vr1, and a subscriber with user name user1@123.com is already authenticated on vr1 through RADIUS server authentication. If an access request message now tries to authenticate the same subscriber on vr1, the access request message carries the original user name, user1@123.com, so strip domain has no effect during the authentication redirection.