Radius-Server Domain-Stripping Enhancements

Feature History

Release      Modification
12.2(15)B    This feature was introduced on the Cisco 7200 series and Cisco 7400 ASR.

This document describes the Radius-Server Domain-Stripping Enhancements feature in Cisco IOS Release 12.2(15)B. It includes the following sections:

• Feature Overview
• Supported Platforms
• Supported Standards, MIBs, and RFCs
• Configuration Tasks
• Configuration Examples
• Command Reference

Feature Overview

The Radius-Server Domain-Stripping Enhancements feature introduces two new configuration options to the radius-server domain-stripping command—the right-to-left and delimiter options.

Before this feature, whenever the radius-server domain-stripping command was enabled, the authentication, authorization, and accounting (AAA) username format “[email protected]” could be sent to remote RADIUS servers only as the reformatted username “user.” (That is, the reformatted username was formed from the original string but terminated at the first “@” character going from left to right.) This functionality limited the choice of usernames if there was more than one “@” character within the string. It also limited the domain delimiter to the “@” character because any other possible characters (such as the “%” character) could not be used.

The right-to-left and delimiter options address these limitations in the following ways:

• The right-to-left option parses the username in the reverse direction (from right to left) so that the username “[email protected]” can also be sent in AAA requests.
• The delimiter option configures a combination of characters (@, $, %, /, -, and \) to be the set of domain delimiter characters.

Note: Any of the domain delimiters in the configured subset can be recognized, but whichever character comes first when searching the original username string is recognized first.
Cisco IOS Release 12.2(15)B

Benefits

This feature introduces support for the following two variations of a AAA username:

• The right-to-left option, which configures a username with multiple domain delimiters
• The delimiter option, which configures a username with domain delimiters other than the “@” character.

Related Documents

For information on additional RADIUS commands and RADIUS configuration tasks, refer to the following documents:

• The chapter “Configuring RADIUS” in the Cisco IOS Security Configuration Guide, Release 12.2
• The chapter “RADIUS Commands” in the Cisco IOS Security Command Reference, Release 12.2

For information on enabling VRF-aware domain-stripping, refer to the following document:

• Per VRF AAA, Cisco IOS feature module Release 12.2(4)B

Supported Platforms

• Cisco 7200 series
• Cisco 7400 series

Availability of Cisco IOS Software Images

Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.
Supported Standards, MIBs, and RFCs

Standards

None

MIBs

None

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://tools.cisco.com/ITDIT/MIBS/servlet/index

If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to [email protected]. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:

http://www.cisco.com/register

RFCs

None

Configuration Tasks

See the following sections for configuration tasks for the Radius-Server Domain-Stripping Enhancements feature. Each task in the list is identified as either required or optional.

• Configuring Right-to-Left Support (required)
• Configuring Delimiter Support (required)
• Verifying Right-to-Left and Delimiter Configurations (optional)

Configuring Right-to-Left Support

To enable the right-to-left option to support a username with multiple domain delimiters, use the following command in global configuration mode:

Command: Router(config)# radius-server domain-stripping [right-to-left] [vrf vrf-name]

Purpose: Enables domain-stripping.

• right-to-left—Parses the username in reverse direction (from right to left).
• vrf vrf-name—Specifies the per-VRF configuration.

Note: This option works for VRF users and non-VRF users.

Note: This option works independently from the delimiter option.
Configuring Delimiter Support

To enable the delimiter option to support a username with domain delimiters other than the “@” character, use the following command in global configuration mode:

Command: Router(config)# radius-server domain-stripping [right-to-left] [vrf vrf-name]

Purpose: Enables domain-stripping.

• delimiter string1[string2... string7]—Configures a character or combination of characters to be the domain delimiter character set. Available character options are @, #, $, %, /, -, and \.
• vrf vrf-name—Specifies the per-VRF configuration.

Note: This option works for VRF users and non-VRF users.

Note: This option works independently from the right-to-left option.

Verifying Right-to-Left and Delimiter Configurations

To verify feature functionality, use the following command in EXEC mode:

Command: Router# debug radius

Purpose: Checks whether the reformatted username attribute is sent to the RADIUS server in authentication and accounting requests.

Configuration Examples

This section provides the following configuration examples:

• Right-to-Left Configuration Example
• Delimiter Character Set Example

Right-to-Left Configuration Example

The following example shows a configuration that strips the domain name from the VRF “abc” and strips the domain name from right to left for the non-VRF and VRF “def.” In this example, VRF “abc” has the original username “[email protected][email protected],” and the reformatted version “user1” will be used in requests that are sent to RADIUS servers. The non-VRF has the username “[email protected]@isp.net,” and the reformatted version “[email protected]” will be used. VRF “def” has the original format “[email protected]@isp.net,” and the reformatted version “[email protected]” will be used.
    radius-server domain-stripping vrf abc
    radius-server domain-stripping right-to-left
    radius-server domain-stripping right-to-left vrf def

Delimiter Character Set Example

The following example shows a configuration that strips the domain name from the VRF “abc,” strips the domain name from VRF “def” at the “%” string, and strips the domain name from the VRF “ghi” from right to left at the delimiter character set @, $, /:

    radius-server domain-stripping vrf abc
    radius-server domain-stripping delimiter % vrf def
    radius-server domain-stripping right-to-left delimiter @$/ vrf ghi

After the domain stripping is complete, the corresponding usernames are sent to the RADIUS server as described in Table 1.

Table 1    radius-server domain-stripping Reformatted Username Examples

Original Username                     Reformatted Username
[email protected]@isp.net%mfxxx       user1
[email protected]@isp.net%mfxxx       [email protected]@isp.net
[email protected]@isp.net%mfxxx       [email protected]

Command Reference

This section documents a new command. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.

• radius-server domain-stripping

radius-server domain-stripping

To enable domain stripping, use the radius-server domain-stripping command in global configuration mode. To remove this command from your configuration, use the no form of this command.

    radius-server domain-stripping [right-to-left] [delimiter string1, [string2... string7]] [vrf vrf-name]

    no radius-server domain-stripping [right-to-left] [delimiter string1, [string2... string7]] [vrf vrf-name]

Syntax Description

right-to-left
    (Optional) Parses the username in reverse direction (from right to left).

delimiter string1, [string2... string7]
    (Optional) Configures a character or combination of characters to be the domain delimiter character set. Available character options are @, #, $, %, /, -, and \.

    Note: Do not put the \ string as the final character unless it is the only character string being used.

vrf vrf-name
    (Optional) Specifies the per-VRF configuration.

Defaults

RADIUS server domain-stripping is not configured. The username is parsed from left to right. The default delimiter string is @.

Command Modes

Global configuration

Command History

Release      Modification
12.2(2)DD    This command was introduced.
12.2(4)B     This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(15)B    The right-to-left and delimiter string1, [string2... string7] options were added.

Usage Guidelines

Use the radius-server domain-stripping command to strip or truncate the domain from a username. For example, if the username is [email protected] and the radius-server domain-stripping command is configured, only “user1” is sent out as the username.

When the right-to-left keyword is configured, the username is parsed in the reverse direction. For example, if this keyword is not enabled, “user” is the only available username for [email protected]@isp.net. However, if this keyword is enabled, the username “[email protected].” can also be sent in authentication, authorization, and accounting (AAA) requests.

When the delimiter string1, [string2... string7] option is configured, a character set of domain delimiters is configured in the username. Any of the domain delimiters in the configured subset can be recognized, but whichever character comes first when searching the original username string is recognized first.

The right-to-left and delimiter keywords work for VRF and non-VRF users. Also, each keyword works independently of the other.
When the vrf vrf-name option is configured, domain stripping applies only to the specified VRF.

Examples

The following example shows a configuration that strips the domain name from the VRF “abc” and strips the domain name from right to left for the non-VRF and VRF “def.” In this example, VRF “abc” has the original username “[email protected][email protected],” and the reformatted version “user1” will be used in requests that are sent to RADIUS servers. The non-VRF has the username “[email protected]@isp.net,” and the reformatted version “[email protected]” will be used. VRF “def” has the original format “[email protected]@isp.net,” and the reformatted version “[email protected]” will be used.

    radius-server domain-stripping vrf abc
    radius-server domain-stripping right-to-left
    radius-server domain-stripping right-to-left vrf def

The following example shows a configuration that strips the domain name from the VRF “abc,” strips the domain name from VRF “def” at the “%” string, and strips the domain name from the VRF “ghi” from right to left at the delimiter character set @, $, /:

    radius-server domain-stripping vrf abc
    radius-server domain-stripping delimiter % vrf def
    radius-server domain-stripping right-to-left delimiter @$/ vrf ghi

After the domain stripping is complete, the corresponding usernames are sent to the RADIUS server as follows:

Original Username                     Reformatted Username
[email protected]@isp.net%mfxxx       user1
[email protected]@isp.net%mfxxx       [email protected]@isp.net
[email protected]@isp.net%mfxxx       [email protected]
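The parsing rules described above, modeled in Python as an added example (not Cisco IOS code and not part of the original document): it shows which username each VRF in the delimiter character set example would send, and flags logins whose result depends on the parse direction. The function names, the policy table and the sample username are constructed for illustration; returning a username with no delimiter unchanged is an assumption.

```python
# Added illustration, not Cisco IOS code: models the stripping rules described
# in this document. Function names, policy table and sample data are constructed.

ALLOWED_DELIMITERS = set("@#$%/-\\")  # character options listed in the command reference
DEFAULT_DELIMITERS = "@"              # documented default delimiter string


def strip_domain(username, delimiters=DEFAULT_DELIMITERS, right_to_left=False):
    """Return the username left after stripping at the first delimiter found
    in the chosen search direction."""
    if not delimiters or set(delimiters) - ALLOWED_DELIMITERS:
        raise ValueError(f"unsupported delimiter set: {delimiters!r}")
    hits = [i for i, ch in enumerate(username) if ch in delimiters]
    if not hits:
        return username  # assumption: no delimiter means nothing is stripped
    cut = hits[-1] if right_to_left else hits[0]
    return username[:cut]


def direction_sensitive(username, delimiters=DEFAULT_DELIMITERS):
    """True when left-to-right and right-to-left parsing disagree, i.e. the
    identity the RADIUS server sees depends on the configured direction."""
    return (strip_domain(username, delimiters, False)
            != strip_domain(username, delimiters, True))


# Mirrors the per-VRF delimiter character set example (VRFs abc, def, ghi).
VRF_POLICY = {
    "abc": {},
    "def": {"delimiters": "%"},
    "ghi": {"delimiters": "@$/", "right_to_left": True},
}

# Constructed sample username with two "@" characters and one "%".
SAMPLE = "user1@example.com@isp.example%mfxxx"


def reformatted_usernames(username, policy=VRF_POLICY):
    """Map each VRF name to the username it would send for this login."""
    return {vrf: strip_domain(username, **opts) for vrf, opts in policy.items()}


if __name__ == "__main__":
    for vrf, name in reformatted_usernames(SAMPLE).items():
        print(f"vrf {vrf}: {name}")
    print("direction-sensitive with '@':", direction_sensitive(SAMPLE))
```

Comparing this model's output with the username attribute shown by debug radius is a quick way to confirm that the router and the RADIUS server agree on which identity is being authenticated.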