Cisco Bug: CSCsg37835 - ACS: authentication failed when username in UPN format

Last Modified

Mar 12, 2016

Products (1)

  • Cisco Secure Access Control Server for Windows

Known Affected Releases

4.1(1.18) 4.2(0.1)

Description (partial)

Symptom:
Authentication against ACS fails when the username is supplied in UPN format (e.g. username@domain.com) and an MS-CHAP related protocol (such as MS-PEAP) or PAP is used.
The failure is caused by incorrect domain stripping. It occurs when the user's Active Directory account is set up as follows:
User Windows logon name:
user1011@fakedomain.com
Pre-2000 name (SAM):
rootmix2\user101

Note that the username part of the UPN differs from the SAM name.

Steps to reproduce:
1) Create an MS-PEAP environment
2) Configure a user in AD as specified above
3) Try to authenticate, providing the username in UPN format (user1011@fakedomain.com)
4) Authentication will fail.

Conditions:
The SAM username is different from the UPN username.
Applies to PAP/CHAP and possibly to EAP-FAST authentications.
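
The following is an added illustration, not Cisco code and not taken from the bug report: it shows how stripping the domain from a UPN and then searching by SAM name misses the account described above, and how to list directory accounts that meet the bug's condition. The directory rows other than the first, the function names, and the lookup logic are assumptions; the page does not describe how ACS performs the lookup.

```python
# Constructed directory export: (userPrincipalName, NetBIOS domain, sAMAccountName).
# The first row is the account from the bug description; the others are made up.
DIRECTORY = [
    ("user1011@fakedomain.com", "rootmix2", "user101"),
    ("alice@fakedomain.com", "rootmix2", "alice"),
    ("bob.smith@fakedomain.com", "rootmix2", "bsmith"),
]


def strip_domain(login):
    """Naive stripping: drop '@suffix' or 'DOMAIN\\' and keep the bare name."""
    if "\\" in login:
        return login.split("\\", 1)[1]
    return login.split("@", 1)[0]


def find_by_sam(name):
    """Look up an account by its pre-2000 (SAM) name, case-insensitively."""
    for _upn, domain, sam in DIRECTORY:
        if sam.lower() == name.lower():
            return f"{domain}\\{sam}"
    return None


def find_by_upn(login):
    """Look up an account by its full UPN and return DOMAIN\\sAMAccountName."""
    for upn, domain, sam in DIRECTORY:
        if upn.lower() == login.lower():
            return f"{domain}\\{sam}"
    return None


def resolve_naive(login):
    """Strip first, then search by SAM name (assumed failing path)."""
    return find_by_sam(strip_domain(login))


def resolve_by_upn(login):
    """Resolve UPN logins by full UPN; fall back to SAM for other forms."""
    if "@" in login:
        return find_by_upn(login)
    return find_by_sam(strip_domain(login))


def accounts_at_risk():
    """Accounts meeting the bug's condition: UPN prefix differs from SAM name."""
    return [upn for upn, _, sam in DIRECTORY
            if upn.split("@", 1)[0].lower() != sam.lower()]
```

Running `accounts_at_risk()` over a real export of `userPrincipalName` and `sAMAccountName` gives the set of users who would need to log in with their SAM name on an affected release.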