To configure a network access server (NAS) to strip suffixes, or to strip both suffixes and prefixes from the username before
forwarding the username to the remote TACACS+ server, use the tacacs-server domain-stripping command in global configuration mode. To disable a stripping configuration, use the no form of this command.
tacacs-server domain-stripping [ [right-to-left] [prefix-delimiter character [character2 . . . character7]] [delimiter character [character2 . . . character7]] | strip-suffix suffix] [vrf vrf-name]
no tacacs-server domain-stripping [ [right-to-left] [prefix-delimiter character [character2 . . . character7]] [delimiter character [character2 . . . character7]] | strip-suffix suffix] [vrf vrf-name]
Syntax Description

right-to-left
    (Optional) Specifies that the NAS will apply the stripping configuration at the first delimiter found when parsing the full username from right to left. The default is for the NAS to apply the stripping configuration at the first delimiter found when parsing the full username from left to right.

prefix-delimiter character [character2 ... character7]
    (Optional) Enables prefix stripping and specifies the character or characters that will be recognized as a prefix delimiter. Valid values for the character argument are @, /, $, %, \, #, and -. Multiple characters can be entered without intervening spaces. Up to seven characters can be defined as prefix delimiters, which is the maximum number of valid characters. If a \ is entered as the final or only value for the character argument, it must be entered as \\. No prefix delimiter is defined by default.

delimiter character [character2 ... character7]
    (Optional) Specifies the character or characters that will be recognized as a suffix delimiter. Valid values for the character argument are @, /, $, %, \, #, and -. Multiple characters can be entered without intervening spaces. Up to seven characters can be defined as suffix delimiters, which is the maximum number of valid characters. If a \ is entered as the final or only value for the character argument, it must be entered as \\. The default suffix delimiter is the @ character.

strip-suffix suffix
    (Optional) Specifies a suffix to strip from the username.

vrf vrf-name
    (Optional) Restricts the domain stripping configuration to a Virtual Private Network (VPN) routing and forwarding (VRF) instance. The vrf-name argument specifies the name of a VRF.
Command Default
Stripping is disabled. The full username is sent to the TACACS+ server.
Command Modes
Global configuration (config)
Command History

Release        Modification
12.4(4)T       This command was introduced.
12.2(33)SRE    This command was integrated into Cisco IOS Release 12.2(33)SRE.
XE 2.5         This command was integrated into Cisco IOS Release XE 2.5.
Usage Guidelines
Use the tacacs-server domain-stripping command to configure the NAS to strip the domain from a username before forwarding the username to the TACACS+ server. If
the full username is user1@cisco.com, enabling the tacacs-server domain-stripping command results in the username "user1" being forwarded to the TACACS+ server.
Use the right-to-left keyword to specify that the username should be parsed for a delimiter from right to left, rather than from left to right.
This allows strings with two instances of a delimiter to strip the username at either delimiter. For example, if the username
is user@cisco.com@cisco.net, the suffix could be stripped in two ways. The default direction (left to right) would result
in the username "user" being forwarded to the TACACS+ server. Configuring the right-to-left keyword would result in the username "user@cisco.com" being forwarded to the TACACS+ server.
Use the prefix-delimiter keyword to enable prefix stripping and to specify the character or characters that will be recognized as a prefix delimiter.
The first configured character that is parsed will be used as the prefix delimiter, and any characters before that delimiter
will be stripped.
Use the delimiter keyword to specify the character or characters that will be recognized as a suffix delimiter. The first configured character
that is parsed will be used as the suffix delimiter, and any characters after that delimiter will be stripped.
Use strip-suffix suffix to specify a particular suffix to strip from usernames. For example, configuring the tacacs-server domain-stripping strip-suffix cisco.net command results in the suffix being stripped from the username user@cisco.net, while the username user@cisco.com is not stripped.
You may configure multiple suffixes for stripping by issuing multiple instances of the tacacs-server domain-stripping command. The default suffix delimiter is the @ character.
Note: Issuing the tacacs-server domain-stripping strip-suffix suffix command disables the capacity to strip suffixes from all domains. Both the suffix delimiter and the suffix must match for the suffix to be stripped from the full username. The default suffix delimiter of @ will be used if you do not specify a different suffix delimiter or set of suffix delimiters using the delimiter keyword.

Note: Issuing the no tacacs-server host command reconfigures the TACACS server host information. You can view the contents of the current running configuration file using the show running-config command.
To apply a domain-stripping configuration only to a specified VRF, use the vrf vrf-name option.
The interactions between the different types of domain stripping configurations are as follows:
- You may configure only one instance of the tacacs-server domain-stripping [right-to-left] [prefix-delimiter character [character2 ... character7]] [delimiter character [character2 ... character7]] command.
- You may configure multiple instances of the tacacs-server domain-stripping [right-to-left] [prefix-delimiter character [character2 ... character7]] [delimiter character [character2 ... character7]] [vrf vrf-name] command with unique values for vrf vrf-name.
- You may configure multiple instances of the tacacs-server domain-stripping strip-suffix suffix [vrf vrf-name] command to specify multiple suffixes to be stripped as part of a global or per-VRF ruleset.
- Issuing any version of the tacacs-server domain-stripping command automatically enables suffix stripping using the default delimiter character @ for that ruleset, unless a different delimiter or set of delimiters is specified.
- Configuring a per-suffix stripping rule disables generic suffix stripping for that ruleset. Only suffixes that match the configured suffix or suffixes will be stripped from usernames.
Examples
The following example shows how to configure the router to parse the username from right to left and set the valid suffix
delimiter characters as @, \, and $. If the full username is cisco/user@cisco.com$cisco.net, the username "cisco/user@cisco.com"
will be forwarded to the TACACS+ server because the $ character is the first valid delimiter encountered by the NAS when parsing
the username from right to left.
tacacs-server domain-stripping right-to-left delimiter @\$
The following example shows how to configure the router to strip the domain name from usernames only for users associated
with the VRF instance named abc. The default suffix delimiter @ will be used for generic suffix stripping.
tacacs-server domain-stripping vrf abc
The following example shows how to enable prefix stripping using the character / as the prefix delimiter. The default suffix
delimiter character @ will be used for generic suffix stripping. If the full username is cisco/user@cisco.com, the username
"user" will be forwarded to the TACACS+ server.
tacacs-server domain-stripping prefix-delimiter /
The following example shows how to enable prefix stripping, specify the character / as the prefix delimiter, and specify the
character # as the suffix delimiter. If the full username is cisco/user@cisco.com#cisco.net, the username "user@cisco.com"
will be forwarded to the TACACS+ server.
tacacs-server domain-stripping prefix-delimiter / delimiter #
The following example shows how to enable prefix stripping, configure the character / as the prefix delimiter, configure the
characters $, @, and # as suffix delimiters, and configure per-suffix stripping of the suffix cisco.com. If the full username
is cisco/user@cisco.com, the username "user" will be forwarded to the TACACS+ server. If the full username is cisco/user@cisco.com#cisco.com,
the username "user@cisco.com" will be forwarded.
tacacs-server domain-stripping prefix-delimiter / delimiter $@#
tacacs-server domain-stripping strip-suffix cisco.com
The following example shows how to configure the router to parse the username from right to left and enable suffix stripping
for usernames with the suffix cisco.com. If the full username is cisco/user@cisco.net@cisco.com, the username "cisco/user@cisco.net"
will be forwarded to the TACACS+ server. If the full username is cisco/user@cisco.com@cisco.net, the full username will be
forwarded.
tacacs-server domain-stripping right-to-left
tacacs-server domain-stripping strip-suffix cisco.com
The following example shows how to configure a set of global stripping rules that will strip the suffix cisco.com using the
delimiter @, and a different set of stripping rules for usernames associated with the VRF named myvrf:
tacacs-server domain-stripping strip-suffix cisco.com
!
tacacs-server domain-stripping prefix-delimiter # vrf myvrf
tacacs-server domain-stripping strip-suffix cisco.net vrf myvrf
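The username that leaves the NAS is the identity the TACACS+ server authenticates and authorizes, so it is worth confirming which name a delimiter set will produce before a stripping rule is committed. The following Python model is an added example, not Cisco IOS code: it implements one reading of the rules in this reference (delimiters are scanned in the configured direction; in generic mode the first delimiter found wins; in per-suffix mode the first delimiter whose remainder equals a configured suffix wins, and the parsing direction is assumed to apply to prefix stripping as well) and reproduces the forwarded usernames stated in the examples above. The names StripRules, delimiter_positions and strip_username, the ruleset constants, and the input corp#user@cisco.net used for the myvrf ruleset are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Delimiter characters this command accepts for prefix-delimiter and delimiter.
VALID_DELIMITERS = set("@/$%\\#-")


@dataclass
class StripRules:
    """One stripping ruleset: the global one, or the one bound to a VRF.

    Assumed name; models a single tacacs-server domain-stripping ruleset.
    """
    right_to_left: bool = False
    prefix_delimiters: str = ""       # empty: prefix stripping is not enabled
    suffix_delimiters: str = "@"      # default suffix delimiter is @
    strip_suffixes: List[str] = field(default_factory=list)  # empty: generic suffix stripping

    def __post_init__(self) -> None:
        for delims in (self.prefix_delimiters, self.suffix_delimiters):
            if len(delims) > 7:
                raise ValueError("at most seven delimiter characters may be configured")
            bad = set(delims) - VALID_DELIMITERS
            if bad:
                raise ValueError(f"invalid delimiter character(s): {sorted(bad)}")


def delimiter_positions(username: str, delimiters: str, right_to_left: bool) -> List[int]:
    """Indexes of configured delimiter characters, in the order the NAS parses them."""
    positions = [i for i, ch in enumerate(username) if ch in delimiters]
    return positions[::-1] if right_to_left else positions


def strip_username(username: str, rules: Optional[StripRules]) -> str:
    """Return the username that would be forwarded to the TACACS+ server.

    rules=None models the command default: stripping disabled, full username sent.
    """
    if rules is None:
        return username

    # Prefix stripping: the first configured prefix delimiter found (in the
    # configured parsing direction; assumed to apply to prefixes as well as
    # suffixes) becomes the prefix delimiter and everything before it is removed.
    if rules.prefix_delimiters:
        found = delimiter_positions(username, rules.prefix_delimiters, rules.right_to_left)
        if found:
            username = username[found[0] + 1:]

    # Suffix stripping. Generic mode strips at the first suffix delimiter found.
    # Per-suffix mode (strip-suffix configured) disables generic stripping: both
    # the delimiter and the text after it must match a configured suffix.
    for i in delimiter_positions(username, rules.suffix_delimiters, rules.right_to_left):
        if not rules.strip_suffixes or username[i + 1:] in rules.strip_suffixes:
            return username[:i]
    return username


# Rulesets corresponding to the examples in this reference (assumed names).
RTL_THREE_DELIMS = StripRules(right_to_left=True, suffix_delimiters="@\\$")
PREFIX_SLASH = StripRules(prefix_delimiters="/")
PREFIX_SLASH_HASH = StripRules(prefix_delimiters="/", suffix_delimiters="#")
PREFIX_PER_SUFFIX = StripRules(prefix_delimiters="/", suffix_delimiters="$@#",
                               strip_suffixes=["cisco.com"])
RTL_PER_SUFFIX = StripRules(right_to_left=True, strip_suffixes=["cisco.com"])
GLOBAL_RULES = StripRules(strip_suffixes=["cisco.com"])                        # global ruleset
MYVRF_RULES = StripRules(prefix_delimiters="#", strip_suffixes=["cisco.net"])  # vrf myvrf


if __name__ == "__main__":
    cases = [
        ("cisco/user@cisco.com$cisco.net", RTL_THREE_DELIMS),
        ("cisco/user@cisco.com", PREFIX_SLASH),
        ("cisco/user@cisco.com#cisco.net", PREFIX_SLASH_HASH),
        ("cisco/user@cisco.com#cisco.com", PREFIX_PER_SUFFIX),
        ("cisco/user@cisco.com@cisco.net", RTL_PER_SUFFIX),
        ("corp#user@cisco.net", MYVRF_RULES),  # constructed input for the per-VRF ruleset
    ]
    for name, rules in cases:
        print(f"{name:35} -> {strip_username(name, rules)}")
```

Running the block prints the forwarded name for each documented example; to check a proposed rule, build a StripRules from the intended command and feed it the username formats your users actually log in with, including ones with more than one delimiter, since those are where left-to-right and right-to-left parsing diverge.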