I. Generally, users enter the domain like username@domainname and password
1. In interface mode, configure the force domain tage
The user name (username@domainname) sent to radius keeps consistent, but the authentication policy uses that in authentication domain configured for interface. The users accessed belong to force authentication domain, and they could be checked by display access-user command; if it is configured, they could be processed in accordance with the roaming tag, and the user name keeps consistent;
2. Turn on the switch of roaming domain (enabled by default) in interface mode:
Resolve the roam-character of user name which is defaulted to “：”; abstract the domain name before roaming character in user name for authentication;
The user name keeps consistent when sending to radius like username@domainname: roamdomain; another case is the domain name entered by the user does not exist, and the user will be authenticated in the authentication domain configured for the interface, so the user name is not changed yet when sending it to radius; if the switch of roaming is not turned on, the detection will not be performed on roaming characters, and the relevant domains will not be found, resulting in failure to access network.
3. In the interface mode, shut down the switch of roaming, without configuration of force
At this point, if the corresponding domain name is not found, it will get offline, sending CUT packet to CM;
Summary: If the user has entered the domain name, the priority of force is higher than that of roaming, although the user name keeps consistent;
II. The user does not enter the domain name (the default authentication domain under the interface is default1, and default pre-authentication domain is default0)
1. Non-roaming and non-force
Authenticate the user according to the policies under default authentication domain (default-domain authentication <authendomain>) the configured for the interface; additionally, the user name will be added a domain name, then sending to radius, like username@authendomain
Similar to Step 1
By default, the default authentication domain under the interface is identical to that of roaming (default1)Summary: in the case that no domain name is entered by a user, it is defaulted to add default1 before sending to radius, but if the interface is configured with authentication domain, its name will be the basis of analysis and it will be reported to radius.