https://community.checkpoint.com/t5/SASE-and-Remote-Access/Strip-domain-part-from-username-in-Endpoint-Connect/m-p/110805#M9166 <P>Hello</P><P>One of our customer uses AD authentication when using remote access with Endpoint Connect. In the Endpoint Connect client, we are entering this AD username and password and this is working fine. The username is in the format:&nbsp;<EM>username</EM>.</P><P>But now, a second authentication step is needed with RADIUS and the RADIUS server requires the username to be in the pre-Windows 2000 format. So <EM>domain\username</EM>. We have configured the New Login Options feature within SmartConsole.</P><P>In this new setup, AD authentication works fine because the gateways recognizes the username by the entered username. But the second authentication step fails because the RADIUS server expects&nbsp;<EM>domain\username</EM> but just receives&nbsp;<EM>username.</EM></P><P>If we enter <EM>domain\username</EM> in the Endpoint Connect client we get an unkown user right away.</P><P>Can we strip the domain part of the username entered in Endpoint Connect so Check Point recognizes the user, but send the complete name (including the domain) to the RADIUS server? Has anyone ever done this before?</P><P>Thanks for any help.</P><P>Regards,<BR />Martijn</P> Mon, 15 Feb 2021 10:57:38 GMT Martijn 2021-02-15T10:57:38Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Strip-domain-part-from-username-in-Endpoint-Connect/m-p/110805#M9166 <P>Hello</P><P>One of our customer uses AD authentication when using remote access with Endpoint Connect. In the Endpoint Connect client, we are entering this AD username and password and this is working fine. The username is in the format:&nbsp;<EM>username</EM>.</P><P>But now, a second authentication step is needed with RADIUS and the RADIUS server requires the username to be in the pre-Windows 2000 format. So <EM>domain\username</EM>. We have configured the New Login Options feature within SmartConsole.</P><P>In this new setup, AD authentication works fine because the gateways recognizes the username by the entered username. But the second authentication step fails because the RADIUS server expects&nbsp;<EM>domain\username</EM> but just receives&nbsp;<EM>username.</EM></P><P>If we enter <EM>domain\username</EM> in the Endpoint Connect client we get an unkown user right away.</P><P>Can we strip the domain part of the username entered in Endpoint Connect so Check Point recognizes the user, but send the complete name (including the domain) to the RADIUS server? Has anyone ever done this before?</P><P>Thanks for any help.</P><P>Regards,<BR />Martijn</P> Mon, 15 Feb 2021 10:57:38 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Strip-domain-part-from-username-in-Endpoint-Connect/m-p/110805#M9166 Martijn 2021-02-15T10:57:38Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Strip-domain-part-from-username-in-Endpoint-Connect/m-p/110806#M9167 <P>Out of interest what is the Radius server, is it NPS or something else?</P> <P>A lot of radius servers support the concept of domain / realm stripping or normalisation for these types of scenarios.</P> Mon, 15 Feb 2021 11:15:29 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Strip-domain-part-from-username-in-Endpoint-Connect/m-p/110806#M9167 Chris_Atkinson 2021-02-15T11:15:29Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Strip-domain-part-from-username-in-Endpoint-Connect/m-p/110807#M9168 <P>Chris,</P><P>Customer uses Safenet.&nbsp;</P><P>I also believe customer has several AD domains and several LDAP Account Unit objects and users are unique.<BR />Maybe Safenet needs the domain part to search the correct domain.</P><P>Regards,<BR />Martijn</P> Mon, 15 Feb 2021 11:38:54 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Strip-domain-part-from-username-in-Endpoint-Connect/m-p/110807#M9168 Martijn 2021-02-15T11:38:54Z