bpozdena_FTNT
Staff
April 12, 2021

Technical Tip: Domain name stripping behavior for proxy authentication

Description
Since the release of FortiOS 6.2, the FortiOS proxy daemon (WAD) strips the domain name from a username when the domain is specified with a backslash (DOMAIN\username).
This behavior allows locally defined users to be matched before remote authentication servers are contacted.
As a consequence, the domain name is stripped from event logs and traffic logs, as well as from RADIUS Access-Request and Accounting messages.


Example for illustration:
This example shows that when a user 'OS\denmark.user1' authenticates on the explicit proxy, the domain name is stripped out completely.

[Screenshots: Proxy Authentication Form; Resulting Proxy User List; Resulting Firewall User List; Resulting Forward Traffic Log]


Solution
In cases where the domain name needs to be preserved in forward traffic logs and RADIUS messages, users need to specify the username with a forward slash (DOMAIN/username) or in UPN format (username@DOMAIN).

Example for illustration:
This example shows that when the same user 'Denmark.User1' authenticates as 'OS/denmark.user1' or 'denmark.user1@OS', the domain name is preserved in the firewall user list, forward traffic logs, RADIUS messages, etc.


[Screenshots: Proxy Authentication Form; Resulting Proxy User List; Resulting Firewall User List; Resulting Forward Traffic Log]
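
Because the same account can reach the logs in three forms (bare after backslash stripping, DOMAIN/username, username@DOMAIN), log correlation needs a normalization step. The Python sketch below is an added example, not Fortinet code: it models the stripping described above and flags bare usernames that cannot be tied to a single domain. It assumes the forward-slash and UPN forms are logged exactly as typed and that names compare case-insensitively; the LAB and HQ domains and the user alice are constructed sample values.

```python
from collections import defaultdict

def logged_username(entered):
    """Name as logged / sent to RADIUS per this article (FortiOS 6.2 and later)."""
    if "\\" in entered:
        # DOMAIN\username: the proxy daemon drops the domain part.
        return entered.split("\\", 1)[1]
    # DOMAIN/username and username@DOMAIN keep the domain (assumed logged as typed).
    return entered

def split_identity(logged):
    """Return (user, domain or None), case-folded so the three forms compare equal."""
    if "/" in logged:
        domain, user = logged.split("/", 1)
    elif "@" in logged:
        user, domain = logged.rsplit("@", 1)
    else:
        user, domain = logged, None
    return user.casefold(), (domain.casefold() if domain else None)

def attribute(logged_names):
    """Per user: domains seen, whether a domain-less entry exists, and whether
    that bare entry cannot be tied to exactly one domain."""
    domains, bare = defaultdict(set), set()
    for name in logged_names:
        user, domain = split_identity(name)
        if domain is None:
            bare.add(user)
            domains[user]  # create the key even if no domain is ever seen
        else:
            domains[user].add(domain)
    return {
        user: {
            "domains": sorted(seen),
            "bare": user in bare,
            "ambiguous": user in bare and len(seen) != 1,
        }
        for user, seen in domains.items()
    }

# Constructed sample input: usernames as typed into the proxy authentication form.
SAMPLE_ENTERED = [r"OS\denmark.user1", "OS/denmark.user1", "denmark.user1@OS",
                  r"LAB\alice", "LAB/alice", "HQ/alice"]

if __name__ == "__main__":
    report = attribute(logged_username(e) for e in SAMPLE_ENTERED)
    for user, info in sorted(report.items()):
        print(user, info)
```

A bare entry marked ambiguous may also be a locally defined user, since the stripped name is what is matched against local users first.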