topic Migrating EAP-MSCHPv2 to EAP-TLS in Network Access Control

Migrating EAP-MSCHPv2 to EAP-TLS

Patrick Colbeck — Mon, 11 Mar 2019 02:43:36 GMT

I have a customer who has deployed ACS for 802.1x against active directory for their wired Cisco switch infrastructure using EAP-MSCHAPv2. Now they would like to change to EAP-TLS but if they just switch the client PCs would be locked out and could get a certificate pushed out to them from AD.

Can ACS be set to allow both autentication methods during the migration phase ? I know it supports negotiation of the EAP type but its a while since I played with ACS and dont have one to hand to try it with.

Thanks

Migrating EAP-MSCHPv2 to EAP-TLS

Tarik Admani — Fri, 26 Oct 2012 19:20:48 GMT

By default ACS has peap and eap-tls authentication enabled and is part of the proposed eap types. Just remember that the certificate will have to uploaded to the ACS trusted certificate store, and once you configure the certificate authentication profile, you can map that into a Identity Sequence store, so that ACS will check the cert, and if one isnt provided it can fall back to password authenticate against AD.

Thanks,

Tarik Admani
*Please rate helpful posts*