Our situation is the following:
We have an ACS 5.3 which holds the user DB for our WLAN. Access-Requests come either from internal access points or proxied from an external RADIUS (eduroam).
In these proxied requests the username contains a realm (@company.com).
Now ACS seems not to be able to strip the realm from the inner identity, so the user cannot be found in the DB.
I tried it with PEAP-MSCHAPv2.
Is it generally possible for ACS to treat usernames with realm?
Do I have to enter the usernames with realm in the internal user DB?
What EAP method is the best for this?
I read that EAP-TTLS can use the outer identity just for routing and the inner identity for authentication (my idea was outer=anonymous@company.com and inner=<username_without_realm>), but ACS rejects the request with
"11512 Extracted EAP-Response/NAK packet requesting to use unsupported EAP protocol; EAP-negotiation failed"
Does ACS 5.3 support EAP-TTLS? (The documentation is not quite clear on this point: first they mention EAP-TTLS, later just EAP-TLS.)
I'm getting more and more confused.
I would be glad if someone could help.