Migrating EAP-MSCHAPv2 to EAP-TLS

Patrick Colbeck
Level 3

Hi

I have a customer who has deployed ACS for 802.1X against Active Directory for their wired Cisco switch infrastructure using EAP-MSCHAPv2. Now they would like to change to EAP-TLS, but if they just switch, the client PCs would be locked out and could get a certificate pushed out to them from AD.

Can ACS be set to allow both authentication methods during the migration phase? I know it supports negotiation of the EAP type, but it's a while since I played with ACS and I don't have one to hand to try it with.

Thanks


Tarik Admani
VIP Alumni

By default, ACS has PEAP and EAP-TLS authentication enabled, and they are part of the proposed EAP types. Just remember that the certificate will have to be uploaded to the ACS trusted certificate store, and once you configure the certificate authentication profile, you can map that into an Identity Sequence store, so that ACS will check the cert, and if one isn't provided it can fall back to password authentication against AD.

Thanks,

Tarik Admani
*Please rate helpful posts*