Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


Radius Proxy for EAP-TLS

Can anyone explain how the proxy for EAP-TLS is supported in CSACS?

I think the SAN feild is used for the proxy distribution table but even if this is correct what about the certificate authority. Who does what in terms of certificates etc?

I have to impliment this quite soon because the ACS release notes say it is supported and unbelievably an end user has read them. ;-)

reload in 25 years


there is a configuration guide available at

"Cisco Secure ACS for Windows v3.2 With EAP-TLS Machine Authentication"

which should answer your questions.

Hope this helps


Thanks but I coulf not see any reference to proxy support in that document.

I have experience of configuring EAP-TLS. However in this case I want to proxy the authentication to another radius server (ACS or ISA)

I am unsure how to set up the CA chain. i.e. Is the primary ACS radius server going to be the issuing CA or is it the secondary. I hope that the secondary is just a proxy radius server that uses a back end username database such as MS AD and that the name is stripped from the certificate at the primary.

I am open to more suggestions thanks. ;-)

reload in 25 years

I have completed the project now. The way the proxy finds the information is that it reads the certificate details and then uses the CN information to decide on the target radius server. It does not have to have the EAP type configured or be part of the certificate chain. I did not get a chance to see if it uses the SAN feild before the CN feild. The latter would be usefull with user (not machine) certificates ecause there tends not to be delimiting information in the CN with MS enterprise CA certificates. Stand Alone MS CA allows user to put any info in the CN but AD needs Enterprise CA for proper CA intergration and autoenrollment.

reload in 25 years
Recognize Your Peers
Content for Community-Ad

ISE Webinars

Did you miss a previous ISE webinar?

CiscoISE YouTube Channel