Radius Proxy for EAP-TLS

rchester
Level 1

Can anyone explain how the proxy for EAP-TLS is supported in CSACS?

I think the SAN field is used for the proxy distribution table, but even if this is correct, what about the certificate authority? Who does what in terms of certificates etc.?

I have to implement this quite soon because the ACS release notes say it is supported and unbelievably an end user has read them. ;-)

reload in 25 years

mheusinger
Level 10

Hello,

there is a configuration guide available at

"Cisco Secure ACS for Windows v3.2 With EAP-TLS Machine Authentication"

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

which should answer your questions.

Hope this helps

Martin

Thanks, but I could not see any reference to proxy support in that document.

I have experience of configuring EAP-TLS. However, in this case I want to proxy the authentication to another RADIUS server (ACS or ISA).

I am unsure how to set up the CA chain. i.e. Is the primary ACS radius server going to be the issuing CA or is it the secondary. I hope that the secondary is just a proxy radius server that uses a back end username database such as MS AD and that the name is stripped from the certificate at the primary.

I am open to more suggestions thanks. ;-)

reload in 25 years

rchester
Level 1

I have completed the project now. The way the proxy finds the information is that it reads the certificate details and then uses the CN information to decide on the target RADIUS server. It does not have to have the EAP type configured or be part of the certificate chain. I did not get a chance to see if it uses the SAN field before the CN field. The latter would be useful with user (not machine) certificates because there tends not to be delimiting information in the CN with MS enterprise CA certificates. A stand-alone MS CA allows users to put any info in the CN, but AD needs an Enterprise CA for proper CA integration and autoenrollment.

reload in 25 years
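The routing behaviour described in the final reply (identity taken from the certificate, matched against a proxy distribution table with optional stripping, otherwise handled locally), as an added Python model; this is not Cisco's code, and the table entries, server names and the dict standing in for a parsed X.509 certificate are all constructed:

```python
"""Model of how a RADIUS proxy picks the target server from the identity
found in an EAP-TLS client certificate (constructed example, not ACS code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class ProxyEntry:
    match: str        # character string to look for, e.g. "@corp.example.com"
    position: str     # "suffix" or "prefix", as in a distribution table
    strip: bool       # remove the matched string before forwarding
    target: str       # RADIUS server the request is forwarded to

# Constructed distribution table; server names are placeholders.
TABLE = [
    ProxyEntry("@corp.example.com", "suffix", True, "acs-corp.example.com"),
    ProxyEntry("CORP\\", "prefix", True, "acs-corp.example.com"),
    ProxyEntry(".lab.example.com", "suffix", False, "isa-lab.example.com"),
]
DEFAULT_TARGET = "local"   # no entry matched: authenticate on this server

def identity_from_cert(cert: dict) -> Optional[str]:
    """Prefer the SAN (UPN, then DNS name) and fall back to the subject CN.
    'cert' is a constructed dict standing in for a parsed certificate."""
    san = cert.get("san") or {}
    for key in ("upn", "dns"):
        if san.get(key):
            return san[key]
    return cert.get("subject", {}).get("cn")

def route(identity: str) -> Tuple[str, str]:
    """Return (target server, identity as it will be forwarded).
    Matching is case-insensitive; the first table entry that matches wins."""
    ident_lc = identity.lower()
    for e in TABLE:
        m = e.match.lower()
        if e.position == "suffix" and ident_lc.endswith(m):
            return e.target, identity[:-len(m)] if e.strip else identity
        if e.position == "prefix" and ident_lc.startswith(m):
            return e.target, identity[len(m):] if e.strip else identity
    # A CN without delimiting information (e.g. a bare user name from an
    # enterprise CA user certificate) falls through to local handling.
    return DEFAULT_TARGET, identity

def route_cert(cert: dict) -> Optional[Tuple[str, str]]:
    """None means there is nothing in the certificate to route on."""
    ident = identity_from_cert(cert)
    return None if ident is None else route(ident)
```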