Hello,
I'm working on a limited 802.1x rollout, and was hoping to use Cisco ACS server as my RADIUS server / Authentication Server.
Initial testing went fine using more basic EAP mechanisms, however when we started trying to use EAP-TLS, we ran into some problems. From what I can see in the Cisco ACS documentation, it's almost as if the ACS server requires an AD to talk to for authentication to complete - it can't simply rely on a valid cert for authentication. Am I correct in understanding this? Unfortunately, the machines involved in this limited rollout have access to PKI infrastructure and a CA, but are not AD members - possibly an unusual set of circumstances.
Two questions, assuming this reliance on an AD is real, and not just us misunderstanding what we're seeing:
1 - Is this reliance on having an AD part of the IEEE EAP-TLS standard? This is the first I've seen of a requirement for a directory such as this in my readings about EAP-TLS.
2 - If not, does anyone know of a product (maybe Steel-Belted RADIUS?) that doesn't have this requirement and can do the auth based solely on the validity of the cert?
Cheers for any help, Mike