I'm doing a lab using the Cisco ACS 4.1 LEAP Proxy RADIUS External User Database, and it works fine, but I don't understand why. So, I don't know if it's a stable solution.
I have the following scenario:
802.1x Wired Port Access Control
Cisco ACS 4.1
External User Database
LEAP Proxy RADIUS
MS-CHAPv1 user + MPPE MS Extension
I'm using the native WinXP SP2 802.1x supplicant client (EAP-MSCHAPv2) to link to a Cisco 3640 FE port protected by dot1x. The IOS is configured to authenticate with a Cisco ACS 4.1, where I created a user that uses a LEAP Proxy RADIUS as its External User Database, with a Freeradius in the backend as the destination.
Then, I configured the Freeradius to authenticate the user using MSCHAPv1 (+ MS-CHAP-MPPE-Keys with the use_mppe parameter option set in the config). And it works!
So, my questions are:
1) Does the Cisco ACS LEAP Proxy RADIUS feature work also with PEAPv0?
3) Does the ACS internally translate the MSCHAPv2 challenge response to an MSCHAPv1 challenge response? Are they compatible?
2) Is this a stable solution?