I have switch configured for 802.1x. It ask ACS4.2 (thru radius) which have locally defined user. And it works fine. (i've earlier generated certifikate and enabled PEAP).
But i do not have users configured on ACS but on RSA Token Server. ACS ask RSA (using radius) for users which it do not have locally.
And this solution works fine for my VPN connections.
But it does not work for 802.1x with PEAP.
After ACS receives request from switch (MS-PEAP type) for user which is not defined locally it does not forward this request to external database.
Why ? For user defined locally it works fine.