Cisco Support Community
Community Member

Radius Proxy for EAP-TLS

Can anyone explain how the proxy for EAP-TLS is supported in CSACS?

I think the SAN feild is used for the proxy distribution table but even if this is correct what about the certificate authority. Who does what in terms of certificates etc?

I have to impliment this quite soon because the ACS release notes say it is supported and unbelievably an end user has read them. ;-)

reload in 25 years

Re: Radius Proxy for EAP-TLS


there is a configuration guide available at

"Cisco Secure ACS for Windows v3.2 With EAP-TLS Machine Authentication"

which should answer your questions.

Hope this helps


Community Member

Re: Radius Proxy for EAP-TLS

Thanks but I coulf not see any reference to proxy support in that document.

I have experience of configuring EAP-TLS. However in this case I want to proxy the authentication to another radius server (ACS or ISA)

I am unsure how to set up the CA chain. i.e. Is the primary ACS radius server going to be the issuing CA or is it the secondary. I hope that the secondary is just a proxy radius server that uses a back end username database such as MS AD and that the name is stripped from the certificate at the primary.

I am open to more suggestions thanks. ;-)

reload in 25 years
Community Member

Re: Radius Proxy for EAP-TLS

I have completed the project now. The way the proxy finds the information is that it reads the certificate details and then uses the CN information to decide on the target radius server. It does not have to have the EAP type configured or be part of the certificate chain. I did not get a chance to see if it uses the SAN feild before the CN feild. The latter would be usefull with user (not machine) certificates ecause there tends not to be delimiting information in the CN with MS enterprise CA certificates. Stand Alone MS CA allows user to put any info in the CN but AD needs Enterprise CA for proper CA intergration and autoenrollment.

reload in 25 years
CreatePlease to create content