I need some help with the configuration of a wireless solution that includes an ACS and in which the authentication is based in an NDS database.
As I have seen in Cisco documents, the only authentication methods supported by NDS databases, are EAP-GTC, EAP-TLS and EAP-FAST Phase Two.
I have discarded EAP-GTC (the customer doesn't have a token server and so) and EAP-TLS (we don't want certificates to be used). So the only method we can use is EAP-FAST.
And here is my problem, NDS database doesn't support EAP-FAST Phase Zero, so it's necesary to manually provide the PAC. Is this correct? It's necesary to provide every client with a different PAC? How can I configure this?
Has anybody configured a deployment like the one I describe here?
Phase zero is optional and PACs can be manually provided to end-user clients. (See Manual PAC Provisioning.) You control whether ACS supports phase zero by checking the Allow automatic PAC provisioning check box in the Global Authentication Configuration page.
For the further details for the PAC and configuration follow the URL :
You could install Free Radius for eDir (NDS). As long as the customer has already deployed Universal Password, Free Radius can then provide PEAP-MSCHAPv2.
There are a couple of alternatives to ACS, Ignition being one of them, that can also talk with eDir and provide PEAP-MSCHAPv2 support, again assuming the customer has deployed Novell's Universal Password.