The issue is due to the presence of Cisco bug ID CSCeg01533.
When Protected Extensible Authentication Protocol (PEAP) Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) authentication is used with two CiscoSecure ACS for Windows servers with one server acting as a proxy server that strips the realm, the authentication can fail. This issue is first seen with CiscoSecure ACS for Windows version 3.2.3.
What is PEAP?
Protected Extensible Authentication Protocol (PEAP) belongs to the family of Extensible Authentication Protocol (EAP) protocols. PEAP uses Transport Layer Security (TLS) in order to create an encrypted channel between an authenticating PEAP client and a PEAP authenticator, such as a RADIUS server.
PEAP does not specify an authentication method, but provides additional security for other EAP authentication protocols, such as EAP-MS-CHAP v2, that can operate through the TLS encrypted channel provided by PEAP. PEAP is used as an authentication method for 802.1X wireless client computers, but is not supported for virtual private network (VPN) or other remote access clients.
The workaround for this issue is to not strip the realm and configure the end server accordingly. This bug is fixed in CiscoSecure ACS for Windows version 4.0(1.27).
In order to download CiscoSecure ACS for Windows version 4.0(1.27), open a service request with Cisco Technical Support.
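The following is an added illustration, not Cisco code, of the realm plumbing behind the workaround: a toy RADIUS proxy that routes by the realm in the User-Name and either strips it or forwards the NAI intact, and a toy end server that must be configured to accept its own realm when the proxy no longer strips it. The `Proxy`, `EndServer` and `demo` names, the sample realm `example.com` and the user `alice` are assumptions. The model shows only the configuration halves of the workaround; it does not reproduce the PEAP MS-CHAP failure itself, whose cause the note does not describe.

```python
"""Realm handling at a RADIUS proxy in front of an authenticating end server.

Added illustration, not Cisco code. It contrasts the two proxy policies the
tech note mentions (strip the realm before forwarding vs. forward the NAI
intact) with the matching end-server configuration. All names are assumed.
"""
from dataclasses import dataclass, field
from typing import Optional


def split_nai(user_name: str) -> tuple[str, Optional[str]]:
    """Split a Network Access Identifier (RFC 7542) into (user, realm).

    The realm is whatever follows the last '@'; a bare user name has no realm.
    Realms are compared case-insensitively, so they are normalised to lower case.
    """
    user, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, None
    return user, realm.lower()


@dataclass
class EndServer:
    """Toy end (authenticating) server: knows its users and the realms it serves."""
    name: str
    users: set[str]
    local_realms: set[str] = field(default_factory=set)

    def authenticate(self, user_name: str) -> bool:
        user, realm = split_nai(user_name)
        # A realm the server is not configured for is an unknown user even when
        # the bare user name exists. Adding the realm to local_realms is the
        # "configure the end server accordingly" half of the workaround.
        if realm is not None and realm not in self.local_realms:
            return False
        return user in self.users


@dataclass
class Proxy:
    """Toy proxy: routes by realm and optionally rewrites User-Name."""
    routes: dict[str, EndServer]
    strip_realm: bool

    def forward(self, user_name: str) -> tuple[str, str, bool]:
        """Return (target server, User-Name as forwarded, authentication result)."""
        user, realm = split_nai(user_name)
        if realm is None or realm not in self.routes:
            return ("<no route>", user_name, False)
        target = self.routes[realm]
        forwarded = user if self.strip_realm else user_name
        return (target.name, forwarded, target.authenticate(forwarded))


def demo() -> dict[str, tuple[str, str, bool]]:
    """Run the same login through the three configurations the note contrasts."""
    # End server as shipped: knows alice, has no local realm configured (assumed setup).
    acs_plain = EndServer("acs-end", users={"alice"})
    # End server configured for the realm, as the workaround requires.
    acs_realm = EndServer("acs-end", users={"alice"}, local_realms={"example.com"})
    nai = "alice@example.com"
    return {
        # Proxy strips the realm: the configuration to avoid per the note. The toy
        # model cannot show the PEAP MS-CHAP failure, so it simply passes here.
        "strip": Proxy({"example.com": acs_plain}, strip_realm=True).forward(nai),
        # Realm kept but end server not told about it: the end server rejects.
        "keep_unconfigured": Proxy({"example.com": acs_plain}, strip_realm=False).forward(nai),
        # Realm kept and end server configured for it: the full workaround.
        "keep_configured": Proxy({"example.com": acs_realm}, strip_realm=False).forward(nai),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} -> target={result[0]} User-Name={result[1]!r} ok={result[2]}")
```

The `keep_unconfigured` case is the one to watch when applying the workaround: once the proxy stops stripping, every end server that receives `user@realm` has to recognise that realm, otherwise the change trades one authentication failure for another.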