I'm running my primary authentication against OCSP checks and extracting the values of the CN and OU fields of the cert to determine what role a user will be dropped into. It's working great.
I have a Cisco ACS 5.7 set up as a RADIUS server sitting behind my MAG2600s for second authentication.
The authentication is working as expected, but I can't get the 'password prompt' pushed through the Pulse client and force the user to change their password when logging in for the first time. After speaking with Cisco, the ACS pushes the prompts through with MS-CHAP. I don't think my MAG2600 supports MS-CHAP.