Authenticating Cisco IP Phones using ISE and 802.1X

Bobby Stojceski — Mon, 11 Mar 2019 06:42:36 GMT

I have seen a few others ask similar questions but no answers seem to have been posted.

How do you configure ISE 2.0 to authenticate a Cisco IP Phone that has the MIC and LSC certificates installed? I have already done the export of certificates from CUCM and import into ISE, but I just cannot get the Authentication Rule/s right. The phone is enabled for 802.1X and certificate, and switch is doing it's job as I see the RADIUS logs both in ISE and the switch showing the failures.

What identity store does a Cisco IP Phone use to authenticate itself against in ISE? Surely every phone doesn't need to be added into ISE ahead of time (hundreds or thousands)? The failure I get is ISE unable to match the user in any identity store.

There doesn't seem to be any guides available to help here other than old ACS guides.

I see there are prebuilt Authorization rules in ISE for Cisco IP Phones but I can't get far enough for the device to authenticate let alone hit the Authorization rule.

Can anyone help?

Thank you.

If you are using EAP-TLS,

jan.nielsen — Wed, 27 Apr 2016 20:18:51 GMT

If you are using EAP-TLS, your authentication rules, need to select a certificate profile and an identity store, for EAP-TLS it will use the cert profile for auhthentication. It will still try to get AD groups for the CN/SAN name of your MIC/LSC cert, but it shouldn't fail authentication.

This thread also has some info :

https://supportforums.cisco.com/discussion/10952961/8021x-phone-authentication-eap-tls-mic-only

topic If you are using EAP-TLS, in Network Access Control

Authenticating Cisco IP Phones using ISE and 802.1X

If you are using EAP-TLS,