topic Re: 684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552 in Network Access Control

684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552

mumustha — Wed, 30 May 2018 02:27:35 GMT

While authenticating phones signed by a CA-Signed CAPF, ISE fails to authenticate the phones with the error being, "client certificate is missing the complete chain".

On extracting the client certificate form the ISE pcaps, we observed the whole chain to be present in the certificate. However, the client complained that the Intermediate CA is not valid for the selected purpose, "This certificate does not appear to be valid for the selected purpose" (Attached as Client certificate)

On observing the logs it displays that, "Crypto,2018-05-22 02:36:24,630,DEBUG,0x7f67fae65700,NIL-CONTEXT,Crypto::Result=0,

CryptoLib.CSSL.x509ExceptionCallback - problematic certificate issuer=", which is followed by the Intermediate CA Subject.

All the certificates are enabled to perform server and client authentication. However, I observed that the Root CA had the key usage as "non-repudiation" as one of the attributes.

Could someone share a document or shed some light into the parameters that are required for the root certificates for a successful authentication of the client.

Re: 684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552

ognyan.totev — Wed, 30 May 2018 03:23:15 GMT

First you must be sure that all certificate from chain are inserted in Ise side . They are Cisco manufecturing . Cisco Capf certificate from call manager and cisco root Ca again from call manager. In mine lab we make even old phones like model 7911 to work with capf. You must configure authentication for them to use X509 .pki and subject alternative name contains exact you Capf -3557766 . This is the exact same number by exported from call manager certificate.One more thin when you go to phone are you sure LSC is installed on it ??

Re: 684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552

mumustha — Wed, 30 May 2018 04:09:41 GMT

Thank you for your response Ognyan.

They had the LSC that was directly signed by CAPF ( without being signed by CA) and that worked.

They have LSC installed and have followed the below document :

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#pgfId-38…

When trying to authenticate using certificate, ISE radius live logs show error as, "12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain".

Re: 684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552

ognyan.totev — Wed, 30 May 2018 04:34:23 GMT

Thats what i told you . You missed to import one of certificates in ise side. And please be sure you enable cisco manufaturing ca in ise . In Ise 2.2 the certificate is there but is not enable.

Re: 684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552

ognyan.totev — Wed, 30 May 2018 05:12:39 GMT

I worked on same guide and all working well. This is mine certificate from call manager :

Without it they never work

Re: 684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552

mumustha — Wed, 30 May 2018 07:08:02 GMT

The Root and the intermediate CA of client is present on ISE. Is there any other certificate we need to install in ISE?

Re: 684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552

ognyan.totev — Wed, 30 May 2018 07:18:17 GMT

Yes there is as i told you before

This 3 plus CAPF certificate from call manager imported in trusted store .As i show you before mine is this CAPF

Your maybe different but start is always same .

Re: 684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552

mumustha — Thu, 31 May 2018 04:43:45 GMT

All the certificates are already present on ISE including the CAPF certificate. They had been working with old certs. Is there a document that describes the key usage and other components required for the root-CA ?

Re: 684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552

ognyan.totev — Fri, 01 Jun 2018 08:33:13 GMT

Here you are

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html

Re: 684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552

mumustha — Fri, 01 Jun 2018 09:04:18 GMT

Thank you.

however, this is the link I have referred in the second thread. This doc does not mention the attributes required for the Root certificate.

Re: 684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552

ognyan.totev — Fri, 01 Jun 2018 09:08:33 GMT

Yes there it is i try show you:

This is for ACS but it is almost same for ISE

Re: 684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552

mumustha — Fri, 01 Jun 2018 09:22:26 GMT

Thank you for the images.

however, they are looking for the attributes the certificate should be signed with. For example, the fields to be populated in the Key usage, SN and likewise

Re: 684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552

ognyan.totev — Fri, 01 Jun 2018 09:30:04 GMT

Yes they are you must create certificate profile like this and use it in policy sets for authentication

Re: 684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552

ognyan.totev — Mon, 04 Jun 2018 12:33:22 GMT

Are you resolve your problem ???

Re: 684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552

mumustha — Tue, 05 Jun 2018 02:06:10 GMT

Not yet Ognyan,

When CAPF is self signed they are getting it to work. The issues arise when the CAPF is signed by the root CA and the Root and Intermediate CA is present in ISE trusted store.

As mentioned when the question was posted, the set up seems to be fine. However, ISE complains that the certificate is problematic and we are looking for a document that explains the attributes/fields required by the Root CA.

Re: 684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552

mumustha — Wed, 06 Jun 2018 01:18:06 GMT

The below document was shared with the customer : https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/212214-Tech-Note-on-CAPF-Certificate-Signed-by.html

Re: 684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552

hslai — Sat, 16 Jun 2018 21:50:41 GMT

I found an on-going ISE ESC case on this. Please continue with that case as this appears needing deep debugging to sort it out. Also see Requirements for CA to Interoperate with Cisco ISE in ISE compatibility guide.

Re: 684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552

mumustha — Sun, 17 Jun 2018 08:47:58 GMT

thank you for your inputs

Re: 684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552

vakolkargugg — Thu, 14 Nov 2019 08:10:01 GMT

I am facing similar issue - Did anyone get this working?