https://community.cisco.com/t5/network-access-control/authenticate-cisco-ip-phone-to-ise-using-mic-certificate/m-p/3184155#M555608 <P>Hello,</P><P>&nbsp;</P><P>I am trying to authenticate our IP Phones using the built in MIC certificate. &nbsp;I am unable to find documentation on how to acheve this with ISE. &nbsp;I found an older ACS document, but I find that there are many aspects that are different.</P><P>&nbsp;</P><P>I have installed the CAP-RTP certs from our CUCM servers into the Trusted store in ISE.</P><P>&nbsp;</P><P>I have an authentication policy that allows wired 802.1x and EAP-TLS, and an authorization policy that allows EAP-TLS and a certificate with a subject that starts with CP-. &nbsp;Could the Authentication policy be incorrectly setup?</P><P>&nbsp;</P><P>I get a 12514 error stating that there is an unknown CA in the client cert chain. &nbsp;The documentation states that you need to have the two Cisco CA certs, and they are installed in ISE, however the older ones are disabled. &nbsp;Could this be part of the issue? &nbsp;Is there any harm in enabling them?</P><P>&nbsp;</P><P>Thanks,</P><P>Dan.</P> Fri, 21 Feb 2020 18:34:07 GMT dan.letkeman 2020-02-21T18:34:07Z https://community.cisco.com/t5/network-access-control/authenticate-cisco-ip-phone-to-ise-using-mic-certificate/m-p/3184155#M555608 <P>Hello,</P><P>&nbsp;</P><P>I am trying to authenticate our IP Phones using the built in MIC certificate. &nbsp;I am unable to find documentation on how to acheve this with ISE. &nbsp;I found an older ACS document, but I find that there are many aspects that are different.</P><P>&nbsp;</P><P>I have installed the CAP-RTP certs from our CUCM servers into the Trusted store in ISE.</P><P>&nbsp;</P><P>I have an authentication policy that allows wired 802.1x and EAP-TLS, and an authorization policy that allows EAP-TLS and a certificate with a subject that starts with CP-. &nbsp;Could the Authentication policy be incorrectly setup?</P><P>&nbsp;</P><P>I get a 12514 error stating that there is an unknown CA in the client cert chain. &nbsp;The documentation states that you need to have the two Cisco CA certs, and they are installed in ISE, however the older ones are disabled. &nbsp;Could this be part of the issue? &nbsp;Is there any harm in enabling them?</P><P>&nbsp;</P><P>Thanks,</P><P>Dan.</P> Fri, 21 Feb 2020 18:34:07 GMT https://community.cisco.com/t5/network-access-control/authenticate-cisco-ip-phone-to-ise-using-mic-certificate/m-p/3184155#M555608 dan.letkeman 2020-02-21T18:34:07Z https://community.cisco.com/t5/network-access-control/authenticate-cisco-ip-phone-to-ise-using-mic-certificate/m-p/3184919#M555609 Hi <BR /><BR />Can you share the complete config you've done on ise? <BR />You're missing a trusted CA from CUCM. Have you exported all those certificates: Cisco_Root_CA_2048, Cisco_Manufacturing_CA, CAP-RTP-001, and CAP-RTP-002 ?<BR />And imported them into ISE?<BR /><BR /> Sat, 16 Sep 2017 01:50:53 GMT https://community.cisco.com/t5/network-access-control/authenticate-cisco-ip-phone-to-ise-using-mic-certificate/m-p/3184919#M555609 Francesco Molino 2017-09-16T01:50:53Z https://community.cisco.com/t5/network-access-control/authenticate-cisco-ip-phone-to-ise-using-mic-certificate/m-p/3185081#M555610 <P>I had to enable the older Cisco Root certs that were installed on ISE. &nbsp; By default only the two newer Cisco Root certs are enabled.</P> Sat, 16 Sep 2017 23:38:30 GMT https://community.cisco.com/t5/network-access-control/authenticate-cisco-ip-phone-to-ise-using-mic-certificate/m-p/3185081#M555610 dan.letkeman 2017-09-16T23:38:30Z https://community.cisco.com/t5/network-access-control/authenticate-cisco-ip-phone-to-ise-using-mic-certificate/m-p/3356731#M555611 <P>Dan,</P> <P>&nbsp;</P> <P>Was that all you had to do? Also, can you share the screenshot of the policy you created on ISE? I am getting ready to do a similar deployment.</P> <P>&nbsp;</P> <P>Thank you,</P> <P>&nbsp;</P> <P>Francisco Padron.</P> Wed, 28 Mar 2018 14:13:36 GMT https://community.cisco.com/t5/network-access-control/authenticate-cisco-ip-phone-to-ise-using-mic-certificate/m-p/3356731#M555611 fpadron 2018-03-28T14:13:36Z https://community.cisco.com/t5/network-access-control/authenticate-cisco-ip-phone-to-ise-using-mic-certificate/m-p/3356799#M555612 <P>Here you go.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Phone.png" style="width: 752px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/9514iBCB3D8AA9CFED767/image-size/large?v=v2&amp;px=999" role="button" title="Phone.png" alt="Phone.png" /></span></P> Wed, 28 Mar 2018 15:09:15 GMT https://community.cisco.com/t5/network-access-control/authenticate-cisco-ip-phone-to-ise-using-mic-certificate/m-p/3356799#M555612 dan.letkeman 2018-03-28T15:09:15Z https://community.cisco.com/t5/network-access-control/authenticate-cisco-ip-phone-to-ise-using-mic-certificate/m-p/3357003#M555613 <P>HI,</P> <P>Your policy looks ok.</P> <P>Just do a capture on ISE (host SWITCH_IP) and check in wireshark the phone cert. (it will not be that hard to see)</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Octavian</P> Wed, 28 Mar 2018 19:36:22 GMT https://community.cisco.com/t5/network-access-control/authenticate-cisco-ip-phone-to-ise-using-mic-certificate/m-p/3357003#M555613 Octavian Szolga 2018-03-28T19:36:22Z