01-22-2019 05:26 PM
I'm trying to find good documentation around how to configure ISE and the switch and/or a WLC to authenticate a Cisco AP using the Manufacturer Installed Certificate on the AP and not MAB. Is there a best practice or any experiences others can share? Equally important, I want to do the same thing with Cisco phones; is there anything different there?
Thanks,
Mitch
01-22-2019 08:19 PM
Two ways to go about this.
You can have a copy of the root CA certificate that signed the phone certificate in ISE and have a policy in ISE to validate the attributes in the certificate to authorize the phone.
Secondly, you can enable 802.1x on the phone. By default, I believe it's not enabled. Add the certificate to the trusted certificate store.
Create a certificate authentication profile (CAP) to check for CN (Administration > Identity Management > External Identity Store) and then create an identity sequence and reference the CAP created in the screen below. You can then create an 802.1x authentication policy to check for certificate fields.
EAP-TLS authentication for WLC is explained here: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213543-configure-eap-tls-flow-with-ise.html
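As an added illustration of the answer above (this is not code from the post or from Cisco), the script below builds a constructed "manufacturing" CA with openssl, issues device certificates from it, and then applies the two checks the answer describes: chain trust to the root imported into the trusted store, followed by an authorization-style rule on the issuer and the CN that the CAP extracts. The CA name, the phone CN format `CP-<model>-SEP<MAC>` and all file names are assumptions for the demo.

```shell
# Constructed demo (not ISE code): throwaway manufacturing CA, device certs
# issued from it, and the checks an ISE deployment relies on: chain trust to
# the imported root plus an authorization rule on issuer and CN pattern.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed root CA; this is what you would import into ISE's trusted store.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/O=ExampleVendor/CN=Example Manufacturing CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Issue a certificate from the constructed CA; $1 = CN, $2 = output basename.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=ExampleVendor/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.crt" 2>/dev/null
}
issue_cert "CP-8845-SEP001122334455" phone   # phone-style CN (assumed format)
issue_cert "laptop-01" laptop                # trusted CA, but not a phone
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=CP-8845-SEP001122334455" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null   # right CN, untrusted issuer

# $1 = device cert, $2 = trusted CA file, $3 = issuer CN the authz rule expects.
# Prints accept:<CN> and returns 0, or prints the rejection reason and returns 1.
check_device_cert() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 \
    || { echo "chain-untrusted"; return 1; }
  issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
  case "$issuer" in
    *"CN=$3"*) ;;
    *) echo "issuer-rejected"; return 1 ;;
  esac
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  # The CAP takes CN as the identity; the authz rule requires the phone naming pattern.
  if printf '%s\n' "$cn" | grep -Eq '^CP-[A-Z0-9]+-SEP[0-9A-F]{12}$'; then
    echo "accept:$cn"; return 0
  fi
  echo "cn-rejected:$cn"; return 1
}

check_device_cert "$WORK/phone.crt"  "$WORK/ca.crt" "Example Manufacturing CA"           # accept:CP-8845-SEP001122334455
check_device_cert "$WORK/laptop.crt" "$WORK/ca.crt" "Example Manufacturing CA" || true   # cn-rejected:laptop-01
check_device_cert "$WORK/rogue.crt"  "$WORK/ca.crt" "Example Manufacturing CA" || true   # chain-untrusted
```

The laptop case is the one to note: a certificate that chains to a CA in the trusted store still needs the issuer and CN rule, otherwise anything signed by any trusted CA would be authorized as a phone.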
02-07-2019 07:37 AM
We were able to get the Cisco VoIP phone to authenticate via 802.1x EAP-TLS by swapping certs for each system: importing the Call Manager certificate into the ISE trusted store, and providing the ISE certificate to the Call Manager, which then gets pushed to the phone.