Beginner

Cisco AP's and VoIP phones using Certificates with ISE 2.4

I'm trying to find good documentation around how to configure ISE and the Switch and/or a WLC to authenticate a Cisco AP using the Manufacture Installed Certificate on the AP and not MAB. Is there a best practice or any experiences others can share? Equally important I want to do the same thing with Cisco Phones, is there anything different there?

 

Thanks, 

 

Mitch

ACCEPTED SOLUTION
Cisco Employee

Re: Cisco AP's and VoIP phones using Certificates with ISE 2.4

Two ways to go about this.

You can have a copy of the root CA certificate that signed the phone certificate in ISE and have a policy in ISE to validate the attributes in the certificate to authorize the phone.

Secondly, you can enable 802.1X on the phone. By default, I believe it's not enabled. Add the certificate to the trusted certificate store.

Create a certificate authentication profile (CAP) to check for CN (Administration - Identity Management - External Identity Store) and then create an identity sequence and reference the CAP created, as in the screen below. You can then create an 802.1X authentication policy to check for certificate fields.

EAP-TLS authentication for WLC is explained here: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213543-configure-eap-tls-flow-with-ise.html

 

[attached screenshot: voip.png]
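The two checks the accepted answer describes (trust the signing CA, then match a certificate field such as the CN), emulated with openssl on constructed lab certificates. This is an added example, not code from the thread or from ISE; the CA names, the device CN pattern, and the temporary working directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emulate with openssl the two checks the accepted
# answer describes, on constructed lab certificates rather than a real Cisco MIC.
#   1. Is the device certificate signed by a CA present in the trusted store?
#   2. Does the Common Name satisfy the rule a CAP / authorization policy would apply?
set -e
WORK=$(mktemp -d)

# make_ca NAME CN : self-signed CA (stand-in for the manufacturer root imported into ISE)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_device_cert CA NAME CN : device certificate with the given CN, signed by CA
issue_device_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -out "$WORK/$2.pem" 2>/dev/null
}

# cert_cn FILE : print the subject CN, the field a CAP configured for "CN" would read
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# authorize FILE : succeed only if the chain verifies against the trusted CA AND the
# CN matches the device-naming pattern (hypothetical pattern, not Cisco's real format).
# Checking the CN alone would accept a certificate with the right name from any CA.
authorize() {
    openssl verify -CAfile "$WORK/trusted.pem" "$1" >/dev/null 2>&1 || return 1
    cert_cn "$1" | grep -Eq '^(SEP|AP)[0-9A-F]{12}$'
}

# Demonstration with constructed data: one phone-like CN, one non-matching CN
make_ca trusted "Lab Manufacturing Root CA"
issue_device_cert trusted phone "SEP0011AABBCCDD"
issue_device_cert trusted printer "Printer-42"
for dev in phone printer; do
    if authorize "$WORK/$dev.pem"; then
        echo "$dev: authorized, CN=$(cert_cn "$WORK/$dev.pem")"
    else
        echo "$dev: rejected"
    fi
done
```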

3 REPLIES

VIP Advisor

Re: Cisco AP's and VoIP phones using Certificates with ISE 2.4

Hi,

For MIC with ISE authentication, check these two videos, which are very useful. They cover what you are looking for and more :)

http://www.labminutes.com/wl0006_wlc_access_point_authentication_1
http://www.labminutes.com/wl0006_wlc_access_point_authentication_2

For Phones, here is a good resource.

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html

**** Please remember to rate useful posts

Beginner

Re: Cisco AP's and VoIP phones using Certificates with ISE 2.4

We were able to get the Cisco VoIP phone to authenticate via 802.1X EAP-TLS by swapping certs for each system: importing the Call Manager certificate into the ISE trusted store, and providing the ISE certificate to the Call Manager, which then gets pushed to the phone.