Cisco AP's and VoIP phones using Certificates with ISE 2.4

mitchp75
Level 1

I'm trying to find good documentation on how to configure ISE and the switch and/or a WLC to authenticate a Cisco AP using the Manufacturer Installed Certificate on the AP and not MAB. Is there a best practice, or any experiences others can share? Equally important, I want to do the same thing with Cisco phones; is there anything different there?

Thanks,

Mitch

Accepted Solution

Nidhi
Cisco Employee

There are 2 ways to go about this.

You can have a copy of the root CA certificate that signed the phone certificate in ISE, and have a policy in ISE that validates the attributes in the certificate to authorize the phone.

Secondly, you can enable 802.1x on the phone; by default, I believe it's not enabled. Add the certificate to the trusted certificate store.

Create a certificate authentication profile (CAP) to check the CN (Administration - Identity Management - External Identity Store), then create an identity sequence that references the CAP, as in the screenshot below. You can then create an 802.1x authentication policy that checks the certificate fields.

EAP-TLS authentication for the WLC is explained here: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213543-configure-eap-tls-flow-with-ise.html


[screenshot: voip.png]


3 Replies


Hi,

For MIC with ISE authentication, check these two videos, which are very useful. They cover what you are looking for and more :)

http://www.labminutes.com/wl0006_wlc_access_point_authentication_1
http://www.labminutes.com/wl0006_wlc_access_point_authentication_2

For phones, here is a good resource.

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html

**** Please remember to rate useful posts

We were able to get the Cisco VoIP phone to authenticate via 802.1x EAP-TLS by swapping certs for each system: importing the Call Manager certificate into the ISE trusted store, and providing the ISE certificate to the Call Manager, which then pushes it to the phone.
