Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1748
Views
0
Helpful
7
Replies

7841 Phone and 802.1X

Christian Boesch
Level 1
Level 1

‎08-20-2015 12:18 AM - last edited on ‎03-25-2019 08:36 PM by Community Manager

Hi,

I have some 7841 IP Phones which authenticate over 802.1X (EAP-TLS with the Manufactured Installed Certificate with FreeRadius).

Now we bought some additional ones which do not work with the same config.

I realized that the "old" ones have V03 at the end and the "new" ones V04. So what is the difference in that, that authentication

does not work for the same type of phone?

 

Regards,

Chris

Labels:
0 Helpful
7 Replies 7

Mohammed al Baqari
Level 11
Level 11

‎08-20-2015 02:56 AM

Hi,

 

When you say they don't work, are you referring to dot1x authentication failing. Can you confirm that the certificate on the new phones is having the same details as the old phones.

 

Also, what error do you see on the Radius server?

0 Helpful

Christian Boesch
Level 1
Level 1
In response to Mohammed al Baqari

‎08-24-2015 06:18 AM

Hi Mohammed,

I guess the new phones have other root certificates?

I have trusted the Cisco Root CA and the Cisco Manufaturing CA which seems enough for the old phones. I found some hints that there are also a CAP-RTP-001 and a CAP-RTP-002 certificate to trust. But as our CallManager is outsourced I don't know where to get these certs. I haven't found them online to download.

chris

0 Helpful

Gordon Ross
Level 9
Level 9
In response to Christian Boesch

‎08-24-2015 07:14 AM

CMPlatform -> Security -> Certificate Monitor. I've got ones in both Callmanager-trust and CAPF-Trust

 

GTG

Please rate all helpful posts.
0 Helpful

Christian Boesch
Level 1
Level 1
In response to Gordon Ross

‎08-24-2015 11:26 PM

As our Callmanager is outsourced and 3rd party hosted, I'm not able to access these certs. Can you post them or send them by email?

0 Helpful

Gordon Ross
Level 9
Level 9
In response to Christian Boesch

‎08-25-2015 12:35 AM

Your CUCM Administrator should be able to email them to you.

 

GTG

Please rate all helpful posts.
0 Helpful

Gordon Ross
Level 9
Level 9

‎08-24-2015 07:15 AM

Can you tell me what you did to get this to work, please?. Working with my local 802.1x guru, we failed to get this to work. (We were following advise from TAC but we weren't 100% convinced TAC were correct....)

 

GTG

Please rate all helpful posts.
0 Helpful

Christian Boesch
Level 1
Level 1
In response to Gordon Ross

‎08-24-2015 11:23 PM

I set up FreeRadius to do EAP-TLS (no special config), and included the Cisco Root CAs in the CA_fie. Feel free to contact for any more questions.

 

0 Helpful
Customers Also Viewed These Support Documents