I have some 7841 IP Phones which authenticate over 802.1X (EAP-TLS with the Manufactured Installed Certificate with FreeRadius).
Now we bought some additional ones which do not work with the same config.
I realized that the "old" ones have V03 at the end and the "new" ones V04. So what is the difference, such that authentication does not work for the same type of phone?
When you say they don't work, are you referring to dot1x authentication failing? Can you confirm that the certificate on the new phones has the same details as on the old phones?
Also, what error do you see on the Radius server?
I guess the new phones have other root certificates?
I have trusted the Cisco Root CA and the Cisco Manufacturing CA, which seems enough for the old phones. I found some hints that there are also a CAP-RTP-001 and a CAP-RTP-002 certificate to trust. But as our CallManager is outsourced, I don't know where to get these certs. I haven't found them online to download.
CMPlatform -> Security -> Certificate Monitor. I've got ones in both Callmanager-trust and CAPF-Trust
Can you tell me what you did to get this to work, please? Working with my local 802.1x guru, we failed to get this to work. (We were following advice from TAC but we weren't 100% convinced TAC were correct...)
I set up FreeRadius to do EAP-TLS (no special config), and included the Cisco Root CAs in the CA_file. Feel free to contact me with any more questions.
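
Added example, not part of the original thread: a way to test offline whether a phone certificate chains to the CA bundle that FreeRADIUS's `ca_file` points at, and to see which issuer is missing when it does not. It assumes the cause guessed at above (a different issuing CA); the CAs `demo-ca-1` and `demo-ca-2`, the certificates `phone-a` and `phone-b`, and all file names are constructed for the demo and are not Cisco's.

```shell
#!/usr/bin/env bash
# Constructed demo: every CA and certificate here is generated locally.
set -u
work=$(mktemp -d)
cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

make_ca() {      # $1 = CA name -> $work/$1.pem and $work/$1.key
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$work/ca.cnf" \
        -subj "/CN=$1" -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

make_phone() {   # $1 = issuing CA name, $2 = phone name -> $work/$2.pem
    openssl req -new -newkey rsa:2048 -nodes -config "$work/ca.cnf" \
        -subj "/CN=$2" -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
    openssl x509 -req -in "$work/$2.csr" -CA "$work/$1.pem" -CAkey "$work/$1.key" \
        -CAcreateserial -days 2 -out "$work/$2.pem" 2>/dev/null
}

check_phone() {  # $1 = CA bundle (what ca_file would point at), $2 = phone cert
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "OK"
    else
        # Show the issuer so you know which CA certificate to look for.
        echo "REJECTED by this bundle; $(openssl x509 -in "$2" -noout -issuer)"
    fi
}

make_ca demo-ca-1; make_ca demo-ca-2
make_phone demo-ca-1 phone-a                      # chains to the trusted CA
make_phone demo-ca-2 phone-b                      # chains to a CA not yet trusted
cp "$work/demo-ca-1.pem" "$work/bundle.pem"       # bundle trusts only demo-ca-1

echo "phone-a: $(check_phone "$work/bundle.pem" "$work/phone-a.pem")"
echo "phone-b: $(check_phone "$work/bundle.pem" "$work/phone-b.pem")"
cat "$work/demo-ca-2.pem" >> "$work/bundle.pem"   # add the missing issuer
echo "phone-b, issuer added: $(check_phone "$work/bundle.pem" "$work/phone-b.pem")"
```

Against real hardware, `check_phone` would be run with the production bundle and a certificate exported from a phone that fails; the issuer it prints is the CA certificate that has to be obtained and appended.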