802.1x EAP-TLS with Cisco IP-Phone on MS NPS

sebastiangille
Level 1

Hi,

Does anybody have 802.1x EAP-TLS with IP phones (e.g. 7962G) on Microsoft NPS up and running?

With ACS it is not a problem at all.

Thanks

Sebastian

23 Replies

jomcgaug
Level 4

Hi Sebastian,

The biggest issue I've seen with Microsoft and 802.1x is CSCsr71675.

Basically Microsoft only allows a 20-character user name. The user name of the phone comes in the following format:

CP-7961G-GW-SEP001E7AC40641

This exceeds the 20-character limit and causes it to fail. If that can be changed on the Microsoft side then you shouldn't have any issues. Make sure the firmware on the phones is on the latest and greatest as well.

John

timohaas
Level 1

Hi Sebastian,

we have the same problem. Actually the username isn't the problem; we changed that.

The problem we weren't able to solve is the certificate schema expected by the NPS: the NPS expects a SAN (subject alternative name) in the cert from the phone. But the cert for the phone is issued by the CUCM and does not have that information field written.

We do not have a solution. Looking forward to getting input from you; maybe we can find a solution together.

Timo

Hi,

Why is the username not a problem, did you fix that?

I am thinking about using an ACS for the phones and forwarding the authentication traffic for the computers from ACS to NPS; I'm not sure if that works together.

Hi again,

You can change the username that is used internally in the Microsoft check with a wildcard match and replacement at NPS.

If you would like to know more, send me a private message with your mail contact and we will get in touch; I will send some screenshots.

Hi all !

Have you solved this problem (LSC certificate)? I am facing the same problem and I have not found the solution yet.

This is the last e-mail that Microsoft TAC has sent to the customer:

====================================================================================

As per the discussion, we need to engage Vendor on the case to find out why the CRL Distribution Point (CDP) and AIA paths are missing from the certificate. Ideally CDP contains that Revocation List of the certificates and AIA is used for building the certificate chain.

"Please find below some more information about the same from Microsoft TechNet Article :

CRL Distribution Points : This extension contains one or more URLs where the issuing CA’s base certificate revocation list (CRL) is published. If revocation checking is enabled, an application will use the URL to retrieve an updated version of the CRL. URLs can use HTTP, LDAP or File.

Authority Information Access : This extension contains one or more URLs where the issuing CA’s certificate is published. An application uses the URL when building a certificate chain to retrieve the CA certificate if it does not exist in the application’s certificate cache."

=====================================================================================

Thanks for your help!

Luis

bj howell
Level 1

I've managed to figure out the regular expression that you can use to replace the Cisco username with a service account, with some help from a friend of mine. Under Connection Request Policies, go to the policy you created to authenticate your phones, right click > Properties > Settings tab, and select Attribute. In the drop-down to the right select User-Name and click Add. Once the Attribute Manipulation Rule window opens, put CP-7945G-SEP\w{12} under Find: and in the Replace with: field add your username.
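As an added illustration of the Find/Replace rule described above (example code written for this thread, not taken from the post or from NPS itself): it applies the post's pattern, plus a broader assumed pattern that also covers the "-GW-" style name quoted earlier in the thread, to some constructed User-Name values and reports whether each name exceeds the 20-character limit mentioned at the top of the thread. The service-account name "phone-svc" and the second rule are assumptions.

```python
import re

# NPS Attribute Manipulation rules as (Find, Replace with) pairs, applied in order,
# mirroring the Connection Request Policy User-Name rule from the post.
# Rule 0 is the exact pattern from the post (.NET regex syntax; \w{12} works the same in Python).
# Rule 1 is an assumption: a broader pattern for other models and the "CP-7961G-GW-SEP..." form.
NPS_USERNAME_RULES = [
    (r"CP-7945G-SEP\w{12}", "phone-svc"),
    (r"^CP-[\w-]+-SEP[0-9A-Fa-f]{12}$", "phone-svc"),
]

# Username length limit the thread attributes to CSCsr71675.
NPS_MAX_USERNAME = 20


def rewrite_username(username, rules=NPS_USERNAME_RULES):
    """Apply the first matching Find/Replace rule.

    Returns (rewritten_name, index_of_matching_rule); the index is None and the
    name is unchanged when no rule matches (e.g. a normal domain user logging in
    from a laptop on the same switch port)."""
    for idx, (find, repl) in enumerate(rules):
        new_name, count = re.subn(find, repl, username)
        if count:
            return new_name, idx
    return username, None


def exceeds_limit(username):
    """True when the name would trip the 20-character limit."""
    return len(username) > NPS_MAX_USERNAME


def check_phone_usernames(usernames):
    """Report, per candidate User-Name, the rewrite result and the length check before/after."""
    report = {}
    for name in usernames:
        new_name, rule = rewrite_username(name)
        report[name] = {
            "rewritten": new_name,
            "rule": rule,
            "too_long_before": exceeds_limit(name),
            "too_long_after": exceeds_limit(new_name),
        }
    return report


if __name__ == "__main__":
    # Constructed sample User-Names: two phone formats from the thread and one ordinary user.
    samples = ["CP-7945G-SEP001E7AC40641", "CP-7961G-GW-SEP001E7AC40641", r"CONTOSO\jsmith"]
    for name, result in check_phone_usernames(samples).items():
        print(name, "->", result)
```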

We have exactly the same scenario and are facing the same problem, and I would be very happy to find a solution.

Sadly the phone doesn't seem to support SCEP to acquire a certificate from our own (internal) CA.

Kind Regards
René

I did it another way: for phone dot1x I use only ACS, and for machine dot1x ACS with Windows 2008 R2 as the CA.

It was the best way in my case.

So I could authenticate the phone and the machine (PC, laptop, etc.) with EAP-TLS without any problems.

The phone gets the LSC over the CAPF from CUCM; import the CUCM certs into the ACS certificate store and the phone authenticates against the ACS.

The machine gets its certificate from the Windows CA; import the root cert into ACS, manually create an ACS cert signing request to the Windows CA and bind the resulting cert in the ACS.

Now all requests, phone and machine, will pass through the ACS.

Hi Sebastian,

I have been searching the forums for hours and I have finally come across what I am looking for. From what you are saying, if I am trying to have 802.1x authentication for both the laptop users and Cisco IP phones, the best method is by using the ACS. We were able to get the laptops authenticated with NPS, but the phones are another issue since they connect on the same port as the laptops.

I have to present a solution for 802.1x for a customer that has a converged VoIP network. Can I safely advise that NPS will not work if they want certificate-based authentication for both IP phones and clients?

Hi,

I never tried it with NPS on Win 2008 a second time.

I will take a shot with NPS on Windows 2012 in the near future.

As far as I can tell, it works perfectly with ACS or ISE and a Windows CA.

Hello everyone,

I can assure you that NPS will _NOT_ work with Cisco IP phones! You have to use ACS, ISE or another RADIUS server (like Aruba ClearPass or FreeRADIUS). But Microsoft NPS (I tested NPS on Server 2012 R2) is a no-go. NPS and clients (laptops, smartphones, ...) work perfectly fine (for example with a Windows CA). But not with IP phones. The reason for that is that the Cisco certificates for the IP phones are missing two attributes which are mandatory for NPS. I have filed a feature defect report with Cisco (Call Manager 10.5), but I don't know if they will fix this.

I also wrote a blog post about this subject (in German). The conclusion is: if you want/need to use EAP-TLS for both phones and other clients, you have to use a full-blown RADIUS server (like the ones I already mentioned).

Best regards,

René

Thanks René/Sebastian for your prompt and detailed response on the topic. I can now move forward with creating a new solution with Cisco ACS for this deployment to work.

Again, thanks

Hi René/Sebastian,

I have one further question: for a phone to use certificate-based authentication using the LSC certificate, will I need USB tokens for the CUCM to generate a certificate? And can I use an external CA-signed certificate, for instance from a Microsoft CA? I am seeing mixed information in the guides. Can you provide guidance?

I have to provide a solution moving forward and I want to have a good working design for 802.1x authentication using certificates for both clients and IP phones.

Sorry, I forgot to add one additional piece of information!

Microsoft NPS works fine if you use the MIC certificates! If you use Call Manager 10 or higher you don't need the USB tokens anymore to issue LSC certificates. You let your (root or intermediate) CA sign the Call Manager CAPF certificate. That's it. After that you can issue LSC certificates for your phones from Call Manager.

If I remember correctly, the USB tokens are solely used (nowadays) for voice encryption. But maybe I'm wrong here and there is no use for them in Call Manager 10 and above. It's been six months since we implemented all of this...

Best regards,

René