08-18-2011 06:01 AM - edited 03-16-2019 06:33 AM
Hi,
Does anybody have 802.1X EAP-TLS with IP phones (e.g. 7962G) on Microsoft NPS up and running?
With ACS it is not a problem at all.
Thanks
Sebastian
08-23-2011 12:48 PM
Hi Sebastian,
The biggest issue I've seen with Microsoft and 802.1x is CSCsr71675.
Basically Microsoft only allows a 20-character user name. The user name of the phone comes in the following format:
CP-7961G-GW-SEP001E7AC40641
This exceeds the 20-character limit and causes it to fail. If that can be changed on the Microsoft side then you shouldn't have any issues. Make sure the firmware on the phones is the latest and greatest as well.
John
11-04-2011 02:17 AM
Hi Sebastian
We have the same problem. Actually the username isn't the problem; we changed that.
The problem we weren't able to solve is the certificate schema from the NPS: the NPS expects a SAN (subject alternative name) in the cert from the phone, but the cert for the phone is issued by the CUCM and does not have that information field written.
We do not have a solution; looking forward to input from you, and maybe we can find a solution together.
Timo
11-08-2011 07:10 AM
Hi,
Why is the username not a problem? Did you fix that?
I am thinking about using an ACS for the phones and forwarding the authentication traffic for the computers from ACS to NPS; I'm not sure if that works together.
11-10-2011 07:44 AM
Hi again,
You can change the username that is used internally in the MS check with a wildcard match and replacement at NPS.
If you would like to know more, send a private message with your mail contact and we will get in touch and I will send some screenshots.
03-16-2012 12:24 PM
Hi all !
Have you solved this problem (LSC certificate)? I am facing the same problem and I have not found the solution yet.
This is the last e-mail that Microsoft TAC has sent to the customer:
====================================================================================
As per the discussion, we need to engage the vendor on the case to find out why the CRL Distribution Point (CDP) and AIA paths are missing from the certificate. Ideally the CDP contains the revocation list of the certificates and the AIA is used for building the certificate chain.
"Please find below some more information about the same from a Microsoft TechNet article:
CRL Distribution Points : This extension contains one or more URLs where the issuing CA’s base certificate revocation list (CRL) is published. If revocation checking is enabled, an application will use the URL to retrieve an updated version of the CRL. URLs can use HTTP, LDAP or File.
Authority Information Access : This extension contains one or more URLs where the issuing CA’s certificate is published. An application uses the URL when building a certificate chain to retrieve the CA certificate if it does not exist in the application’s certificate cache."
=====================================================================================
Thanks for your help!
Luis
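As an added example (not from the thread, and not anything CUCM, ACS or NPS ships), the following POSIX shell script uses openssl to build a self-signed stand-in for the CAPF issuer and two phone client certificates from one key: one shaped like the LSC the thread describes (no CRL Distribution Points, no Authority Information Access and, as Timo noted earlier, no SAN) and one re-issued with all three extensions. It then runs the check a practitioner would run on a real LSC: dump the extensions and verify the chain against the issuer. The phone identity, MAC address, serial and URLs are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not CUCM or NPS code): build two client
# certificates that mirror the two shapes the thread argues about, then check
# each for the extensions NPS evaluates. The "CAPF" issuer is a self-signed
# stand-in generated locally; identity, MAC, serial and URLs are made up.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the CUCM CAPF issuing CA (self-signed, for the example only).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=CAPF-stand-in' \
    -keyout "$WORK/capf.key" -out "$WORK/capf.pem" 2>/dev/null

# Phone key and CSR with a subject in the format the thread shows (made-up MAC).
openssl req -newkey rsa:2048 -nodes -subj '/CN=CP-7962G-SEP001E7AC40641' \
    -keyout "$WORK/phone.key" -out "$WORK/phone.csr" 2>/dev/null

# issue EXTFILE OUT: sign the phone CSR with the stand-in CAPF using EXTFILE
issue() {
    openssl x509 -req -in "$WORK/phone.csr" -CA "$WORK/capf.pem" -CAkey "$WORK/capf.key" \
        -CAcreateserial -days 30 -extfile "$1" -out "$2" 2>/dev/null
}

# Shape 1: what the thread reports for the LSC - a usable client cert, but
# no CRL Distribution Points, no Authority Information Access, no SAN.
cat > "$WORK/lsc.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
issue "$WORK/lsc.ext" "$WORK/lsc.pem"

# Shape 2: the same identity re-issued with the three extensions
# (placeholder URLs; an enterprise CA template would fill these in).
cat > "$WORK/full.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
crlDistributionPoints = URI:http://pki.example.test/capf.crl
authorityInfoAccess = caIssuers;URI:http://pki.example.test/capf.crt
subjectAltName = DNS:SEP001E7AC40641.phones.example.test
EOF
issue "$WORK/full.ext" "$WORK/full.pem"

LSC_CERT="$WORK/lsc.pem"
FULL_CERT="$WORK/full.pem"

# has_ext CERT LABEL: exit 0 when the text dump of CERT lists that extension
has_ext() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# nps_missing CERT: print the NPS-relevant extensions CERT lacks
# ("CDP AIA SAN" for the LSC shape, empty string when all are present)
nps_missing() {
    missing=''
    has_ext "$1" 'X509v3 CRL Distribution Points'  || missing="$missing CDP"
    has_ext "$1" 'Authority Information Access'    || missing="$missing AIA"
    has_ext "$1" 'X509v3 Subject Alternative Name' || missing="$missing SAN"
    printf '%s\n' "${missing# }"
}

# chain_ok CERT: exit 0 when CERT verifies against the stand-in CAPF cert,
# i.e. the chain a RADIUS server can build once the issuer cert is imported
chain_ok() {
    openssl verify -CAfile "$WORK/capf.pem" "$1" >/dev/null 2>&1
}

# Demo: both certs chain fine; only the re-issued one carries the extensions.
for c in "$LSC_CERT" "$FULL_CERT"; do
    if chain_ok "$c"; then chain='chain ok'; else chain='chain FAILS'; fi
    m=$(nps_missing "$c")
    printf '%s: %s; missing: %s\n' "$(basename "$c")" "$chain" "${m:-none}"
done
```

To check a real LSC exported from a phone, run the same `openssl x509 -in <file> -noout -text` and look for the three extension headings; a certificate that verifies against the CAPF certificate but lacks them is the case the Microsoft e-mail above describes.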
07-05-2012 09:48 PM
I've managed to figure out the regular expression that you can use to replace the Cisco username with a service account, with some help from a friend of mine. Under Connection Request Policies, go to the policy you created to authenticate your phones, right-click > Properties > Settings tab, and select Attribute. In the drop-down to the right select User-Name and click Add. Once the Attribute Manipulation Rule window opens, put CP-7945G-SEP\w{12} under Find: and in the Replace with: field add your username.
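As an added illustration (not part of the thread, and not NPS code), the following POSIX shell script applies the same Find/Replace logic to constructed User-Name samples. It uses the model-specific pattern from the post above and a broader pattern, assumed here, that also covers the CP-<model>-GW-SEP<MAC> form quoted earlier in the thread, and checks each result against the 20-character limit mentioned there. NPS evaluates its rules with .NET regular expressions; the patterns are plain enough that grep -E reads them the same way, except that `\w{12}` is spelled out as a character class.

```shell
#!/bin/sh
# Added example (not from the thread, not NPS code): what the NPS Connection
# Request Policy "Find / Replace with" rule on User-Name does to Cisco phone
# identities, and why a model-specific Find pattern rewrites only one model.
# Sample User-Name values are constructed in the format the thread shows;
# the MAC addresses are made up.

NPS_MAX_USERNAME=20          # limit quoted in the thread (CSCsr71675)
SERVICE_ACCOUNT='svc-phones' # assumed replacement account name

# Find pattern from the post above; [0-9A-Za-z_]{12} is the ERE spelling of \w{12}.
NARROW_RE='CP-7945G-SEP[0-9A-Za-z_]{12}'
# Assumed broader pattern: any CP-<model>, optional -GW, then SEP + 12 hex digits.
BROAD_RE='^CP-[0-9A-Z]+(-GW)?-SEP[0-9A-F]{12}$'

# matches RE STRING: exit 0 when STRING matches RE
matches() {
    printf '%s\n' "$2" | grep -Eq "$1"
}

# rewrite_username RE REPLACEMENT USERNAME
# Prints what NPS hands on after the rule: REPLACEMENT when the Find pattern
# matches, otherwise the original User-Name untouched (so a phone the pattern
# misses is still evaluated under its long name).
rewrite_username() {
    if matches "$1" "$3"; then
        printf '%s\n' "$2"
    else
        printf '%s\n' "$3"
    fi
}

# fits_nps_limit USERNAME: exit 0 when the name is at most 20 characters
fits_nps_limit() {
    [ "${#1}" -le "$NPS_MAX_USERNAME" ]
}

# report LABEL RE USERNAME: one line showing the rewrite and the length verdict
report() {
    out=$(rewrite_username "$2" "$SERVICE_ACCOUNT" "$3")
    if fits_nps_limit "$out"; then verdict='ok'; else verdict='too long for NPS'; fi
    printf '%-7s %-28s -> %-28s %s\n' "$1" "$3" "$out" "$verdict"
}

# Demo over constructed identities: the narrow rule leaves the 7962G and the
# 7961G-GW phones under their 24- and 27-character names; the broad rule
# rewrites all three and leaves a laptop's name alone.
for name in CP-7945G-SEP001E7AC40641 CP-7962G-SEP001E7AC40641 \
            CP-7961G-GW-SEP001E7AC40641 laptop01.example.test; do
    report narrow "$NARROW_RE" "$name"
    report broad  "$BROAD_RE"  "$name"
done
```

Whatever pattern is used, anchor it (as the broad one is) so that it cannot match inside a computer account name, and keep the replacement account itself under 20 characters.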
04-25-2013 02:18 PM
We have exactly the same scenario and facing the same problem and I would be very happy to find a solution.
Sadly the phone doesn't seem to support SCEP to acquire a certificate from our own (internal) CA.
Kind regards
René
06-26-2013 02:37 AM
I did it another way and use ACS only for phone dot1x, and for machine dot1x ACS with Windows 2008 R2 as CA.
It was the best way in my case.
So I could authenticate the phone and the machine (PC, laptop, etc.) with EAP-TLS without any problems.
The phone gets the LSC over CAPF from CUCM; import the CUCM certs into the ACS certificate store and the phone authenticates against the ACS.
The machine gets its certificate from the Windows CA; import the root cert into ACS, manually create an ACS certificate signing request to the Windows CA and bind the resulting cert in the ACS.
Now all requests, phone and machine, will pass the ACS.
02-21-2015 01:23 PM
Hi Sebastian,
I have been searching the forums for hours and I have finally come across what I am looking for. From what you are saying, if I am trying to have 802.1x authentication for both the laptop users and Cisco IP phones, the best method is by using the ACS. We were able to get the laptops authenticated with NPS, but the phones are another issue since they connect on the same port as the laptops.
I have to present a solution for 802.1x for a customer that has a converged VoIP network. Can I safely advise that NPS will not work if they want certificate-based authentication for both IP phones and clients?
02-21-2015 02:47 PM
Hi,
I never tried it with NPS on Win 2008 a second time.
I will take a shot with NPS on Windows 2012 in the near future.
As far as I can tell, it works perfectly with ACS or ISE and a Windows CA.
02-21-2015 03:01 PM
Hello everyone,
I can assure you that NPS will _NOT_ work with Cisco IP phones! You have to use ACS, ISE or another RADIUS server (like Aruba ClearPass or FreeRADIUS). But Microsoft NPS (I tested NPS on Server 2012 R2) is a no-go. NPS and clients (laptops, smartphones, ...) work perfectly fine (for example with a Windows CA), but not with IP phones. The reason for that is that the Cisco certificates for the IP phones are missing two attributes which are mandatory for NPS. I have filed a feature defect report with Cisco (Call Manager 10.5), but I don't know if they will fix this.
I also wrote a blog post about this subject (in German). The conclusion is: if you want/need to use EAP-TLS for both phones and other clients, you have to use a full-blown RADIUS server (like the ones I already mentioned).
Best regards,
René
02-21-2015 03:10 PM
Thanks René/Sebastian for your prompt and detailed response on the topic. I can now move forward with creating a new solution with Cisco ACS for this deployment.
Again thanks
02-21-2015 03:20 PM
Hi René/Sebastian,
I have one further question: for a phone to use certificate-based authentication using the LSC certificate, will I need USB tokens for the CUCM to generate a certificate? And can I use an external CA-signed certificate, for instance from a Microsoft CA? I am seeing mixed information in the guides. Can you provide guidance?
I have to provide a solution moving forward and I want to have a good working design for 802.1x authentication using certificates for both clients and IP phones.
02-21-2015 03:57 PM
Sorry, I forgot to add one additional piece of information!
Microsoft NPS works fine if you use the MIC certificates! If you use Call Manager 10 or higher you don't need the USB tokens anymore to issue LSC certificates. You let your (root or intermediate) CA sign the Call Manager CAPF certificate. That's it. After that you can issue LSC certificates for your phones from Call Manager.
If I remember correctly, the USB tokens are nowadays used solely for voice encryption. But maybe I'm wrong here and there is no use for them in Call Manager 10 and above. It's been six months since we implemented all of this...
Best regards,
René