Hi,

why is the username not a problem, did you fixed that?

I think about to use an ACS for Phone and forward the authentication traffic for Computer by ACS  to NPS, i'm not sure if that operates together.

Hi again,

you can change the username which is used internal in the MS checking with a wildcard-match and replacement at NPS.

If you like to now more - privat message with your mail contact and we will get in touch and i send some screenshots..

Hi all !

Have you solved this problem (LSC certificate )? I am facing the same problem and I did not find the solution yet.

This is the last e-mail that Microsoft TAC has sent to the customer:

====================================================================================

As per the discussion, we need to engage Vendor on the case to find out why the CRL Distribution Point (CDP) and AIA paths are missing from the certificate. Ideally CDP contains that Revocation List of the certificates and AIA is used for building the certificate chain.

"Please find below some more information about the same from Microsoft TechNet Article :

CRL Distribution Points : This extension contains one or more URLs where the issuing CA’s base certificate revocation list (CRL) is published. If revocation checking is enabled, an application will use the URL to retrieve an updated version of the CRL. URLs can use HTTP, LDAP or File.

Authority Information Access : This extension contains one or more URLs where the issuing CA’s certificate is published. An application uses the URL when building a certificate chain to retrieve the CA certificate if it does not exist in the application’s certificate cache."

=====================================================================================

Tks for your help !!!!!!!

Luis

I did it another way and use for phone dot1x only ACS and for machine dot1x ACS and Windows 2008 R2 as CA.

It was the best way in my case.

So i could authenticate the phone and the machine(PC,Laptop e.g.) with eap-tls without any problems.

The phone gets the lsc over the CAPF from CUCM, import the CUCM certs in the ACS certificate store and the phone authenticate within the ACS.

the machine gets his certificate from the Windows CA, import the root cert to acs, manual create a ACS cert signing request to the Windows CA and bind the result cert in the acs.

Now all requests, phone and machine,will pass the ACS.

Hi Sebastian,

I have been searching the forums for hours and I have finally come across what i am looking. From what you are saying if I am trying to have 802.1x authentication for both the laptop users and Cisco ip phones, the best method is by using the ACS. We were able to get the laptops authenticated with nps but the phones are another issue since they connect on the same port as the laptops. 

I have to present a solution for 802.1x for a customer that has a converged VoIP network, can i safely advise that the nps will not work if  they want a certificate based authentication for both ip phones and clients?

Hi,

i never tried it with nps on Win 2008 a second time.

I will take a shot with NPS on Windows 2012 in the near future.

As far as i can tell, it works perfect with ACS or ISE and Windows CA

Hello everyone,

I can asure you, that NPS will _NOT_ work with Cisco IP-Phones! You have to use ACS, ISE oder another radius server (like Aruba Clearpass or Freeradius). But Microsoft NPS (I testen NPS on Server 2012 R2) is a nogo. NPS & Clients (Laptop, Smartphones, ...) work perfectly fine (for example with a Windows CA). But not with IP-Phones. The reason for that is that the Cisco certificates for the IP-Phones are missing two attributes which are mandatory for NPS. I have filed a feature defect report with Cisco (Call Manager 10.5), but I don't know if they will fix this.

I also wrote a blog post about this subject (in german). The conclusion is: If you want/need to use EAP-TLS for both phones and other clients you have to use a full blown radius server (like the ones I already mentioned).

Best regards,

René

Thanks Rene/Sebastian for your prompt and detailed response on the topic. I can now move forward with creating a new solution with Cisco ACS for this deployment to work.

Again thanks

Hi Rene/Sebastian,

I have one further question, for a phone to use certification based authentication using the LSC certificate, will i need usb tokens for the CUCM to generate a certificate? And can i use an external CA signed certificate for instance microsoft CA? I am seeing mixed information on the guides....Can you provide guidance?

I have to provide a solution moving forward and i want to have a good working design for 802.1x authentication using certficates for both clients and ip phones.

Sorry, I forgot to add one additional information!

Microsoft NPS works fine if you use the MIC certificates! If you use Call Manager 10 or higher you don't need the usb tokens anymore to issue lsc certificates. You let your (root or intermediate) CA sign the Call Manager capf certificate. That's it. After that you can issue lsc certificates for your phones from Call Manager.

If I remember correctly, the usb tokens are solely used (nowadays) for voice encryption. But maybe I'am wrong here and there is no use for them in Call Manager 10 and above. It's been six months since we implemented all of this...

Best regards,

René