Thanks for the info. I would like to try this method using the MIC certificate. So my steps would be to download the MIC root certificate from CUCM and import it into NPS and then try to authenticate the phones? Are these the right steps? Am I missing anything?
As for the LSC, the customer has CUCM 9.1(2), so they will require the USB tokens if they are using the root certificate from the CUCM. I will have to look at the third-party certificates to see if this will work.
I'm not sure if the root/intermediate certificates for the MIC are available via the Call Manager. But you can surely download them from here: http://www.cisco.com/security/pki/
After that, you (for example via Group Policy) import them into your NPS server(s) truststore.
Then you create a policy and that should be it.
But the right policy set can be very tricky. We got it up and running (for a test) with a regular expression like bjforesthowell recommended a few years ago in this thread.
But I would prefer EAP-TLS with certificates I have issued to devices I "know". MIC will work for sure, but you also trust _every_ single device Cisco has built. And this is a major security issue if you ask me.
I would rather stick with ACS or another radius server to do this properly, but this is up to you/your customer.
I totally agree with you on a solution with LSC certificates and an ACS server for the IP phones.
Thanks my friend, I will speak to my customer.
This might be a long shot (you've mentioned you're not using NPS).
But when we use our MIC certificates, there seem to be issues with the account it is trying to authenticate with. It looks like it is accepting the certificates as valid, but when checking the user account in Active Directory, NPS/EAP throws the following error:
QuerySecurityContextToken failed and returned 0x8009030b
and Active Directory says that there was a logon failure (unknown user name or bad password).
I am assuming it is getting past the certificate stage, and validating the user, but there is no password (or at least, it shouldn't need to use one?) being used.
Thank you. However, we are using 7821 IP Phones, which I believe only support EAP-TLS. (EAP-MD5 doesn't appear in the 802.1x menu on the phone, and the tech specs only mention EAP-TLS.)
Also, as far as I know, EAP-MD5 shared secrets must be set manually on each phone, which isn't practical in a large environment.
Did you ever get this running, MIC certs with IP Phones and NPS?
I am trying to get it done, but it has failed so far. I have a CP-6945 IP Phone with a MIC cert on it, and I want to do EAP-TLS authentication to NPS 2008R2. I imported the Cisco Root CA and Manufacturing CA into NPS. I also got NPS to look up usernames with more than 20 characters. I used a Connection Request Policy and added the domain to the username (firstname.lastname@example.org) so NPS was able to find the user. But I get the following error message from NPS:
Reason Code: 295
Reason: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
And what about the German blog you wrote? What is the URL to look it up?
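The import steps described earlier in the thread (download the Cisco root and Manufacturing CA, put them in the NPS trust store) and the "CA certificate is not trusted" reason code 295 above both come down to whether the NPS machine can build a trusted chain for the phone's MIC. The following PowerShell is an added example, not code from any poster: it imports the two CA files into the LocalMachine stores NPS reads, then builds the chain for an exported MIC the way Windows does and prints the subject CN that NPS will try to match against AD. The file names under C:\CiscoPKI are placeholders; Import-Certificate needs the PKI module (Server 2012 or later), on 2008R2 use certutil -addstore Root / certutil -addstore CA for the same two imports.

```powershell
# Added example, not from the thread. Assumes the Cisco CA files were downloaded
# from http://www.cisco.com/security/pki/ into C:\CiscoPKI and that one phone MIC
# was exported to C:\CiscoPKI\phone-mic.cer (all paths are placeholders).
$ErrorActionPreference = 'Stop'
$pkiDir = 'C:\CiscoPKI'

# Root CA belongs in Trusted Root Certification Authorities, the Manufacturing CA
# in Intermediate Certification Authorities, both in the *machine* store. NPS does
# not read the CurrentUser store, so importing there looks fine but changes nothing.
Import-Certificate -FilePath "$pkiDir\cisco-root-ca.cer" `
    -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath "$pkiDir\cisco-manufacturing-ca.cer" `
    -CertStoreLocation Cert:\LocalMachine\CA | Out-Null

# Build the chain for the phone MIC from the machine stores we just populated.
$mic   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$pkiDir\phone-mic.cer"
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation is skipped here so the check runs offline; NPS itself may still check it.
$chain.ChainPolicy.RevocationMode = 'NoCheck'

if ($chain.Build($mic)) {
    $path = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
    "Chain OK: $path"
} else {
    # UntrustedRoot or PartialChain here is the same trust gap NPS reports as reason code 295.
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) - $($_.StatusInformation)" }
}

# The subject CN is the identity NPS matches against AD; the thread notes these
# exceed the 20-character sAMAccountName limit, so print it with its length.
$cn = ($mic.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', ''
"MIC subject CN: $cn (length $($cn.Length))"
```

Run it on the NPS server itself, since the chain is built against that machine's stores and a result that differs from the NPS log points at a store or permission difference rather than at the policy.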
Sorry, but I have to cut it short (I have a training starting in a few minutes). If you are interested, drop me a short mail to <first name>@<last name>.de and I will answer you as soon as possible.
Then I can also explain how to access my blog (it's invite only since last year).