cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11823
Views
0
Helpful
15
Replies

802.1x phone authentication for EAP-TLS using MS NPS radius server?

Jerry Cao
Level 1
Level 1

I cannont make it work. Anyone come across that?

15 Replies 15

Lappian0815
Level 1
Level 1

I want to use this contribution to said YES.

I can said IT works with Cisco phone series 78xx !!!

Yesterday i finished my Cisco Phone Lab (with 1x 7821 and 1x 7841) succesfully with MS NPS authentication and EAP-TLS. i've used a CUCM-Cluster (version 10.5.2) in Offline CA mode and an Windows 2008 R2 Server.

I have a problem with the Cisco Phones series 79xx (SCCP and SIP) and the LSC certificate to authenticate it on the MS NPS (Errorcode 262). A workaround is to use MD5 authentication for 802.1x, but for secure voice you can also use the LSC certificate from the Windows CA.

if you want to have the complete solution pm me.

Could you share the answer? I'm looking to use MIC certs for 7962 and 2008 Microsoft NPS. I'm having an issue where the phone isn't sending the correct EAP type. I've tried everything here... Please share!

Hi Cisco-ID,

you have to set "microsoft smartcard or other certificate" in your networkrule to use eap-tls with the cisco phone.

if you have an cucm 10.5 or higher, you can also use an LSC-Cert from your Windows CA to authenticate the phone.

if you have an cucm lower than 10.5, you can use MD5 Authentication.

Hey Lappian

That is indeed the settings I've tried and exploited to my very last nerve. I am on CUCM 10.5 and attempting with MIC with eap-tls. Were you able to accomplish said condition?

Was any certificate mapping required in active directory to the used service account?

https://technet.microsoft.com/en-us/library/cc736781(v=ws.10).aspx

The NPS is translating the incoming mac to this service account.

Hi CSCO11894119,

have you tested the settings with the service principal name?

you need both, the subject alternative name (SAN) in the certificate and the service principal name (SPN) in the user account.

for 79xx phones with NPS 2008 R2 you have to limit the certificates to 1024 Bit.

Now i can say 802.1x EAP-TLS works with 78xx and 79xx phones, LSC Certificate from NPS 2008 R2 and CUCM 10.5.2.

Hi,

can you confirm which value we have to use to create username in AD?

I used  CP-<model>-SEP-<MAC> format with no success.

I upload both mic certificates on NPS server 

(You can download these certificate from there if I'm correct:

http:/​/​www.cisco.com/​security/​pki/​certs/​cmca2.cer

http:/​/​www.cisco.com/​security/​pki/​certs/​crcam2.cer)

In NPS log I have this error:

The specified user account does not exist.

Does it because username used by IP Phone is longer than 20 characters?

Yes it does. You have to "manipulate" the Username in NPS. What I did was to add a @your.domain at the end of the username.

I've managed to figure out the regular expression that you can use to replace/modify the Cisco username. Under Connection Request Policies, go to the policy you created to authenticate your phones right click > Properties > Settings  Tab select Attribute. Go to the drop down to the right select User-Name and click add...

https://technet.microsoft.com/en-us/library/dd197583(WS.10).aspx

That's what I tried but it didn't worked for me.

Hi Nicolas, Hi Rene,

I've manipulated the Connection Request Policy for the Username to cut the CP-<model>- off and use the Rest of the IP-Phone Model for the Useraccount (Username).

I've used SEP<MAC> for all Useraccounts in addition manipulate the SPN into host/SEP<MAC>.

greets

Lappian

Hy Lappian,

can u provide your solution to me. We are using NPS for 802.1x too.

But our 802.1x guys are facing Problems with the AD Objects.

How must the USER (Phone) be configured/added to AD to be used within NPS

u can reach me at firstname (without the 1) dot lastname @grz.at

many thnxs and cheers

Hello,

for me I can say we didn't got it up and running with NPS and EAP-TLS. I did a lot of research on the Internet, talked to a lot of People abouth the Problem and we also opened a TAC case without a positive Feedback from Cisco about using NPS for IP Phone Authentication. For now, we are using MAB for IP Phone Authentication and NPS. We are looking forward to invest in Cisco ISE Appliance which is I guess the most usable solution.


Regards,

Rene

Hi,

At NPS we configure Regex to forward (relay) Phone-Request to ISE.

At ISE we use eap-tls only for phones which supports it.

But we are running POC! To run it within PROD there is a long way to go.

kind regards

Martin

Hi Martin and Rene,

i can say, it's possible to use LSC-Certificates for 802.1x Authentication with NPS. Also it´s possible to use the LSC-Certs for Secure Voice if the CUCM Callmanager Service have an Trusted Certificate from the root CA / Sub CA.

1. Use an User-Account for the Phones with SEP<MAC>

2. Manipulate the SPN to host/SEP<MAC>

3. Write an Connection Request Policy for the Username to cut the CP-<model>- off 

4. Change the CAPF-Mode in your CUCM to Offline CA

5. Generate an CSR with your CUCM for any Cisco-Phone you want to use

6. Send the CSR to your Windows-CA and set the SAN to SEP<MAC>

7. Load the Certificate over the CUCM to the Phone

8. Write a Networkrule with "microsoft smartcard or other certificate"

9. Connect the Rule over a Windows Group with your User

That´s it.

If you use 79xx Phones think about the Certificates max Bits is 1024.

Greetz

Lappian

Hi Lappian0815,

I wanted to find out if you are able to get NPS to authenticate the ip phone. If so are you able share your NPS configuration with cisco ip phone. Where you able to use EAP-TLS or are you doing EAP-MD5.

In your situation did you create an account in active directory for all the phones.

Thanks

Raj

Hi Lappian,

I am interested in the complete solution, can you please share how you had setup NPS? I am trying to use MIC certs in first case, but all the time I get an error on NPS with error code 295 saying "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider."

I uploaded Root and Manufacturing CA to NPS Trust store. I also replaced incmoning Account name of IP Phone with one that can be looked up in AD.

Rene