08-11-2013 08:34 PM - edited 03-16-2019 06:47 PM
I cannot make it work. Has anyone come across that?
05-20-2016 06:07 PM
I want to use this contribution to say YES.
I can say IT works with Cisco phone series 78xx !!!
Yesterday I finished my Cisco Phone Lab (with 1x 7821 and 1x 7841) successfully with MS NPS authentication and EAP-TLS. I've used a CUCM cluster (version 10.5.2) in Offline CA mode and a Windows 2008 R2 server.
I have a problem with the Cisco Phones series 79xx (SCCP and SIP) and the LSC certificate to authenticate it on the MS NPS (error code 262). A workaround is to use MD5 authentication for 802.1x, but for secure voice you can also use the LSC certificate from the Windows CA.
If you want to have the complete solution, PM me.
06-16-2016 11:10 AM
Could you share the answer? I'm looking to use MIC certs for 7962 and 2008 Microsoft NPS. I'm having an issue where the phone isn't sending the correct EAP type. I've tried everything here... Please share!
07-14-2016 08:57 AM
Hi Cisco-ID,
You have to set "Microsoft: Smart Card or other certificate" in your network rule to use EAP-TLS with the Cisco phone.
If you have a CUCM 10.5 or higher, you can also use an LSC cert from your Windows CA to authenticate the phone.
If you have a CUCM lower than 10.5, you can use MD5 authentication.
07-14-2016 11:25 AM
Hey Lappian
Those are indeed the settings I've tried and exploited to my very last nerve. I am on CUCM 10.5 and attempting with MIC with EAP-TLS. Were you able to accomplish said condition?
Was any certificate mapping required in active directory to the used service account?
https://technet.microsoft.com/en-us/library/cc736781(v=ws.10).aspx
The NPS is translating the incoming mac to this service account.
07-21-2016 11:21 PM
Hi CSCO11894119,
Have you tested the settings with the service principal name?
You need both, the subject alternative name (SAN) in the certificate and the service principal name (SPN) in the user account.
For 79xx phones with NPS 2008 R2 you have to limit the certificates to 1024 bit.
Now I can say 802.1x EAP-TLS works with 78xx and 79xx phones, LSC certificate from NPS 2008 R2 and CUCM 10.5.2.
10-19-2016 07:07 AM
Hi,
Can you confirm which value we have to use to create the username in AD?
I used the CP-<model>-SEP-<MAC> format with no success.
I uploaded both MIC certificates on the NPS server
(you can download these certificates from there if I'm correct:
http://www.cisco.com/security/pki/certs/cmca2.cer
http://www.cisco.com/security/pki/certs/crcam2.cer)
In the NPS log I have this error:
The specified user account does not exist.
Is it because the username used by the IP Phone is longer than 20 characters?
10-19-2016 07:26 AM
Yes it does. You have to "manipulate" the Username in NPS. What I did was to add a @your.domain at the end of the username.
I've managed to figure out the regular expression that you can use to replace/modify the Cisco username. Under Connection Request Policies, go to the policy you created to authenticate your phones right click > Properties > Settings Tab select Attribute. Go to the drop down to the right select User-Name and click add...
https://technet.microsoft.com/en-us/library/dd197583(WS.10).aspx
That's what I tried but it didn't work for me.
01-01-2017 12:52 PM
Hi Nicolas, Hi Rene,
I've manipulated the Connection Request Policy for the username to cut the CP-<model>- off and use the rest of the IP phone name for the user account (username).
I've used SEP<MAC> for all user accounts and in addition manipulated the SPN into host/SEP<MAC>.
greets
Lappian
01-31-2017 06:12 AM
Hi Lappian,
can you provide your solution to me? We are using NPS for 802.1x too.
But our 802.1x guys are facing problems with the AD objects.
How must the USER (phone) be configured/added to AD to be used within NPS?
You can reach me at firstname (without the 1) dot lastname @grz.at
Many thanks and cheers
02-27-2017 01:24 AM
Hello,
For me I can say we didn't get it up and running with NPS and EAP-TLS. I did a lot of research on the Internet, talked to a lot of people about the problem and we also opened a TAC case without a positive feedback from Cisco about using NPS for IP phone authentication. For now, we are using MAB for IP phone authentication and NPS. We are looking forward to investing in a Cisco ISE appliance, which is I guess the most usable solution.
Regards,
Rene
02-27-2017 02:37 AM
Hi,
At NPS we configure a regex to forward (relay) phone requests to ISE.
At ISE we use EAP-TLS only for phones which support it.
But we are running a POC! To run it within PROD there is a long way to go.
kind regards
Martin
04-23-2017 01:43 PM
Hi Martin and Rene,
I can say it's possible to use LSC certificates for 802.1x authentication with NPS. It's also possible to use the LSC certs for Secure Voice if the CUCM CallManager service has a trusted certificate from the root CA / sub CA.
1. Use a user account for the phones with SEP<MAC>
2. Manipulate the SPN to host/SEP<MAC>
3. Write a Connection Request Policy for the username to cut the CP-<model>- off
4. Change the CAPF mode in your CUCM to Offline CA
5. Generate a CSR with your CUCM for any Cisco phone you want to use
6. Send the CSR to your Windows CA and set the SAN to SEP<MAC>
7. Load the certificate over the CUCM to the phone
8. Write a network rule with "Microsoft: Smart Card or other certificate"
9. Connect the rule over a Windows group with your user
That's it.
If you use 79xx phones, keep in mind that the certificates' maximum size is 1024 bits.
Greetz
Lappian
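As an added illustration (not code from any post in this thread), the following Python models the username handling that the posts above describe: the NPS Connection Request Policy rewrite that strips the CP-<model>- prefix and appends a realm, the SEP<MAC> AD account, the host/SEP<MAC> SPN, and the 20-character sAMAccountName check behind the "user account does not exist" error. The regex, the realm lab.example and the MAC addresses are constructed assumptions; NPS uses its own find/replace syntax, so the pattern is the Python equivalent, not a value to paste into NPS.

```python
import re

# Constructed sample User-Name values as NPS sees them from Cisco phones
# (model numbers from the thread, MAC addresses made up for this example).
SAMPLE_USER_NAMES = [
    "CP-7841-SEP001122334455",
    "CP-7962G-SEPAABBCCDDEEFF",
    "CP-7821-SEP0A0B0C0D0E0F",
]

# Assumed pattern modelling the Connection Request Policy "User-Name" rewrite:
# capture the SEP<MAC> part and drop the "CP-<model>-" prefix.
PHONE_NAME_RE = re.compile(r"^CP-[^-]+-(SEP[0-9A-Fa-f]{12})$")

# sAMAccountName (pre-Windows 2000 logon name) is limited to 20 characters,
# which the raw CP-<model>-SEP<MAC> string exceeds.
SAM_ACCOUNT_MAX = 20


def raw_name_fits_sam(user_name: str) -> bool:
    """True if the unmodified RADIUS User-Name could be a sAMAccountName."""
    return len(user_name) <= SAM_ACCOUNT_MAX


def manipulate_user_name(user_name: str, realm: str = "lab.example") -> str:
    """Rewrite CP-<model>-SEP<MAC> into SEP<MAC>@<realm> (the @domain trick)."""
    new_name, count = PHONE_NAME_RE.subn(r"\1@" + realm, user_name)
    if count == 0:
        raise ValueError(f"User-Name does not look like a Cisco phone: {user_name}")
    return new_name


def ad_account_for(user_name: str, realm: str = "lab.example") -> dict:
    """Derive the AD attributes the thread describes for one phone account."""
    upn = manipulate_user_name(user_name, realm)
    sam = upn.split("@", 1)[0]          # SEP<MAC>, used as sAMAccountName
    return {
        "sAMAccountName": sam,
        "userPrincipalName": upn,
        "servicePrincipalName": f"host/{sam}",   # SPN expected by EAP-TLS
        "sam_within_limit": len(sam) <= SAM_ACCOUNT_MAX,
    }


def plan_accounts(user_names=SAMPLE_USER_NAMES, realm: str = "lab.example") -> list:
    """Build the account plan for a list of phone User-Name values."""
    return [ad_account_for(name, realm) for name in user_names]
```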
02-22-2017 07:53 AM
Hi Lappian0815,
I wanted to find out if you are able to get NPS to authenticate the IP phone. If so, are you able to share your NPS configuration with the Cisco IP phone? Were you able to use EAP-TLS or are you doing EAP-MD5?
In your situation did you create an account in active directory for all the phones.
Thanks
Raj
10-18-2016 04:53 AM
Hi Lappian,
I am interested in the complete solution, can you please share how you set up NPS? I am trying to use MIC certs in the first case, but all the time I get an error on NPS with error code 295 saying "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider."
I uploaded the Root and Manufacturing CA to the NPS trust store. I also replaced the incoming account name of the IP phone with one that can be looked up in AD.
Rene