Authenticating phone via EAP-TLS

Nadav
Level 7

Hi everyone,


I'm trying to authenticate deskphones (LSC certs, not MIC) via EAP-TLS. I'm using the latest version of Radiator AAA server. I've read on the forum how this is done for phones which authenticate with a MIC, but I'm interested in the more secure LSC solution. My cluster is in mixed mode and each phone has an LSC installed.

As part of the configuration I need to supply the public and private key for the server authentication. I'm assuming the CAPF-trust certificate called CAPF-xxxxxxxx.pem is the public key (I took the one which appears under every phone's security menu). Anyone know how to extract the private key?

Better yet, can anyone provide a snippet of radiator configuration for authenticating with LSC?


Thanks for the help :)

4 Replies

Hi,


Did you use a self-signed certificate for CAPF, or did you install a signed one?

Created via CTL client and two SASTs to sign it, so it should be self-signed.

If I were to take a SAST and use Safenet utility used for the CTL client, would the exported certificate be the server's private key? Would I need all such certificates from the SASTs for EAP-TLS?

Nadav
Level 7

Does anyone have any idea how to extract the private keys of the CAPF (which was installed via CTL client)?

Nadav
Level 7

With some trial and error I've found how to configure Radiator to authenticate by EAP-TLS with LSC certificates. Below is the relevant handler for 78xx series phones:


<Handler User-Name = /^CP-78/>
    <AuthBy FILE>
        Filename %{GlobalVar:MY_DIRECTORY}/users

        EAPType TLS
        EAPTLS_Protocols TLSv1,TLSv1.1,TLSv1.2

        # Trust anchor for the phones: the CAPF certificate exported from CUCM,
        # i.e. the CA that issued the phones' LSCs (certificate only, no private key)
        EAPTLS_CAPath %{GlobalVar:CERT_DIRECTORY}
        EAPTLS_CAFile %{GlobalVar:CISCO_CAPF_FILE}

        # Radiator's own server certificate and its private key; here both live in
        # the same PEM file, which is why the two directives point at one file
        EAPTLS_CertificateFile %{GlobalVar:RADIATOR_SERVER_CERT}
        EAPTLS_PrivateKeyFile %{GlobalVar:RADIATOR_SERVER_CERT}
        EAPTLS_PrivateKeyPassword mypassword
        EAPTLS_CertificateType PEM

        # You can choose either to allow session resumption or disallow it
        EAPTLS_SessionResumption 1

        EAPTLS_Ciphers HIGH
        EAPTLS_MaxFragmentSize 1500
    </AuthBy>
</Handler>

Keep in mind that there are two certificates on the Radiator side: one is the CAPF file, which can be obtained from Certificate Management under the CUCM, and the other is a local certificate with a private key. Both certificates should be in the same directory.
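The last reply splits the Radiator side into two files: the CAPF certificate (EAPTLS_CAFile, a CA certificate without its private key) and a local server certificate whose private key sits in the same PEM file (EAPTLS_CertificateFile and EAPTLS_PrivateKeyFile pointing at one file). The script below is an added example, not from the thread or from Radiator: it builds a throwaway stand-in for that PKI with openssl and then runs the two checks worth doing before pointing the handler at the files: that a phone's LSC actually chains to the CAPF certificate (and that a certificate from some other CA does not), and that the server certificate and the passphrase-protected key in the combined PEM belong together. Every CN, file name and the WORK directory are constructed for the demo; `mypassword` only mirrors the placeholder value in the handler above.

```shell
#!/bin/sh
# Added example, not from the thread or from Radiator: build a throwaway
# stand-in for the PKI the handler relies on and check the two PEM files
# before handing them to EAPTLS_CAFile / EAPTLS_CertificateFile.
# Every name, path and CN below is constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_KEY_PASS="mypassword"   # same placeholder as EAPTLS_PrivateKeyPassword

# Create a self-signed CA standing in for CAPF, one phone LSC signed by it,
# a certificate from an unrelated CA (to show what the CAFile rejects) and a
# Radiator server certificate whose encrypted key shares its PEM file.
setup_demo_pki() {
  # CAPF stand-in. On a real CUCM only the certificate (capf.pem) is exported;
  # the private key stays inside CAPF, which is why the handler needs only CAFile.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=CAPF-constructed" \
    -keyout "$WORK/capf.key" -out "$WORK/capf.pem" 2>/dev/null

  # Phone LSC: a CSR signed by the CAPF stand-in (CN constructed for the demo).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=CP-78xx-constructed-phone" \
    -keyout "$WORK/phone.key" -out "$WORK/phone.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/phone.csr" -CA "$WORK/capf.pem" -CAkey "$WORK/capf.key" \
    -CAcreateserial -days 30 -out "$WORK/phone-lsc.pem" 2>/dev/null

  # A self-signed certificate from no CA Radiator trusts: CAFile must reject it.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=CP-78xx-other-ca" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

  # Radiator's own identity: certificate plus passphrase-protected key in one PEM,
  # the layout the handler uses when CertificateFile and PrivateKeyFile are equal.
  openssl req -x509 -newkey rsa:2048 -days 30 -subj "/CN=radiator-constructed" \
    -passout "pass:$SERVER_KEY_PASS" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
  cat "$WORK/server.crt" "$WORK/server.key" > "$WORK/radiator-server.pem"
}

# Check 1: does a presented phone certificate chain to the CAPF certificate
# that EAPTLS_CAFile points at? Exit status 0 means yes.
lsc_chains_to_capf() {
  openssl verify -CAfile "$WORK/capf.pem" "$1" >/dev/null 2>&1
}

# Check 2: do the certificate and the (decrypted) private key in the combined
# server PEM belong together? Compares the public key derived from each half;
# a wrong passphrase or a mismatched key makes the comparison fail.
server_cert_matches_key() {
  _cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  _key_pub=$(openssl pkey -in "$1" -passin "pass:$2" -pubout)
  [ "$_cert_pub" = "$_key_pub" ]
}

main() {
  setup_demo_pki
  lsc_chains_to_capf "$WORK/phone-lsc.pem" \
    || { echo "phone LSC does not chain to the CAPF certificate"; exit 1; }
  echo "phone LSC chains to CAPF: ok"
  if lsc_chains_to_capf "$WORK/other.pem"; then
    echo "unexpected: certificate from another CA accepted"; exit 1
  fi
  echo "certificate from another CA rejected: ok"
  server_cert_matches_key "$WORK/radiator-server.pem" "$SERVER_KEY_PASS" \
    || { echo "server certificate and private key do not match"; exit 1; }
  echo "server cert/key pair in $WORK/radiator-server.pem: ok"
}

main
```

Run it with `WORK=/some/dir sh check-eap-tls-files.sh` to keep the generated files; against a real deployment, drop `setup_demo_pki` and point `lsc_chains_to_capf` at an LSC exported from a phone and `server_cert_matches_key` at the file the handler's EAPTLS_CertificateFile names. The second check is the one that catches the situation the thread starts from: a PEM that holds only a public certificate (such as the exported CAPF file) has no private key half, so the comparison fails and Radiator could not complete the TLS handshake with it.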