03-26-2015 08:37 AM - edited 03-18-2019 11:29 AM
Hello.
We are attempting to get our 7821 phones to authenticate with a Windows 2012 NPS RADIUS server using EAP-TLS.
CUCM (v9.1) is running in mixed mode, and our test phone has an LSC certificate.
Unfortunately nothing we seem to try is working.
We have used Wireshark to try and intercept communication between the RADIUS server and the switch, and it seems as though the two are passing certificate information between each other.
However, when using EAP tracing on the Windows server, we see the following error messages.
[3436] 03-26 15:12:19:532: AuthenticateUser
[3436] 03-26 15:12:19:532: DwGetEKUUsage
[3436] 03-26 15:12:19:532: GetEKUUsage
[3436] 03-26 15:12:19:532: Number of EKUs on the cert are 3
[3436] 03-26 15:12:19:532: FCheckPolicy
[3436] 03-26 15:12:19:548: CertVerifyCertificateChainPolicy succeeded but policy check failed 0x800b0110.
[3436] 03-26 15:12:19:548: FCheckPolicy done.
[3436] 03-26 15:12:19:548: The user's cert does not have correct usage.
[3436] 03-26 15:12:19:548: MakeAlert(49, Manual)
[3436] 03-26 15:12:19:548: State change to SentFinished. Error: 0x800b0110
Wireshark seems to indicate that the server certificate (which has all EKU roles assigned) and the CAPF certificate (which only seems to have two EKU roles assigned to it) are being used in the exchange.
Are we missing something? Does the CAPF certificate need modifying to support more EKUs? Or are we heading in completely the wrong direction?
Thanks.
**edit**
To add to this, these are the EKUs the certificate has.
Extensions: 3 present
[
Extension: KeyUsage (OID.2.5.29.15)
Critical: false
Usages: digitalSignature, keyEncipherment, keyCertSign,
]
[
Extension: ExtKeyUsageSyntax (OID.2.5.29.37)
Critical: false
Usage oids: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.5,
]
[
Extension: SubjectKeyIdentifier (OID.2.5.29.14)
Critical: false
keyID: 392b33381247e0d2ecb891d317e72af7463d2faf
]
If I use the MIC certificate for authentication, it gets further, but presents a different error.
[788] 03-27 10:17:39:706: AuthenticateUser
[788] 03-27 10:17:39:706: DwGetEKUUsage
[788] 03-27 10:17:39:706: GetEKUUsage
[788] 03-27 10:17:39:706: Number of EKUs on the cert are 0
[788] 03-27 10:17:39:706: FCheckPolicy
[788] 03-27 10:17:39:706: FCheckPolicy done.
[788] 03-27 10:17:39:706: FCheckUsage: All-Purpose: 1
[788] 03-27 10:17:39:706: CheckUserName
[788] 03-27 10:17:39:706: QuerySecurityContextToken failed and returned 0x8009030b
[788] 03-27 10:17:39:706: MakeAlert(49, Manual)
[788] 03-27 10:17:39:706: State change to SentFinished. Error: 0x8009030b
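The two traces above differ in the EKU check: the LSC fails FCheckPolicy with 0x800b0110 (CERT_E_WRONG_USAGE) because its ExtKeyUsage lists only 1.3.6.1.5.5.7.3.1 (serverAuth) and 1.3.6.1.5.5.7.3.5 (ipsecEndSystem), while the MIC, which carries no EKU extension at all, is treated as all-purpose and gets past the usage check. The following is an added example (not code from the thread or from Cisco/Microsoft) that performs that EKU check on the DER encoding of an ExtKeyUsageSyntax value, using only the Python standard library. The two sample EKU lists are constructed here: one mirrors the OIDs quoted above for the LSC, the other adds 1.3.6.1.5.5.7.3.2 (clientAuth), which is the purpose an EAP-TLS client certificate is expected to carry.

```python
"""Apply the EAP-TLS client-certificate EKU rule to a DER-encoded EKU list.

Added example, not from the original thread. It works on the DER value of
the ExtKeyUsageSyntax extension (SEQUENCE OF OBJECT IDENTIFIER) rather than a
whole certificate, so it needs no third-party modules. The sample lists at the
bottom are constructed to mirror the OIDs quoted in the thread.
"""

# id-kp arc from RFC 5280 (1.3.6.1.5.5.7.3.x); names are the standard ones.
KP_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.5": "ipsecEndSystem",
    "1.3.6.1.5.5.7.3.8": "timeStamping",
    "1.3.6.1.5.5.7.3.9": "OCSPSigning",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ANY_EKU = "2.5.29.37.0"


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID string as an OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                        # base-128, high bit = more
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(oids) -> bytes:
    """DER-encode ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (short lengths)."""
    inner = b"".join(encode_oid(o) for o in oids)
    if len(inner) >= 128:
        raise ValueError("example encoder only handles short-form lengths")
    return bytes([0x30, len(inner)]) + inner


def decode_oid(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                            # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der: bytes) -> list:
    """Walk a DER SEQUENCE OF OBJECT IDENTIFIER and return the dotted OIDs."""
    if der[0] != 0x30:
        raise ValueError("ExtKeyUsageSyntax must be a SEQUENCE")
    length, pos = der[1], 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length = int.from_bytes(der[2:2 + n], "big")
        pos = 2 + n
    end = pos + length
    oids = []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        oid_len = der[pos + 1]
        oids.append(decode_oid(der[pos + 2:pos + 2 + oid_len]))
        pos += 2 + oid_len
    return oids


def check_client_auth(eku_der):
    """Return (accepted, purpose_names) for an EAP-TLS client certificate.

    eku_der is the DER value of the EKU extension, or None when the certificate
    has no EKU extension, which the server trace treats as all-purpose
    ("Number of EKUs on the cert are 0 ... All-Purpose: 1").
    """
    if eku_der is None:
        return True, ["<no EKU extension: all-purpose>"]
    oids = decode_eku(eku_der)
    names = [KP_NAMES.get(o, o) for o in oids]
    return (CLIENT_AUTH in oids or ANY_EKU in oids), names


# Constructed samples: LSC_LIKE_EKU mirrors the OIDs quoted in the thread,
# CLIENT_OK_EKU is what a certificate that passes the check would carry.
LSC_LIKE_EKU = encode_eku(["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.5"])
CLIENT_OK_EKU = encode_eku(["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"])

if __name__ == "__main__":
    for label, der in (("LSC-like", LSC_LIKE_EKU),
                       ("client-capable", CLIENT_OK_EKU),
                       ("MIC-like, no EKU", None)):
        ok, names = check_client_auth(der)
        verdict = "accept" if ok else "reject (CERT_E_WRONG_USAGE)"
        print(f"{label}: {verdict}; purposes={names}")
```

Run against a real certificate, you would pull the OCTET STRING value of extension 2.5.29.37 out of the TBSCertificate and hand it to `check_client_auth`; for a quick manual look, `openssl x509 -noout -ext extendedKeyUsage -in cert.pem` prints the same purposes by name, and "TLS Web Client Authentication" is the one to look for.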
03-28-2015 02:26 AM
May be related to https://tools.cisco.com/bugsearch/bug/CSCuo40169.
Can you give it a test using anything other than 78xx and let us know if it works?
05-08-2015 06:22 AM
I am afraid I don't have anything other than 7821's to test with.
The 7821's work with FreeRADIUS and the MIC certificates.
The issue, I think, is incompatibilities with NPS and the LSC certificate not having the appropriate usages.
05-26-2015 09:18 AM
Hi, I have the same problem even with MIC certificates.
Did you succeed with MIC?
On my side I have this kind of error: "User not found".
Regards