CUCM/7821 EAP-TLS RADIUS issues.

m.dehkordy
Level 1

Hello.

We are attempting to get our 7821 phones to authenticate with a Windows 2012 NPS RADIUS server using EAP-TLS.

CUCM (v9.1) is running in mixed mode, our test phone has a LSC certificate.

 

Unfortunately nothing we seem to try is working.

 

We have used Wireshark to try to intercept communication between the RADIUS server and the switch, and it seems as though the two are passing certificate information between each other.

However, when using EAP tracing on the Windows server we see the following error messages.

 

[3436] 03-26 15:12:19:532: AuthenticateUser
[3436] 03-26 15:12:19:532: DwGetEKUUsage
[3436] 03-26 15:12:19:532: GetEKUUsage
[3436] 03-26 15:12:19:532: Number of EKUs on the cert are 3
[3436] 03-26 15:12:19:532: FCheckPolicy
[3436] 03-26 15:12:19:548: CertVerifyCertificateChainPolicy succeeded but policy check failed 0x800b0110.
[3436] 03-26 15:12:19:548: FCheckPolicy done.
[3436] 03-26 15:12:19:548: The user's cert does not have correct usage.
[3436] 03-26 15:12:19:548: MakeAlert(49, Manual)
[3436] 03-26 15:12:19:548: State change to SentFinished. Error: 0x800b0110

 

Wireshark seems to indicate that the server certificate (which has all EKU roles assigned) and the CAPF certificate (which only seems to have two EKU roles assigned to it) are being used in the exchange.

Are we missing something? Does the CAPF certificate need modifying to support more EKUs? Or are we heading in completely the wrong direction?

 

Thanks.

 

**edit**

To add to this, these are the EKUs the certificate has.

 

  Extensions: 3 present
  [
     Extension: KeyUsage (OID.2.5.29.15)
     Critical: false
     Usages: digitalSignature, keyEncipherment, keyCertSign,
  ]
  [
     Extension: ExtKeyUsageSyntax (OID.2.5.29.37)
     Critical: false
     Usage oids: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.5,
  ]
  [
     Extension: SubjectKeyIdentifier (OID.2.5.29.14)
     Critical: false
     keyID: 392b33381247e0d2ecb891d317e72af7463d2faf
  ]

 

 

If I use the MIC certificate for authentication, it gets further, but presents a different error.

 

[788] 03-27 10:17:39:706: AuthenticateUser
[788] 03-27 10:17:39:706: DwGetEKUUsage
[788] 03-27 10:17:39:706: GetEKUUsage
[788] 03-27 10:17:39:706: Number of EKUs on the cert are 0
[788] 03-27 10:17:39:706: FCheckPolicy
[788] 03-27 10:17:39:706: FCheckPolicy done.
[788] 03-27 10:17:39:706: FCheckUsage: All-Purpose: 1
[788] 03-27 10:17:39:706: CheckUserName
[788] 03-27 10:17:39:706: QuerySecurityContextToken failed and returned 0x8009030b
[788] 03-27 10:17:39:706: MakeAlert(49, Manual)
[788] 03-27 10:17:39:706: State change to SentFinished. Error: 0x8009030b
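The two traces above differ at the EKU gate: the LSC carries only serverAuth (1.3.6.1.5.5.7.3.1) and ipsecEndSystem (1.3.6.1.5.5.7.3.5), so NPS rejects it with 0x800B0110 (CERT_E_WRONG_USAGE), while the MIC has no EKU extension at all, is treated as all-purpose, and only fails later at CheckUserName (0x8009030B, SEC_E_NO_IMPERSONATION, i.e. the certificate could not be mapped to an account). The following script is an added example, not code from the thread, Cisco or Microsoft: it decodes an ExtKeyUsage extension value from DER and applies the NPS rule that a client certificate must either have no EKU extension or include Client Authentication (1.3.6.1.5.5.7.3.2). The DER bytes are constructed here to mirror the posted LSC and MIC; they are not the real certificates, and the account-mapping stage is not modelled.

```python
"""Replicate the EKU check NPS applies to an EAP-TLS client certificate.

Added example (not from the original thread). Assumes the documented NPS
behaviour: no EKU extension => all-purpose (accepted); otherwise the EKU
list must contain Client Authentication. The sample DER below is
constructed to match the EKU dump in the post, not taken from a real LSC.
"""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
IPSEC_END_SYSTEM = "1.3.6.1.5.5.7.3.5"

CERT_E_WRONG_USAGE = 0x800B0110  # the error shown in the LSC trace

# Constructed: ExtKeyUsageSyntax value of the posted LSC
# SEQUENCE { OID serverAuth, OID ipsecEndSystem }
LSC_EKU_DER = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070305")
MIC_EKU_DER = None  # the MIC trace reports "Number of EKUs on the cert are 0"


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, short-form length, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    assert len(body) < 128, "short-form length only (enough for any EKU OID)"
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(oids) -> bytes:
    """Build an ExtKeyUsageSyntax value: SEQUENCE OF OBJECT IDENTIFIER."""
    inner = b"".join(encode_oid(o) for o in oids)
    assert len(inner) < 128, "short-form length only (fine for a handful of OIDs)"
    return bytes([0x30, len(inner)]) + inner


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    else:
        pos += 2
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Decode the contents octets of an OBJECT IDENTIFIER."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else list(divmod(first, 40))
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der: bytes):
    """Parse an ExtKeyUsageSyntax value into a list of dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, obody, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("ExtKeyUsage members must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(obody))
    return oids


def nps_eku_check(eku_der):
    """Return (accepted, detail). eku_der=None means no EKU extension present."""
    if eku_der is None:
        return True, "no EKU extension: all-purpose, EKU gate passes"
    oids = decode_eku(eku_der)
    if CLIENT_AUTH in oids:
        return True, f"clientAuth present in {oids}"
    return False, f"no clientAuth in {oids}: 0x{CERT_E_WRONG_USAGE:08X} CERT_E_WRONG_USAGE"


if __name__ == "__main__":
    for name, der in [("LSC", LSC_EKU_DER), ("MIC", MIC_EKU_DER),
                      ("LSC+clientAuth", encode_eku([SERVER_AUTH, CLIENT_AUTH]))]:
        ok, why = nps_eku_check(der)
        print(f"{name:15} {'PASS' if ok else 'FAIL'}  {why}")
```

Running it shows the posted LSC failing with the same code as the trace, the MIC passing the EKU gate (which is why its trace gets as far as CheckUserName), and an LSC reissued with clientAuth passing. The same decoder can be pointed at the real extension bytes of a phone certificate, for example the value openssl prints with `openssl x509 -text`, to confirm which OIDs are actually present.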
3 Replies

Mateusz Pagacz
Cisco Employee

May be related to https://tools.cisco.com/bugsearch/bug/CSCuo40169.

Can you give it a test using anything other than 78xx and let us know if it works?

I am afraid I don't have anything other than 7821's to test with.

 

The 7821s work with FreeRADIUS and the MIC certificates.

The issue, I think, is with incompatibilities with NPS and the LSC certificate not having the appropriate usages.

 

 

 

Hi, I have the same problem even with MIC certificates.

Did you succeed with MIC?

On my side I have this kind of error: "User not found".

 

Regards