Denied EAP-TLS handshake IP-Phone 802.1x authentication

Hello,

Currently we are using an 8851 IP Phone (SIP88XX.14-2-1-0201-40) registered on CUCM (14.0.1.14901-1).

We have been using 802.1x authentication on a Cisco 3850 for about 2 years now.

Our NPS is a Windows Server 2016 machine with security patch KB5034862. Since that patch was deployed by our admins, our IP phones are not able to authenticate anymore.

The phones are using Windows CA signed certs for 802.1x.

Within the TLS handshake of the RADIUS protocol I can see that after the key exchange between phone and NPS server, the server's message is "access denied".

I also enabled the web server of the IP phone and tried to reach it via HTTPS; the browser says the trust is not established.

Within the TLS handshake of the browser and IP phone I see "certificate unknown".

We use TLS 1.2 and the phones are creating CSRs with 2048 bit RSA.

The negotiated cipher is ECDHE-RSA-AES256-GCM-SHA384; this suite is offered on the client and server side.

Is there a known problem regarding Windows signed LSCs for IP phones with the KB5034862 patch?

Thank you

2 Replies

M02@rt37 (VIP)

Hello @sven-matthias47533 

Have you ensured that TLS 1.2 is enabled and preferred on your NPS server?

Also, review and configure the cipher suites on the NPS server to ensure compatibility: https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel

You should examine the NPS logs for more detailed error messages that can provide insights concerning the authentication failure...

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hello,

Unfortunately I can't post the original logs.

We also use that same NPS server to authenticate our Windows clients. In that trace I also see TLS 1.2. It works without problems.

Here is the Wireshark trace in a schematic view:

Client Hello

TLS Record layer handshake: client hello
vers. : TLS 1.0
handshake: Client Hello
Version TLS 1.2
Cipher suites (5 suites in total) ECDHE-RSA-AES256-GCM-SHA384

Server Hello

TLS Record layer handshake: Server hello
vers.: TLS 1.2
cipher suite: ECDHE-RSA-AES256-GCM-SHA384
Handshake: Certificate
-> Server Cert
Handshake: Server Key exchange
Handshake: Cert request
Handshake: server hello done

Client

TLS Record layer handshake: Certificate
version 1.2
Handshake: Certificate
-> Client Cert
Handshake: Certificate verify

TLS Record layer handshake: change cipher spec protocol
version 1.2

TLS Record layer handshake: Encrypted Handshake Message
version 1.2

Server

TLS Record Layer Alert: (Level:Fatal, desc: Access Denied)
version 1.0
access denied (49)

EAP Message
Failure (4)

It's noticeable that the last TLS message from the server is on TLS version 1.0.

The NPS message in the event viewer is: Authentication failed due to a user credential mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Since this problem occurred overnight, the accounts for the IP phones should be fine.

Every help is appreciated
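As an added example (not part of this thread, and not Cisco or Microsoft code), the Python below parses a raw TLS alert record like the one in the schematic trace and reads it against the RFC 5246 alert definitions, then tells whether the server gave up at certificate validation or at access control. The record bytes are constructed to match the trace (fatal access_denied 49 in a record whose version field reads TLS 1.0, and the certificate_unknown 46 seen from the browser); the function names are my own.

```python
import struct

CONTENT_ALERT = 0x15  # TLS record content type for alerts
# RFC 5246 section 7.2.2 descriptions that matter for client-certificate failures
ALERT_DESCRIPTIONS = {
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    49: "access_denied", 70: "protocol_version",
}
CERT_VALIDATION_ALERTS = {42, 43, 44, 45, 46, 48}

# Constructed records matching the thread: fatal access_denied (49) in a record whose
# version field reads TLS 1.0 (03 01), and fatal certificate_unknown (46) in a TLS 1.2 record.
ALERT_ACCESS_DENIED = bytes.fromhex("15 03 01 00 02 02 31")
ALERT_CERT_UNKNOWN = bytes.fromhex("15 03 03 00 02 02 2e")

def parse_alert_record(record: bytes) -> dict:
    """Split a raw TLS alert record into its header and alert fields."""
    if len(record) < 7:
        raise ValueError("record too short for an alert")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != CONTENT_ALERT:
        raise ValueError(f"not an alert record (content type {ctype:#x})")
    if length != 2 or len(record) != 5 + length:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = record[5], record[6]
    version = f"TLS 1.{minor - 1}" if major == 3 and minor >= 1 else f"SSL {major}.{minor}"
    return {"record_version": version, "level": "fatal" if level == 2 else "warning",
            "code": desc, "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")}

def classify_failure(alert: dict, client_sent: list) -> str:
    """Say at which stage the server gave up, from the alert and the client's last messages.

    RFC 5246 defines access_denied as "a valid certificate was received, but when access
    control was applied, the sender decided not to proceed": the chain checked out and the
    identity behind it was refused, consistent with the NPS event quoted in the thread.
    """
    if alert["code"] == 49 and "CertificateVerify" in client_sent:
        return "authorization: certificate validated, identity mapping/policy rejected it"
    if alert["code"] in CERT_VALIDATION_ALERTS:
        return "validation: chain, trust, validity period or format rejected"
    if alert["code"] == 70:
        return "negotiation: protocol version not acceptable"
    return "other"

if __name__ == "__main__":
    phone_messages = ["Certificate", "CertificateVerify", "ChangeCipherSpec", "Finished"]
    for rec in (ALERT_ACCESS_DENIED, ALERT_CERT_UNKNOWN):
        a = parse_alert_record(rec)
        print(a["record_version"], a["level"], a["description"], "->", classify_failure(a, phone_messages))
```

The record version byte on the alert is reported as-is, so the TLS 1.0 value the poster noticed shows up in the output without being mistaken for a failed negotiation.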