cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

366
Views
5
Helpful
1
Replies
Nadav
Rising star

Does CAPF validate the LSC, or does the LSC validate the CAPF?

Hi everyone,

 

I've seen that it's enough to upload the CAPF's public key to a Cisco ISE trusted certificate store in order for EAP-TLS authentication to pass.

 

Since it's enough to have only the public key for the CAPF to authenticate an IP phone, it makes me wonder:

 

1) How does the client know that this authentiation server is indeed trusted? A public key isn't hard to capture.

 

An ISE server knowing that the client is in fact a trusted Cisco phone is intuitive. I'd imagine that since the client has both a public and private key issued by the CAPF that the server can send a challenge encrypted with the client's public key and the client can answer it by decrypting the challenge with its own private key

 

2) If in the scenario that I'm describing the client is in fact not validating the server securely, is there a way to ensure that this does happen?

 

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions

To my knowledge Cisco IP Phones do not perform server certificate validation during EAP-TLS. The only way they could do this is if the certificate was added to the CTL but I have not seen a document that suggests that step, from Cisco or anyone else. TVS wouldn’t be an option here since ISE wouldn’t allow the phone to reach CUCM until after authenticating.

 

I believe the thought process here is that the client certificate doesn’t contain sensitive information so it doesn’t matter if it’s intercepted and the point of 802.1x is to protect the network from the devices connecting to it. If you want to protect the phone/VoIP from the network then you should enable Authentication or Encryption in the Phone Security Profile. This will force the phone to perform mutual TLS authentication directly to CUCM when it registers over SCCP/SIP.

View solution in original post

1 REPLY 1

To my knowledge Cisco IP Phones do not perform server certificate validation during EAP-TLS. The only way they could do this is if the certificate was added to the CTL but I have not seen a document that suggests that step, from Cisco or anyone else. TVS wouldn’t be an option here since ISE wouldn’t allow the phone to reach CUCM until after authenticating.

 

I believe the thought process here is that the client certificate doesn’t contain sensitive information so it doesn’t matter if it’s intercepted and the point of 802.1x is to protect the network from the devices connecting to it. If you want to protect the phone/VoIP from the network then you should enable Authentication or Encryption in the Phone Security Profile. This will force the phone to perform mutual TLS authentication directly to CUCM when it registers over SCCP/SIP.

View solution in original post

Content for Community-Ad