Does CAPF validate the LSC, or does the LSC validate the CAPF?

Nadav
Level 7

Hi everyone,

I've seen that it's enough to upload the CAPF's public key to a Cisco ISE trusted certificate store in order for EAP-TLS authentication to pass.

Since it's enough to have only the public key for the CAPF to authenticate an IP phone, it makes me wonder:

1) How does the client know that this authentication server is indeed trusted? A public key isn't hard to capture.

An ISE server knowing that the client is in fact a trusted Cisco phone is intuitive. I'd imagine that since the client has both a public and private key issued by the CAPF, the server can send a challenge encrypted with the client's public key and the client can answer it by decrypting the challenge with its own private key.

2) If in the scenario that I'm describing the client is in fact not validating the server securely, is there a way to ensure that this does happen?

Thanks!

Accepted Solution

Jonathan Schulenberg
Hall of Fame

To my knowledge Cisco IP Phones do not perform server certificate validation during EAP-TLS. The only way they could do this is if the certificate was added to the CTL but I have not seen a document that suggests that step, from Cisco or anyone else. TVS wouldn’t be an option here since ISE wouldn’t allow the phone to reach CUCM until after authenticating.
I believe the thought process here is that the client certificate doesn’t contain sensitive information so it doesn’t matter if it’s intercepted and the point of 802.1x is to protect the network from the devices connecting to it. If you want to protect the phone/VoIP from the network then you should enable Authentication or Encryption in the Phone Security Profile. This will force the phone to perform mutual TLS authentication directly to CUCM when it registers over SCCP/SIP.

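The one-way trust described in this thread, as an added example that is not part of the original post and not Cisco's code: a constructed CA stands in for CAPF and issues a constructed LSC, ISE's certificate comes from a separate constructed CA, and Go's standard X.509 chain verification shows which side can validate what when a trust store holds only CAPF's public certificate. All names (CAPF-example, SEP000000000001, ise.example.invalid) are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for cn signed by parent; a nil parent yields a self-signed CA.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if tmpl.IsCA { // self-signed root: the template is its own parent
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trustedBy reports whether leaf chains to ca; only ca's public certificate is needed, never its private key.
func trustedBy(leaf, ca *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Outcome holds the thread's checks: CAPF issues the LSC, ISE's cert comes from another CA, each store holds only CAPF.
type Outcome struct{ ISETrustsLSC, ForgedLSCTrusted, PhoneTrustsISE bool }

func Scenario() Outcome {
	capf, capfKey := newCert("CAPF-example", nil, nil)     // constructed stand-in for the CAPF CA
	lsc, _ := newCert("SEP000000000001", capf, capfKey)     // constructed LSC for one phone
	fakeCAPF, fakeKey := newCert("CAPF-example", nil, nil) // same name, but not CAPF's private key
	forged, _ := newCert("SEP000000000001", fakeCAPF, fakeKey)
	iseCA, iseKey := newCert("ISE-CA-example", nil, nil)
	ise, _ := newCert("ise.example.invalid", iseCA, iseKey)
	return Outcome{
		ISETrustsLSC:     trustedBy(lsc, capf),    // CAPF's public cert alone verifies the LSC
		ForgedLSCTrusted: trustedBy(forged, capf), // a captured public key cannot mint a valid LSC
		PhoneTrustsISE:   trustedBy(ise, capf),    // the phone never learned ISE's CA: nothing to validate against
	}
}
```

The third check is the gap the accepted answer describes: unless ISE's issuing CA is placed in the phone's trust list, the phone has nothing against which to validate the server, while ISE still authenticates the phone.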