12-01-2018 07:17 AM - edited 03-18-2019 12:34 PM
Hi everyone,
I've seen that it's enough to upload the CAPF's public key to a Cisco ISE trusted certificate store in order for EAP-TLS authentication to pass.
Since it's enough to have only the public key for the CAPF to authenticate an IP phone, it makes me wonder:
1) How does the client know that this authentication server is indeed trusted? A public key isn't hard to capture.
An ISE server knowing that the client is in fact a trusted Cisco phone is intuitive. I'd imagine that, since the client has both a public and private key issued by the CAPF, the server can send a challenge encrypted with the client's public key and the client can answer it by decrypting the challenge with its own private key.
2) If in the scenario that I'm describing the client is in fact not validating the server securely, is there a way to ensure that this does happen?
Thanks!
12-01-2018 10:07 AM
To my knowledge Cisco IP Phones do not perform server certificate validation during EAP-TLS. The only way they could do this is if the certificate was added to the CTL but I have not seen a document that suggests that step, from Cisco or anyone else. TVS wouldn’t be an option here since ISE wouldn’t allow the phone to reach CUCM until after authenticating.
I believe the thought process here is that the client certificate doesn’t contain sensitive information so it doesn’t matter if it’s intercepted and the point of 802.1x is to protect the network from the devices connecting to it. If you want to protect the phone/VoIP from the network then you should enable Authentication or Encryption in the Phone Security Profile. This will force the phone to perform mutual TLS authentication directly to CUCM when it registers over SCCP/SIP.
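The two points in this answer (a phone that skips server certificate validation will accept any EAP server, while ISE holding only the CAPF's public certificate still cannot be fooled by a client that lacks a CAPF-signed certificate) can be reproduced with plain TLS. The Go program below is an added example, not code from this thread or from Cisco: it mints three throwaway CAs in memory (names "CAPF", "ISE CA" and "attacker CA" are constructed), runs four handshakes over loopback TCP, and models the non-validating phone with `InsecureSkipVerify: true` and the CTL-style fix with `RootCAs` plus `ServerName`. The hostname `ise.example` is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// ident is a key pair plus its certificate, constructed in memory for this example.
type ident struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func (i *ident) tlsCert() tls.Certificate { return tls.Certificate{Certificate: [][]byte{i.cert.Raw}, PrivateKey: i.key} }

// trust returns a pool holding only the public certificate, i.e. what an operator uploads to a trust store.
func (i *ident) trust() *x509.CertPool { p := x509.NewCertPool(); p.AddCert(i.cert); return p }

// mint builds a key pair and certificate for name: a self-signed CA when parent is nil, else a leaf.
func mint(name string, parent *ident) *ident {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		signer, signKey = parent.cert, parent.key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	cert, _ := x509.ParseCertificate(der)
	return &ident{cert: cert, key: key}
}

// handshake runs one TLS handshake over loopback TCP and returns each side's own verdict.
func handshake(server, client *tls.Config) (clientErr, serverErr error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			verdict <- err
			return
		}
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		verdict <- tls.Server(raw, server).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		ln.Close() // unblocks Accept so the goroutine reports and exits
		return err, <-verdict
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	clientErr = tls.Client(raw, client).Handshake()
	return clientErr, <-verdict
}

// Scenarios reports, for each pairing, whether the handshake was accepted.
func Scenarios() map[string]bool {
	capf, iseCA, attacker := mint("CAPF", nil), mint("ISE CA", nil), mint("attacker CA", nil)
	phone := mint("phone", capf).tlsCert()
	// Genuine ISE: its own server cert; trusts client certs chaining to the public CAPF cert,
	// which is all the original poster uploaded.
	ise := &tls.Config{Certificates: []tls.Certificate{mint("ise.example", iseCA).tlsCert()},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: capf.trust(), SessionTicketsDisabled: true}
	// Rogue EAP server: attacker-issued cert for the same name, plus the same public CAPF cert.
	rogue := &tls.Config{Certificates: []tls.Certificate{mint("ise.example", attacker).tlsCert()},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: capf.trust(), SessionTicketsDisabled: true}
	// Phone as the answer describes it: valid CAPF-issued cert, no check of the server's cert.
	unchecking := &tls.Config{Certificates: []tls.Certificate{phone}, InsecureSkipVerify: true}
	// Same phone with the ISE CA in its trust list (the CTL-style step the answer mentions).
	checking := &tls.Config{Certificates: []tls.Certificate{phone}, RootCAs: iseCA.trust(), ServerName: "ise.example"}
	// Attacker holding only the public CAPF cert can present a cert, but not one the CAPF signed.
	forged := &tls.Config{Certificates: []tls.Certificate{mint("phone", attacker).tlsCert()}, InsecureSkipVerify: true}
	c1, s1 := handshake(rogue, unchecking)
	c2, _ := handshake(rogue, checking)
	c3, s3 := handshake(ise, checking)
	_, s4 := handshake(ise, forged)
	return map[string]bool{
		"phone_nocheck_vs_rogue": c1 == nil && s1 == nil, // both sides happy: the concern raised in the question
		"phone_check_vs_rogue":   c2 == nil,              // phone rejects the rogue server
		"phone_check_vs_ise":     c3 == nil && s3 == nil, // genuine pairing still works
		"ise_vs_forged_phone":    s4 == nil,              // ISE does not admit a client without a CAPF-signed cert
	}
}
```

Run with `go run .` after adding a `main` that prints `Scenarios()`, or call it from a test. The first and fourth verdicts are the two halves of the answer: the public CAPF certificate alone lets anyone accept the phone, but it never lets anyone impersonate a phone to ISE; only a server trust list on the phone (the `checking` config) closes the first gap.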