
IP Phone 6945 with MIC Cert and NPS 802.1x Authentication

Rene Mueller
Level 5

Hello,

I have read a lot of articles in here, but I have not yet found the solution to my problem. I enabled 802.1x on my Cisco switch and Windows clients are working fine. Now I want to enable Cisco IP Phones to authenticate with my NPS 2008R2 server.

I have a CP-6945 IP Phone with a MIC cert on it, and I want to do EAP-TLS authentication to NPS. I imported the Cisco Root CA and Manufacturing CA into NPS. I also managed to get NPS to look up usernames with more than 20 characters: I used a Connection Request Policy and added the domain to the username (username@domain.local), so NPS was able to find the user. But I get the following error message from NPS:

Reason Code: 295
Reason: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

I wiresharked the IP Phone authentication request and saw that the machine cert was issued by the Cisco Manufacturing CA. I also saved this machine cert and name-mapped it to the AD user account of the phone. All without success :-(

Any Ideas?

René

4 Replies

Fredde87
Level 1

I am having a very similar problem too. I followed all the steps in this guide here: https://social.technet.microsoft.com/Forums/lync/en-US/6d78c698-a087-48cb-bc73-9566aa61bf10/using-nps-with-cisco-ip-phones?forum=winserverNAP

MIC Root and MIC imported, assigned to the user, etc. as per the guide.

But Event Viewer reports, "A certificate chain could not be built to a trusted root authority".
Did you solve your issue in the end?

I finally got this working!
I've been following this excellent guide here by MikeLascha. The only things I'd add to it are:

1) If, like me, you have been trying to use LSC certificates beforehand, then remove these from your Cisco phones before attempting to use MIC certs for authentication, or else the phone will send the wrong certificate and fail!

2) You need to stop and start the NPS service after some big changes (not sure which ones, so I suggest you do it between each attempt).

3) You definitely have to follow his guide closely and follow the link to the Microsoft article about loading certificates into the NTAuthCA store. You can't do this in the MMC console; you have to use the certutil command-line utility.

4) His guide is correct, but other guides online say otherwise and can be confusing. So just to clarify the Network Policy: you do NOT want to add Protected EAP (PEAP) as the EAP type and then edit it to add "Microsoft: Smart Card or other certificate".

You want to just add the "Microsoft: Smart Card or other certificate" to the first EAP list, not under a Protected EAP (PEAP) type.

Hi Fredde87,

Which certificate did you use in the "Smart Card or other certificate" drop-down list: Cisco Root CA M2 (root) or Cisco Manufacturing CA SHA2?

How did you import them in NPS?

Can you share a screenshot of the NPS configuration for the phone?

Hi Ferrriop,
Sorry for the really late reply. I didn't see your reply until now.
I have since left the job I did this on, so I don't recall for sure. But reading the guide by MikeLascha, which he posted on the TechNet thread earlier in this topic, it seems to be fairly clear. It says to use the root certificate (Cisco Root CA M2), so that's most likely what I did.

And as mentioned, it has to go into the NTAuthCA store. He links to a Microsoft Knowledge Base article in his guide here: https://support.microsoft.com/en-us/help/295663/how-to-import-third-party-certification-authority-ca-certificates-into

(I used method 2, using certutil.exe.)
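The two steps the thread keeps coming back to, publishing the Cisco MIC chain into the NTAuthCA store with certutil (method 2 of KB 295663) and restarting NPS afterwards (Fredde87's items 2 and 3, and the last reply), are scripted below as an added example. This is not code from the thread, from MikeLascha's guide or from Microsoft; it is written here to show the exact commands. It assumes you run it as an Enterprise Admin on a domain-joined server that hosts NPS, and that the Cisco Root CA M2 and Cisco Manufacturing CA SHA2 certificates have been exported to the file paths named in the script (those paths, and the exported phone certificate, are assumptions). Choosing "Microsoft: Smart Card or other certificate" as the EAP type (item 4) is a console setting and is not covered here.

```powershell
# Added example, not from the thread. Publishes the Cisco MIC chain so NPS can build and
# trust it, then restarts NPS. File paths below are assumed; adjust to where you exported
# the CA certificates from the phone's capture or from Cisco.
$rootCa = 'C:\certs\Cisco_Root_CA_M2.cer'              # assumed path, self-signed root
$mfgCa  = 'C:\certs\Cisco_Manufacturing_CA_SHA2.cer'   # assumed path, issuing (intermediate) CA

# Sanity check before publishing: print subject/issuer so the root really is self-signed
# and the manufacturing CA really is issued by that root (wrong files give a broken chain).
foreach ($f in @($rootCa, $mfgCa)) {
    if (-not (Test-Path $f)) { throw "Missing certificate file: $f" }
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $f
    "{0}`n  Subject: {1}`n  Issuer:  {2}" -f $f, $c.Subject, $c.Issuer
}

# KB 295663, method 2: publish into the AD configuration partition.
# NTAuthCA is the store EAP-TLS on NPS consults when deciding whether a client
# certificate's CA is "trusted by the policy provider"; RootCA/SubCA let every domain
# member build the chain, which addresses "could not be built to a trusted root authority".
certutil -dspublish -f $rootCa NTAuthCA
certutil -dspublish -f $rootCa RootCA
certutil -dspublish -f $mfgCa  SubCA

# Pull the published certificates into the local enterprise stores now rather than
# waiting for the next Group Policy refresh.
certutil -pulse
gpupdate /target:computer /force

# Confirm the local NTAuth store now lists the Cisco root.
certutil -enterprise -store NTAuth | Select-String -Pattern 'Subject:'

# Item 2 from the post: restart NPS after the trust change.
# The Windows service name is IAS (display name "Network Policy Server").
Restart-Service -Name IAS -Force
Get-Service -Name IAS | Select-Object Status, Name, DisplayName

# Optional check, as the original poster did with Wireshark: if you exported the phone's
# MIC from the capture, verify the chain now builds on this server (path is assumed).
$phoneCert = 'C:\certs\phone_mic.cer'
if (Test-Path $phoneCert) { certutil -verify $phoneCert }
```

Run it once per forest, not per NPS server: `-dspublish` writes to the configuration partition, so every domain-joined NPS picks the certificates up on its next Group Policy refresh, which is why the script forces one before restarting the service. If the phone still fails after this, the first thing to recheck is item 1 from the post: a phone that still carries an LSC will present that certificate instead of the MIC, and no amount of NTAuth publishing helps.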