Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2857
Views
0
Helpful
18
Replies

684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552

mumustha
Cisco Employee
Cisco Employee

‎05-29-2018 07:27 PM

While authenticating phones signed by a CA-Signed CAPF, ISE fails to authenticate the phones with the error being, "client certificate is missing the complete chain".

On extracting the client certificate form the ISE pcaps, we observed the whole chain to be present in the certificate. However, the client complained that the Intermediate CA is not valid for the selected purpose, "This certificate does not appear to be valid for the selected purpose" (Attached as Client certificate)

On observing the logs it displays that, "Crypto,2018-05-22 02:36:24,630,DEBUG,0x7f67fae65700,NIL-CONTEXT,Crypto::Result=0,

CryptoLib.CSSL.x509ExceptionCallback - problematic certificate issuer=", which is followed by the Intermediate CA Subject.


All the certificates are enabled to perform server and client authentication. However, I observed that the Root CA had the key usage as "non-repudiation" as one of the attributes.

Could someone share a document or shed some light into the parameters that are required for the root certificates for a successful authentication of the client.

Preview file
11 KB
0 Helpful
18 Replies 18

ognyan.totev
Level 5
Level 5

‎05-29-2018 08:23 PM

First you must be sure that all certificate from chain are inserted in Ise side . They are Cisco manufecturing . Cisco Capf certificate from call manager and cisco root Ca again from call manager. In mine lab we make even old phones like model 7911 to work with capf. You must configure authentication for them to use X509 .pki and subject alternative name contains exact you Capf -3557766 . This is the exact same number by exported from call manager certificate.One more thin when you go to phone are you sure LSC is installed on it ??

0 Helpful

mumustha
Cisco Employee
Cisco Employee
In response to ognyan.totev

‎05-29-2018 09:09 PM

Thank you for your response Ognyan.

They had the LSC that was directly signed by CAPF ( without being signed by CA) and that worked.

They have LSC installed and have followed the below document :

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#pgfId-38…

When trying to authenticate using certificate, ISE radius live logs show error as, "12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain".

0 Helpful

ognyan.totev
Level 5
Level 5
In response to mumustha

‎05-29-2018 09:34 PM

Thats what i told you . You missed to import one of certificates in ise side. And please be sure you enable cisco manufaturing ca in ise . In Ise 2.2 the certificate is there but is not enable.

0 Helpful

ognyan.totev
Level 5
Level 5

‎05-29-2018 10:12 PM

I worked on same guide and all working well. This is mine certificate from call manager :

Without it they never work

0 Helpful

mumustha
Cisco Employee
Cisco Employee
In response to ognyan.totev

‎05-30-2018 12:08 AM

The Root and the intermediate CA of client is present on ISE. Is there any other certificate we need to install in ISE?

0 Helpful

ognyan.totev
Level 5
Level 5
In response to mumustha

‎05-30-2018 12:18 AM

Yes there is as i told you before

This 3 plus CAPF certificate from call manager imported in trusted store .As i show you before mine is this CAPF

Your maybe different but start is always same .

0 Helpful

mumustha
Cisco Employee
Cisco Employee
In response to ognyan.totev

‎05-30-2018 09:43 PM

All the certificates are already present on ISE including the CAPF certificate. They had been working with old certs. Is there a document that describes the key usage and other components required for the root-CA ?

0 Helpful

mumustha
Cisco Employee
Cisco Employee
In response to ognyan.totev

‎06-01-2018 02:04 AM

Thank you.

however, this is the link I have referred in the second thread. This doc does not mention the attributes required for the Root certificate.

0 Helpful

ognyan.totev
Level 5
Level 5
In response to mumustha

‎06-01-2018 02:08 AM

Yes there it is i try show you:

This is for ACS but it is almost same for ISE

0 Helpful

mumustha
Cisco Employee
Cisco Employee
In response to ognyan.totev

‎06-01-2018 02:22 AM

Thank you for the images.

however, they are looking for the attributes the certificate should be signed with. For example, the fields to be populated in the Key usage, SN and likewise

0 Helpful

ognyan.totev
Level 5
Level 5
In response to mumustha

‎06-01-2018 02:30 AM

Yes they are you must create certificate profile like this  and use it in policy sets for authentication

0 Helpful

ognyan.totev
Level 5
Level 5
In response to ognyan.totev

‎06-04-2018 05:33 AM

Are you resolve your problem ???

0 Helpful

mumustha
Cisco Employee
Cisco Employee
In response to ognyan.totev

‎06-04-2018 07:06 PM

Not yet Ognyan,

When CAPF is self signed they are getting it to work. The issues arise when the CAPF is signed by the root CA and the Root and Intermediate CA is present in ISE trusted store.

As mentioned when the question was posted, the set up seems to be fine. However, ISE complains that the certificate is problematic and we are looking for a document that explains the attributes/fields required by the Root CA.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents