7921G with 802.1X \ EAP-TLS. What CA Template is required?

danielgoing
Level 1

Hello Cisco forum,

I'm new to the Forum, and I'm having some difficulty getting my 7921s connected to an 802.1x \ EAP-TLS SSID.

I can generate the CSR on the handset, and then get the output into the web page of a windows cert server to generate the User Certificate.

The question I have is what exactly is required in the CA Template when generating a User Certificate from the CSR generated from the handset.

The device attempts to join the SSID, the authentication is forwarded to our NPS servers who make the decision.

Does anyone have any answers on the above, or has anyone got some 7921s running EAP-TLS with a Windows PKI? And if you do, what advice do you have for me? I've trawled through the documentation of the 7921s and I can't find for love nor money what is required in the CA template.

Any advice, please! I need it.

Thanks Forum...

2 Replies

Nadav
Level 7

Hi Daniel,

If I'm understanding your issue correctly, you're asking which CA Template should be used for the certificates which are issued for the handsets. If I recall correctly, you can either use:

1) The MIC

2) CAPF-signed LSC

3) LSC signed with your own CA (as explained in http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118779-configure-cucm-00.html)

However, you cannot create your own certs using a CA template. The template provided by Cisco's CAPF or MIC is non-negotiable.

MICs are supported by Microsoft NPS because they comply with Microsoft's requirements for an X.509 certificate. LSCs on the other hand do not. This issue has been discussed numerous times on this forum, including which cert extensions are missing from the LSC which NPS expects.

From my experience the only way to get an LSC or CA-signed LSC to authenticate a host is via Cisco ACS, FreeRadius or OSC's Radiator server. There are likely other AAA servers which can support this. As for MICs, I think it should work for you with NPS. You may need to rewrite the user-name to make the length compatible with NPS's demands but apart from that it should work. I haven't tried to authenticate using a MIC but I've read that it's supported by NPS.
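Added example, not from the thread, Cisco's documentation or Microsoft's: the Windows-side steps that answer both the original question (how to issue the handset's CSR against a particular AD CS template) and the reply above (which certificate properties NPS checks before it will accept an EAP-TLS client). The script submits the CSR with certreq and then inspects the issued certificate for what NPS requires of a client certificate: a chain to a root the NPS server trusts that passes revocation checking, the Client Authentication EKU, and a Subject or Subject Alternative Name identity NPS can map. The CA name `CA01\Corp-Issuing-CA`, the template name `Phone-EAP-TLS` and the file names are assumptions. Whatever the template is called, it must be set to take the subject name from the request, since the 7921 builds the CSR itself and the CA has no AD object to pull a name from.

```powershell
# Added example (not from the thread). Assumed names: CA01\Corp-Issuing-CA, Phone-EAP-TLS,
# .\handset.csr and .\handset.cer. Run it on the NPS server so the chain check below uses
# the same trust store NPS itself consults.

# 1. Submit the handset's CSR against a named template. The template needs
#    "Subject Name: Supply in the request", because the phone, not AD, built the CSR.
certreq -submit -config "CA01\Corp-Issuing-CA" `
    -attrib "CertificateTemplate:Phone-EAP-TLS" `
    .\handset.csr .\handset.cer

# 2. Load the issued certificate.
$certFile = (Resolve-Path .\handset.cer).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile

# Extended Key Usage (2.5.29.37) must include Client Authentication (1.3.6.1.5.5.7.3.2).
# .NET exposes this extension as X509EnhancedKeyUsageExtension, so EnhancedKeyUsages is typed.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$clientAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' }))

# Key Usage (2.5.29.15) should include Digital Signature; the TLS handshake signs with the key.
$ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
$digSigFlag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
$digSig = [bool]($ku -and ($ku.KeyUsages -band $digSigFlag))

# An identity NPS can map to an account: the Subject and/or a Subject Alternative Name (2.5.29.17).
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '(none)' }

# The chain must build to a trusted root with revocation checking on; NPS rejects a client
# certificate whose chain does not build or whose CRL check fails.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk = $chain.Build($cert)
$chainStatus = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '

[pscustomobject]@{
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    NotAfter      = $cert.NotAfter
    ClientAuthEKU = $clientAuth
    DigitalSigKU  = $digSig
    SAN           = $sanText
    ChainBuilds   = $chainOk
    ChainStatus   = $chainStatus
} | Format-List
```

If ClientAuthEKU or ChainBuilds comes back False, NPS will reject the phone no matter which template name was used, and the fix is on the CA side (add the Client Authentication purpose to the template, or get the issuing chain into the NPS server's trusted root store). If everything here passes and NPS still denies the request, the next place to look is the NPS event log for the denied request's reason code, not the CA.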

Hello,

Thanks for the response. I see option 3 requires some input \ configuration on a Call Manager. At this point, the wireless phones are not connected to the network so are unable to communicate with the Call Manager. Access to the wireless 7921 is via an independent public wireless connection. We connect to the web page of the device, and use the web GUI of the 7921 to create the EAP-TLS WLAN SSID settings that are required and generate the CSR from there. The certificate authentication is used to authenticate the handset to a corporate wireless network.

The documentation I have been referring to is here:

http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/6_0/english/administration/guide/7921cfgu.html

Based on your answer though, it seems that using the MIC is probably the only way to authenticate the device with a NPS server.

I'll give this a go and update with progress.

Thank you