2274 Views, 0 Helpful, 7 Replies

7945 IP phone failing authentication 802.1x

razor3105 (Level 1)

I am trying to configure a 7945 to use MIC certificates to authenticate to ISE. I have already reviewed the information in the "ISE Secure Wired Access Prescriptive Deployment Guide", and it looks like everything is ready to work. However, the phone keeps failing over to MAB.

 

When I look at the live logs details, here is what I see:

 

12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
61025 Open secure connection with TLS peer
15041 Evaluating Identity Policy
22072 Selected identity source sequence - AD_Then_Local_Then_Guest
22070 Identity name is taken from certificate attribute
15013 Selected Identity Source - plcmrjlab.local
24432 Looking up user in Active Directory - plcmrjlab.local
24325 Resolving identity - CP-7945G-SEP001D70FCE6F9
24313 Search for matching accounts at join point - plcmrjlab.local
24318 No matching account found in forest - plcmrjlab.local
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
24412 User not found in Active Directory - plcmrjlab.local
22056 Subject not found in the applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
12507 EAP-TLS authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

 

I have a user configured in AD, but I am not trying to use that user. I am trying to use the local endpoint identity store, since the trusted MIC certs, along with every other CUCM trust cert, are there.

Do I need to configure a new authentication rule under the policy and somehow tell it to look only at the local endpoints? This is something I tried, but I got a different error indicating that there is a conflict in the authentication request (certificate-based vs password-based).

Not even sure if my point is clear enough to understand. Any help is appreciated. Thanks.

1 Accepted Solution

Accepted Solutions

Hey Paul.

 

I was able to figure it out. Every suggestion on here was very useful.

I finally ran into what was causing the problem resulting in "Identity resolution failed - ERROR_NO_SUCH_USER".

The authorization profile. I was using the Subject - Common Name attribute under the Certificate icon for a condition instead of using the one under the User icon.

 

[screenshot: CiscoIPPhoneMicAuthzProfile.png]

 

Lesson learned: Be sure to carefully follow instructions...  :-) Thanks.

 


7 Replies

Surendra (Cisco Employee)
I believe you are trying to do EAP-TLS. In this case, choose the identity store where you have certificate-based authentication enabled and that points at a certificate authentication profile. Example below:

[image: image001.png]

The screenshot didn't show up.

It should look something like this. See how there is no ID store configured.

[screenshot: Capture.JPG]


Hi Surendra,

 

Could you please share your screenshot again when you get a chance? It didn't show up the first time.

paul (Level 10)

Looks like you are using a certificate profile that is tied into AD. You need to create a certificate profile that is not checking AD for identity. Create one that uses either the Common Name or the SAN field for identity, but with no AD check.

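Added example (not part of the thread and not Cisco's code): a small Python triage script that reads the ISE step list pasted above and confirms the pattern Paul describes, namely a successful TLS handshake followed by an AD lookup of the certificate's CN that fails with ERROR_NO_SUCH_USER. It also splits the phone's MIC Subject CN (CP-<model>-SEP<MAC>, as in the log) into model and MAC, which is the identity a certificate authentication profile would use when it takes the name from the CN without an AD check. The sample step lines are copied from the post; the step-code constants and the verdict strings are this example's own assumptions, not ISE definitions.

```python
"""Triage an ISE EAP-TLS live-log step list and derive the endpoint identity
from a Cisco IP phone MIC Subject CN.

Example code written for this thread; it is not Cisco's or the poster's code.
"""
import re

# Constructed sample: the step lines pasted in the original post, in the order
# ISE lists them (oldest first).
SAMPLE_STEPS = """\
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
61025 Open secure connection with TLS peer
15041 Evaluating Identity Policy
22072 Selected identity source sequence - AD_Then_Local_Then_Guest
22070 Identity name is taken from certificate attribute
15013 Selected Identity Source - plcmrjlab.local
24432 Looking up user in Active Directory - plcmrjlab.local
24325 Resolving identity - CP-7945G-SEP001D70FCE6F9
24313 Search for matching accounts at join point - plcmrjlab.local
24318 No matching account found in forest - plcmrjlab.local
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
24412 User not found in Active Directory - plcmrjlab.local
22056 Subject not found in the applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
12507 EAP-TLS authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
"""

# Step codes as they appear in the pasted log; the names are this example's
# own labels (assumption), chosen from the messages shown next to each code.
TLS_OK = 12816
AD_LOOKUP = 24432
RESOLVING = 24325
NO_SUCH_USER = 24352
EAP_TLS_FAILED = 12507

STEP_RE = re.compile(r"^\s*(\d{5})\s*(.*?)\s*$")

# Cisco phone MIC Subject CN pattern as seen in the log: CP-<model>-SEP<12 hex>.
MIC_CN_RE = re.compile(r"^CP-(?P<model>[A-Za-z0-9]+)-SEP(?P<mac>[0-9A-Fa-f]{12})$")


def parse_steps(text):
    """Return a list of (code, message) for each '<5-digit code> <message>' line."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m and m.group(2):
            steps.append((int(m.group(1)), m.group(2)))
    return steps


def triage(steps):
    """Classify the step list: was the certificate accepted, and did the failure
    come from looking the certificate identity up in AD?"""
    codes = [code for code, _ in steps]
    identity = next(
        (msg.split(" - ", 1)[1] for code, msg in steps if code == RESOLVING and " - " in msg),
        None,
    )
    result = {
        "tls_ok": TLS_OK in codes,
        "ad_lookup": AD_LOOKUP in codes,
        "no_such_user": NO_SUCH_USER in codes,
        "eap_failed": EAP_TLS_FAILED in codes,
        "identity": identity,
    }
    if result["tls_ok"] and result["ad_lookup"] and result["no_such_user"]:
        # The pattern in the thread: cert chain trusted, CN then looked up in AD.
        result["verdict"] = ("certificate accepted; identity taken from the certificate "
                             "was looked up in AD and no account matched")
    elif not result["tls_ok"]:
        result["verdict"] = "TLS handshake did not succeed; check the trusted CA chain"
    elif result["eap_failed"]:
        result["verdict"] = "EAP-TLS failed after TLS succeeded, not due to an AD lookup"
    else:
        result["verdict"] = "no failure detected"
    return result


def mic_identity(cn):
    """Split a MIC Subject CN into model and colon-separated MAC, or None if it
    is not in the CP-<model>-SEP<MAC> form."""
    m = MIC_CN_RE.match(cn)
    if not m:
        return None
    mac = m.group("mac").upper()
    return {"model": m.group("model"),
            "mac": ":".join(mac[i:i + 2] for i in range(0, 12, 2))}


if __name__ == "__main__":
    report = triage(parse_steps(SAMPLE_STEPS))
    print(report["verdict"])
    print(mic_identity(report["identity"]))
```

Run stand-alone it prints the verdict for the pasted log and the model/MAC derived from CP-7945G-SEP001D70FCE6F9. The verdict string is only a heuristic over the step codes present on this page; it does not replace reading the full ISE detail report.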
Thanks. I think I was moving in that direction at some point, but since I was clueless I didn't keep trying. I will try that again and see how it works. Thanks again.
