
Authenticate Cisco IP Phone to ISE using MIC Certificate

dan.letkeman
Level 4

Hello,

I am trying to authenticate our IP Phones using the built-in MIC certificate. I am unable to find documentation on how to achieve this with ISE. I found an older ACS document, but I find that there are many aspects that are different.

I have installed the CAP-RTP certs from our CUCM servers into the Trusted store in ISE.

I have an authentication policy that allows wired 802.1x and EAP-TLS, and an authorization policy that allows EAP-TLS and a certificate with a subject that starts with CP-. Could the authentication policy be incorrectly set up?

I get a 12514 error stating that there is an unknown CA in the client cert chain. The documentation states that you need to have the two Cisco CA certs, and they are installed in ISE, however the older ones are disabled. Could this be part of the issue? Is there any harm in enabling them?

Thanks,

Dan.

5 Replies

Francesco Molino
VIP Alumni
Hi

Can you share the complete config you've done on ISE?
You're missing a trusted CA from CUCM. Have you exported all those certificates: Cisco_Root_CA_2048, Cisco_Manufacturing_CA, CAP-RTP-001, and CAP-RTP-002?
And imported them into ISE?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I had to enable the older Cisco Root certs that were installed on ISE.   By default only the two newer Cisco Root certs are enabled.

Dan,

Was that all you had to do? Also, can you share the screenshot of the policy you created on ISE? I am getting ready to do a similar deployment.

Thank you,

Francisco Padron.

Here you go.

[Attached screenshot: Phone.png]

Octavian Szolga
Level 4

Hi,

Your policy looks ok.

Just do a capture on ISE (host SWITCH_IP) and check in Wireshark the phone cert. (It will not be that hard to see.)

Thanks,

Octavian
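An offline way to run the same kind of check, added here as an example and not part of any reply in this thread: read the issuer of a certificate and test it against a bundle of CA certificates with `openssl verify`, which by default needs a complete path up to a trusted self-signed root. The three-level chain, its names and all file names are constructed for the demo and stand in for the phone certificate saved from the capture and the CA certificates exported from CUCM.

```shell
#!/usr/bin/env bash
# Constructed lab PKI: root CA -> issuing CA -> device certificate.
# Every name, key and file below is generated for this demo (assumption),
# standing in for the CA certificates exported from CUCM and the phone
# certificate saved from the packet capture.
set -eu

build_chain() {   # $1 = working directory to fill with keys and certificates
  (
    cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    # Self-signed root CA
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Root CA" \
      -keyout root.key -out root.csr
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
      -days 30 -out root.pem
    # Issuing CA, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Issuing CA" \
      -keyout int.key -out int.csr
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
      -CAcreateserial -extfile ca.ext -days 30 -out int.pem
    # Device certificate, signed by the issuing CA
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=CP-LAB-SEP000000000000" \
      -keyout phone.key -out phone.csr
    openssl x509 -req -in phone.csr -CA int.pem -CAkey int.key \
      -CAcreateserial -days 30 -out phone.pem
    cat int.pem root.pem > full.pem      # bundle with the whole CA path
  ) >/dev/null 2>&1
}

verify_with() {   # $1 = PEM bundle of trusted CAs, $2 = certificate to check
  # Succeeds only when openssl reports "<file>: OK" for the certificate.
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

work=$(mktemp -d)
build_chain "$work"
# The issuer line names the CA that must be present in the trust bundle.
openssl x509 -in "$work/phone.pem" -noout -subject -issuer
for bundle in full.pem int.pem; do
  if verify_with "$work/$bundle" "$work/phone.pem"; then
    echo "$bundle: chain verifies"
  else
    echo "$bundle: chain does NOT verify (a CA in the path is not trusted)"
  fi
done
rm -rf "$work"
```

With real files, point `verify_with` at a bundle of the exported CA certificates and at the phone certificate saved from Wireshark; a failure with only part of the CA path in the bundle shows which issuer still has to be trusted.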
