I am trying to authenticate our IP Phones using the built-in MIC certificate. I am unable to find documentation on how to achieve this with ISE. I found an older ACS document, but I find that there are many aspects that are different.
I have installed the CAP-RTP certs from our CUCM servers into the Trusted store in ISE.
I have an authentication policy that allows wired 802.1x and EAP-TLS, and an authorization policy that allows EAP-TLS and a certificate with a subject that starts with CP-. Could the Authentication policy be incorrectly set up?
I get a 12514 error stating that there is an unknown CA in the client cert chain. The documentation states that you need to have the two Cisco CA certs, and they are installed in ISE; however, the older ones are disabled. Could this be part of the issue? Is there any harm in enabling them?
I had to enable the older Cisco Root certs that were installed on ISE. By default only the two newer Cisco Root certs are enabled.
Was that all you had to do? Also, can you share the screenshot of the policy you created on ISE? I am getting ready to do a similar deployment.
Your policy looks ok.
Just do a capture on ISE (host SWITCH_IP) and check the phone cert in Wireshark (it will not be that hard to see).
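The chain check discussed in this thread, reproduced offline as an added example that is not part of the original posts: a constructed chain is verified with openssl against a trust store where the issuing root is missing, then against one where it is present. Every CA name, the phone subject and the file names are made up; in practice the phone certificate would come from the capture and the CA certificates would be the ones enabled in ISE.

```shell
#!/bin/sh
# Constructed demo PKI: every subject, file name and CA here is made up.

# mk_ca DIR NAME CN [ISSUER]: CA certificate, self-signed unless ISSUER is given.
mk_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
  if [ -z "${4:-}" ]; then
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 30 \
      -extfile "$1/ca.ext" -out "$1/$2.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
      -CAcreateserial -days 30 -extfile "$1/ca.ext" -out "$1/$2.pem" 2>/dev/null
  fi
}

# build_demo_pki DIR: old root -> manufacturing CA -> phone, plus an unrelated new root.
build_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  mk_ca "$1" old_root "Example Old Root CA" &&
  mk_ca "$1" new_root "Example New Root CA" &&
  mk_ca "$1" mfg_ca "Example Manufacturing CA" old_root &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example/CN=CP-0000-SEP000000000000" \
    -keyout "$1/phone.key" -out "$1/phone.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/phone.csr" -CA "$1/mfg_ca.pem" -CAkey "$1/mfg_ca.key" \
    -CAcreateserial -days 30 -out "$1/phone.pem" 2>/dev/null &&
  cp "$1/new_root.pem" "$1/trust_new_only.pem" &&
  cat "$1/new_root.pem" "$1/old_root.pem" > "$1/trust_both.pem"
}

# chain_trusted TRUSTSTORE LEAF CHAIN: status 0 only if LEAF chains to a root in TRUSTSTORE.
chain_trusted() {
  openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
}

demo=$(mktemp -d)
build_demo_pki "$demo" || { echo "openssl failed" >&2; exit 1; }
# The issuer line is the field to read off the phone certificate in the capture.
openssl x509 -in "$demo/phone.pem" -noout -subject -issuer
for store in trust_new_only trust_both; do
  if chain_trusted "$demo/$store.pem" "$demo/phone.pem" "$demo/mfg_ca.pem"; then
    echo "$store: chain OK"
  else
    echo "$store: unknown CA in chain"
  fi
done
```
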