09-14-2017 07:09 AM - edited 02-21-2020 10:34 AM
Hello,
I am trying to authenticate our IP Phones using the built-in MIC certificate. I am unable to find documentation on how to achieve this with ISE. I found an older ACS document, but I find that there are many aspects that are different.
I have installed the CAP-RTP certs from our CUCM servers into the Trusted store in ISE.
I have an authentication policy that allows wired 802.1x and EAP-TLS, and an authorization policy that allows EAP-TLS and a certificate with a subject that starts with CP-. Could the authentication policy be set up incorrectly?
I get a 12514 error stating that there is an unknown CA in the client cert chain. The documentation states that you need to have the two Cisco CA certs, and they are installed in ISE; however, the older ones are disabled. Could this be part of the issue? Is there any harm in enabling them?
Thanks,
Dan.
09-15-2017 06:50 PM
09-16-2017 04:38 PM
I had to enable the older Cisco Root certs that were installed on ISE. By default only the two newer Cisco Root certs are enabled.
03-28-2018 07:13 AM
Dan,
Was that all you had to do? Also, can you share the screenshot of the policy you created on ISE? I am getting ready to do a similar deployment.
Thank you,
Francisco Padron.
03-28-2018 08:09 AM
Here you go.
03-28-2018 12:36 PM
Hi,
Your policy looks OK.
Just do a capture on ISE (host SWITCH_IP) and check the phone cert in Wireshark (it will not be that hard to see).
Thanks,
Octavian
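Added example, not part of the thread and not Cisco tooling: once the phone certificate has been exported from the capture, the "unknown CA" condition can be reproduced offline with `openssl verify`, which shows which issuing CA the trust store must contain and have enabled. The CA names, the phone CN and all file paths below are constructed lab values, and `openssl verify` only stands in for the ISE trust check.

```shell
#!/bin/sh
# Constructed lab: two self-signed CAs ("old" and "new") and a phone-style
# leaf certificate signed by the old one. None of these are real Cisco certs.
make_lab() {
    d=$1
    for ca in old new; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/O=Constructed Lab/CN=Constructed $ca Manufacturing CA" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=CP-7945G-SEP001122334455" \
        -keyout "$d/phone.key" -out "$d/phone.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/phone.csr" -CA "$d/old.pem" -CAkey "$d/old.key" \
        -CAcreateserial -days 1 -out "$d/phone.pem" 2>/dev/null
}

# Print the issuer of a certificate: this is the CA that must be present
# (and enabled) in the RADIUS server's trust store.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# Report whether the leaf ($1) chains to any CA in the PEM bundle ($2).
chain_status() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo trusted
    else
        echo unknown-ca
    fi
}

LAB=$(mktemp -d)
make_lab "$LAB"
# Trust store A: only the newer CA. Trust store B: newer and older CA.
cat "$LAB/new.pem" > "$LAB/store_new_only.pem"
cat "$LAB/new.pem" "$LAB/old.pem" > "$LAB/store_both.pem"

cert_issuer "$LAB/phone.pem"
echo "new CA only: $(chain_status "$LAB/phone.pem" "$LAB/store_new_only.pem")"
echo "old + new:   $(chain_status "$LAB/phone.pem" "$LAB/store_both.pem")"
```

With a real exported phone certificate, run `cert_issuer` on it first and compare the printed issuer against the CA certificates that are enabled in the trust store.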