
Authenticating Cisco IP Phones using ISE and 802.1X

Bobby Stojceski
Level 1

I have seen a few others ask similar questions but no answers seem to have been posted.

How do you configure ISE 2.0 to authenticate a Cisco IP Phone that has the MIC and LSC certificates installed? I have already done the export of certificates from CUCM and import into ISE, but I just cannot get the Authentication Rule/s right. The phone is enabled for 802.1X and certificate, and the switch is doing its job as I see the RADIUS logs both in ISE and the switch showing the failures.

What identity store does a Cisco IP Phone use to authenticate itself against in ISE? Surely every phone doesn't need to be added into ISE ahead of time (hundreds or thousands)? The failure I get is ISE unable to match the user in any identity store.

There don't seem to be any guides available to help here other than old ACS guides.

I see there are prebuilt Authorization rules in ISE for Cisco IP Phones but I can't get far enough for the device to authenticate let alone hit the Authorization rule.

Can anyone help?

Thank you.

1 Reply

jan.nielsen
Level 7

If you are using EAP-TLS, your authentication rules need to select a certificate profile and an identity store; for EAP-TLS it will use the cert profile for authentication. It will still try to get AD groups for the CN/SAN name of your MIC/LSC cert, but it shouldn't fail authentication.

This thread also has some info:

https://supportforums.cisco.com/discussion/10952961/8021x-phone-authentication-eap-tls-mic-only