09-23-2018 09:32 PM - edited 03-11-2019 01:49 AM
I am testing 802.1x (with EAP-TLS + ISE) for Cisco Phones.
Planning on using the MIC (Manufacturer Issued Cert) for authentication.
Going through the resources available on the web, they all seem to suggest that, in addition to the following three certs that come pre-installed in ISE:
1) Cisco CA Manufacturing
2) Cisco Manufacturing CA SHA2
3) Cisco Root CA 2048
you also need to manually import the following two certs into ISE from Call Manager:
1) CAP-RTP-001
2) CAP-RTP-002
Is there a purpose in importing these two certs?
My question is, who is the real issuer of the certs installed on the end phones? If they come directly from one of the three pre-installed certs, then we wouldn't need to import these additional two certs into ISE. But I guess, if the phones are issued certs signed by the CAP-RTP-* certs, ISE might need all of them to complete the chain. Is this the case?
Furthermore, if we have to install the CAP-RTP-00* certs to get this working (for whatever reason), how would that affect ongoing operations when considering Call Manager or ISE upgrades? In other words, can a Call Manager upgrade cause the issuer of the end phone certs to change (in which case we would have to reinstall the certs on ISE from CUCM), or is it fixed (as long as the cert is valid)?
I'm just trying to understand how complex this can get, with Call Manager involved (indirectly) in the decision-making process when authenticating phones onto the network.
Please let me know your experience with this setup. Did you end up going with the EAP-MD5/password method to avoid the complexity that can arise with this setup?
Any issues that you encountered during an ISE or Call Manager upgrade due to Certificate issues?
Thanks in advance.
09-29-2018 12:04 AM
Hi,
The best way to authenticate Cisco phones is by using the profiling feature rather than authenticating through a cert; you can restrict Cisco phones based on their model. That will reduce the overload, and Call Manager will not come into the picture in any case.
In case you don't want to use the profiling feature, you can import the MAC addresses of all the Cisco phones from Call Manager into ISE and use the MAB method of authentication, providing voice permission to those Cisco phones in the ISE authorization profile.
If you prefer to use certificate-based authentication, make sure all the intermediate certificates and the root certificate that issued the phone certs are added to the trusted certificate store in ISE.
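The "who really issued the phone cert, and does my trust store complete the chain?" question from the original post, and the "intermediate plus root in the trust store" point from the reply above, can be checked with openssl before touching ISE. The script below is an added example, not from this thread or from Cisco: it builds a constructed three-tier chain (a placeholder root, a placeholder manufacturing CA, and a placeholder phone cert) and shows that a store holding only the root fails to verify the phone cert, while a store holding root plus intermediate succeeds. On a real phone cert you would run only the `issuer_of` and `chain_completes` functions against the exported MIC and your ISE trust bundle.

```shell
#!/bin/sh
# Added example: constructed root -> manufacturing CA -> phone cert chain.
# All CN values are placeholders, not real Cisco certificate names.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

# Self-signed root (stands in for a vendor root CA).
openssl req -config "$CFG" -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" -subj "/CN=Constructed Root CA" 2>/dev/null
# Intermediate signed by the root (stands in for a manufacturing CA).
openssl req -config "$CFG" -new -newkey rsa:2048 -nodes \
  -keyout "$WORK/mfg.key" -out "$WORK/mfg.csr" -subj "/CN=Constructed Manufacturing CA" 2>/dev/null
openssl x509 -req -in "$WORK/mfg.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -extfile "$CFG" -extensions ca_ext -out "$WORK/mfg.crt" 2>/dev/null
# Phone cert signed by the intermediate, not by the root.
openssl req -config "$CFG" -new -newkey rsa:2048 -nodes \
  -keyout "$WORK/phone.key" -out "$WORK/phone.csr" -subj "/CN=CONSTRUCTED-PHONE-001" 2>/dev/null
openssl x509 -req -in "$WORK/phone.csr" -CA "$WORK/mfg.crt" -CAkey "$WORK/mfg.key" \
  -CAcreateserial -days 30 -extfile "$CFG" -extensions leaf_ext -out "$WORK/phone.crt" 2>/dev/null

# Print the issuer DN of a certificate: answers "who actually signed this cert?".
issuer_of() { openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'; }

# Return 0 when the PEM trust bundle in $1 completes the chain for the leaf cert in $2.
chain_completes() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Two candidate trust stores: root alone, and root plus intermediate.
cat "$WORK/root.crt" > "$WORK/store_root_only.pem"
cat "$WORK/root.crt" "$WORK/mfg.crt" > "$WORK/store_with_intermediate.pem"

echo "phone cert issuer: $(issuer_of "$WORK/phone.crt")"
chain_completes "$WORK/store_root_only.pem" "$WORK/phone.crt" && echo "root only: OK" || echo "root only: FAIL"
chain_completes "$WORK/store_with_intermediate.pem" "$WORK/phone.crt" && echo "root+intermediate: OK" || echo "root+intermediate: FAIL"
```

The same two functions work on an exported phone certificate and an exported ISE trust-store bundle; a FAIL against the store you intend to deploy means an issuer is missing from it.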
10-01-2018 03:18 AM
Hi,
Please refer to this document for a complete guide on 802.1X for Cisco IP phones: https://community.cisco.com/t5/security-documents/cisco-ise-wired-access-deployment-guide/ta-p/3641515