1535 Views, 1 Helpful, 3 Replies

EAP-TLS fails behind Cisco IP phone with validate server certificate on

harrzhan
Cisco Employee

Hi experts,

We have a customer who just deployed Cisco IP phones. They are doing EAP-TLS with machine certs on their PCs. Everything was working fine. Once they plugged the PCs in behind the phones, they are seeing auth failure because of a client EAPOL response timeout.

From the packet capture, we see the client PC received the server certs and sent out the "Rekey and Change CipherSpec"; the phone, however, did not forward it to the switch. After some long delay, the phone finally forwarded it.

The validate server cert option is ON when this happens. When it is OFF, everything works.

I noticed that the response the client sent was an "anycast" with the destination "NEAREST" captured in Wireshark. I guess somehow the phone was trying to validate the response.

This is very strange.

Any idea?

Accepted Solution

Greg Gibbs
Cisco Employee

The following link has an older but still relevant design guide for IP Telephony and 802.1X. The phone should simply be passing through the EAP communications between the client and the switch.

IP Telephony for 802.1X Design Guide - Cisco

The only suggestion the guide has for this symptom is to upgrade the phone firmware. If the phones are older models, you might want to check the firmware version.

The majority of times I've seen issues with EAP-TLS only when the validate server certificate option is ticked (as long as the correct CAs are also ticked), it was related to MTU mismatches between the client and the PSN. You might want to ensure that the phone is not somehow creating an MTU mismatch.

If all of that is verified, you might try getting a packet capture from the phone using this method:

https://www.uccollabing.com/2017/07/05/how-to-collect-packet-capture-from-cisco-ip-phone/

If all else fails, you will likely need to open a TAC case so they can start looking at debugs or packet captures from the client, SPAN port, phone, and possibly the PSN.


3 Replies

We have done the packet captures on the PC (good and bad) and on the switch. The length of the packets passing through from the good PC is the same as the one stuck in the phone. I am not sure the MTU is the problem.

I am really thinking that it is a certificate issue. The ISE EAP-TLS is using a public cert. The PC is using an MS CA cert. The phone is using a CUCM self-signed cert.

We have a TAC case open, and we will be looking into different variables.

Interesting. In EAP-TLS there is one packet (after the tunnel is built) which goes beyond 1800 bytes and undergoes fragmentation and reassembly.

Maybe that is being dropped. A packet capture could confirm that.
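Both the MTU comment in the accepted answer and the fragmentation remark in the last reply come down to the same mechanism: the server's certificate chain is bigger than one EAPOL frame, so EAP-TLS (RFC 5216, section 3.2) carries it as a series of fragments flagged L (total length present), M (more fragments) and S (start). The following is an added example written for this thread, not code from Cisco, ISE or any of the posters. It builds such a fragment train, parses each fragment the way you would when reading a capture, and reassembles it while checking the L/M bookkeeping, so a dropped fragment (the thing a misbehaving phone would produce) is reported rather than silently swallowed. The 2300-byte "server flight" and the 1002-byte fragment limit are constructed values, not taken from the customer's captures; the 14-byte Ethernet and 4-byte EAPOL header overheads are the untagged-frame sizes and are the only real constants involved.

```python
"""EAP-TLS (RFC 5216 section 3.2) fragmentation, parsing and reassembly.

Added example for this thread, not code from Cisco or the original posters.
SERVER_FLIGHT and the 1002-byte fragment limit are constructed, not captured.
"""
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length included, More fragments, Start

EAP_HDR = 6                  # code, id, length(2), type, flags
ETH_EAPOL_OVERHEAD = 14 + 4  # untagged Ethernet header + EAPOL header (ver, type, len)

# Constructed stand-in for a server Certificate flight that exceeds one frame.
SERVER_FLIGHT = (bytes(range(256)) * 9)[:2300]


def build_fragments(tls_data, max_eap_len, first_id=1, code=EAP_REQUEST):
    """Split one TLS flight into EAP-TLS packets of at most max_eap_len bytes each.

    max_eap_len is the size of the whole EAP packet (what a RADIUS server's
    fragment-size knob limits). The L flag and 4-byte total length go on the
    first fragment only; M is set on every fragment except the last.
    """
    if max_eap_len < EAP_HDR + 5:
        raise ValueError("max_eap_len leaves no room for TLS data")
    fragmented = len(tls_data) > max_eap_len - EAP_HDR
    frags, offset, ident = [], 0, first_id
    while True:
        carry_len = offset == 0 and fragmented
        room = max_eap_len - EAP_HDR - (4 if carry_len else 0)
        chunk = tls_data[offset:offset + room]
        offset += len(chunk)
        more = offset < len(tls_data)
        flags = (FLAG_L if carry_len else 0) | (FLAG_M if more else 0)
        body = (struct.pack("!I", len(tls_data)) if carry_len else b"") + chunk
        hdr = struct.pack("!BBHBB", code, ident & 0xFF, EAP_HDR + len(body), EAP_TYPE_TLS, flags)
        frags.append(hdr + body)
        ident += 1
        if not more:
            return frags


def parse_eap_tls(pkt):
    """Decode one EAP-TLS packet; a ValueError here is what a truncated frame looks like."""
    if len(pkt) < EAP_HDR:
        raise ValueError("short EAP packet")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:EAP_HDR])
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != {len(pkt)} bytes on the wire")
    if eap_type != EAP_TYPE_TLS:
        raise ValueError(f"not EAP-TLS (type {eap_type})")
    pos, total = EAP_HDR, None
    if flags & FLAG_L:
        if len(pkt) < EAP_HDR + 4:
            raise ValueError("L flag set but TLS message length missing")
        total = struct.unpack("!I", pkt[EAP_HDR:EAP_HDR + 4])[0]
        pos = EAP_HDR + 4
    return {"code": code, "id": ident, "L": bool(flags & FLAG_L), "M": bool(flags & FLAG_M),
            "S": bool(flags & FLAG_S), "tls_total": total, "data": pkt[pos:]}


def reassemble(frags):
    """Concatenate fragments in order, verifying the M chain and the L-announced total."""
    buf, expected = bytearray(), None
    for i, f in enumerate(parse_eap_tls(p) for p in frags):
        if f["L"]:
            if i != 0:
                raise ValueError(f"fragment {i}: L flag on a non-first fragment")
            expected = f["tls_total"]
        buf += f["data"]
        if not f["M"]:
            if i != len(frags) - 1:
                raise ValueError(f"fragment {i}: M clear but more fragments follow")
            break
    else:
        raise ValueError(f"last fragment still has M set after {len(buf)} bytes; peer keeps waiting")
    if expected is not None and len(buf) != expected:
        raise ValueError(f"reassembled {len(buf)} bytes but L announced {expected}: fragment missing")
    return bytes(buf)


def reassembly_status(frags):
    """None when the train reassembles cleanly, otherwise the diagnostic string."""
    try:
        reassemble(frags)
        return None
    except ValueError as exc:
        return str(exc)


def wire_frame_len(eap_pkt):
    """Bytes on an untagged Ethernet link for this fragment (add 4 for an 802.1Q tag)."""
    return ETH_EAPOL_OVERHEAD + len(eap_pkt)


if __name__ == "__main__":
    train = build_fragments(SERVER_FLIGHT, 1002)
    for p in train:
        f = parse_eap_tls(p)
        print(f"id={f['id']} L={f['L']} M={f['M']} total={f['tls_total']} "
              f"data={len(f['data'])} frame={wire_frame_len(p)}")
    print("complete train:", reassembly_status(train))
    print("middle fragment dropped:", reassembly_status([train[0], train[2]]))
```

Run against a real capture, the same parser applied to the EAP payload of each EAPOL frame tells you two things at once: the largest `wire_frame_len` the phone is being asked to pass (compare it to the link MTU on both sides of the phone), and whether the train the switch actually saw is complete or stops with M still set, which is the "client EAPOL response timeout" symptom from the original post seen from the server's side.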
