03-19-2012 10:12 PM - edited 03-10-2019 06:55 PM
Hello,
I'm currently in the first phases of deploying a Cisco IPT 802.1X-based proof of concept using freeradius and Cisco switching infrastructure (4500s).
The requirements are to use EAP-TLS authentication for the phones, with freeradius as the RADIUS server.
While trying out the concept in the lab using an ISE RADIUS server, the configuration was straightforward and I did manage to authenticate IP phones against the ISE using their MIC certificates.
Moving to actual testing with freeradius, EAP-TLS authentication keeps looping: the phones keep sending RADIUS Access-Requests, but are neither rejected nor allowed.
What was done:
- set up freeradius with an EAP-TLS configuration, trusting both the Cisco CA root and the manufacturing root.
- freeradius has a server certificate issued by the Thawte SSL CA, with the EKU fields properly set for server authentication (and also client authentication).
- The phone has 802.1X enabled (and it does support EAP-TLS, as verified in the ISE test).
What I can see while running a wireshark trace on freeradius is:
- both parties negotiate properly that they will engage in EAP-TLS.
- they start the TLS handshake
- Server sends its certificate in the Server Hello exchange to the phone (which is not meant to validate it).
- Client (phone) never sends its certificate (MIC) to the server.
- Client restarts EAP-TLS negotiation and goes on and on.
Unfortunately the debugs/captures on freeradius do not allow me to verify whether the server certificate exchange finishes, or whether it fails somewhere (e.g. a fragment being dropped).
Does anyone have an idea of what might be happening? I find it very strange that the phone would behave differently on a freeradius deployment than on an ISE deployment, especially since it doesn't validate the server certificate, so what is presented to the phone shouldn't matter.
Phone firmware is 9.2(3) and CallManager is 8.6.
Thanks
Gustavo Novais
11-15-2015 12:32 AM
I know this is an old thread, but I just had the same behaviour as the OP with freeRadius 3.0.9 and 8845 phones running 10.3.16 on a 10.5 cluster, so it is still relevant.
I found the following in the phone console logs:
5840 ERR Nov 14 23:25:51.242806 PAE: -Total fragmented length(1616) doesn't match expected length(1612)
I was able to resolve the problem by adding include_length = no to the tls section of the mods-available/eap file.
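As an added illustration (not code from either post, nor from FreeRADIUS or Cisco), the following Python builds an EAP-TLS fragment series both ways and reassembles it as a supplicant must. In RFC 5216 the EAP-TLS header is Code, Identifier, Length, Type (13), Flags, and, when the L flag is set, a 4-byte TLS Message Length before the TLS data. The comments in FreeRADIUS's default eap configuration describe include_length as controlling whether that field is sent in every fragment (yes) or only in the first one (no); the two modes below mirror that. The 1612-byte sample message, the chunk size, and all function names are constructed for the example; the sample only echoes the size in the log line and is not real TLS.

```python
import struct
from typing import List, Optional

# EAP-TLS packet layout (RFC 5216, section 3.1):
#   Code(1) Identifier(1) Length(2) Type(1)=13 Flags(1) [TLS Message Length(4)] TLS Data
EAP_CODE_REQUEST = 1
EAP_TYPE_TLS = 13
FLAG_L = 0x80  # Length included: the 4-byte TLS Message Length field follows
FLAG_M = 0x40  # More fragments follow
FLAG_S = 0x20  # EAP-TLS Start (not used in this example)
HDR_LEN = 6    # EAP header (4) + Type (1) + Flags (1)


def build_fragments(tls_message: bytes, chunk_size: int,
                    include_length: bool, first_id: int = 1) -> List[bytes]:
    """Split one TLS message into EAP-TLS Request fragments.

    include_length=True mirrors FreeRADIUS "include_length = yes": the TLS
    Message Length field is carried in every fragment.  False mirrors
    "include_length = no": it is carried only in the first fragment.
    (chunk_size is the amount of TLS data per fragment, an assumption made
    for this example, not the FreeRADIUS fragment_size setting.)
    """
    frags = []
    total = len(tls_message)
    offset, ident = 0, first_id
    while offset < total:
        chunk = tls_message[offset:offset + chunk_size]
        offset += len(chunk)
        flags = FLAG_M if offset < total else 0
        body = b""
        if ident == first_id or include_length:
            flags |= FLAG_L
            body += struct.pack("!I", total)
        body += chunk
        header = struct.pack("!BBHBB", EAP_CODE_REQUEST, ident & 0xFF,
                             HDR_LEN + len(body), EAP_TYPE_TLS, flags)
        frags.append(header + body)
        ident += 1
    return frags


def reassemble(fragments: List[bytes]) -> bytes:
    """Reassemble fragments the way a supplicant must.

    The expected total comes from the first fragment's TLS Message Length.
    Only TLS data is accumulated; the length field itself never counts.
    A ValueError is raised on a mismatch (for instance a dropped fragment),
    which is the condition the phone log above reports.
    """
    expected: Optional[int] = None
    buf = bytearray()
    last = len(fragments) - 1
    for i, pkt in enumerate(fragments):
        if len(pkt) < HDR_LEN:
            raise ValueError("truncated EAP packet")
        _code, _ident, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:HDR_LEN])
        if length != len(pkt) or eap_type != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS packet")
        data = pkt[HDR_LEN:]
        if flags & FLAG_L:
            (msg_len,) = struct.unpack("!I", data[:4])
            data = data[4:]
            if expected is None:
                expected = msg_len
            elif msg_len != expected:
                raise ValueError(f"TLS Message Length changed mid-series: {msg_len} != {expected}")
        elif expected is None and (flags & FLAG_M or i > 0):
            raise ValueError("first fragment of a series lacks the L flag")
        buf += data
        if bool(flags & FLAG_M) != (i < last):
            raise ValueError("M flag inconsistent with fragment position")
    if expected is not None and len(buf) != expected:
        raise ValueError(f"Total fragmented length({len(buf)}) doesn't match expected length({expected})")
    return bytes(buf)


def reassembly_error(fragments: List[bytes]) -> Optional[str]:
    """Return the reassembly error message, or None if the series is consistent."""
    try:
        reassemble(fragments)
    except ValueError as e:
        return str(e)
    return None


def has_length_field(pkt: bytes) -> bool:
    """True if the fragment carries the 4-byte TLS Message Length (L flag set)."""
    return bool(pkt[5] & FLAG_L)


# Constructed stand-in for a server Certificate message: 1612 bytes of
# arbitrary data (the size only echoes the log line; it is not real TLS).
SAMPLE_TLS = bytes(range(256)) * 6 + bytes(76)

if __name__ == "__main__":
    for mode in (True, False):
        series = build_fragments(SAMPLE_TLS, 600, include_length=mode)
        print(f"include_length={mode}: sizes {[len(p) for p in series]}, "
              f"L flags {[has_length_field(p) for p in series]}, "
              f"reassembled OK: {reassemble(series) == SAMPLE_TLS}")
    # Drop the middle fragment and show the mismatch a supplicant should report.
    full = build_fragments(SAMPLE_TLS, 600, include_length=True)
    print(reassembly_error([full[0], full[2]]))
```

A correct reassembler recovers the same TLS message in both modes, so the setting only changes which fragments carry the length field; when checking a capture of a looping phone, it is worth confirming that every Request fragment reaches the phone and that the sum of the TLS data (excluding the 4-byte length fields) equals the advertised TLS Message Length.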