cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7211
Views
10
Helpful
14
Replies

To-delete

kamil.swedrak
Level 1
Level 1

[***TO-DELETE***]

1 Accepted Solution

Accepted Solutions

Hi @kamil.swedrak

 

I have reproduced your issue in my lab.

There is an anonymous identity component in the EAP request that cannot be blank when talking to ISE.  You can make it whatever you like, and it won't have any bearing on your results, other than to make ISE happy to continue.  So put a static value in there like "PolycomVVX" - you will not see this anonymous username in the logs - you will see the Subject CN in the logs.

View solution in original post

14 Replies 14

Arne Bier
VIP
VIP

This is very common 802.1X authentication scenario and if you're starting out as a beginner, then I would recommend watching the www.labminutes.com - search that site for 802.1X - the guy shows you how to do exactly what you're after.

 

Doing cert auth is very simple once you see that video.

And AD lookups using EAP-PEAP (MSchapv2) is also relatively straightforward - you can easily join the AD domain or use LDAP for your lookups.  Again, for total beginners there is too much to explain here - watch the labminutes.  It's brilliant.

Hi,

As rightly mentioned, you can also refer this document for complete wired deployment guide where in they have mentioned 802.1x for IP phones. 

https://community.cisco.com/t5/security-documents/cisco-ise-wired-access-deployment-guide/ta-p/3641515

 

Thanks,

Aravind

-Aravind

@Aravind this is actually great deployment guide however is designed only for Cisco infrastructure.

It is really great but it is for Cisco Phones.

Btw I was able to configure Polycom VVX phone to use 802.1X & EAP-TLS and I was able to establish communication with ISE (using device certificate to authenticate). However I'm getting following error:
22007 Username attribute is not present in the authentication request

I was pretty sure that EAP-TLS can use CA/Device certificate to authenticate but based on error I getting it looks like I need username which is unclear to me....

[Steps performed from my side]
- configured authorized policy with one condition: Certificate:Issuer-Organization STARTS_WITH value from certificate

- configured dACL_Voice which permit all trafic and permit voice vlan as well

- configured authentication policy to allow EAP-TLS

 

Any queries/comments?

Thank you very much.

 

@kamil.swedrak - If you're 100% sure that the phone did perform EAP-TLS (and not EAP-PEAP), then it might be because by default ISE will look into the supplicant's certificate and try to extract the Subject Common Name (CN) from that cert.  This is default behaviour. If the cert doesn't contain any value in that part of the cert then ISE will complain.

Some customers might want to extract username from the Subject CN and then perform an LDAP/AD lookup to see if that user account is active.  Whether or not you do it is another story - but the fact is that ISE will expect some data in that field.

 

Have a look at the Polycom's cert and if the SUbject is null (empty) then tell ISE to look at another attribute

 

cert.PNG

 

@Arne Bier - yes I'm pretty sure that my phone is using EAP-TLS:

EAP-TLS_Polycom.jpg

Certificate I'm using is artificial and common name started with polycom.test please take a look:

Certificate-CN.jpg

Regarding certificate policy - I don't have position Certificate - Subject Common name, I have only Certificate - Issuer Common name but I think it can be used parallel (correct me if I'm wrong).

Below showing you the certificate which was imported to ISE and device:

Certificate_status.jpg

The second thing is that I haven't entry under Certificate Authentication Profile which pointing to my Polycom certificate (I have only Polycom certificate under Trusted Certificate section).

Although I created new certificate with the template you shown it doesn't changed anything for me.

 

There are two things at play here

1) The ISE server is acting as Authenticating Server (in the EAP game) and it needs to present a certificate to the Polycom during TLS establishment.  This certificate has to be trusted by the Polycom, or else the TLS breaks down.  Question to you:  is this trust feature enabled or disabled on the Polycom?  If enabled, then have you installed that cert on the Polycom (or, if not the exact cert, then the CA chain that generated the ISE EAP cert?)

2) If point 1 is out of the way then let's look at the Polycom cert.  ISE needs to have the CA chain that signed that Polycom cert that you showed.  It doesn't make sense to install all the Polycom self-signed certs into ISE (although you could do that, it would be impractical). Normally those phones would have a cert created for them by some PKI.  Now if that is the case, then you must install that PKI cert chain into the ISE trusted cert store.

 

that's it.

1) Not sure if Polycom phones have trust feature (walked through phone menu/Web GUI and I didn't found).
The only information I have is that certificate is installed (so I'm assuming that is trusted).

2) Since polycom.test cert is installed on ISE how to check if ISE have CA chained signed by Polycom?
Should I refer to this?:
Cisco ISE Custom Certificate Installation

From my read of VVX 410 and 802.1x - Polycom Community, it seems you would need to fill-in the Identity field to serve as the user name.

EAP-TLS
  • Device certificate

  • Trusted pool of root/CA certificates

  • Identity (user name)

@hslai - thank you for your post.

I already configured phone with username but it is unclear to me what kind of username that should be (I'm assumed that it can be artificial user but somewhere this artificial username should be authenticated is this correct?).

Once the identity configured, you should not be getting 

22007 Username attribute is not present in the authentication request

If you are still getting the same error, best to consult Polycom support team to validate the configuration for the Polycom device.

For cert-based auth only, ISE validates the client certificates and, I believe, it cares not the username as long as it present.

You can get the copy of the endpoint certificate and the chain that ISE is receiving using ISE debug tool:

  1. On ISE GUI, go to Operations > Troubleshoot > Diagnostic Tools
  2. On the left hand side. Click on General Tools > EndPoint Debug
  3. Select MAC Address
  4. Enter Phone MAC address
  5. Make the IP Phone go through the authentication again
  6. You will end up with two files; endpoint certificate and debugScreen Shot 2018-10-29 at 9.18.17 AM.png
  7. Open the certificate from PC and inspect the subject and SAN field. This will provide information on what field can be used for identityScreen Shot 2018-10-29 at 9.15.49 AM.png
  8. Also, inspect certificate path, which will provide root certificate. You can export the root certificate and import into ISE trusted CA, which will allow ISE to trust the Polycom root so you don't have to import each phone certificate into ISE as trusted rootScreen Shot 2018-10-29 at 9.17.16 AM.png

Note: I am showing Cisco IP Phone example, but you get the idea.

 

Hi @kamil.swedrak

 

I have reproduced your issue in my lab.

There is an anonymous identity component in the EAP request that cannot be blank when talking to ISE.  You can make it whatever you like, and it won't have any bearing on your results, other than to make ISE happy to continue.  So put a static value in there like "PolycomVVX" - you will not see this anonymous username in the logs - you will see the Subject CN in the logs.

@Arne Bier - thanks for that valued information.

I have also one question regarding Authorization Policy - where this should be specify since I'm looking on my dashboard and have only policy sets, authorization profiles under policy tab, please take a look:

11-6-2018 4-22-03 PM.jpg
At this moment I can only specify authorization profile/allowed protocols to use under policy sets but don't have any place where I can specify authorization policy for IP phone to use certificate.

Do you have Arne any thoughts on this?

Hi @kamil.swedrak

 

Not sure what you're asking.

 

When I reproduced this in the lab, I did not need to make any changes in ISE.  I was testing with a Linux supplicant called wpa_supplicant.  And it allows me to play around with EAP parameters.

 

In ISE there is no special tricks that you need to be aware of.  Any standard 802.1X EAP-TLS authentication example that you find with google searches (or via www.labminutes.com) will work.

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: