

kamil.swedrak


Arne Bier

This is a very common 802.1X authentication scenario, and if you're starting out as a beginner, then I would recommend watching www.labminutes.com - search that site for 802.1X - the guy shows you how to do exactly what you're after.

Doing cert auth is very simple once you see that video.

And AD lookups using EAP-PEAP (MSCHAPv2) are also relatively straightforward - you can easily join the AD domain or use LDAP for your lookups.  Again, for total beginners there is too much to explain here - watch the labminutes.  It's brilliant.

Hi,

As rightly mentioned, you can also refer to this document for the complete wired deployment guide, wherein they cover 802.1X for IP phones.

https://community.cisco.com/t5/security-documents/cisco-ise-wired-access-deployment-guide/ta-p/3641515

Thanks,

Aravind

@Aravind this is actually a great deployment guide; however, it is designed only for Cisco infrastructure.

It is really great but it is for Cisco Phones.

Btw I was able to configure a Polycom VVX phone to use 802.1X & EAP-TLS and I was able to establish communication with ISE (using the device certificate to authenticate). However I'm getting the following error:
22007 Username attribute is not present in the authentication request

I was pretty sure that EAP-TLS can use the CA/device certificate to authenticate, but based on the error I'm getting it looks like I need a username, which is unclear to me....

[Steps performed from my side]
- configured the authorization policy with one condition: Certificate:Issuer-Organization STARTS_WITH value from certificate

- configured dACL_Voice which permits all traffic and permits the voice VLAN as well

- configured the authentication policy to allow EAP-TLS

Any queries/comments?

Thank you very much.


@kamil.swedrak - If you're 100% sure that the phone did perform EAP-TLS (and not EAP-PEAP), then it might be because by default ISE will look into the supplicant's certificate and try to extract the Subject Common Name (CN) from that cert.  This is default behaviour. If the cert doesn't contain any value in that part of the cert then ISE will complain.

Some customers might want to extract username from the Subject CN and then perform an LDAP/AD lookup to see if that user account is active.  Whether or not you do it is another story - but the fact is that ISE will expect some data in that field.


Have a look at the Polycom's cert, and if the Subject is null (empty) then tell ISE to look at another attribute.

[screenshot: cert.PNG]

@Arne Bier - yes I'm pretty sure that my phone is using EAP-TLS:

[screenshot: EAP-TLS_Polycom.jpg]

The certificate I'm using is artificial and the common name starts with polycom.test; please take a look:

[screenshot: Certificate-CN.jpg]

Regarding the certificate policy - I don't have the option Certificate - Subject Common Name, I have only Certificate - Issuer Common Name, but I think it can be used in parallel (correct me if I'm wrong).

Below I'm showing you the certificate which was imported to ISE and the device:

[screenshot: Certificate_status.jpg]

The second thing is that I don't have an entry under Certificate Authentication Profile pointing to my Polycom certificate (I have only the Polycom certificate under the Trusted Certificates section).

Although I created a new certificate with the template you showed, it didn't change anything for me.

There are two things at play here

1) The ISE server is acting as Authenticating Server (in the EAP game) and it needs to present a certificate to the Polycom during TLS establishment.  This certificate has to be trusted by the Polycom, or else the TLS breaks down.  Question to you:  is this trust feature enabled or disabled on the Polycom?  If enabled, then have you installed that cert on the Polycom (or, if not the exact cert, then the CA chain that generated the ISE EAP cert?)

2) If point 1 is out of the way then let's look at the Polycom cert.  ISE needs to have the CA chain that signed that Polycom cert that you showed.  It doesn't make sense to install all the Polycom self-signed certs into ISE (although you could do that, it would be impractical). Normally those phones would have a cert created for them by some PKI.  Now if that is the case, then you must install that PKI cert chain into the ISE trusted cert store.


that's it.

1) Not sure if Polycom phones have a trust feature (I walked through the phone menu/Web GUI and didn't find one).
The only information I have is that the certificate is installed (so I'm assuming that it is trusted).

2) Since the polycom.test cert is installed on ISE, how do I check if ISE has the CA chain signed by Polycom?
Should I refer to this?:
Cisco ISE Custom Certificate Installation

From my read of VVX 410 and 802.1x - Polycom Community, it seems you would need to fill-in the Identity field to serve as the user name.

EAP-TLS
  • Device certificate
  • Trusted pool of root/CA certificates
  • Identity (user name)

@hslai - thank you for your post.

I already configured the phone with a username, but it is unclear to me what kind of username that should be (I assumed that it can be an artificial user, but somewhere this artificial username should be authenticated - is this correct?).

Once the identity is configured, you should not be getting:

22007 Username attribute is not present in the authentication request

If you are still getting the same error, best to consult Polycom support team to validate the configuration for the Polycom device.

For cert-based auth only, ISE validates the client certificates and, I believe, it does not care about the username as long as it is present.

You can get a copy of the endpoint certificate and the chain that ISE is receiving using the ISE debug tool:

  1. On the ISE GUI, go to Operations > Troubleshoot > Diagnostic Tools
  2. On the left hand side, click on General Tools > EndPoint Debug
  3. Select MAC Address
  4. Enter the phone's MAC address
  5. Make the IP phone go through the authentication again
  6. You will end up with two files: the endpoint certificate and the debug output
  7. Open the certificate on a PC and inspect the Subject and SAN fields. This will tell you which field can be used for the identity
  8. Also inspect the certificate path, which will show the root certificate. You can export the root certificate and import it into the ISE trusted CA store, which will allow ISE to trust the Polycom root so you don't have to import each phone certificate into ISE as a trusted root

Note: I am showing a Cisco IP Phone example, but you get the idea.

Hi @kamil.swedrak


I have reproduced your issue in my lab.

There is an anonymous identity component in the EAP request that cannot be blank when talking to ISE.  You can make it whatever you like, and it won't have any bearing on your results, other than to make ISE happy to continue.  So put a static value in there like "PolycomVVX" - you will not see this anonymous username in the logs - you will see the Subject CN in the logs.
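The point Arne makes above, that an EAP-TLS exchange still opens with an EAP-Response/Identity whose value must not be empty even though ISE authorizes on the certificate's Subject CN, as an added example that is not part of the original post and is not ISE's or Cisco's code: a parser for the RADIUS EAP-Message attribute (type 79) that unwraps the EAP packet and reports whether the outer identity is blank. The sample packets are constructed inline, and the "reject" verdict mirrors the condition behind the 22007 message quoted in the thread rather than reproducing ISE's internal check.

```python
import struct
from typing import Optional

# Constants from RFC 3748 (EAP) and RFC 3579 (RADIUS EAP-Message attribute).
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TLS = 13
RADIUS_ATTR_EAP_MESSAGE = 79


def build_eap_message_attr(identifier: int, eap_type: int, type_data: bytes) -> bytes:
    """Wrap an EAP Response of the given Type in a RADIUS EAP-Message attribute.

    Used here only to construct sample input; in a real deployment the switch
    (the NAS) does this when it relays the supplicant's EAPOL frame to ISE.
    """
    eap_len = 4 + 1 + len(type_data)  # Code, Identifier, Length(2), Type, Type-Data
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier, eap_len, eap_type) + type_data
    # RADIUS attribute header: Type(1), Length(1); Length includes the header bytes.
    return struct.pack("!BB", RADIUS_ATTR_EAP_MESSAGE, 2 + len(eap)) + eap


def unwrap_eap_message_attr(attr: bytes) -> bytes:
    """Return the EAP packet carried in a single RADIUS EAP-Message attribute."""
    if len(attr) < 3:
        raise ValueError("truncated RADIUS attribute")
    attr_type, attr_len = attr[0], attr[1]
    if attr_type != RADIUS_ATTR_EAP_MESSAGE:
        raise ValueError(f"not an EAP-Message attribute (type {attr_type})")
    if attr_len != len(attr):
        raise ValueError("RADIUS attribute Length does not match the data")
    return attr[2:]


def outer_identity(eap: bytes) -> Optional[str]:
    """Return the outer identity from an EAP-Response/Identity, or None if blank.

    With EAP-TLS the certificate Subject CN is what ISE logs and authorizes on,
    but the conversation still starts with this Identity response, and an empty
    one is what the thread's 22007 error corresponds to.
    """
    if len(eap) < 5:
        raise ValueError("EAP packet too short to carry a Type")
    code, _identifier, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if length != len(eap):
        raise ValueError("EAP Length does not match the packet size")
    if code != EAP_CODE_RESPONSE:
        raise ValueError(f"expected an EAP Response (code 2), got code {code}")
    if eap_type != EAP_TYPE_IDENTITY:
        # e.g. Type 13 (EAP-TLS): the certificate travels here, the username does not.
        raise ValueError(f"expected EAP-Response/Identity (type 1), got type {eap_type}")
    type_data = eap[5:]
    if not type_data:
        return None
    return type_data.decode("utf-8", errors="replace")


def identity_check(attr: bytes) -> str:
    """One-line verdict for a captured EAP-Message attribute value."""
    identity = outer_identity(unwrap_eap_message_attr(attr))
    if identity is None:
        return "REJECT: empty outer identity (the condition behind ISE's 22007 message)"
    return f"OK: outer identity {identity!r}"


# Constructed sample input, not captured from a real phone: the same EAP-TLS
# supplicant with the identity field left blank versus set to a static value.
BLANK_IDENTITY = build_eap_message_attr(1, EAP_TYPE_IDENTITY, b"")
STATIC_IDENTITY = build_eap_message_attr(1, EAP_TYPE_IDENTITY, b"PolycomVVX")

if __name__ == "__main__":
    for sample in (BLANK_IDENTITY, STATIC_IDENTITY):
        print(sample.hex(), "->", identity_check(sample))
```

The static value never reaches the authorization decision; the check only confirms that the EAP-Response/Identity has a non-empty Type-Data field before the TLS handshake (EAP Type 13) carries the device certificate.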

@Arne Bier - thanks for that valued information.

I also have one question regarding the Authorization Policy - where should this be specified? Looking at my dashboard I have only policy sets and authorization profiles under the Policy tab, please take a look:

[screenshot: 11-6-2018 4-22-03 PM.jpg]

At this moment I can only specify the authorization profile/allowed protocols to use under policy sets, but I don't have any place where I can specify an authorization policy for the IP phone to use the certificate.

Arne, do you have any thoughts on this?

Hi @kamil.swedrak

Not sure what you're asking.

When I reproduced this in the lab, I did not need to make any changes in ISE.  I was testing with a Linux supplicant called wpa_supplicant.  And it allows me to play around with EAP parameters.

In ISE there are no special tricks that you need to be aware of.  Any standard 802.1X EAP-TLS authentication example that you find with google searches (or via www.labminutes.com) will work.
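A wpa_supplicant configuration for the kind of wired EAP-TLS test Arne describes, added here as an illustration; it is not taken from his lab or from the original post. The parameter names are wpa_supplicant's own documented ones; the config path, interface name, certificate file paths and the static identity value are assumptions for the example.

```conf
# /etc/wpa_supplicant/wired-eap-tls.conf   (assumed path)
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0          # wired 802.1X: no scanning, used with the "wired" driver

network={
    key_mgmt=IEEE8021X
    eap=TLS
    eapol_flags=0  # no WEP key derivation on a wired port

    # Outer identity sent in EAP-Response/Identity. This is the field the thread
    # is about: it does not have to match the certificate and ISE logs the cert
    # Subject CN instead, but leaving it empty is what produced 22007 in Arne's
    # reproduction.
    identity="PolycomVVX"

    # CA chain that signed ISE's EAP server certificate, so the supplicant
    # trusts ISE during the TLS handshake (assumed path).
    ca_cert="/etc/wpa_supplicant/certs/ise-eap-chain.pem"

    # Device certificate and key. The CA that signed these must be in ISE's
    # Trusted Certificates store (assumed paths).
    client_cert="/etc/wpa_supplicant/certs/polycom-test.pem"
    private_key="/etc/wpa_supplicant/certs/polycom-test.key"
}
```

Run it against a switch port with `wpa_supplicant -D wired -i eth0 -c /etc/wpa_supplicant/wired-eap-tls.conf -d` (interface name assumed); the `-d` debug output shows the EAP-Response/Identity going out before the TLS handshake, and the ISE Live Log should then show the certificate's Subject CN rather than the static identity.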