07-11-2013 01:03 PM - edited 02-21-2020 04:55 AM
Hi Gents,
I have a question about the CA configs for ISE or ACS.
As I understand it, the LSC certificate is issued by the CUCM through its Certificate Authority Proxy Function. If an IP Phone needs to be authenticated by its LSC (Locally Significant Certificate), which of the following CAs do we need to trust:
1. Cisco CA Certificate
2. CUCM Locally signed Certificate or CUCM Identity Certificate
And if these certificates are imported into ISE/ACS, will the ISE/ACS be able to authenticate the IP Phone if the dot1x EAP-TLS authentication is enabled for IP Phones?
Are there any other configs needed?
I would highly appreciate it if someone could clarify this process for me.
Regards,
07-12-2013 08:09 AM
I got the answer for the first part of the EAP-TLS authentication: phone authentication.
In an IEEE 802.1X authentication, the AAA server is responsible for validating the certificate provided by the phone. To do this, the AAA server must have a copy of the root CA certificate that signed the phone's certificate. The root certificates for both LSCs and MICs can be exported from the CUCM Operating System Administration interface and imported into your AAA server.
As this is EAP-TLS, the server (ISE/ACS) is also required to authenticate itself to the phone.
What is needed for this?
07-17-2013 06:30 PM
A CTL File with Server Certificates.
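The two-way trust discussed in this thread can be reproduced offline with OpenSSL. This is an added example, not part of the original posts and not Cisco tooling: it builds a constructed lab PKI and shows that each side accepts the peer's certificate only when its trust store holds the root that actually signed it. All CA, server and phone names are made up, and the phone's trust list is modelled as a single PEM file.

```bash
#!/usr/bin/env bash
# Constructed lab PKI; every CA, host and phone name here is made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed root CA (NAME.key, NAME.pem).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue CA NAME: create a key for NAME and a certificate signed by CA.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 30 -CAcreateserial \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -out "$WORK/$2.pem" 2>/dev/null
}

# trusts ANCHOR CERT: succeed only if CERT chains to the one trusted ANCHOR.
trusts() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" 2>/dev/null | grep -q ': OK$'
}

# verdict ANCHOR CERT: print "accept" or "reject" for the report below.
verdict() { if trusts "$1" "$2"; then echo accept; else echo reject; fi; }

make_ca lab-capf-root      # stands in for the CA that signs the phones' LSCs
make_ca lab-mfg-root       # stands in for a different root imported by mistake
make_ca lab-aaa-root       # stands in for the CA behind the ISE/ACS certificate
issue lab-capf-root SEP001122334455   # constructed phone LSC
issue lab-aaa-root  lab-ise-server    # constructed AAA server EAP certificate

echo "AAA server checks the phone's LSC:"
echo "  trust store = lab-capf-root -> $(verdict lab-capf-root SEP001122334455)"
echo "  trust store = lab-mfg-root  -> $(verdict lab-mfg-root SEP001122334455)"
echo "Phone checks the AAA server certificate:"
echo "  trust list  = lab-aaa-root  -> $(verdict lab-aaa-root lab-ise-server)"
echo "  trust list  = lab-capf-root -> $(verdict lab-capf-root lab-ise-server)"
```

The same `openssl verify -CAfile` check can be run against a real exported root and a real phone or server certificate before importing anything, to confirm the chain is the one you expect.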