
ISE - dot1x EAP TLS for Cisco IP Phones

contactabbas
Level 1

Hi Gents,

I have a question about the CA configs for ISE or ACS.

As I understand, the LSC certificate is issued by the CUCM through its Certificate Authority Proxy Function. If an IP Phone needs to be authenticated by its LSC (Locally Significant Certificate), which of the following CAs do we need to trust:

1. Cisco CA Certificate

2. CUCM Locally signed Certificate or CUCM Identity Certificate

And if these certificates are imported into ISE/ACS, will the ISE/ACS be able to authenticate the IP Phone if the dot1x EAP-TLS authentication is enabled for IP Phones?

Is there any other configs needed?

I would highly appreciate it if someone could clarify this process for me.

Regards,

2 Replies

contactabbas
Level 1

I got the answer, for the first part of the EAP TLS authentication: Phone authentication

In an IEEE 802.1X authentication, the AAA server is responsible for validating the certificate provided by the phone. To do this, the AAA server must have a copy of the root CA certificate that signed the phone's certificate. The root certificates for both LSCs and MICs can be exported from the CUCM Operating System Administration interface and imported into your AAA server.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000412

As this is EAP TLS, the server (ISE/ACS) is also required to authenticate itself to the phone.

What is needed for this?

A CTL File with Server Certificates.
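
The trust check described in the reply above, as an added example that is not part of the original posts: a phone certificate validates only against a trust store holding the root CA that signed it. Every CA, key and certificate here is generated locally as a constructed stand-in (nothing is exported from a real CUCM), and the helper names are hypothetical.

```shell
#!/usr/bin/env bash
# Constructed demo: the CAs and the phone certificate are local stand-ins,
# not real CAPF or Cisco manufacturing material.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > "$workdir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_ca <name> <CN>: create a self-signed root CA (key + certificate).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$workdir/ca.cnf" \
    -subj "/CN=$2" -keyout "$workdir/$1.key" -out "$workdir/$1.pem" 2>/dev/null
}

# issue_cert <ca> <name> <CN>: issue a leaf certificate signed by that CA.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$workdir/ca.cnf" \
    -subj "/CN=$3" -keyout "$workdir/$2.key" -out "$workdir/$2.csr" 2>/dev/null
  openssl x509 -req -in "$workdir/$2.csr" -CA "$workdir/$1.pem" \
    -CAkey "$workdir/$1.key" -CAcreateserial -days 1 \
    -out "$workdir/$2.pem" 2>/dev/null
}

# trusts <ca> <cert>: succeeds only if the certificate chains to that CA,
# the same decision the AAA server makes about the phone's certificate.
trusts() {
  openssl verify -CAfile "$workdir/$1.pem" "$workdir/$2.pem" >/dev/null 2>&1
}

make_ca capf_root "Constructed CAPF root"          # stand-in for the LSC issuer
make_ca other_root "Constructed unrelated root"    # a CA that did not sign the LSC
issue_cert capf_root phone_lsc "SEP001122334455"   # constructed phone identity

for ca in capf_root other_root; do
  if trusts "$ca" phone_lsc; then result=accepted; else result=rejected; fi
  echo "trust store = $ca: phone LSC $result"
done
```

With real material, the same `openssl verify -CAfile` call against the certificate exported from CUCM confirms the right root was imported before testing 802.1X on the switch port.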
