OEAP 602 Remote LAN 802.1x (Port 4) with Wired IP Phone and Laptop behind the IP Phone
1. WLC 5508 running 22.214.171.124
2. OEAP 602I
3. Windows 7 Client
4. Cisco IP Phone 7975
5. ACS 5.2
STEP 1: Creating a Remote LAN for OEAP Wired Clients (Port 4)
STEP 2: Setting up the wired IP phone for 802.1X authentication
On the phone, go to Settings > Security Configuration > 802.1X Authentication > Device Authentication and set it to Enabled.
You do not need to enable the EAP-MD5 password, because the phone does EAP-TLS authentication.
STEP 3: Getting the chained cert for the Cisco 7975 phone for EAP-TLS authentication
Note: Set the Remote LAN to no security first. Let the phone grab an IP address and register to Call Manager. From Call Manager, enable web access for the phone. Browse to the phone's HTTPS page and grab the phone's device cert with your web browser.
Click on the Details tab and hit Export.
Save the cert on the local machine.
Open the cert by double-clicking it and click on the 'Certification Path' tab.
You can see the chained cert of the device. You already have the device cert, so from this view save the intermediate CA cert and the Root CA cert as well.
Now you have 3 certs: CP-7975G-SEPD0C282D1F0BA (the device cert), Cisco Manufacturing CA (the intermediate) and Cisco Systems (the root).
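Instead of exporting each certificate through the browser, the chain the phone presents can be pulled and checked from a shell before importing it into ACS. This is an added example, not part of the original post: it assumes openssl is installed, the phone IP is a placeholder argument, and the phone may not include the Cisco Systems root in its handshake, in which case that cert still has to come from the browser's Certification Path view as described above.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl is installed and
# the phone's web access is enabled; the phone IP is a placeholder argument.

# Pull every certificate the phone presents in its TLS handshake as one PEM bundle.
fetch_phone_chain() {
  openssl s_client -connect "$1:443" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Split a PEM bundle ($1) into numbered files "$2-1.pem", "$2-2.pem", ...
# in the order presented (device cert first, then its issuing CAs).
# Prints the number of certificates written.
split_pem_chain() {
  awk -v prefix="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".pem" }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
    END { print n+0 }
  ' "$1"
}

# Print subject and issuer of each cert so the chain can be matched against the
# names in the Certification Path tab (device -> Cisco Manufacturing CA -> Cisco Systems).
show_chain_names() {
  for f in "$@"; do
    openssl x509 -in "$f" -noout -subject -issuer
  done
}

# Verify the device cert ($3) chains through the intermediate ($2) to the root ($1),
# which is exactly what ACS must be able to do once the two CAs are imported.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

main() {
  fetch_phone_chain "$1" > phone-chain.pem
  count=$(split_pem_chain phone-chain.pem phone-cert)
  echo "certificates presented by the phone: $count"
  show_chain_names phone-cert-*.pem
  if [ "$count" -ge 3 ]; then
    verify_chain phone-cert-3.pem phone-cert-2.pem phone-cert-1.pem
  else
    echo "root CA not presented; export it from the browser's Certification Path view"
  fi
}
if [ "$#" -ge 1 ]; then main "$@"; fi
```

Run it as `sh fetch-chain.sh PHONE_IP`; the numbered PEM files it writes are what you import into ACS in the next step.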
STEP 4: Import these certs into the ACS Certificate Authorities store for EAP-TLS authentication of the 7975 IP phone.
When you add each cert, check the 'Trust for client with EAP-TLS' option.
STEP 5: Configuring Access Policies on ACS
Under Service Selection Rules, check 'Rule based result selection'.
I have configured Rule 1 for RADIUS with the service set to Default Network Access, and Rule 2 for TACACS with the service set to Default Device Admin.
Under Default Network Access:
Allow the necessary protocols.
Select Default Network Access > Identity and click on 'Rule based result selection'.
Hit Customize to add the 'EAP Authentication Method' and 'EAP Tunnel Building Method' conditions.
Create a new rule that matches PEAP and MSCHAP-v2 for Windows 7 authentication and points to the Internal Users identity source.
I have the Default rule at the end pointing to the CN username for EAP-TLS authentication of the 7975 IP phone.
STEP 6: Setting up wired 802.1X authentication on Windows 7
STEP 7: Enable 802.1X authentication on the Remote LAN and sit tight.
Below you can see a successful authentication for the 7975 phone using x509_PKI and for Windows 7 using PEAP (EAP-MSCHAPV2).