OEAP 602 Remote LAN 802.1x (Port 4) with Wired IP Phone and Laptop behind the IP Phone
1. WLC 5508 running 22.214.171.124
2. OEAP 602I
3. Windows 7 Client
4. Cisco IP Phone 7975
5. ACS 5.2
STEP 1: Creating a Remote LAN for OEAP Wired Clients (Port 4)
STEP 2: Setting up the wired IP phone for 802.1X authentication
On the phone, go to Settings > Security Configuration > 802.1X Authentication > Device Authentication > Enabled.
You do not need to enable the EAP-MD5 password; the phone authenticates with EAP-TLS.
STEP 3: Getting the chained certificate for the Cisco 7975 phone for EAP-TLS authentication
Note: Set the Remote LAN to no security. Let the phone get an IP address and register to Call Manager. From Call Manager, enable web access for the phone. Browse to the phone's HTTPS page and grab the phone's device cert using your web browser.
Click on the Details tab and hit Export.
Save the cert on the local machine.
Open the cert by double-clicking it and click on 'Certification Path'.
Here you can see the device's certificate chain. You already have the device cert; from this view, also save the intermediate CA cert and the Root CA cert.
You now have three certs: CP-7975G-SEPD0C282D1F0BA, Cisco Manufacturing CA and Cisco Systems.
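The browser export above can be scripted. This is an added example, not part of the original post: it pulls the certificate chain straight from the phone's HTTPS page with openssl s_client and writes each certificate to its own PEM file; the script name, arguments and output file names are my own assumptions.

```shell
#!/bin/sh
# grab-phone-chain.sh (hypothetical name): fetch the IP phone's TLS
# certificate chain and split it into one PEM file per certificate.
# Assumes web access is enabled on the phone (STEP 3) and port 443 is reachable.
set -eu

# fetch_chain HOST PORT: print every certificate the phone's web server
# sends during the TLS handshake, in PEM form (-showcerts prints the chain).
fetch_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null
}

# split_chain OUTDIR (reads PEM on stdin): write cert-0.pem, cert-1.pem, ...
# (device cert first, then the CA certs) and print how many were found.
split_chain() {
    outdir="$1"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        BEGIN { n = 0; keep = 0 }
        /-----BEGIN CERTIFICATE-----/ { file = dir "/cert-" n ".pem"; keep = 1 }
        keep { print > file }
        /-----END CERTIFICATE-----/   { close(file); keep = 0; n++ }
        END { print n }
    '
}

# describe_cert FILE: subject and issuer, so you can tell the device cert
# (CN=CP-7975G-SEP...) from Cisco Manufacturing CA and the Cisco Systems root.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer
}

main() {
    host="$1"; port="${2:-443}"; outdir="${3:-./phone-certs}"
    count=$(fetch_chain "$host" "$port" | split_chain "$outdir")
    echo "saved $count certificate(s) to $outdir"
    for f in "$outdir"/cert-*.pem; do
        echo "== $f"; describe_cert "$f"
    done
}

# Run only when a phone address is given, e.g.: ./grab-phone-chain.sh 10.0.0.25
if [ "$#" -gt 0 ]; then main "$@"; fi
```

If the phone sends only its device certificate in the handshake, the Manufacturing CA and root certs still have to be collected from the Certification Path view as described above.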
STEP 4: Import these certs under ACS Certificate Authorities for EAP-TLS authentication of the 7975 IP phone.
When you add each cert, check the 'trust for Client with EAP-TLS' option.
STEP 5: Configuring Access Policies on ACS
From Service Selection Rules, check Rule based result selection.
I have configured Rule 1 for RADIUS with the service set to Default Network Access and Rule 2 for TACACS with the service set to Default Device Admin.
Under Default Network Access:
Allow the necessary protocols.
Select Default Network Access > Identity and click on Rule based result selection.
Hit Customize to add 'EAP Authentication Method' and 'EAP Tunnel Building Method'.
Create a new rule that matches PEAP and MSCHAPv2 for Windows 7 authentication and points to the Internal Users identity source.
I have the Default rule at the end pointing to CN Username for EAP-TLS authentication of the 7975 IP Phone.
STEP 6: Setting up wired 802.1X authentication for Windows 7
STEP 7: Enable 802.1X authentication on the Remote LAN and sit tight.
Below you can see successful authentications for the 7975 phone using x509_PKI and for Windows 7 using PEAP (EAP-MSCHAPV2).