802.1x phone authentication for EAP-TLS via MIC only?

Unanswered Question
Jul 26th, 2010

Anyone have any experience authenticating Cisco IP Phones (7942G & 7962G) via an 802.1x switchport using EAP-TLS with the Cisco installed MIC (manufacturer installed certificate)?  What I'm trying to do is to authenticate the phone to our network via the built-in MIC and validate against the CommonName of the phone's built-in certificate (which should be CP7962-SEP{mac-address}).

802.1x auth on the switchport works with Windows/Linux clients without any problems (via EAP-PEAP with a Thawte signed local certificate).  I can also authenticate the phones via EAP-MD5 if I configure a password on the phone itself.  So I know that the switch is configured properly.  I don't want to manually configure a MD5 password on all 700+ phones we are deploying.  I'd like to use the built-in MIC certificate to validate based on the CN name of the phone's certificate.

I do not want to apply any LSCs to the phones (locally signed certificates), I only want to use the MIC to validate against.  According to Cisco docs it should be possible, but there are no examples of how to use the built-in cert on the phone to validate with. Only LSC examples are shown.

And of course all the docs are how to configure it using SecureACS v5.1 (I'm using a 3rd party radius server -- Radiator (www.open.com.au/radiator)).

I've had a heck of a time with TAC trying to get the right information out of them on what is needed for the MIC side and not the LSC side.

So far I've found the following documentation on how to configure ACS v5.1 -- but it doesn't state how to use the MIC instead of the LSC.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000414

ACS configuration and setup from the document above (for LSCs):  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000600

I've downloaded the following Certificate Authorities and applied them to my radiator configuration as "CA Certs":

Cisco Systems Root CA from:  http://www.cisco.com/security/pki/certs/crca2048.cer
Cisco Manufacturer CA from:  http://www.cisco.com/security/pki/certs/cmca.cer


It looks like both of the above are Certificate Authorities.  But in order to configure TLS, the radius server needs to have a "server certificate" to work in addition to the CA for TLS.  I've tried using CAP-RTP-001.pem and CAP-RTP-002.pem and callmanager.pem as the server certificate from my CUCM v7.x servers with no luck.

Test phone is running 9.0.3 SCCP load talking to Call Manager v7.1.3.

Switches are 3750's running 12.2(53)SE.

I have enabled 802.1x authentication manually on each phone through the settings button.

Any idea what I need to be using for the server certificate and CA in order to use the MIC for 802.1x EAP-TLS?  Remember I just want to authenticate the phone to our network (without installing any certificates on the phone itself -- use only the built-in Cisco cert).  I don't want to authenticate the phone to Call Manager, just to our switchports via 802.1x to assign VLAN/etc to make sure the phone is authorized to be on our network and put in the appropriate VLAN.

--greg

Gregory A. Fuller - CCNA
Network Manager
State University of New York at Oswego
Phone: (315) 312-5750
http://www.oswego.edu/~gfuller

Yorick Petey Tue, 09/21/2010 - 09:01

Hi Greg,

I am looking to do the exact same configuration. Did you succeed to use MIC?

Thank you for your help.

Best regards,

Yorick

greg.fuller Wed, 09/22/2010 - 05:46

Yes I was able to get this working.  I should have come back and posted how I got this working for my future reference and everyone else's!  Here's a sample Radiator config file for how I did it.  I also provided the same information to Cisco TAC and they said they would add it to their reference notes for other customers when they inquired about the same issue.

####################################################################
####################################################################
########## Phone EAP-TLS Authentication  ###########################
####################################################################
####################################################################
#
# This MUST come before any less specific other handlers for
# otherwise Cisco phones may try authentication via other EAP
# types such as EAP-FAST which we DO NOT want to use
#
# NOTE: the angle-bracket tags of this Radiator config (<Handler>,
# <AuthBy>) were stripped when the post was rendered and are restored
# below. The original <Handler ...> selection attributes (which requests
# this handler matches) were lost with them and are not reproduced here;
# add your own so the handler only catches the phone requests.
#
<Handler>
        <AuthBy FILE>
                # Users file; its single DEFAULT entry hands the request to
                # the Check-CUCM AuthBy below
                Filename %D/voip-phones-tls-redirect
                EAPType TLS
                # Server certificate and key presented to the phone during
                # the TLS handshake (any valid public CA issued cert works)
                EAPTLS_CertificateFile /etc/radiator/certs/20100817-cert.pem
                EAPTLS_PrivateKeyFile  /etc/radiator/certs/20100818-priv.key
                EAPTLS_CertificateType  PEM
                # CA bundle of the server cert's issuer, then the Cisco Root CA +
                # Cisco Manufacturing CA chain the phone's MIC is verified against
                EAPTLS_CAFile   /etc/radiator/certs/ca/SSL123_CA_Bundle.pem
                EAPTLS_CAFile %D/certs/ca/cisco/crca2048-cmca-chain.pem
                EAPTLS_MaxFragmentSize 1000
                AutoMPPEKeys
                DefaultReply REJECT
                # Tag the phone as a voice device and place it on the voice VLAN
                AddToReply    cisco-avpair = "device-traffic-class=voice" \
                                        Tunnel-Type=1:VLAN,\
                                        Tunnel-Medium-Type=1:Ether_802,\
                                        Tunnel-Private-Group-ID=1:VOICE-LAN
        </AuthBy>

        AuthLog VOIP-AuthLogger
        AcctLogFileName /var/log/radius/VOIP-detail
</Handler>


# AuthBy type inferred from the DefaultResult parameter (tag lost in rendering)
<AuthBy INTERNAL>
        # Default result should be ACCEPT so we can change the VLAN to a "dummy" VLAN for un-authorized devices
        # This prevents "looping" of authentication requests from the device when it keeps failing
        Identifier Check-CUCM

        DefaultResult ACCEPT
</AuthBy>


Contents of "voip-phones-tls-redirect" user file:

DEFAULT Auth-Type=Check-CUCM

You'll need to create the "crca2048-cmca-chain.pem" CA file manually.  You just download the following 2 files and concat them together with crca2048.cer being at the top of the file.

http://www.cisco.com/security/pki/certs/crca2048.pem

http://www.cisco.com/security/pki/certs/cmca.cer

Both of the above (and other Cisco security certs) can be found at:  http://www.cisco.com/security/pki

Whatever certificate you send to the phone (/etc/radiator/certs/20100817-cert.pem listed above) can be issued from ANY ssl provider as long as it is valid and you have the correct corresponding CA file.

This should all validate the MIC that the phone replies back with against the Cisco Manufacturing cert and you should be good to go.  Keep in mind that if you send a REJECT message back, the phone will keep trying to authenticate over and over and over and over again.  We set up a postauth script that will reply with an accept message and a "dummy" vlan to place the phone in that doesn't go anywhere.  This prevents the frequent re-authorizations from the client and filling up log space on the radius server.  You could also do this on the switch side by enabling the dot1x failure vlan on each port to the "dummy" vlan as well (authentication event fail action authorize vlan xxx).

--greg
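A worked model of the reply-selection step Greg's answer describes (checking the MIC's CommonName, tying its embedded MAC to the port, and answering with either the voice VLAN or the dead-end "dummy" VLAN). This is added example code, written in Python rather than as a Radiator Perl hook, and is not from Greg's setup; the VOIP-DEADEND VLAN name and the two accepted CN spellings are assumptions.

```python
import re

# Added model of the post-auth decision; not code from the original post.
# It assumes EAP-TLS has already verified the MIC against the Cisco root +
# manufacturing CA chain and only decides which VLAN the reply carries.
#
# Assumed MIC subject format: the question gives it as CP7962-SEP{mac};
# 79xx MICs are issued as CP-7962G-SEP<12 hex digits>. Both spellings match
# here; confirm against a real MIC's subject before relying on the pattern.
MIC_CN_RE = re.compile(r"^CP-?(?P<model>79\d\d)G?-SEP(?P<mac>[0-9A-F]{12})$")

VOICE_VLAN = "VOICE-LAN"      # Tunnel-Private-Group-ID from the posted config
DUMMY_VLAN = "VOIP-DEADEND"   # constructed name for the dead-end "dummy" VLAN


def normalize_mac(mac):
    """Reduce 00-11-22-33-44-55 / 0011.2233.4455 / 00:11:... to 12 upper-case hex digits."""
    return re.sub(r"[^0-9A-Fa-f]", "", mac or "").upper()


def vlan_reply(vlan, voice):
    """Reply attributes shaped like the AddToReply line in the posted config."""
    attrs = {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "Ether_802",
        "Tunnel-Private-Group-ID": vlan,
    }
    if voice:  # only an authorized phone is tagged as voice traffic
        attrs["cisco-avpair"] = "device-traffic-class=voice"
    return attrs


def decide(cert_cn, calling_station_id):
    """Return (reason, reply_attrs) for one phone authentication.

    An authorized phone gets the voice VLAN. Anything else still gets an
    Access-Accept, but on the dead-end VLAN, as the post describes, so the
    phone does not loop on re-authentication and fill the RADIUS log.
    """
    m = MIC_CN_RE.match(cert_cn or "")
    if not m:
        return "cn-not-a-phone-mic", vlan_reply(DUMMY_VLAN, voice=False)
    if m.group("mac") != normalize_mac(calling_station_id):
        # The MAC embedded in the MIC must be the MAC the switch saw on the
        # port (Calling-Station-Id); a phone certificate presented from
        # different hardware is not authorized.
        return "mac-mismatch", vlan_reply(DUMMY_VLAN, voice=False)
    return "ok", vlan_reply(VOICE_VLAN, voice=True)
```

The `reason` string is what you would write to the AuthLog so that mismatches are visible without digging through the RADIUS detail file.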

Yorick Petey Wed, 09/22/2010 - 06:32

Thank you so much Greg for this quick and complete answer. We will have to configure 802.1X between IP Phones and ACS. We want to avoid the security mode of the cluster in a first step, so MIC will be very useful.

Thank you again and have a good day.

Best regards,

Yorick

greg.fuller Wed, 09/22/2010 - 07:03

If you're configuring this using ACS, Cisco has a really nice guide that they published that explains everything you need to do for IP phones and 802.1x called "Identity-Based Networking Services: IP Telephony In IEEE 802.1X-Enabled Networks Deployment and Configuration Guide":

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html

There are excellent screen shots of ACS 5.x and how to configure ACS for it with a MIC or LSC.  I actually used the evaluation version of ACS 5.1 and followed those directions to figure out how it was actually working to replicate it on my 3rd party Radiator RADIUS server.

Good luck!

--greg

Gustavo Novais Thu, 03/15/2012 - 18:54

Hi Greg,

First of all, thanks a lot for sharing the information on this post. We are exactly in the same position as you, but actually our problem doesn't seem to be related to the radiator (in our case freeradius) but to the phone.

What settings did you enable on the phone/cucm to allow the phone to authenticate? Did you push any root CA certificates to the phone via the CAPF / CTL file function? Does the phone even validate the server certificate that you present upon authentication?

Are you also encrypting the RTP streams on the phones or only using MIC to authenticate via 802.1X?

What we're seeing currently is the RADIUS presenting its certificate as part of the TLS handshake, but the phone just seems to ignore that. We didn't push any certificate or enable CAPF for the phones yet.

Thanks in advance for your insight.

Gustavo

Posted July 26, 2010 at 10:20 AM