Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

EAP-TLS w/freeradius failing. Phone doesn't present Client certificate.


I'm currently on the first phases of deploying a Cisco IPT 802.1X based proof of concept using freeradius, Cisco switching infrastructure (4500's).

The requirements are to use EAP-TLS authentication for the phones, and freeradius as Radius Server.

While trying out the concept in lab using an ISE Radius server, the configuration was straightforward and I did manage to authenticate IP phones using their MIC certificates to the ISE.

Going to actual testing with freeradius, EAP-TLS authentication keeps looping, the phones keep sending RADIUS Access requests, but not being rejected or allowed.

What was done:

- set up freeradius with EAP-TLS configuration, trusting both cisco CA root  and manufacturing root.

- freeradius has a server certificate generated by Thawte SSL CA certificate, where EKU fields are properly set for server authentication (and also client authentication)

- Phone had 802.1X enabled (and it does support EAP-TLS, as verified with the ISE test)

What I can see while running a wireshark trace on freeradius is:

     - both parties negotiate properly that they will engage in EAP-TLS.

     - they  start the TLS handshake

     - Server sends its certificate on a Server Hello to the phone (which is meant to not validate it)

     - Client (phone) never sends its certificate (MIC) to the server.

     - Client restarts EAP-TLS negotiation and goes on and on.

Unfortunately the debugs/Captures on freeradius do not allow to verify if the server certificate exchange is finished, or if it is failing somewhere (like a fragment being dropped).

Does anyone have an idea on what might be happening? I find it very strange that the phone, on a freeradius deployment, would behave differently than one on a ISE deployment, especially because it doesn't validate the server certificate, so it shouldn't matter what is presented to the phone.

Phone firmware is 9.2(3) and callmanager 8.6


Gustavo Novais

Everyone's tags (6)
New Member

I know this is an old thread

I know this is an old thread but I just had the same behavior as OP with freeRadius 3.0.9 and 8845 phones running 10.3.16 on a 10.5 cluster so... still relevant.

I found the following in the phone console logs:

5840 ERR Nov 14 23:25:51.242806 PAE: -Total fragmented length(1616) doesn't match expected length(1612)

I was able to resolve the problem by adding  include_length = no in mods-available/eap file under the tls section.

CreatePlease to create content