I want to use this contribution to say YES.
I can say IT works with Cisco phone series 78xx!!!
Yesterday I finished my Cisco phone lab (with 1x 7821 and 1x 7841) successfully with MS NPS authentication and EAP-TLS. I've used a CUCM cluster (version 10.5.2) in offline CA mode and a Windows 2008 R2 server.
I have a problem with the Cisco phone series 79xx (SCCP and SIP) and the LSC certificate to authenticate it on the MS NPS (error code 262). A workaround is to use MD5 authentication for 802.1x, but for secure voice you can also use the LSC certificate from the Windows CA.
If you want to have the complete solution, PM me.
Could you share the answer? I'm looking to use MIC certs for 7962 and 2008 Microsoft NPS. I'm having an issue where the phone isn't sending the correct EAP type. I've tried everything here... Please share!
You have to set "Microsoft: Smart Card or other certificate" in your network rule to use EAP-TLS with the Cisco phone.
If you have a CUCM 10.5 or higher, you can also use an LSC cert from your Windows CA to authenticate the phone.
If you have a CUCM lower than 10.5, you can use MD5 authentication.
Those are indeed the settings I've tried and exploited to my very last nerve. I am on CUCM 10.5 and attempting with MIC with EAP-TLS. Were you able to accomplish said condition?
Was any certificate mapping required in Active Directory to the used service account?
The NPS is translating the incoming MAC to this service account.
Have you tested the settings with the service principal name?
You need both: the subject alternative name (SAN) in the certificate and the service principal name (SPN) in the user account.
For 79xx phones with NPS 2008 R2 you have to limit the certificates to 1024 bit.
Now I can say 802.1x EAP-TLS works with 78xx and 79xx phones, an LSC certificate from NPS 2008 R2 and CUCM 10.5.2.
Can you confirm which value we have to use to create the username in AD?
I used CP-<model>-SEP-<MAC> format with no success.
I uploaded both MIC certificates on the NPS server.
(You can download these certificates from there if I'm correct:
In the NPS log I have this error:
The specified user account does not exist.
Is it because the username used by the IP phone is longer than 20 characters?
Yes, it is. You have to "manipulate" the username in NPS. What I did was to add @your.domain at the end of the username.
I've managed to figure out the regular expression that you can use to replace/modify the Cisco username. Under Connection Request Policies, go to the policy you created to authenticate your phones, right-click > Properties > Settings tab, select Attribute. In the drop-down on the right select User-Name and click Add...
That's what I tried, but it didn't work for me.
Hi Nicolas, Hi Rene,
I've manipulated the Connection Request Policy for the username to cut the CP-<model>- off and use the rest of the IP phone identity for the user account (username).
I've used SEP<MAC> for all user accounts and, in addition, manipulated the SPN into host/SEP<MAC>.
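The Connection Request Policy User-Name rewrite and the SEP<MAC> / host/SEP<MAC> account convention described in the posts above, as an added example that is not code posted by anyone in this thread. It assumes the phone presents its identity as CP-<model>-SEP<MAC> (the thread also writes it as SEP-<MAC>, so an optional hyphen is accepted), a hypothetical domain example.com and OU "OU=IPPhones,DC=example,DC=com", and the ActiveDirectory module from Windows Server 2012 or later (for New-ADUser -ServicePrincipalNames). The NPS find/replace pattern is given in the comment header; the script applies the same rewrite locally so the account it creates is the one NPS will look up.

```powershell
# Added example for this thread, not code from any participant.
# Assumptions (not stated in the thread): phone username CP-<model>-SEP<MAC>,
# e.g. CP-7962G-SEP001122334455; domain example.com; OU below; AD module 2012+.
#
# NPS side (Connection Request Policy > Properties > Settings > Attribute > User-Name):
#   Find:          ^CP-[^-]+-SEP-?([0-9A-Fa-f]{12})$
#   Replace with:  SEP$1
# This rewrites CP-7962G-SEP001122334455 to SEP001122334455, which is 15
# characters and therefore within the 20-character sAMAccountName limit.

Import-Module ActiveDirectory

$Domain  = 'example.com'                      # assumed
$PhoneOU = 'OU=IPPhones,DC=example,DC=com'    # assumed

# Same rewrite as the NPS rule, plus the length check NPS will not do for you.
function ConvertTo-PhoneAccount {
    param([Parameter(Mandatory)][string]$PhoneUserName)
    if ($PhoneUserName -notmatch '^CP-[^-]+-SEP-?([0-9A-Fa-f]{12})$') {
        throw "Unexpected phone username format: $PhoneUserName"
    }
    $sam = 'SEP' + $Matches[1].ToUpper()
    if ($sam.Length -gt 20) { throw "sAMAccountName '$sam' exceeds 20 characters" }
    [pscustomobject]@{
        SamAccountName       = $sam
        UserPrincipalName    = "$sam@$Domain"   # should match the SAN in the phone's LSC
        ServicePrincipalName = "host/$sam"      # SPN form used in the thread
    }
}

# Create the AD user for one phone, or add the SPN if the user already exists.
# The password is random and never used: EAP-TLS authenticates with the
# certificate, but AD still requires a password to enable the account.
function New-PhoneADAccount {
    param(
        [Parameter(Mandatory)][string]$PhoneUserName,
        [switch]$WhatIf
    )
    $acct = ConvertTo-PhoneAccount -PhoneUserName $PhoneUserName

    $existing = Get-ADUser -Filter "SamAccountName -eq '$($acct.SamAccountName)'"
    if ($existing) {
        Write-Warning "$($acct.SamAccountName) already exists; ensuring SPN is set"
        Set-ADUser -Identity $existing `
            -ServicePrincipalNames @{Add = $acct.ServicePrincipalName} `
            -WhatIf:$WhatIf
        return $acct
    }

    $chars    = [char[]]((48..57) + (65..90) + (97..122))
    $password = -join ($chars | Get-Random -Count 32)

    New-ADUser -Name $acct.SamAccountName `
        -SamAccountName $acct.SamAccountName `
        -UserPrincipalName $acct.UserPrincipalName `
        -ServicePrincipalNames $acct.ServicePrincipalName `
        -Path $PhoneOU `
        -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
        -PasswordNeverExpires $true `
        -Enabled $true `
        -WhatIf:$WhatIf
    return $acct
}

# Usage: preview with -WhatIf first, then run for real.
New-PhoneADAccount -PhoneUserName 'CP-7962G-SEP001122334455' -WhatIf
```

Before enabling the NPS rule, verify the rewrite on one phone: the account name NPS logs in its "user account does not exist" event must equal the SamAccountName the function returns, and the certificate the phone presents must carry the matching UPN/SAN, otherwise "Microsoft: Smart Card or other certificate" still has nothing to map the certificate to.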
Can you provide your solution to me? We are using NPS for 802.1x too.
But our 802.1x guys are facing problems with the AD objects.
How must the user (phone) be configured/added to AD to be used within NPS?
You can reach me at firstname (without the 1) dot lastname @grz.at
Many thanks and cheers