New Member

802.1x phone authentication for EAP-TLS using MS NPS radius server?

I cannot make it work. Has anyone come across that?

  • IP Telephony
14 REPLIES
New Member

I want to use this contribution to say YES.

I can say it works with Cisco phone series 78xx!!!

Yesterday I finished my Cisco Phone Lab (with 1x 7821 and 1x 7841) successfully with MS NPS authentication and EAP-TLS. I've used a CUCM cluster (version 10.5.2) in Offline CA mode and a Windows 2008 R2 Server.

I have a problem with the Cisco Phone series 79xx (SCCP and SIP) and the LSC certificate to authenticate it on the MS NPS (error code 262). A workaround is to use MD5 authentication for 802.1x, but for secure voice you can also use the LSC certificate from the Windows CA.

If you want to have the complete solution, PM me.

New Member

Could you share the answer? I'm looking to use MIC certs for 7962 and 2008 Microsoft NPS. I'm having an issue where the phone isn't sending the correct EAP type. I've tried everything here... Please share!

New Member

Hi Cisco-ID,

You have to set "Microsoft smartcard or other certificate" in your network rule to use EAP-TLS with the Cisco phone.

If you have CUCM 10.5 or higher, you can also use an LSC cert from your Windows CA to authenticate the phone.

If you have a CUCM lower than 10.5, you can use MD5 authentication.

New Member

Hey Lappian

Those are indeed the settings I've tried and exploited to my very last nerve. I am on CUCM 10.5 and attempting with MIC with EAP-TLS. Were you able to accomplish said condition?

Was any certificate mapping required in active directory to the used service account?

https://technet.microsoft.com/en-us/library/cc736781(v=ws.10).aspx

The NPS is translating the incoming MAC to this service account.

New Member

Hi CSCO11894119,

Have you tested the settings with the service principal name?

You need both, the subject alternative name (SAN) in the certificate and the service principal name (SPN) in the user account.

For 79xx phones with NPS 2008 R2 you have to limit the certificates to 1024 bit.

Now I can say 802.1x EAP-TLS works with 78xx and 79xx phones, LSC certificate from NPS 2008 R2 and CUCM 10.5.2.

New Member

Hi,

Can you confirm which value we have to use to create the username in AD?

I used the CP-<model>-SEP-<MAC> format with no success.

I uploaded both MIC certificates on the NPS server.

(You can download these certificates from there if I'm correct:

http://www.cisco.com/security/pki/certs/cmca2.cer

http://www.cisco.com/security/pki/certs/crcam2.cer)

In the NPS log I have this error:

The specified user account does not exist.

Is it because the username used by the IP phone is longer than 20 characters?

New Member

Yes it does. You have to "manipulate" the username in NPS. What I did was to add @your.domain at the end of the username.

I've managed to figure out the regular expression that you can use to replace/modify the Cisco username. Under Connection Request Policies, go to the policy you created to authenticate your phones, right click > Properties > Settings tab, select Attribute. Go to the drop-down to the right, select User-Name and click Add...

https://technet.microsoft.com/en-us/library/dd197583(WS.10).aspx

That's what I tried but it didn't work for me.

New Member

Hi Nicolas, Hi Rene,

I've manipulated the Connection Request Policy for the User-Name to cut the CP-<model>- off and use the rest of the IP phone identity for the user account (username).

I've used SEP<MAC> for all user accounts and in addition manipulated the SPN into host/SEP<MAC>.

greets

Lappian
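The User-Name rewrite Rene and Lappian describe above (strip CP-<model>- and authenticate the phone as SEP<MAC>, with SPN host/SEP<MAC>), as an added worked example that is not code from any poster: a Python model of the NPS Connection Request Policy Find/Replace rule plus the 20-character sAMAccountName check behind the "account does not exist" error. The exact regex, the optional hyphen after SEP, and the use of $1 as the NPS back-reference syntax are assumptions.

```python
import re

# Phone User-Name format as discussed in the thread: CP-<model>-SEP-<MAC>.
# Assumption: the hyphen between SEP and the 12-hex-digit MAC is optional.
PHONE_USER_NAME_RE = re.compile(
    r"^CP-(?P<model>[0-9A-Za-z]+)-SEP-?(?P<mac>[0-9A-Fa-f]{12})$"
)

# Find / Replace With values as they would be entered in the NPS policy's
# User-Name attribute manipulation (assumed; NPS uses $1 for back-references).
NPS_FIND = r"^CP-[0-9A-Za-z]+-SEP-?([0-9A-Fa-f]{12})$"
NPS_REPLACE = r"SEP$1"

# sAMAccountName (pre-Windows 2000 logon name) limit the thread runs into.
SAM_ACCOUNT_NAME_MAX = 20


def nps_style_rewrite(user_name, find=NPS_FIND, replace=NPS_REPLACE):
    """Apply an NPS-style Find/Replace rule to a RADIUS User-Name.

    Returns the rewritten name, or the original unchanged when the pattern
    does not match (which is what NPS does for non-phone supplicants).
    """
    py_replace = re.sub(r"\$(\d+)", r"\\\1", replace)  # "$1" -> "\1" for Python
    return re.sub(find, py_replace, user_name)


def map_phone_account(user_name):
    """Derive the AD account name and SPN the thread settles on, and check
    whether the raw and mapped names fit the sAMAccountName limit."""
    m = PHONE_USER_NAME_RE.match(user_name)
    if not m:
        raise ValueError(f"not a Cisco phone User-Name: {user_name!r}")
    account = "SEP" + m.group("mac")  # same casing as sent by the phone
    return {
        "model": m.group("model"),
        "sam_account_name": account,
        "spn": "host/" + account,
        "raw_fits_sam": len(user_name) <= SAM_ACCOUNT_NAME_MAX,
        "mapped_fits_sam": len(account) <= SAM_ACCOUNT_NAME_MAX,
    }


if __name__ == "__main__":
    # Constructed sample identity (not a real phone MAC).
    sample = "CP-7841-SEP-001122334455"
    print(nps_style_rewrite(sample))
    print(map_phone_account(sample))
```

Run it against a few of your own phones' User-Name values from the NPS event log to confirm the rewrite yields an account that already exists in AD before enabling the rule.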

New Member

Hi Lappian,

Can you provide your solution to me? We are using NPS for 802.1x too.

But our 802.1x guys are facing problems with the AD objects.

How must the USER (phone) be configured/added to AD to be used within NPS?

You can reach me at firstname (without the 1) dot lastname @grz.at

Many thanks and cheers
