Cisco Support Community

New Member

Cisco CP-8961 MIC certificates

Hi Everybody,

We want to configure 802.1X EAP-TLS authentication on our CP-8961 phones. Following the steps in this documentation

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/IP_Tele/IP_Telephony_DIG.html#wp390292

I was able to configure EAP-TLS for our phones. Unfortunately, according to the ACS logs, both the MIC and LSC rules do not match. The authentication matches the default rule (permit access), but the TLS handshake succeeded every time. Since I'm not an SSL/TLS guru, I assume the phone has a certificate.

To view the certificate installed on the phone, I followed this instruction: https://supportforums.cisco.com/docs/DOC-25798. In the first step you trigger the "troubleshoot" from our CUCM. Unfortunately, it does not generate anything under /cm/trace/capf/sdi

So now my question is: what certificate does my 8961 use for EAP-TLS (MIC and LSC rules do not match, troubleshoot does not generate anything), and how can I view the certificate without capturing the traffic with tcpdump/Wireshark?

Thanks in advance

1 REPLY
New Member

Cisco CP-8961 MIC certificates

I was able to solve my problem.

Since I did not choose the right Device Security Profile option on CUCM under phone configuration, the "troubleshoot" option under CAPF did not generate any output under /cm/trace/capf/sdi.

After creating the right security profile for my CP-8961 deskphone, "troubleshoot" succeeded.

Reviewing the generated MIC certificate, I noticed that the OU is not EVVBU as described here

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#wp389672 but is VTG.

After changing OU from evvbu to VTG on my ACS the rule matches.
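
The check the reply describes, reading the OU out of the certificate before writing the authorization rule, as an added example that is not from either poster. It assumes the certificate is available as a PEM file and that `openssl` is installed; the function names and the sample subject values are constructed.

```shell
#!/bin/sh
# Added example: compare the OU in a certificate's subject with the value an
# authorization rule expects. Function names and subject values are constructed.

# Print every organizationalUnitName value in the subject, one per line.
cert_ous() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *organizationalUnitName *= *//p'
}

# Return 0 if a subject OU equals the expected value, 1 otherwise.
# Assumption: the rule compares the string exactly as written.
ou_matches() {
    cert_ous "$1" | grep -Fxq -- "$2"
}

# Build a throwaway self-signed certificate with a constructed subject so the
# script runs offline; a real check would use the PEM exported for the phone.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout /dev/null -out "$1" \
        -subj "/O=Example Org/OU=VTG/CN=CP-8961-SEP000000000000" 2>/dev/null
}

main() {
    pem=$(mktemp)
    make_sample_cert "$pem"
    echo "Subject OU(s): $(cert_ous "$pem")"
    # Test the documented value and the value actually found in the certificate.
    for expected in EVVBU VTG; do
        if ou_matches "$pem" "$expected"; then
            echo "rule OU=$expected: match"
        else
            echo "rule OU=$expected: no match"
        fi
    done
    rm -f "$pem"
}

main
```
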
