Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

ISE - dot1x EAP TLS for Cisco IP Phones

Hi Gents,

I have a question about the CA configs for ISE or ACS.

As I understand, LSC certificate is issued by the CUCM by its Certificate Authority Proxy Function. If an IP Phone needs to be authenticated by its LSC (Locally Significant Certificate), which of the following CA we need to trust:

1. Cisco CA Certificate

2. CUCM Locally signed Certificate or CUCM Identity Certificate

And if these certificates are imported into ISE/ACS, will the ISE/ACS will be able to authenticate the IP Phone if the dot1x EAP-TLS authentication is enabled for IP Phones?

Is there any other configs needed?

I would highly appreicate if someone can clearify me this process.


Everyone's tags (4)
New Member

ISE - dot1x EAP TLS for Cisco IP Phones

I got the answer, for the first part of the EAP TLS authentication: Phone authentication

In an IEEE 802.1X authentication, the AAA server  is responsible for validating the certificate provided by the phone. To  do this, the AAA server must have a copy of the root CA certificate that  signed the phone's certificate. The root certificates for both LSCs and  MICs can be exported from the CUCM Operating System Administration  interface and imported into your AAA server

As this is EAP TLS, Server (ISE/ACS) is also required to authenticate itself to the phone.

What is needed for this?

New Member

ISE - dot1x EAP TLS for Cisco IP Phones

A CTL File with Server Certificates.

CreatePlease to create content