OEAP 602 Remote LAN 802.1x (Port 4) with Wired IP Phone and Laptop behind the IP Phone
1. WLC 5508 running 126.96.36.199
2. OEAP 602I
3. Windows 7 Client
4. Cisco IP Phone 7975
5. ACS 5.2
STEP 1: Creating a Remote LAN for OEAP Wired Clients (Port 4)
STEP 2: Setting up the wired IP phone for 802.1X authentication
On the phone, go to Settings > Security Configuration > 802.1X Authentication > Device Authentication and set it to Enabled.
You do not need to enable a password for EAP-MD5, since the phone does EAP-TLS authentication.
STEP 3: Getting the chained cert for the Cisco 7975 phone for EAP-TLS authentication
Note: Set the remote LAN to no security. Let the phone grab an IP address and register to the Call Manager. From the Call Manager, enable web mode. Navigate to the phone's HTTPS page and grab the device cert of the phone using your web browser.
Click on the Details tab and hit Export.
Save the cert on the local machine.
Open the cert by double-clicking on it and click on the 'Certification Path' tab.
You can see the chained cert of the device. You already have the device cert; from this view, save the intermediate CA cert and the Root CA cert.
Now you have 3 certs: CP-7975G-SEPD0C282D1F0BA, Cisco Manufacturing CA and Cisco Systems.
STEP 4: Import these certs into the ACS Certificate Authorities store for EAP-TLS authentication of the 7975 IP Phone.
When you add each cert, check the 'Trust for client with EAP-TLS' option.
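Once the three certs from Step 3 are saved, the added Python below (not from the original post) tells you which file is the device cert, the Cisco Manufacturing CA and the Cisco Systems root by reading issuer and subject CN straight out of the DER with the standard library, and orders them device > intermediate > root; the device CN it returns is also the username ACS matches when the default rule uses the CN as username. The function names are mine and the sample certificates are constructed, unsigned stand-ins, not real Cisco certificates.

```python
import ssl

CN_OID = b"\x55\x04\x03"   # OID 2.5.4.3 id-at-commonName

def der_parse(buf):                          # one nesting level of DER -> [(tag, value)]
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                    # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def name_cn(name):                           # commonName of an X.501 Name: SEQ OF SET OF SEQ {OID, value}
    for _, rdn in der_parse(name):
        for _, atv in der_parse(rdn):
            (_, oid), (_, value) = der_parse(atv)
            if oid == CN_OID:
                return value.decode("utf-8")
    return ""

def cert_names(der):                         # (issuer_cn, subject_cn) of a DER-encoded Certificate
    fields = der_parse(der_parse(der_parse(der)[0][1])[0][1])   # Certificate -> tbsCertificate
    fields = fields[1:] if fields[0][0] == 0xA0 else fields     # skip the optional explicit [0] version
    return name_cn(fields[2][1]), name_cn(fields[4][1])         # serial, sigAlg, issuer, validity, subject

def order_chain(blobs):                      # [(subject_cn, issuer_cn, der)] device -> intermediate -> root
    certs = {}
    for data in blobs:                       # each exported .cer file, DER or PEM
        if data.lstrip().startswith(b"-----BEGIN"):
            data = ssl.PEM_cert_to_DER_cert(data.decode())
        issuer, subject = cert_names(data)
        certs[subject] = (subject, issuer, data)
    chain = [next(c for c in certs.values() if c[0] not in {x[1] for x in certs.values()})]
    while chain[-1][0] != chain[-1][1] and chain[-1][1] in certs:   # climb until the self-signed root
        chain.append(certs[chain[-1][1]])
    return chain

# Constructed sample: unsigned stand-ins with a structurally valid TBSCertificate, named like the phone's chain.
def tlv(tag, body):
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")) + body
def fake_cert(subject, issuer):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, cn.encode()))))
    tbs = tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01\x30\x00" + name(issuer) + b"\x30\x00" + name(subject) + b"\x30\x00"
    return tlv(0x30, tlv(0x30, tbs) + b"\x30\x00\x03\x01\x00")

SAMPLE_BLOBS = [fake_cert("CP-7975G-SEPD0C282D1F0BA", "Cisco Manufacturing CA"),
                fake_cert("Cisco Systems", "Cisco Systems"), fake_cert("Cisco Manufacturing CA", "Cisco Systems")]
```

On real input, pass the bytes of the exported .cer files to order_chain; each entry's DER can be written back out with ssl.DER_cert_to_PEM_cert if the import needs PEM.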
STEP 5: Configuring Access Policies on ACS
From Service Selection Rules, check 'Rule based result selection'.
I have configured Rule 1 for RADIUS with the service set to Default Network Access, and Rule 2 for TACACS+ with the service set to Default Device Admin.
Under Default Network Access, allow the necessary protocols.
Select Default Network Access > Identity and click on 'Rule based result selection'.
Hit Customize to add 'EAP Authentication Method' and 'EAP Tunnel Building Method' as conditions.
Create a new rule that matches PEAP and MSCHAPv2 for Windows 7 authentication and points to the Internal Users identity source.
I have the Default rule at the end pointing to the CN username for EAP-TLS authentication of the 7975 IP Phone.
STEP 6: Setting up wired 802.1X authentication for Windows 7
STEP 7: Enable 802.1X authentication on the Remote LAN and sit tight.
Below you can see successful authentications for the 7975 phone using x509_PKI and for Windows 7 using PEAP (EAP-MSCHAPv2).