ISE - dot1x EAP TLS for Cisco IP Phones
Hi Gents,
I have a question about the CA configs for ISE or ACS.
As I understand, LSC certificate is issued by the CUCM by its Certificate Authority Proxy Function. If an IP Phone needs to be authenticated by its LSC (Locally Significant Certificate), which of the following CA we need to trust:
1. Cisco CA Certificate
2. CUCM Locally signed Certificate or CUCM Identity Certificate
And if these certificates are imported into ISE/ACS, will the ISE/ACS will be able to authenticate the IP Phone if the dot1x EAP-TLS authentication is enabled for IP Phones?
Is there any other configs needed?
I would highly appreicate if someone can clearify me this process.
Regards,
I got the answer, for the first part of the EAP TLS authentication: Phone authentication
In an IEEE 802.1X authentication, the AAA server is responsible for validating the certificate provided by the phone. To do this, the AAA server must have a copy of the root CA certificate that signed the phone's certificate. The root certificates for both LSCs and MICs can be exported from the CUCM Operating System Administration interface and imported into your AAA server
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000412
As this is EAP TLS, Server (ISE/ACS) is also required to authenticate itself to the phone.
What is needed for this?
Similar Messages
-
802.1x EAP-TLS with Cisco IP-Phone on MS NPS
Hi,
does anybody get 802.1x - EAP-TLS with IP-Phones ( e.g. 7962G ) on Microsoft NPS up and running?
With ACS it is not a problem at all.
thx
SebastianHi all !
Have you solved this problem (LSC certificate )? I am facing the same problem and I did not find the solution yet.
This is the last e-mail that Microsoft TAC has sent to the customer:
====================================================================================
As per the discussion, we need to engage Vendor on the case to find out why the CRL Distribution Point (CDP) and AIA paths are missing from the certificate. Ideally CDP contains that Revocation List of the certificates and AIA is used for building the certificate chain.
"Please find below some more information about the same from Microsoft TechNet Article :
CRL Distribution Points : This extension contains one or more URLs where the issuing CA’s base certificate revocation list (CRL) is published. If revocation checking is enabled, an application will use the URL to retrieve an updated version of the CRL. URLs can use HTTP, LDAP or File.
Authority Information Access : This extension contains one or more URLs where the issuing CA’s certificate is published. An application uses the URL when building a certificate chain to retrieve the CA certificate if it does not exist in the application’s certificate cache."
=====================================================================================
Tks for your help !!!!!!!
Luis -
EAP TLS for machine and EAP PEAP for user
Hi forum
I am doing a design to use ISE to enforece dot1x for corporate machinese on both wired and wireless.
Due to the particular environment, we will need to use EAP-TLS for machines auth and on top of that use EAP-PEAP for user auth with windows credential and posture for full access.
Just wondering if anyone has done this before:
1. Will this work?
2. Any gottas?
3. what is the user experience like?
All machines are win7 based.
ThanksYou can not use the native supplicant for this. Cisco Anyconnect NAM will allow you to use this method. It is very simple to configure and deploy.
Tarik Admani
*Please rate helpful posts* -
Hi
We're planning on implementing eap-tls for our corporate iPads and in the past I've successfully tested it authenticating against ACS5.3 but now that we've moved to ISE (1.1.1.24) I'm getting an error.
22045 Identity policy result is configured for password based authentication methods but received certificate based authentication request
I've tried two different profiles, one with a certificates and AD credentials and the other one with just certificates but the error message is the same for both.
EAP-TLS is enabled in the 'Default Network Access' authentication result.
Can anyone shine a light on where I'm going wrong?
Thanks
MartinMartin,
Then that makes sense, since the ISE uses certificate based authentication when using eap-tls the certificate doesnt have the OIDs to support certificate based authentication. Here is a guide that shows the requirements needed in order to authenticate clients via certificates:
http://support.microsoft.com/kb/814394
Here is the comment in the article in this case the IAS is the radius server and the same holds true for ISE:
The IAS or the VPN server computer certificate is configured with the Server Authentication purpose. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1.
Here is the Cisco eap-tls deployment guide which references the same as above:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml#wp39121
Thanks,
Tarik Admani
*Please rate helpful posts* -
EAP-TLS for Wireless network and PEAP for wired network
Hello,
it is possible to use EAP-TLS for Wireless network and PEAP for wired network on the same laptop (Windows 7).
Thank you in advance.
ThibaultYes, this is possible. You just need to properly configure each interface to use the EAP type you want.
HTH,
Steve
Sent from Cisco Technical Support iPad App -
Hello friends!
I'm developing an application for Cisco IP Phones that whorks with JMF. Since there are some programmers in this forum that knows Cisco IP phones, I send my question here.
I was send succefully the XML message to phone (CiscoIPPhoneExecute), I was customized the paket's size to 160, etc. All works aparently. But audio stream does not reach to phone. Can anyone tell me why??
Below I write my source code.
Tanks!
Max.
import java.io.*;
import java.net.*;
import java.util.*;
import org.apache.xerces.impl.dv.util.Base64;
import javax.media.*;
import javax.media.control.*;
import javax.media.format.*;
import javax.media.protocol.*;
* @author Administrator
public class MMHTTPPost {
/** Creates a new instance of MMHTTPPost */
public MMHTTPPost() {
try {
* Envia el CiscoIPPhoneExecute al telefono
String xml = new String("<CiscoIPPhoneExecute>"+
"<ExecuteItem Priority=\"0\" URL=\"RTPRx:Stop\"/>"+"<ExecuteItem Priority=\"1\" URL=\"RTPRx:10.1.15.10:23480\"/>"+
"</CiscoIPPhoneExecute>");
String userId = "Max",
password = "12345",
basicAuth = "Basic ",
params = "XML=" + URLEncoder.encode(xml, "ISO-8859-1" );
byte[] bytes = params.getBytes();
// Create a URL pointing to the servlet or CGI script and open an HttpURLConnection on that URL
URL url = new URL( "http://10.1.15.56/CGI/Execute" );
HttpURLConnection con = ( HttpURLConnection ) url.openConnection();
// Indicate that you will be doing input and output, that the method is POST, and that the content
// length is the length of the byte array
con.setDoOutput( true );
con.setDoInput( true );
con.setRequestMethod( "POST" );
con.setRequestProperty( "Content-length", String.valueOf( bytes.length ) );
// Create the Basic Auth Header
Base64 encoder = new Base64();
basicAuth = (String)encoder.encode( ((String)(userId + ":" + password)).getBytes() );
System.out.println("Codificado: " + basicAuth);
con.setRequestProperty( "Authorization", "Basic " + basicAuth.trim() );
// Write the parameters to the URL output stream
OutputStream output = con.getOutputStream();
output.write( bytes );
output.flush();
// Read the response
BufferedReader input = new BufferedReader( new InputStreamReader( con.getInputStream() ) );
while ( true ) {
String line = input.readLine();
if ( line == null )
break;
System.out.println( line );
input.close();
output.close();
con.disconnect();
* Aca empieza la parte RTP/JMF
// Create a Processor for the selected file. Exit if the
// Processor cannot be created.
Processor processor = null;
try {
String mediaUrl = "file:\\C:\\pruebas execute\\spacemusic.au";
processor = Manager.createProcessor( new MediaLocator(mediaUrl));
} catch (IOException e){
System.out.println("Exception occured (1a): " + e);
} catch (NoProcessorException e){
System.out.println("Exception occured (1b): " + e);
// configure the processor
//processor.configure();
//Espera el estado Processor.Configured
boolean result = waitForState(processor, Processor.Configured);
if (result == false)
System.out.println("No se pudo configurar el procesador...");
// Block until the Processor has been configured
TrackControl track[] = processor.getTrackControls();
boolean encodingOk = false;
// Go through the tracks and try to program one of them to
// output ulaw data.
for (int i = 0; i < track.length; i++)
if (!encodingOk && track[i] instanceof FormatControl)
if (((FormatControl)track).setFormat( new AudioFormat(AudioFormat.ULAW_RTP,8000,8,1)) == null)
track[i].setEnabled(false);
else
encodingOk = true;
else
// we could not set this track to ulaw, so disable it
track[i].setEnabled(false);
*Aqu? se cambia el tama?o del paquete a 160
if (((TrackControl)track[i]).isEnabled()) {
try {
System.out.println("Cambiando la lista de codecs...");
Codec codec[] = new Codec[3];
codec[0] = new com.ibm.media.codec.audio.rc.RCModule();
codec[1] = new com.ibm.media.codec.audio.ulaw.JavaEncoder();
//codec[2] = new com.ibm.media.codec.audio.ulaw.Packetizer();
codec[2] = new com.sun.media.codec.audio.ulaw.Packetizer();
((com.sun.media.codec.audio.ulaw.Packetizer)codec[2]).setPacketSize(160);
((TrackControl)track[i]).setCodecChain(codec);
catch (Exception e){
System.out.println("Error al cambiar el tamano del paquete: " + e);
System.out.println("Encoding ok?: " + encodingOk );
// At this point, we have determined where we can send out
// ulaw data or not.
// realize the processor
if (encodingOk)
//processor.realize();
// block until realized.
// get the output datasource of the processor and exit
// if we fail
//Espera el estado Processor.Realized
result = waitForState(processor, Processor.Realized);
if (result == false)
System.out.println("No se pudo realizar el procesador...");
DataSource ds = null;
try
ds = processor.getDataOutput();
catch (NotRealizedError e)
System.out.println("Exception occured(2): "+e);
// hand this datasource to manager for creating an RTP
// datasink.
// our RTP datasink will multicast the audio
try
String mediaUrl= "rtp://10.1.15.56:23480/audio/1";
MediaLocator m = new MediaLocator(mediaUrl);
DataSink d = Manager.createDataSink(ds, m);
d.open();
d.start();
catch (Exception e)
System.out.println("Exception occured(3): "+e);
catch ( MalformedURLException murlex )
System.out.println( murlex );
catch ( IOException ioex )
System.out.println( ioex );
* @param args the command line arguments
public static void main(String[] args) {
new MMHTTPPost();
* Convenience methods to handle processor's state changes.
private Integer stateLock = new Integer(0);
private boolean failed = false;
Integer getStateLock() {
return stateLock;
void setFailed() {
failed = true;
private synchronized boolean waitForState(Processor p, int state) {
p.addControllerListener(new StateListener());
failed = false;
// Call the required method on the processor
if (state == Processor.Configured) {
p.configure();
} else if (state == Processor.Realized) {
p.realize();
// Wait until we get an event that confirms the
// success of the method, or a failure event.
// See StateListener inner class
while (p.getState() < state && !failed) {
synchronized (getStateLock()) {
try {
getStateLock().wait();
} catch (InterruptedException ie) {
return false;
if (failed)
return false;
else
return true;
* Inner Classes
class StateListener implements ControllerListener {
public void controllerUpdate(ControllerEvent ce) {
// If there was an error during configure or
// realize, the processor will be closed
if (ce instanceof ControllerClosedEvent)
setFailed();
// All controller events, send a notification
// to the waiting thread in waitForState method.
if (ce instanceof ControllerEvent) {
synchronized (getStateLock()) {
getStateLock().notifyAll();ignore my last post.. I didn't properly read the source code.
Anyway, I got g.711 streaming to work. I started out using the AVTransmit2 sample, but set the audio output format to what is used in the source code posted here. I've also applied the same codec chain described above, and that was it.
I could never get streaming to work using the first RTP streaming method described in the JMF Programmers guide (and this is the method used in the source posted above), but using the RTPManager, things work just fine. -
AnyConnect for Cisco VPN Phone demo license
I want to test VPN Phone in the ASA5520,but "show ver" find the "AnyConnect for Cisco VPN Phone : Disabled", www.cisco.com/go/license i didn't find register AnyConnect for Cisco VPN Phone demo license, how to apply for the demo license??
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.Hi there,
Did you try
https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=717
Cheers!
Rob
"Why not help one another on the way" - Bob Marley -
AnyConnect for Cisco VPN Phone Spanless recording?
I'm looking to add this to my existing ASA5520.
Does AnyConnect for Cisco VPN phone support spanless recording?
If not what options are there?
Thanks,
MikeHi there,
Did you try
https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=717
Cheers!
Rob
"Why not help one another on the way" - Bob Marley -
Cisco 6807 and 6800ia Swtich QOS for Cisco ip phones
Does anyone have an example of configuring a 6800ia switch port connected to a 6807VSS parent for cisco ip phones qos. Normally we'd use auto qos voip but auto qos is not supported on 6800IA switches.
Cant find any cisco documentation of what the IA switches port config should look like for a cisco ip phone.
Any help would be appreciated.
Thanks,
DaveI'd leave QoS alone.
-
Wireless ISE - 12508 EAP-TLS handshake failed
Hi guys,
I'm in the middle of my very first wireless ISE deployment and I'm hitting issues with EAP-TLS based authentication. In short, all EAP-TLS authentication is failing with the following error. Below that is the relevant excerpt from the logs:
Authentication failed : 12508 EAP-TLS handshake failed
OpenSSLErrorMessage=SSL alert: code=0x233=563 \; source=local \; type=fatal \; message="X509 decrypt error - certificate signature failure", OpenSSLErrorStack= 597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:146:,
Setup:
- Single standalone ISE 3355 appliance
- Two tier MS enterprise PKI (outside of my direct control)
- WLC 5508
- Windows 7 laptop\
- The ISE has both the root and intermediate CA server certificates installed (individually, not chained) and has an identity certificate from the intermediate CA.
- The test laptop has both the root and intermediate CA server certificates installed (individually, not chained) and has an identity certificate from the intermediate CA.
Now, I'm pretty new to certs so I'm sure I'm missing something simple here. One thing that has come to mind as I'm writing this is that all of the issued certificates are using SHA1 as the Signature hash algorithm but if I remember correctly ISE defaults to SHA-256 when generating a CSR and I can't remember actually changing that. Could my issue be as simple as this, or does this hash algorithm only apply to the CSR process?
This is what TAC came back with, but none of the workarounds helped
Symptom:
========
EAP-TLS auth handshake failing with X509 decrypt error. The error presented to the ISE administrator is "12508: EAP-TLS handshake failed"
Conditions:
=========
EAP-TLS certificate based authentications ISE 1.1.2.145
Workaround:
===========
1) Reboot or restart ISE application service 2) Recreate CAP (Certificate Authentication Profile) 3) Toggle between ID sequence and single ID sourceHi Amjad,
Thanks for the response. I realise that SHA256 is highly preferable, however as per my post the PKI is outside of my direct control so that's a whole other conversation.
Cisco actually recommends avoiding chained certs for ISE, their best practice is that the intermediate and root CA server certificates should be imported into the ISE individually (I don't have a link for this, but it was presented in the Advanced ISE session at Cisco Live this year). On the client side the identity certificate (machine) shows the full trust chain, so I would assume that there isn't an issue there but I'm happy to be corrected.
The certificate format has not been modified in any way. The server and identity certs have been pushed out to the clients via GPO. Tthe root and intermediate certs were exported in DER format directly from each the respective CAs and imported directly in to the ISE
Cheers,
Owen -
Apple macosx machine authentication with ISE using EAP-TLS
Hello,
On a ongoing setup we are using eap-tls authentication with account validation against AD. We have our own CA (microsoft based). ISE version 1.2.1 patch 1.
With windows machines all is working well. We are using computer authentication only.
Now the problem is that we wish to do the same with MAC OSX machines.
We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
in ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$) windows accounts are not found in ad.
When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
Thanks
Gustavo NovaisAdditional information from the above question.
I have the following setup;
ACS 3.2(3) built 11 appliance
-Cisco AP1200 wireless access point
-Novell NDS to be used as an external database
-Windows 2003 enterprise with standalone Certificate Authorithy Services Installed
-Windows XP SP2 Client
My Goal is to use Windows XP Native Wlan Utility to connect to AP using EAP-TLS authentication against Novell NDS.
Tried to connect using Cisco compatible wlaN utility and authenticate using EAP-GTC against Novell NDS for for users, it works fine and perfectly.
When connecting using EAP-TLS, I am getting an error from ACS failed attempt "Auth type Not supported by External DB". But in the ACS documentation says that it supports EAP-TLS. How true is this? Is there anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize native WinXP Wlan Utility?
Please help...
Thanks -
Hello, I´m stucked with this problem for 3 weeks now.
I´m not able to configure the EAP-TLS autentication.
In the "Certificate Store" of the ISE server I have Installed the Root, policy and the Issuing certificates as "trust for client authentication",and in the Local store I have a certificate issuing for the same issuing authority which sign the thw client ones.
The ISE´s certificate has been issued with the "server Authentication certificate" template.
The clients have installed the certificates also the certificate chain.
When I try to authenticate the wireless clients I allways get the same error: " Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
and "OpenSSLErrorMessage=SSL alert
code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack= 1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
I don´t know what else can I do.
Thank you
JorgeHi Rik,
the Below are the certificate details
ISE Certificate Signed by XX-CA-PROC-06
User PKI Signed by XX-CA-OTHER-08
In ISE certificate Store i have the below certificates
XX-CA-OTHER-08 signed by XX-CA-ROOT-04
XX-CA-PROC-06 signed by XX-CA-ROOT-04
XX-CA-ROOT-04 signed by XX-CA-ROOT-04
ISE certificate signed by XX-CA-PROC-06
I have enabled - 'Trust for client authentication' on all three certificates
this is unchecked - 'Enable Validation of Certificate Extensions (accept only valid certificate)'
when i check the certificates of current user in the Client PC this is how it shows.
XX-CA-ROOT-04 is listed in Trusted root Certification Authority
and XX-CA-PROC-06 and XX-CA-OTHER-08 are in Intermediate Certificate Authorities -
802.1x EAP-TLS for wired users with ACS 5.5
Hi All,
We are configuring a new setup for wired users authentication with 802.1x(EAP-TLS). ACS 5.5 we are using as authentication server.
We have added the root CA(internal) certificate and certifcate for ACS signed by CA. Now We want to check the authentication is working or not . I hope both root CA and identity certifcate also we need to install in the laptops. But I am not sure how to download the certifcates for client machine manually from CA.
Kindly suggest on how to get certificates for clients both manually as well as automatically?
Thanks,
VijayHi Vijay,
for the Wired 802.1x (EAP-TLS) you need to have following certificates:
On ACS--- Root CA, Intermediate CA, Server Certificate
On Client-- Root CA, Intermediate CA, User certificate(In case of user authentication) OR Machine certificae(In case of Machine authentication)
I am not sure which third party certificate are you using, If its in house Microsoft or any other certificate server then you need download the client certificate from the server itself.
In case of Microsoft, There will be a template for user certificate. You can select it and create user certificate
This one is an old document, But has steps to configure Machine certificate for the user, You can see the steps to download user certificate if its Microsoft server:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/43722-acs-eap.html#wc-2
In case You are using the third party certificate serevr , Then you need to check with them on how to download the user certificate
Cheers
Minakshi(rate the helpful post) -
EAP-TLS witch Cisco Secure ACS
Hi everyone,
we have implemented wpa/leap in our WLAN. We would use certificates for machine authentication. There is a Cisco Secure ACS Server 3.3 installed.
Is it possible to use the ACS self generated certificate without a CA ?
The examples I found on the web describes only the configuration with CSACS with Microsoft CA.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a6b.html
We use Cisco AP1231/AP1232 with 12.3.4JA.
I think for machine authentication we have to install a CA. Let me know, how you think about that issue.
ArminThere are no much options on Client side: MS PEAP, EAP-TLS, EAP-MD5. ACS version 3.3 can generate self-signed certificate (for itself) without the need to install separate CA server. So I'd recommend you to use MS PEAP (PEAP MS-CHAPv2) with self-signed certificate on ACS.
-
ASA license for Cisco IP Phone over VPN
Hi,
Are there special licenses required on the ASA to use Cisco IP Phones (Hard phone) over SSL VPN connection?
ThanksHi,
You can purchase the phone proxy license. This elimiates the need to build a VPN tunnel for voice traffic.
It is not mandatory to purchase this license however.
From the ASA configuration guide:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/unified_comm_phoneproxy.html#wp1144845
"The Cisco Phone Proxy on the adaptive security appliance bridges IP telephony between the corporate IP telephony network and the Internet in a secure manner by forcing data from remote phones on an untrusted network to be encrypted. "
Don't forget to rate all posts that are helpful.
Maybe you are looking for
-
BP master data ship to address show in SO
Dear All, In the BP master data, there is a Addresses tab, inside this tab, there is the Ship to address with Address Name, Zip Code, State... etc. In the Sales Order, there is a Logistic tab, in the Ship to, user can select which address want to be
-
Using PI 7.1 to transfer file attachments using MTOM standard
Hello All, We have a scenario using PI 7.1 and we are required that PI calls a synchronous backend service and the backend service returns an attachement using MTOM format. 1) Can this be handled using PI ? 2) Any file size restrictions doing so usin
-
First-chance exception on load and calls
When loading our application we see quite a few "first chance exception" error messages being reported from the berkeley db xml library. The same first chance exceptions are thrown on each call to the berkeley db xml library - about 30 or so result f
-
Hi All, can any one tell me how to set up our own companies default logo in sap ecc6.0 Thanks vijay
-
Why is my imessanger and facetime not working
whenever i turn it on it keep saying waiting for activation then it gives me the error message "an error occurred during activation. try again" ive been at it for months and no success. ive also called apple support numerous times an still not fixed,