[RADIATOR] Cisco IP Phones & 802.1x TLS with MIC authentication?

Gregory Fuller gregory.fuller at oswego.edu
Mon Jul 26 08:58:27 CDT 2010


Anyone have any experience authenticating Cisco IP Phones (7942 & 7962)
via an 802.1x switchport using TLS with the Cisco installed MIC
(manufacturer-installed certificate)?  What I'm trying to do is to
authenticate the phone to our network via the built-in MIC and
validate against the CommonName of the phone's certificate (which
should be CP7960-SEP{mac-address}).

I do not want to apply any LSCs to the phones (locally signed
certificate), I only want to use the MIC to validate against.

According to Cisco's docs it should be possible, but they don't give
any examples of how to use the built-in cert on the phone to validate
with.  They only show how to apply an LSC to the phone.  And of course
all the docs are how to configure it using their own ACS RADIUS product.
 :(  I've had a heck of a time with Cisco TAC trying to get the right
information out of them on what is needed for the MIC side and not the
LSC side.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000414

ACS configuration and setup from the document above (for LSCs):

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000600

I have radiator configured like this to use TLS off the phone:


<Handler Client-Identifier=LANIGAN-SWITCHES, NAS-Port-Type=Ethernet, EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/>
       PacketTrace
       <AuthBy FILE>
               Filename %D/voip-phones-tls
               EAPType TLS
#               EAPTLS_CAPath %D/certs/cisco-root/ca/
#               EAPTLS_CAFile %D/certs/cisco-root/ca/crca2048.pem
               EAPTLS_CAFile %D/certs/cisco-root/ca/cmca.pem
               EAPTLS_CertificateFile %D/certs/cisco-phone/CAP-RTP-001.pem
#              EAPTLS_CertificateFile %D/certs/cisco-phone/CAP-RTP-002.pem
#               EAPTLS_CertificateFile %D/certs/cisco-root/ca/cmca.pem
#               EAPTLS_CertificateFile %D/certs/cisco/manufacturer/cmca.pem
               EAPTLS_CertificateType PEM
#               EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
#               EAPTLS_PrivateKeyPassword
               EAPTLS_MaxFragmentSize 1000
               AutoMPPEKeys
       </AuthBy>
#        <AuthBy FILE>

#                Filename %D/voip-phones
#                EAPType MD5
#        </AuthBy>


       # Log accounting to a detail file

       AuthLog VOIP-AuthLogger
       AcctLogFileName /var/log/radius/VOIP-detail
</Handler>


My "voip-phones-tls" auth file looks like this:

CP-7942G-SEP2893FE127C54
SEP2893FE127C54

crca2048.pem is the Cisco Systems Root CA from:
http://www.cisco.com/security/pki/certs/crca2048.cer
cmca.cer.pem is the Cisco Manufacturer CA from:
http://www.cisco.com/security/pki/certs/cmca.cer

CAP-RTP-001.pem and CAP-RTP-002.pem are Cisco Systems CA signed certs
from my Cisco Call Manager.  I have no idea if these 2 should be used
as the "server" cert for radius.  I thought that I needed to have a
server certificate signed by the Cisco Manufacturer CA in order to do
this, but I don't think I can create one of them, they need to be
provided by Cisco.

Anyway, using the above config when my 7942 phone authenticates back
to radiator I'm seeing the info below in the logfile, I see a TLS
challenge from the phone but nothing else.

I assume that the reason why the authentication is failing is because
of this error:

Thu Jul 22 13:19:25 2010: ERR: EAP TLS error: -1, 1, 8466, 0,  3687: 1- error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

Any ideas would be appreciated.  Thanks!


--greg


Gregory A. Fuller - CCNA
Network Manager
State University of New York at Oswego
Phone: (315) 312-5750
http://www.oswego.edu/~gfuller

Thu Jul 22 13:18:51 2010: DEBUG: Handling request with Handler
'Client-Identifier=LANIGAN-SWITCHES, NAS-Port-Type=Ethernet,
EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/'
Thu Jul 22 13:18:51 2010: DEBUG:  Deleting session for
CP-7942G-SEP2893FE127C54, 10.128.61.5, 50107
Thu Jul 22 13:18:51 2010: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 22 13:18:51 2010: DEBUG: Handling with EAP: code 2, 1, 29, 1
Thu Jul 22 13:18:51 2010: DEBUG: Response type 1
Thu Jul 22 13:18:51 2010: DEBUG: EAP result: 3, EAP TLS Challenge
Thu Jul 22 13:18:51 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP
TLS Challenge
Thu Jul 22 13:18:51 2010: DEBUG: Access challenged for
CP-7942G-SEP2893FE127C54: EAP TLS Challenge
Thu Jul 22 13:18:51 2010: DEBUG: Packet dump:
*** Sending to 10.128.61.5 port 1645 ....

Packet length = 46
0b 72 00 2e 3a 52 d0 d0 d6 9e 50 06 65 d1 c0 8e
a7 a9 09 12 4f 08 01 02 00 06 0d 20 50 12 8d d8
ff 08 4d 4c 5d 69 e8 a0 c8 3f fd 80 93 87
Code:       Access-Challenge
Identifier: 114
Authentic:  :R<208><208><214><158>P<6>e<209><192><142><167><169><9><18>
Attributes:
       EAP-Message = <1><2><0><6><13>

       Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


Thu Jul 22 13:19:24 2010: DEBUG: Handling request with Handler
'Client-Identifier=LANIGAN-SWITCHES, NAS-Port-Type=Ethernet,
EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/'
Thu Jul 22 13:19:24 2010: DEBUG:  Deleting session for
CP-7942G-SEP2893FE127C54, 10.128.61.5, 50107
Thu Jul 22 13:19:24 2010: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 22 13:19:24 2010: DEBUG: Handling with EAP: code 2, 1, 29, 1
Thu Jul 22 13:19:24 2010: DEBUG: Response type 1
Thu Jul 22 13:19:24 2010: DEBUG: EAP result: 3, EAP TLS Challenge
Thu Jul 22 13:19:24 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP
TLS Challenge
Thu Jul 22 13:19:24 2010: DEBUG: Access challenged for
CP-7942G-SEP2893FE127C54: EAP TLS Challenge
Thu Jul 22 13:19:24 2010: DEBUG: Packet dump:
*** Sending to 10.128.61.5 port 1645 ....

Packet length = 46
0b 73 00 2e be f3 88 01 83 4b df f5 ef 57 d1 7e
ae 91 2f fa 4f 08 01 02 00 06 0d 20 50 12 f5 48
c8 98 68 f0 8f 5e a7 91 55 8b 37 f1 7b e8
Code:       Access-Challenge
Identifier: 115
Authentic:  <190><243><136><1><131>K<223><245><239>W<209>~<174><145>/<250>
Attributes:
       EAP-Message = <1><2><0><6><13>

       Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


Thu Jul 22 13:19:25 2010: DEBUG: Handling request with Handler
'Client-Identifier=LANIGAN-SWITCHES, NAS-Port-Type=Ethernet,
EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/'
Thu Jul 22 13:19:25 2010: DEBUG:  Deleting session for
CP-7942G-SEP2893FE127C54, 10.128.61.5, 50107
Thu Jul 22 13:19:25 2010: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 22 13:19:25 2010: DEBUG: Handling with EAP: code 2, 2, 29, 1
Thu Jul 22 13:19:25 2010: DEBUG: Response type 1
Thu Jul 22 13:19:25 2010: DEBUG: EAP result: 3, EAP TLS Challenge
Thu Jul 22 13:19:25 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP
TLS Challenge
Thu Jul 22 13:19:25 2010: DEBUG: Access challenged for
CP-7942G-SEP2893FE127C54: EAP TLS Challenge
Thu Jul 22 13:19:25 2010: DEBUG: Packet dump:
*** Sending to 10.128.61.5 port 1645 ....

Packet length = 46
0b 74 00 2e 5e d9 8f eb 68 10 bb d2 d1 7a b3 9a
a7 ea 73 2a 4f 08 01 03 00 06 0d 20 50 12 30 68
33 33 ba a2 73 79 28 8c 4c e1 18 d8 b3 0b
Code:       Access-Challenge
Identifier: 116
Authentic:  ^<217><143><235>h<16><187><210><209>z<179><154><167><234>s*
Attributes:
       EAP-Message = <1><3><0><6><13>

       Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


Thu Jul 22 13:19:25 2010: DEBUG: Handling request with Handler
'Client-Identifier=LANIGAN-SWITCHES, NAS-Port-Type=Ethernet,
EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/'
Thu Jul 22 13:19:25 2010: DEBUG:  Deleting session for
CP-7942G-SEP2893FE127C54, 10.128.61.5, 50107
Thu Jul 22 13:19:25 2010: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 22 13:19:25 2010: DEBUG: Handling with EAP: code 2, 1, 29, 1
Thu Jul 22 13:19:25 2010: DEBUG: Response type 1
Thu Jul 22 13:19:25 2010: DEBUG: EAP result: 3, EAP TLS Challenge
Thu Jul 22 13:19:25 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP
TLS Challenge
Thu Jul 22 13:19:25 2010: DEBUG: Access challenged for
CP-7942G-SEP2893FE127C54: EAP TLS Challenge
Thu Jul 22 13:19:25 2010: DEBUG: Packet dump:
*** Sending to 10.128.61.5 port 1645 ....

Packet length = 46
0b 75 00 2e d4 dc cd a6 c2 d1 00 58 e5 61 6f 2c
23 6a 4a 15 4f 08 01 02 00 06 0d 20 50 12 a9 23
14 f1 b1 f1 65 dc 82 66 3a 3e e3 55 0d 1f
Code:       Access-Challenge
Identifier: 117
Authentic:  <212><220><205><166><194><209><0>X<229>ao,#jJ<21>
Attributes:
       EAP-Message = <1><2><0><6><13>

       Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


Thu Jul 22 13:19:25 2010: DEBUG: Handling request with Handler
'Client-Identifier=LANIGAN-SWITCHES, NAS-Port-Type=Ethernet,
EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/'
Thu Jul 22 13:19:25 2010: DEBUG:  Deleting session for
CP-7942G-SEP2893FE127C54, 10.128.61.5, 50107
Thu Jul 22 13:19:25 2010: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 22 13:19:25 2010: DEBUG: Handling with EAP: code 2, 2, 29, 1
Thu Jul 22 13:19:25 2010: DEBUG: Response type 1
Thu Jul 22 13:19:25 2010: DEBUG: EAP result: 3, EAP TLS Challenge
Thu Jul 22 13:19:25 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP
TLS Challenge
Thu Jul 22 13:19:25 2010: DEBUG: Access challenged for
CP-7942G-SEP2893FE127C54: EAP TLS Challenge
Thu Jul 22 13:19:25 2010: DEBUG: Packet dump:
*** Sending to 10.128.61.5 port 1645 ....

Packet length = 46
0b 76 00 2e 63 91 4f f2 7b 1b 9f b4 53 44 97 92
bd df 83 0f 4f 08 01 03 00 06 0d 20 50 12 96 27
67 af fb 4d 79 5d 76 f2 a5 c9 87 39 d3 ec
Code:       Access-Challenge
Identifier: 118
Authentic:  c<145>O<242>{<27><159><180>SD<151><146><189><223><131><15>
Attributes:
       EAP-Message = <1><3><0><6><13>

       Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


Thu Jul 22 13:19:25 2010: DEBUG: Handling request with Handler
'Client-Identifier=LANIGAN-SWITCHES, NAS-Port-Type=Ethernet,
EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/'
Thu Jul 22 13:19:25 2010: DEBUG:  Deleting session for
CP-7942G-SEP2893FE127C54, 10.128.61.5, 50107
Thu Jul 22 13:19:25 2010: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 22 13:19:25 2010: DEBUG: Handling with EAP: code 2, 1, 29, 1
Thu Jul 22 13:19:25 2010: DEBUG: Response type 1
Thu Jul 22 13:19:25 2010: DEBUG: EAP result: 3, EAP TLS Challenge
Thu Jul 22 13:19:25 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP
TLS Challenge
Thu Jul 22 13:19:25 2010: DEBUG: Access challenged for
CP-7942G-SEP2893FE127C54: EAP TLS Challenge
Thu Jul 22 13:19:25 2010: DEBUG: Packet dump:
*** Sending to 10.128.61.5 port 1645 ....

Packet length = 46
0b 77 00 2e d2 2c f1 19 8d 9b 2c a5 70 06 63 25
40 c2 5b a0 4f 08 01 02 00 06 0d 20 50 12 22 b9
bb 59 0b a1 bb ba 84 e7 ca 04 22 75 90 67
Code:       Access-Challenge
Identifier: 119
Authentic:  <210>,<241><25><141><155>,<165>p<6>c%@<194>[<160>
Attributes:
       EAP-Message = <1><2><0><6><13>

       Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


Thu Jul 22 13:19:25 2010: DEBUG: Handling request with Handler
'Client-Identifier=LANIGAN-SWITCHES, NAS-Port-Type=Ethernet,
EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/'
Thu Jul 22 13:19:25 2010: DEBUG:  Deleting session for
CP-7942G-SEP2893FE127C54, 10.128.61.5, 50107
Thu Jul 22 13:19:25 2010: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 22 13:19:25 2010: DEBUG: Handling with EAP: code 2, 2, 62, 13
Thu Jul 22 13:19:25 2010: DEBUG: Response type 13
Thu Jul 22 13:19:25 2010: ERR: EAP TLS error: -1, 1, 8466, 0,  3687: 1 - error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

Thu Jul 22 13:19:25 2010: DEBUG: EAP result: 1, EAP TLS error
Thu Jul 22 13:19:25 2010: DEBUG: AuthBy FILE result: REJECT, EAP TLS error
Thu Jul 22 13:19:25 2010: INFO: Access rejected for
CP-7942G-SEP2893FE127C54: EAP TLS error
Thu Jul 22 13:19:25 2010: DEBUG: Packet dump:
*** Sending to 10.128.61.5 port 1645 ....

Packet length = 60
03 78 00 3c 95 88 8a 57 33 f5 fc 64 de 6a 46 3c
df cb fb 59 4f 06 04 02 00 04 50 12 b9 b2 a5 a6
0e b8 f9 14 42 e7 ea 91 07 74 97 65 12 10 52 65
71 75 65 73 74 20 44 65 6e 69 65 64
Code:       Access-Reject
Identifier: 120
Authentic:  <149><136><138>W3<245><252>d<222>jF<<223><203><251>Y
Attributes:
       EAP-Message = <4><2><0><4>

       Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

       Reply-Message = "Request Denied"

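To make the packet dumps in the log above easier to read, here is an added decoder for the RADIUS packets Radiator prints; it is not part of the original post or of Radiator. It embeds two of the hex dumps from the log (the first Access-Challenge and the final Access-Reject) and shows that each challenge carries an EAP-TLS Start request (EAP type 13 with the S flag set) while the reject carries an EAP Failure plus the Reply-Message, i.e. the exchange never gets past the TLS handshake start before the "no shared cipher" error.

```python
import struct

# Hex bytes copied from two of the packet dumps in the log above.
CHALLENGE_HEX = """0b 72 00 2e 3a 52 d0 d0 d6 9e 50 06 65 d1 c0 8e
a7 a9 09 12 4f 08 01 02 00 06 0d 20 50 12 8d d8
ff 08 4d 4c 5d 69 e8 a0 c8 3f fd 80 93 87"""
REJECT_HEX = """03 78 00 3c 95 88 8a 57 33 f5 fc 64 de 6a 46 3c
df cb fb 59 4f 06 04 02 00 04 50 12 b9 b2 a5 a6
0e b8 f9 14 42 e7 ea 91 07 74 97 65 12 10 52 65
71 75 65 73 74 20 44 65 6e 69 65 64"""

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_MESSAGE, REPLY_MESSAGE = 79, 18  # RADIUS attribute types (RFC 3579 / RFC 2865)

def parse_radius(hex_dump):
    """Split a RADIUS packet into code, identifier, authenticator and TLV attributes."""
    data = bytes.fromhex(hex_dump)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes on the wire")
    attrs, pos = [], 20  # attributes start after the 16-byte Request/Response Authenticator
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {"code": RADIUS_CODES.get(code, code), "id": ident, "authenticator": data[4:20], "attrs": attrs}

def parse_eap(payload):
    """Decode the EAP header; for EAP-TLS (type 13) also decode the L/M/S flag byte (RFC 5216)."""
    code, ident, length = struct.unpack("!BBH", payload[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:
        info["type"] = payload[4]
        if payload[4] == 13:
            flags = payload[5]
            info["tls_flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    return info

def summarize(hex_dump):
    """One-line view of a dumped packet: RADIUS code/id, the EAP message it wraps, any Reply-Message."""
    pkt = parse_radius(hex_dump)
    # EAP-Message may be fragmented over several attributes; reassemble in order.
    eap = b"".join(v for t, v in pkt["attrs"] if t == EAP_MESSAGE)
    reply = [v.decode("ascii", "replace") for t, v in pkt["attrs"] if t == REPLY_MESSAGE]
    return {"radius": pkt["code"], "id": pkt["id"], "eap": parse_eap(eap) if eap else None, "reply": reply}

if __name__ == "__main__":
    for name, dump in (("challenge", CHALLENGE_HEX), ("reject", REJECT_HEX)):
        print(name, summarize(dump))
```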
