[RADIATOR] Cisco IP Phones & 802.1x TLS with MIC authentication?

Wolfgang Miedl wmiedl at zid.tuwien.ac.at
Tue Jul 27 11:21:38 CDT 2010

Hello Greg,

On 07/26/2010 03:58 PM, Gregory Fuller wrote:
> Anyone have any experience authenticating Cisco IP Phones (7942 & 7962)
> via an 802.1x switchport using TLS with the Cisco installed MIC
> (manufacturer installed certificate)?  What I'm trying to do is to
> authenticate the phone to our network via the built-in MIC and
> validate against the CommonName of the phone's certificate (which
> should be CP7960-SEP{mac-address}).

We used MICs early in the proof-of-concept stage of our VoIP setup, but
have since moved on to using LSCs.

The following certificates were simply placed in a single file (Common
Name and SHA1 fingerprint):
Cisco Manufacturing CA
Cisco Root CA 2048

You can get those certificates via the Web or via the CallManager's
Certificate Store. You could probably also put each cert in its own
file and use multiple EAPTLS_CAFile clauses.

A few further notes:
* I'm not really sure if you need all 4 certificates. As I said, we only
used it for a few weeks as a proof-of-concept before switching to LSCs,
so we didn't really investigate that.
* This setup was discontinued last year. Newer phones may have MICs
signed by different certificates.
* We have always used a SQL-based solution for username storage, for the
usual reasons.

We used the following Handler and AuthBy clauses, which I can confirm
worked with Cisco 7962G phones:

<AuthBy SQL>
        Identifier 8021x-sql

        EAPType TLS

        # Server-side EAP-TLS identity (key, cert and the chain the phone validates)
        EAPTLS_PrivateKeyFile   <ServerPrivateKeyFile>
        EAPTLS_PrivateKeyPassword       xxxxxx
        EAPTLS_CertificateFile  <ServerPublicCertificateFile>
        EAPTLS_CertificateType  PEM
        EAPTLS_CAFile   <ChainCertificatesForServerCert>
        # Cisco Manufacturing CA + Cisco Root CA 2048, concatenated in one PEM file,
        # so the phones' MICs can be validated
        EAPTLS_CAFile   <PathToCiscoCerts>

        include <DatabaseCredentials>

        # The EAP identity (%u) is matched against the stored phone CN
        AuthSelect SELECT LOWER(CN) \
                   FROM  PHONES \
                   WHERE CN = '%u'
</AuthBy>

<Handler Client-Identifier=8021x>
        AuthBy 8021x-sql

        # Tell the switch to place the authenticated phone on the voice VLAN
        AddToReply      \
                cisco-avpair = "device-traffic-class=voice"
</Handler>


Best regards,
	Wolfgang Miedl

Wolfgang Miedl     <wmiedl at zid.tuwien.ac.at>   Tel (+43-1) 58801 - 42057
Information Technology Services                      Communication Group
University of Technology Vienna                                  Austria
http://pgpkeys.tuwien.ac.at/                              PGP Key wmiedl
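As an added example, not from Wolfgang's mail or from Radiator itself, the following POSIX shell script (it needs only openssl) walks through the certificate side of the setup above. It builds a throwaway two-level CA that stands in for the "Cisco Root CA 2048" -> "Cisco Manufacturing CA" chain, issues a phone-style certificate, concatenates the two CA certs into one PEM file the way the EAPTLS_CAFile line above expects, and then runs the checks the Handler relies on: chain verification against that bundle, what happens when only the root is in the file (the phone sends just its own certificate, so the issuing intermediate has to be in the CA file), the SHA1 fingerprint of a CA cert, and extraction of the lowercased CN that the AuthSelect compares with %u. All names, keys, the phone CN and the MAC in it are constructed for the demo; the CN pattern check accepts both the "CP7960-SEP..." form from Greg's mail and the hyphenated "CP-7962G-SEP..." form.

```shell
#!/bin/sh
# Added example (not from the original post): exercise the certificate side of the
# EAP-TLS/MIC setup with openssl. Everything is generated on the fly as a stand-in
# for "Cisco Root CA 2048" -> "Cisco Manufacturing CA" -> phone MIC; the names,
# the phone CN and its 12-hex-digit MAC are constructed for the demo.
set -eu

# Build a two-level demo PKI in $1: root CA, intermediate (manufacturing) CA,
# one phone certificate, and the single bundle file an EAPTLS_CAFile would point at.
make_demo_pki() {
    dir=$1
    cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[phone_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # Self-signed root (stand-in for "Cisco Root CA 2048").
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
        -config "$dir/demo.cnf" -extensions ca_ext -set_serial 1 \
        -subj "/O=Demo/CN=Demo Root CA 2048" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    # Intermediate signed by the root (stand-in for "Cisco Manufacturing CA").
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/demo.cnf" \
        -subj "/O=Demo/CN=Demo Manufacturing CA" \
        -keyout "$dir/mfg.key" -out "$dir/mfg.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -set_serial 2 -in "$dir/mfg.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -extfile "$dir/demo.cnf" -extensions ca_ext -out "$dir/mfg.crt" 2>/dev/null
    # Phone certificate signed by the intermediate; constructed CN in CP-<model>-SEP<MAC> form.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/demo.cnf" \
        -subj "/O=Demo/OU=Phones/CN=CP-7962G-SEP001122AABBCC" \
        -keyout "$dir/phone.key" -out "$dir/phone.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -set_serial 3 -in "$dir/phone.csr" \
        -CA "$dir/mfg.crt" -CAkey "$dir/mfg.key" \
        -extfile "$dir/demo.cnf" -extensions phone_ext -out "$dir/phone.crt" 2>/dev/null
    # What the mail describes: both CA certs concatenated into one PEM file.
    cat "$dir/mfg.crt" "$dir/root.crt" > "$dir/cisco-ca-bundle.pem"
}

# Verify a phone certificate ($2) against a CA file ($1) the way the RADIUS server
# will: the phone presents only its own cert, so the issuing intermediate must be
# in the CA file. Exit status is openssl verify's (0 = chain OK).
verify_phone_cert() {
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA1 fingerprint of a CA cert, to compare with the one recorded for the real CAs.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Print the certificate's CN lowercased: the value the AuthSelect above looks up.
phone_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p' | tr 'A-Z' 'a-z'
}

# Format check on a lowercased CN: cp[-]<model>-sep<12 hex digits of MAC>.
cn_is_phone_name() {
    printf '%s\n' "$1" | grep -Eq '^cp-?[0-9a-z]+-sep[0-9a-f]{12}$'
}

# Stand-alone demo run.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_demo_pki "$WORK"
echo "demo root CA SHA1 fingerprint: $(ca_fingerprint "$WORK/root.crt")"
if verify_phone_cert "$WORK/cisco-ca-bundle.pem" "$WORK/phone.crt"; then
    echo "phone cert verifies against the concatenated CA file"
fi
if verify_phone_cert "$WORK/root.crt" "$WORK/phone.crt"; then
    echo "unexpected: verified with the root alone"
else
    echo "fails with the root alone: the Manufacturing CA must be in EAPTLS_CAFile too"
fi
cn=$(phone_cn "$WORK/phone.crt")
if cn_is_phone_name "$cn"; then
    echo "lookup key for AuthSelect: $cn"
fi
```

Run it as `sh demo.sh`; to check a real phone certificate, point `verify_phone_cert` at the bundle built from the two Cisco certificates and at a certificate exported from the phone, and compare `ca_fingerprint` of each bundled CA with the fingerprint you recorded when you fetched it.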
