[RADIATOR] Cisco IP Phones & 802.1x TLS with MIC authentication?

Wolfgang Miedl wmiedl at zid.tuwien.ac.at
Tue Jul 27 11:21:38 CDT 2010


Hello Greg,

On 07/26/2010 03:58 PM, Gregory Fuller wrote:
> Anyone have any experience authenticating Cisco IP Phones (7942 & 7962)
> via an 802.1x switchport using TLS with the Cisco installed MIC
> (manufacturer installed certificate)?  What I'm trying to do is to
> authenticate the phone to our network via the built-in MIC and
> validate against the CommonName of the phone's certificate (which
> should be CP7960-SEP{mac-address}).

We used MICs early in the proof-of-concept stage of our VoIP setup, but
since then moved on to use LSCs.

The following certificates were simply placed in a single file (Common
Name and SHA1 fingerprint):

CAP-RTP-001
	F7:B4:0B:94:58:31:D2:AB:44:7A:B8:F2:25:99:07:32:22:76:31:BE
CAP-RTP-002
	1B:E2:B5:03:DC:72:EE:28:0C:0F:6B:18:79:82:36:D8:D3:B1:8B:E6
Cisco Manufacturing CA
	E3:E7:83:D3:CC:9C:30:AE:DE:FF:CD:EB:5E:CF:EE:08:FF:8F:16:84
Cisco Root CA 2048
	DE:99:0C:ED:99:E0:43:1F:60:ED:C3:93:7E:7C:D5:BF:0E:D9:E5:FA

You can get those certificates via the Web or via the CallManagers'
Certificate Store. You probably could also put each cert in its own
file and use multiple EAPTLS_CAFile clauses.

A few further notes:
* I'm not really sure if you need all 4 certificates. As I said, we only
used it for a few weeks as a proof-of-concept before switching to LSCs,
so we didn't really investigate that.
* This setup was discontinued last year. Newer phones may have MICs
signed by different certificates.
* We have always used a SQL-based solution for username storage for the
usual reasons.

We used the following Handler and AuthBy clauses, which I can confirm
worked with Cisco 7962G phones:

<AuthBy SQL>
        Identifier 8021x-sql

        EAPType TLS

        # Server-side TLS identity and the chain needed to validate it
        EAPTLS_PrivateKeyFile   <ServerPrivateKeyFile>
        EAPTLS_PrivateKeyPassword       xxxxxx
        EAPTLS_CertificateFile  <ServerPublicCertificateFile>
        EAPTLS_CertificateType  PEM
        EAPTLS_CAFile   <ChainCertificatesForServerCert>
        # Bundle of the Cisco CA certificates listed above; the phone's MIC
        # must chain to one of them
        EAPTLS_CAFile   <PathToCiscoCerts>

        # EAPTLS_MaxFragmentSize takes a byte count; no value is given here
        EAPTLS_MaxFragmentSize

        # DBSource / DBUsername / DBAuth live in a separate file
        include <DatabaseCredentials>

        NoDefault
        # The phone is accepted only if its identity exists in the PHONES table
        AuthSelect SELECT LOWER(CN) \
                   FROM  PHONES \
                   WHERE CN = '%u'
</AuthBy>

<Handler Client-Identifier=8021x>
        RejectHasReason
        AuthBy 8021x-sql

        # Put the authenticated phone into the switch's voice VLAN
        AddToReply      \
                cisco-avpair = "device-traffic-class=voice"
</Handler>


Best regards,
	Wolfgang Miedl

-- 
Wolfgang Miedl     <wmiedl at zid.tuwien.ac.at>   Tel (+43-1) 58801 - 42057
Information Technology Services                      Communication Group
University of Technology Vienna                                  Austria
http://pgpkeys.tuwien.ac.at/                              PGP Key wmiedl
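Two checks worth automating around the setup described above are (a) confirming that the CA bundle handed to EAPTLS_CAFile really contains the four Cisco certificates whose SHA1 fingerprints are listed, and (b) confirming that a phone's certificate Common Name has the CP<model>-SEP<MAC> shape before it is looked up in the PHONES table. The following script is an added example and is not Radiator code or anything from the original post; the fingerprints are the ones quoted above, while SAMPLE_BUNDLE is a constructed stand-in for a PEM file (its two "certificates" are only a few dummy bytes, so they will show up as unknown), and `authorize_phone` is a hypothetical mirror of the post's AuthSelect, with the PHONES table replaced by a set of lower-cased CNs.

```python
import base64
import hashlib
import re

# SHA1 fingerprints of the Cisco CA certificates from the post, keyed by Common Name.
PINNED_CISCO_CAS = {
    "CAP-RTP-001": "F7:B4:0B:94:58:31:D2:AB:44:7A:B8:F2:25:99:07:32:22:76:31:BE",
    "CAP-RTP-002": "1B:E2:B5:03:DC:72:EE:28:0C:0F:6B:18:79:82:36:D8:D3:B1:8B:E6",
    "Cisco Manufacturing CA": "E3:E7:83:D3:CC:9C:30:AE:DE:FF:CD:EB:5E:CF:EE:08:FF:8F:16:84",
    "Cisco Root CA 2048": "DE:99:0C:ED:99:E0:43:1F:60:ED:C3:93:7E:7C:D5:BF:0E:D9:E5:FA",
}

# Constructed PEM bundle (NOT real certificates): two blocks of dummy bytes, enough to
# exercise the parsing and fingerprinting code offline.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
AAAB
-----END CERTIFICATE-----
"""

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# CN shape from the question: CP<4-digit model>-SEP<12 hex MAC digits>. Matched
# case-insensitively because the post's AuthSelect lowercases the CN anyway.
_PHONE_CN = re.compile(r"^CP(\d{4})-SEP([0-9A-F]{12})$", re.I)


def normalize_fingerprint(fp):
    """Strip colons/spaces and upper-case so fingerprints compare regardless of formatting."""
    return fp.replace(":", "").replace(" ", "").upper()


def pem_fingerprints(pem_text):
    """SHA1 fingerprint (colon-separated, upper-case) of every certificate in a PEM bundle."""
    fingerprints = []
    for match in _PEM_BLOCK.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        digest = hashlib.sha1(der).hexdigest().upper()
        fingerprints.append(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    return fingerprints


def check_ca_bundle(pem_text):
    """Return (matched, unknown): bundle entries that are / are not in the pinned list.

    Each entry is (fingerprint, pinned CN or None); a non-empty 'unknown' list means the
    bundle would trust an issuer the operator never intended to trust.
    """
    by_fingerprint = {normalize_fingerprint(v): k for k, v in PINNED_CISCO_CAS.items()}
    matched, unknown = [], []
    for fp in pem_fingerprints(pem_text):
        name = by_fingerprint.get(normalize_fingerprint(fp))
        (matched if name else unknown).append((fp, name))
    return matched, unknown


def missing_pinned_cas(pem_text):
    """Names of pinned CAs that the bundle does not contain at all."""
    present = {name for _, name in check_ca_bundle(pem_text)[0]}
    return sorted(set(PINNED_CISCO_CAS) - present)


def parse_phone_cn(cn):
    """Split a phone CN into (model, MAC) or return None if it is not a phone-style CN."""
    match = _PHONE_CN.match(cn.strip())
    if not match:
        return None
    return match.group(1), match.group(2).upper()


def authorize_phone(cn, known_phones):
    """Hypothetical mirror of the post's AuthSelect: accept only CNs that look like a
    phone and exist in the PHONES table (here a set of lower-cased CNs)."""
    if parse_phone_cn(cn) is None:
        return False
    return cn.strip().lower() in known_phones


if __name__ == "__main__":
    matched, unknown = check_ca_bundle(SAMPLE_BUNDLE)
    print("matched:", matched)
    print("unknown:", unknown)
    print("missing:", missing_pinned_cas(SAMPLE_BUNDLE))
    print(authorize_phone("CP7962-SEP001122AABBCC", {"cp7962-sep001122aabbcc"}))
```

Run `check_ca_bundle` against the real file given to EAPTLS_CAFile: anything in `unknown` is an issuer the RADIUS server will accept client certificates from that is not on the pinned list, and `missing_pinned_cas` lists which of the four certificates still need to be added.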
