[RADIATOR] Cisco IP Phones & 802.1x TLS with MIC authentication?
Gregory Fuller
gregory.fuller at oswego.edu
Wed Jul 28 06:14:56 CDT 2010
You can specify multiple EAPTLS_CAFile statements per authby?!?!! I
don't know why I didn't think of that. I did end up installing Cisco
SecureACS v5.1 eval copy and followed Cisco's instructions to get
TLS auth working with it. It worked like a charm with ACS and I was
able to see the debugs on how it was sending certs back and forth.
I guess I didn't understand initially how the "server" cert worked,
but I see now that you can use a self-signed server cert for it to
work.
You just need the following 2 certs in a SINGLE CA file for Radiator:
Cisco Root CA: http://www.cisco.com/security/pki/certs/crca2048.cer
Manufacturing Root CA: http://www.cisco.com/security/pki/certs/cmca.cer
Merge both of those together into a single CA, use your own
self-signed server cert and you're good to go with your AuthBy. Thank
you for pointing me in the right direction to get this working
properly! Now I just need to write a Perl hook to verify the phone is
part of our CUCM CallManager Cluster.
--greg
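
The merge described in the post, as an added example that is not part of the original message: it builds one CA file from several certificate files and returns SHA-256 fingerprints to compare against values obtained from a trusted source, since the two URLs above are plain http. It assumes the CA file is an OpenSSL-style PEM bundle; the function names are hypothetical and the sample inputs are constructed stand-ins, not the Cisco certificates.

```python
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_length_ok(der):
    """True if the outer ASN.1 SEQUENCE length matches the byte count."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    n = der[1]
    if n < 0x80:                      # short-form length
        return 2 + n == len(der)
    k = n & 0x7F                      # long form: k length bytes follow
    if k == 0 or len(der) < 2 + k:
        return False
    return 2 + k + int.from_bytes(der[2:2 + k], "big") == len(der)

def to_der_list(data):
    """Accept one DER certificate or a file of PEM blocks; return DER blobs."""
    blocks = PEM_RE.findall(data)
    ders = [base64.b64decode(b"".join(b.split())) for b in blocks] or [data]
    for der in ders:
        if not der_length_ok(der):
            raise ValueError("truncated or non-certificate input")
    return ders

def build_ca_bundle(inputs):
    """Return (PEM bundle text, SHA-256 fingerprints), duplicates dropped."""
    pems, fps = [], []
    for data in inputs:
        for der in to_der_list(data):
            fp = hashlib.sha256(der).hexdigest()
            if fp not in fps:
                fps.append(fp)
                pems.append(ssl.DER_cert_to_PEM_cert(der))
    return "".join(pems), fps

# Constructed stand-ins (tiny ASN.1 SEQUENCEs, not real certificates).
SAMPLE_DER_A = bytes.fromhex("3003020101")
SAMPLE_DER_B = bytes.fromhex("3003020102")
SAMPLE_PEM_B = ssl.DER_cert_to_PEM_cert(SAMPLE_DER_B).encode()

if __name__ == "__main__":
    bundle, fps = build_ca_bundle([SAMPLE_DER_A, SAMPLE_PEM_B])
    print(bundle, *fps, sep="\n")
```

The length check is structural only: it catches a truncated download or an HTML error page saved as a .cer file, not a substituted certificate, which is what the fingerprint comparison is for.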