[RADIATOR] Cisco IP Phones & 802.1x TLS with MIC authentication?

Gregory Fuller gregory.fuller at oswego.edu
Wed Jul 28 06:14:56 CDT 2010

You can specify multiple EAPTLS_CAFile statements per authby?!?!!  I
don't know why I didn't think of that.  I did end up installing Cisco
SecureACS v5.1 eval copy and followed Cisco's instructions as to get
TLS auth working with it.  It worked like a charm with ACS and I was
able to see the debugs on how it was sending certs back and forth.

I guess I didn't understand initially how the "server" cert worked,
but I see now that you can use a self-signed server cert for it to

You just need the following 2 certs in a SINGLE CA file for Radiator:

Cisco Root CA:  http://www.cisco.com/security/pki/certs/crca2048.cer
Manufacturing Root CA:  http://www.cisco.com/security/pki/certs/cmca.cer

Merge both of those together into a single CA, use your own
self-signed server cert and your good to go with your AuthBy.  Thank
you for pointing me in the right direction to get this working
properly!  Now I just need to write a perl hook to verify the phone is
part of our CUCM CallManager Cluster.


More information about the radiator mailing list