Hello,
We would like to authenticate Cisco IP Phones with ISE with the use of certificates. The IP Telephony for 802.1X Design Guide states that you can use X.509 certificates for phone authentication and that they can be validated by the ACS in a single authorization rule without the need to configure and maintain a database of phone usernames and/or passwords, so I guess this is true of ISE.
It also states that in an 802.1X authentication, the AAA server is responsible for validating the certificate provided by the phone. To do this, the AAA server must have a copy of the root CA certificate that signed the certificate of the phone. The root certificates for both LSCs and MICs can be exported from the Unified CM Operating System Administration interface and imported into your AAA server.
Now the question is that we want to use a self-signed CAPF of the CUCM to sign the LSCs, so we need to export that and import it into ISE, but under System Certificates in ISE, in "Used by", we can only have one certificate selected.
So if my understanding is correct, we cannot have a CA to issue PC certificates and a self-signed CAPF for the phones and both be active on ISE, right?
Thank you,
Aris.