collapse

Promotion

Search


User Info

 
 
Welcome, Guest. Please login or register.
Did you miss your activation email?

Author Topic: ISE and Cisco IP phone  (Read 77 times)

Offline aris

  • Cisco Newbie
  • *
  • Posts: 1
  • Reputation: 0
    • View Profile
  • Certification: CCNP
ISE and Cisco IP phone
« on: October 26, 2017, 02:12:31 AM »
Hello,

We would like to authenticate Cisco IP Phones with ISE with the use of certificates. From the IP Telephony for 802.1X Design Guide states that you can use X.509 certificates for phone authentication and that they can be validated by the ACS in a single authorization rule without the need to configure and maintain a database of phone usernames and/or passwords, so I guess this is true of ISE.

It also states that in an 802.1X authentication, the AAA server is responsible for validating the certificate provided by the phone. To do this, the AAA server must have a copy of the root CA certificate that signed the certificate of the phone. The root certificates for both LSCs and MICs can be exported from the Unified CM Operating System Administration interface and imported into your AAA server.

Now the question is that we want to use a self-signed CAPF of the CUCM to sign the LSCs, so we need to export that and import it in ISE, but under system certificates in ISE in Used by we can only have one certificate selected.

So if my understanding is correct, we can not have a CA to issue PC certificates and a self-signed CAPF for the phones and both be active on ISE, right?

Thank you,

Aris.

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 362
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
    • View Profile
  • Certification: CCIE
Re: ISE and Cisco IP phone
« Reply #1 on: October 26, 2017, 09:33:07 PM »
Hi Aris, That's incorrect. For ISE to trust Phone and PC, you need to import CA cert that sign those devices cert into ISE trusted cert store (in your case the self-sign CAPF for phone and possibly your internal CA for PC). This has nothing to do with who sign ISE cert. Then for the phone to trust ISE, you need to import CA cert that sign ISE into phone CTL.

 

Related Topics

  Subject / Started by Replies Last post
10 Replies
8029 Views
Last post November 13, 2013, 11:04:57 PM
by adecisco
1 Replies
2058 Views
Last post October 03, 2013, 11:43:58 PM
by MC
0 Replies
1067 Views
Last post February 12, 2014, 11:34:46 AM
by MC
2 Replies
2082 Views
Last post February 09, 2015, 10:54:52 AM
by ozone007
6 Replies
4589 Views
Last post July 20, 2015, 07:48:48 AM
by amsa

SimplePortal 2.3.5 © 2008-2012, SimplePortal