Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS with CPPM as CA

  • 1.  EAP-TLS with CPPM as CA

    MVP
    Posted Jun 26, 2013 09:42 AM

    I'm trying to get wired Alcatel VOIP phones to authenticate using EAP-TLS with a self-signed certificate.

     

    To this purpose I've enabled Clearpass Onboard as a self-signed Certificate Authority (CA).
    From this CA I've generated a TLS-client certificate which I've then activated on the VOIP phone.

     

    Now a few observations/questions.

    - Why does this EAP-TLS phone still need a user to authenticate together with the certificate? I would think the certificate replaces the user? Now I need to create a user with any password for the phone to authenticate successfully.
    - Does ClearPass automatically check whether it's a valid certificate since it's the CA for it, or do I need to configure this myself somewhere?



  • 2.  RE: EAP-TLS with CPPM as CA

    EMPLOYEE
    Posted Jun 26, 2013 10:57 AM

    Okay.  There is a lot of configuration that you possibly might have here, but let me try:

     

    - The Signing Certificate for your Onboard CA must be in the Trusted Root CAs of your Server.

    - The service that you are using to authenticate those devices needs to have an EAP-TLS method under Authentication.  You need to duplicate and use that Authentication method so that you can make the required changes to that method:

     

    - Uncheck Authorization required so that it does not check the username in the certificate

    - Under Certificate Comparison, make it "Do not compare"

    - To make sure that revocation is checked, you need to either (1) ensure that Onboard is embedding the OCSP URL and "Verify using OCSP" is enabled in the EAP-TLS method, or (2) override the OCSP URL from the certificate and enter your own.

     

    That should basically be all that you would require for it to work.  There might be quite a bit more configuration depending on what you have already done.
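The three things the reply above says ClearPass needs (a certificate that chains to a CA in the server's trust list, an OCSP URL embedded in the certificate or overridden in the method, and a subject name that "Authorization required" would try to look up as the user) can all be checked on the phone's certificate file before touching the switch. The script below is an added example, not code from this thread or from HPE Aruba: it replaces the Onboard CA with a throwaway OpenSSL CA in a temp directory, issues three client certificates (one good, one without an OCSP URL, one from an untrusted CA), and runs the same checks with `openssl` that the EAP-TLS method performs. The CA names, phone CNs and the OCSP URL are placeholders.

```shell
#!/bin/sh
# Added example (not from the forum thread or HPE Aruba). Stand-in for the
# Onboard CA: builds a throwaway CA with OpenSSL and checks, on each client
# certificate, what the ClearPass EAP-TLS method will check:
#   1. chain to the trusted CA ("Trusted Root CAs" of the server),
#   2. embedded OCSP URL (needed unless you override the URL in the method),
#   3. the subject name seen when "Authorization required" is on.
# All names and the OCSP URL below are placeholders.
set -e

WORK=$(mktemp -d)
OCSP_URL="http://ocsp.example.com/"   # placeholder; Onboard embeds its own URL

# Create a self-signed CA; $1 is a short name used for the key/cert files.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a client (EAP-TLS supplicant) certificate from CA $1 with CN $2.
# Pass "noocsp" as $3 to leave out the AIA/OCSP extension.
issue_client_cert() {
  ca=$1; cn=$2
  {
    echo "[ext]"
    echo "extendedKeyUsage = clientAuth"
    [ "$3" = "noocsp" ] || echo "authorityInfoAccess = OCSP;URI:$OCSP_URL"
  } > "$WORK/$cn.cnf"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$cn.key" -out "$WORK/$cn.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$cn.csr" \
    -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -extfile "$WORK/$cn.cnf" -extensions ext -out "$WORK/$cn.pem" 2>/dev/null
}

# Check 1: does certificate $2 chain to trusted CA $1? (exit 0 = yes)
chain_ok() { openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; }

# Check 2: print the OCSP URL embedded in certificate $1 (empty if none).
ocsp_uri() { openssl x509 -noout -ocsp_uri -in "$WORK/$1.pem"; }

# Check 3: print the subject of certificate $1, i.e. the name ClearPass
# would look up as the user if "Authorization required" stays ticked.
cert_subject() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/$1.pem" | sed 's/^subject= *//'
}

# Constructed test population: good phone, phone without OCSP URL, phone from
# a CA that is not in the trust list.
make_ca onboard-ca
make_ca other-ca
issue_client_cert onboard-ca phone-01
issue_client_cert onboard-ca phone-02 noocsp
issue_client_cert other-ca   phone-03

for cn in phone-01 phone-02 phone-03; do
  if chain_ok onboard-ca "$cn"; then chain=trusted; else chain=UNTRUSTED; fi
  uri=$(ocsp_uri "$cn")
  [ -n "$uri" ] || uri="(none: override the OCSP URL in the EAP-TLS method)"
  echo "$cn: chain=$chain subject=$(cert_subject "$cn") ocsp=$uri"
done
```

Run it against the real phone certificate by pointing `chain_ok`, `ocsp_uri` and `cert_subject` at the exported PEM and the Onboard CA certificate: a failed `openssl verify` means the signing CA is missing from the server's trust list, an empty `-ocsp_uri` means option (2) from the reply is required, and the printed subject is what you would otherwise have to create as a user account.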