I'm trying to configure ClearPass PM to authenticate Cisco IP Phones using EAP-TLS with certs. Can someone point me to the instructions on how to do EAP-TLS? I'm getting a response that the Certificate is unknown. I've loaded the cert onto the CPPM server.
- A server Certificate issued by a Certificate Authority and uploaded to the ClearPass Policy Manager (Administration > Certificates > Server Certificate). Create a certificate signing request, import the request into your CA, and import the resulting Server Certificate and Private Key back into ClearPass Policy Manager.
- A Certificate Authority (CA) certificate issued by the Certificate Authority that issues the certificates to the phones. Import it into Administration > Certificates > Trust List.
Let me provide a little more background....
Cisco_IP_Phone > RAP3:port2 > Home_Router > Internet > 3400Controller
I am getting this error in the Activity Log:
Is the LSC cert generated by the Cisco UC server? I'm afraid that I'm not familiar...
Yes, the Cisco UC server is running CAPF services, which is used to generate the LSC (Locally Significant Certificate) for the IP Phones. The CAPF server was configured by generating a CSR to our Internal CA.
It looks like it's failing to do CN comparison. If you look at your EAP-TLS authentication method in CPPM, do you have CN comparison enabled? You could try to disable certificate comparison to see if that helps.
Within the EAP-TLS authentication method on CPPM, it is set as shown below:
If I change the Certificate Comparison to "Do Not Compare" the phone gets on the network. My concern here is that there is no security. Does this basically disable the EAP-TLS function of mutual cert verification?
No, it does not disable mutual cert verification. Checks to make sure that the certificate is issued by a trusted root CA are still done. All you are disabling is checking a 3rd location to see if the CN on the certificate exists there. So if you wanted to make sure that the CN of the certificate exists in LDAP or AD or somewhere else, then you would want the compare CN to be enabled.
The only other check you would want from a security perspective would be CRL or OCSP. You want to make sure that the certificate has not been revoked.
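The three checks that the last two replies distinguish (issued by a CA in the trust list, CN present in an external store, not revoked), together with the CA-certificate import described in the earlier reply, worked through as an added shell example. This is not from the thread and not ClearPass code; it stands up a throwaway CA with the openssl CLI so each check can be run on its own. Demo-Phone-CA, the SEP... device names, the known_devices.txt allowlist (a stand-in for the LDAP/AD lookup) and every file name are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): stand-ins for the three checks discussed
# above, driven with the openssl CLI. All names, serials and files are constructed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# One config file serves both "openssl req" (CA self-signed cert) and "openssl ca"
# (revocation list). Every path lives in the temporary working directory.
cat > "$WORK/demo.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Demo-Phone-CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK
serial = $WORK/serial
crlnumber = $WORK/crlnumber
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 1
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
: > "$WORK/index.txt"
echo 01 > "$WORK/serial"
echo 01 > "$WORK/crlnumber"

# Build the PKI: a private CA (the certificate that would go into the CPPM
# trust list), a phone certificate it issues (CN = constructed device name),
# and a self-signed certificate from an issuer that is not in the trust list.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/demo.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -config "$WORK/demo.cnf" \
    -subj "/CN=SEP001122334455" -keyout "$WORK/phone.key" -out "$WORK/phone.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/phone.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -out "$WORK/phone.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/demo.cnf" \
    -subj "/CN=SEPDEADBEEF0000" -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
  # Start with an empty CRL so the revocation check can run before any revocation.
  openssl ca -config "$WORK/demo.cnf" -gencrl -out "$WORK/ca.crl" >/dev/null 2>&1
  # Constructed stand-in for the LDAP/AD store that "Compare CN" would consult.
  printf '%s\n' SEP001122334455 SEP00AABBCCDDEE > "$WORK/known_devices.txt"
}

# Check 1: issued by a CA in the trust list. This check still happens when
# certificate comparison is set to "Do Not Compare".
chain_ok() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }

# Check 2 (the optional one): the certificate's CN exists in an external store.
cn_of() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}
cn_known() { grep -qx "$(cn_of "$1")" "$WORK/known_devices.txt"; }

# Check 3: not revoked, using the CA's CRL (OCSP answers the same question online).
not_revoked() {
  openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" "$1" >/dev/null 2>&1
}
revoke() {
  openssl ca -config "$WORK/demo.cnf" -revoke "$1" >/dev/null 2>&1
  openssl ca -config "$WORK/demo.cnf" -gencrl -out "$WORK/ca.crl" >/dev/null 2>&1
}

report() {  # $1 = label, $2 = certificate path
  printf '%-6s chain:%s  cn-known:%s  not-revoked:%s\n' "$1" \
    "$(chain_ok "$2" && echo yes || echo no)" \
    "$(cn_known "$2" && echo yes || echo no)" \
    "$(not_revoked "$2" && echo yes || echo no)"
}

make_pki
report phone "$WORK/phone.crt"
report rogue "$WORK/rogue.crt"
revoke "$WORK/phone.crt"         # the phone's certificate is revoked at the CA ...
report phone "$WORK/phone.crt"   # ... and only the CRL check notices
```

The rogue line shows chain:no, which is the rejection that "Do Not Compare" leaves in place; the second phone line shows that revoking the certificate changes nothing in the trust-list or CN columns, which is why the CRL/OCSP check is the one worth adding.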