I don't know Mitel specifically, but most IP Phone vendors have factory-installed client certificates that are issued by a vendor-specific Root CA.
Unsure if you classified that as 'trusted self signed', as self signed is untrusted by definition.
If the phones do have a client certificate that is issued by the phone vendor, you should import the root CA into your ClearPass Trust List and enable it for EAP. After that, there is a good chance that the phone can authenticate with its factory certificate.
If you issued the certificates yourself, have them signed by your own CA and import that root CA into your ClearPass Trust List, similarly to a vendor root CA.
An internet search for 'Mitel Root CA' shows at least one result that appears to originate from the documentation, but I could not see a date on there so it may be old and obsolete. Your Mitel vendor or support may be able to provide you with the root CA, and if you found the reference it may be useful to post it here for others in the same situation. If you get stuck on the ClearPass side, opening a support case at your Partner or Aruba Support may help you further.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------
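Added example, not part of any post in this thread: a way to check with the openssl CLI whether a certificate exported from a phone is self-signed or chains to a candidate root CA, which tells you whether there is a root to import at all. The file names, subjects and the throwaway demo PKI are constructed for illustration; a real phone certificate and vendor root would be passed in their place.

```shell
#!/bin/sh
# Added example: classify a device certificate before changing the RADIUS trust list.
# Requires the openssl CLI. All certificates below are constructed test material.

# dn CERT subject|issuer: print the DN without the "subject=" / "issuer=" label.
dn() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

# classify_cert CERT [ROOT_CA] -> self-signed | issued-by-root | unknown-issuer
classify_cert() {
  # Self-signed: subject equals issuer AND the signature verifies with its own key.
  if [ "$(dn "$1" subject)" = "$(dn "$1" issuer)" ] &&
     openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
    echo self-signed; return 0
  fi
  # CA-issued: the chain validates against the candidate root.
  if [ -n "${2:-}" ] && openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo issued-by-root; return 0
  fi
  echo unknown-issuer
}

# make_demo_pki DIR: constructed root CA, one phone cert issued by it,
# and one self-signed phone cert (throwaway RSA keys, 1-day validity).
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Vendor Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-phone-0001" \
    -keyout "$1/phone.key" -out "$1/phone.csr" 2>/dev/null
  openssl x509 -req -in "$1/phone.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 1 -out "$1/phone.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-phone-0002" \
    -keyout "$1/selfsigned.key" -out "$1/selfsigned.pem" 2>/dev/null
}

demo() {
  tmp=$(mktemp -d)
  make_demo_pki "$tmp"
  echo "phone.pem:      $(classify_cert "$tmp/phone.pem" "$tmp/root.pem")"
  echo "selfsigned.pem: $(classify_cert "$tmp/selfsigned.pem" "$tmp/root.pem")"
  rm -rf "$tmp"
}
demo
```

A result of `issued-by-root` means the candidate root is the certificate that belongs in the trust list; `self-signed` means the phone certificate has no issuing CA to import.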
Original Message:
Sent: Jan 14, 2021 05:54 AM
From: VALERIO RIC
Subject: 802.1X EAP-TLS with Mitel VoIP
Hi,
I can help you on Mitel Phone, but I need help on CPPM.
My VOIP Phone has a trusted self signed certificate onboard. Can I import it to CPPM for EAP-TLS?
Thanks
------------------------------
VALERIO RIC
Original Message:
Sent: May 08, 2018 07:55 AM
From: Nebojsa Markovic
Subject: 802.1X EAP-TLS with Mitel VoIP
Hi all,
I am trying to help a customer in getting their Mitel 6900 Series VoIP phones moved to 802.1X using EAP-TLS. While the CPPM part in configuring the service and the rest is under control, I was wondering if anyone has dealt with this in a real-life deployment, as I would like to know:
a) from where did you push certs to the phones (the Mitel Admin Guide mentions "The phone downloads certificates using the URLs provided in startup.cfg file" without saying which server the URL is pointing to)
b) how is the solution incorporated with AD/CPPM
I am sure there is a nice document somewhere explaining all of this, but I cannot find it :-). Thanks.