Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cisco IP phone - 802.1X

  • 1.  Cisco IP phone - 802.1X

    Posted Feb 18, 2020 11:56 AM

    Setting up 802.1X for 7841 phones, the team managing the CUCM have seemingly configured a test phone for 802.1X.

    I see the device request in access tracker using EAP-FAST but as a "Timeout" event - "Client did not complete EAP transaction".

    Is this a definite problem with the client? Just wondering whether I need to do something special for EAP-FAST.

    I have imported the Cisco certificates and enabled them in the Trust List.



  • 2.  RE: Cisco IP phone - 802.1X

    MVP GURU
    Posted Feb 18, 2020 12:55 PM

    Do you have EAP-FAST enabled as an authentication method? And do you have the appropriate Authentication sources also? I would add the authentication source as an authorization source as well.

    [attached image: 5.JPG]



  • 3.  RE: Cisco IP phone - 802.1X

    MVP GURU
    Posted Feb 18, 2020 12:59 PM

    Also check your Inner Methods on your EAP-FAST Authentication method as well. See below. Can you share the access tracker details?

    [attached image: 6.JPG]



  • 4.  RE: Cisco IP phone - 802.1X

    Posted Feb 19, 2020 04:41 AM

    Hi Dustin, EAP-FAST is configured as an authentication method in the service.

    The inner methods for EAP-FAST are GTC, MSCHAPv2 & TLS.

    The Authentication source is the AD servers which are used for EAP-TLS for client laptops (the service is shared but I can create a new service if it can't be used for both).

    What would EAP-FAST on phones require as an authentication source? I thought it would use certs only for auth.



  • 5.  RE: Cisco IP phone - 802.1X

    Posted Feb 19, 2020 04:48 AM

    I've attached the Access tracker log.

    Attachment: PhoneATLog_San.txt (16 KB)


  • 6.  RE: Cisco IP phone - 802.1X

    EMPLOYEE
    Posted Feb 19, 2020 04:52 AM

    The fact that ClearPass is reporting a "Timeout" with an Alert: "Client did not complete EAP transaction" would indicate to me that the IP phone is not trusting the ClearPass RADIUS certificate.



  • 7.  RE: Cisco IP phone - 802.1X

    EMPLOYEE
    Posted Feb 19, 2020 05:47 AM

    Is the access tracker log that you shared complete? I see the server sent an Access-Challenge but didn't receive any response; you need to look on the switch side, where your IP phone is connected, to see whether it forwarded the challenge to the IP client device.


    2020-02-18 16:05:53,901 [Th 192 Req 17876374 SessId R001ccd9e-01-5e4c0b61] INFO RadiusServer.Radius - rlm_ldap: searching for user CP-8831-SEPAC44F212B816 in AD:1.1.1.3
    2020-02-18 16:05:53,909 [Th 192 Req 17876374 SessId R001ccd9e-01-5e4c0b61] ERROR RadiusServer.Radius - rlm_ldap: could not start TLS Connect error
    2020-02-18 16:05:53,910 [Th 192 Req 17876374 SessId R001ccd9e-01-5e4c0b61] ERROR RadiusServer.Radius - rlm_ldap: (re)connection attempt failed
    2020-02-18 16:05:53,910 [Th 192 Req 17876374 SessId R001ccd9e-01-5e4c0b61] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client key exchange A
    2020-02-18 16:05:53,910 [Th 192 Req 17876374 SessId R001ccd9e-01-5e4c0b61] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client key exchange A
    2020-02-18 16:05:53,910 [Th 192 Req 17876374 SessId R001ccd9e-01-5e4c0b61] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 75:1124:11-22-33-44-55-66:ADkAbwCvAOGWxRABXa/cWhiAwiDkIvPbyXgLZw==




  • 8.  RE: Cisco IP phone - 802.1X

    Posted Feb 19, 2020 06:03 AM

    Hi Pavan, this is the complete log. I don't see any reason why the switch wouldn't be forwarding on the challenge so my assumption is that the phone isn't responding. Perhaps as DMellor suggests the client needs to trust the CPPM cert and this isn't happening.



  • 9.  RE: Cisco IP phone - 802.1X

    EMPLOYEE
    Posted Feb 19, 2020 06:23 AM

    If the switch is forwarding the challenge to the IP phone, then the next step is to check the certificate: whether the client is trusting the CPPM certificate or not.

    Try checking the switch logs first to narrow down the issue.



  • 10.  RE: Cisco IP phone - 802.1X

    Posted Feb 19, 2020 06:27 AM

    I'm relying on the service provider who manages CUCM to determine whether the phone is set up to trust the CPPM. Would the customer need to supply the CPPM server cert to the phone provider, or can the trust be established using the GeoTrust CA root cert?



  • 11.  RE: Cisco IP phone - 802.1X

    EMPLOYEE
    Posted Feb 19, 2020 07:58 AM

    If the CPPM server certificate is signed by any third-party CA like GeoTrust, then we can add the root CA certificate to the client trust list.



  • 12.  RE: Cisco IP phone - 802.1X

    Posted Feb 20, 2020 09:14 AM

    I'm not getting a reply from the service provider on the question of certificate trust. They have said that there is a version mismatch but I can't see an option in the EAP-FAST method settings to enable different versions -


    5285 NOT Feb 20 13:03:56.668111 (318:318) PAE: -rcvd EAP-Req/FAST
    5286 NOT Feb 20 13:03:56.668539 (318:318) PAE: -802.1X authenticating via EAP-TLS

    5304 WRN Feb 20 13:03:56.829839 (318:318) PAE: -checkRxMsg: Invalid EAP-FAST version 0



  • 13.  RE: Cisco IP phone - 802.1X

    EMPLOYEE
    Posted Feb 20, 2020 10:13 AM

    Are you seeing this log on the IP phone?

    It looks like the client is not supporting this version. Can you change the version on the client itself and check, or use the EAP-PEAP protocol?

    You can take a packet capture from Administration » Server Manager » Server Configuration, or set the RADIUS log to debug mode from Administration » Server Manager » Log Configuration, and check the Access Tracker log and packet capture for more details related to the EAP-FAST version.

    Service Parameters > RADIUS Server Service

    Service Parameter              Action/Description

    EAP-FAST

    Master Key Expire Time         Specify the lifetime of a generated EAP-FAST master key.

    Master Key Grace Time          Specify the grace period for an EAP-FAST master key after its lifetime expires. The default is 3 weeks.
                                   If a client presents a PAC (Protected Access Credential) that is encrypted using the master key in this period after its TTL (Time-to-Live), it is accepted and a new PAC encrypted with the latest master key is provisioned on the client.

    PACs are valid across cluster  If PACs (Protected Access Credentials) generated by this server are valid across the cluster, set to TRUE (the default setting). If not, select FALSE.



  • 14.  RE: Cisco IP phone - 802.1X

    Posted Feb 20, 2020 11:28 AM

    It looks like CPPM is selecting the correct version -

    2020-02-20 15:04:18,047 [Th 193 Req 18186874 SessId R001d4377-01-5e4e9ff0] DEBUG RadiusServer.Radius - rlm_eap_tls: Server version 1 Peer Version 0 Choosing 0


    Phone provider says they cannot change the version even on the latest Cisco phone version and won't give me an answer as to whether they can use another EAP version.



  • 15.  RE: Cisco IP phone - 802.1X

    EMPLOYEE
    Posted Feb 20, 2020 11:37 AM

    If the client is not supporting the EAP-FAST version, then try using the EAP-PEAP protocol.



  • 16.  RE: Cisco IP phone - 802.1X

    Posted Feb 26, 2020 09:24 AM

    OK I've got the phone performing EAP-TLS but now got an "Unknown CA" failure.

    I've installed and enabled the four Cisco certificates supplied by the phone provider, and what the phone is supplying looks the same, from access tracker -

    Certificate:Issuer-CN         Cisco Manufacturing CA
    Certificate:Issuer-DN         CN=Cisco Manufacturing CA,O=Cisco Systems
    Certificate:Issuer-O          Cisco Systems
    Certificate:Not-Valid-After   2026-06-07 02:25:38

    Alerts for this Request

    RADIUS[Local User Repository] - localhost: User not found.
    EAP-TLS: fatal alert by server - unknown_ca
    TLS Handshake failed in SSL_read with error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    eap-tls: Error in establishing TLS session




  • 17.  RE: Cisco IP phone - 802.1X

    Posted Feb 26, 2020 09:28 AM

    Additional access tracker logs -

    2020-02-26 13:54:26,556[Th 193 Req 18757269 SessId R001e1f6e-01-5e567891] ERROR RadiusServer.Radius - --> verify error:num=20:unable to get local issuer certificate
    2020-02-26 13:54:26,556[Th 193 Req 18757269 SessId R001e1f6e-01-5e567891] ERROR RadiusServer.Radius - TLS Alert write:fatal:unknown CA
    2020-02-26 13:54:26,556[Th 193 Req 18757269 SessId R001e1f6e-01-5e567891] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    2020-02-26 13:54:26,556[Th 193 Req 18757269 SessId R001e1f6e-01-5e567891] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed


  • 18.  RE: Cisco IP phone - 802.1X

    EMPLOYEE
    Posted Feb 26, 2020 04:24 PM

    Hi,

    The ClearPass server is not able to verify the CA that signed the client certificate. Ensure the correct CA is added to the ClearPass trust list and the subject of the CA matches the below Common Name (CN) and Organization (O), and the expiration is also the same.

    Certificate:Issuer-CN         Cisco Manufacturing CA
    Certificate:Issuer-DN         CN=Cisco Manufacturing CA,O=Cisco Systems
    Certificate:Issuer-O          Cisco Systems
    Certificate:Not-Valid-After   2026-06-07 02:25:38

    If your trust list validation matches but still the authentication fails with the same error, then share the trust list screen capture and the access tracker export of the failure. You may also open a TAC case and work with the TAC engineers.



  • 19.  RE: Cisco IP phone - 802.1X

    Posted Mar 03, 2020 06:18 AM

    Hi Saravanan, I'm having trouble getting this across to the phone provider, so in simple terms -

    Client certificate has -
    Certificate: Issuer-DN CN=Cisco Manufacturing CA


    Certificate on ClearPass has -
    Subject DN: CN=Cisco Manufacturing CA SHA2

    and these two don't match.
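One way to do the issuer/subject comparison the ClearPass reply above asks for, and to surface the exact mismatch shown in this post, as an added example (not ClearPass code and not anything posted in this thread): it takes the Certificate:* lines from an Access Tracker export and a hand-typed trust list (both constructed samples), compares the phone's issuer DN component by component against the subject DN of each enabled CA, and flags near misses such as a "SHA2" CA of the same organisation. The Access Tracker line format and the trust-list fields are assumptions modelled on this thread.

```python
"""Offline triage of a ClearPass EAP-TLS 'unknown_ca' failure: does the issuer DN
the phone presented (Access Tracker export) match the subject DN of an enabled
CA in the ClearPass trust list? DNs are compared per component, so attribute
order, case and spacing never cause a false mismatch."""
from datetime import datetime

# Constructed sample in the Access Tracker field format seen on this thread.
ACCESS_TRACKER_SAMPLE = """\
Certificate:Issuer-CN Cisco Manufacturing CA
Certificate:Issuer-DN CN=Cisco Manufacturing CA,O=Cisco Systems
Certificate:Issuer-O Cisco Systems
Certificate:Not-Valid-After 2026-06-07 02:25:38
"""
# Constructed trust list: subject DN and 'Enabled' flag of each imported CA.
TRUST_LIST_SAMPLE = [
    {"subject": "CN=Cisco Manufacturing CA SHA2, O=Cisco Systems", "enabled": True},
    {"subject": "CN=Cisco Root CA 2048, O=Cisco Systems", "enabled": True},
]

def parse_dn(dn):
    """'CN=a, O=b' -> frozenset of (attr, value) pairs, case-folded."""
    return frozenset(tuple(p.strip().lower() for p in part.split("=", 1))
                     for part in dn.split(",") if "=" in part)

def parse_access_tracker(text):
    """Collect the 'Certificate:<field> <value>' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("Certificate:"):
            key, _, value = line[len("Certificate:"):].partition(" ")
            fields[key] = value.strip()
    return fields

def check_client_issuer(tracker_text, trust_list, now=None):
    """Verdict: ok / ca_disabled / unknown_ca, plus near-miss CAs and expiry."""
    fields = parse_access_tracker(tracker_text)
    issuer = parse_dn(fields["Issuer-DN"])
    exact = [ca for ca in trust_list if parse_dn(ca["subject"]) == issuer]
    # Same O but a different CN is usually another generation of the same CA
    # (e.g. the 'SHA2' CA imported instead of the one that signed the phone).
    near = [ca["subject"] for ca in trust_list
            if parse_dn(ca["subject"]) != issuer
            and dict(parse_dn(ca["subject"])).get("o") == dict(issuer).get("o")]
    status = ("ok" if any(ca["enabled"] for ca in exact)
              else "ca_disabled" if exact else "unknown_ca")
    not_after = datetime.strptime(fields["Not-Valid-After"], "%Y-%m-%d %H:%M:%S")
    today = datetime.strptime(now, "%Y-%m-%d") if now else datetime.now()
    expired = today >= not_after  # phones are often kept beyond their cert expiry
    return {"status": status, "issuer": fields["Issuer-DN"],
            "near_misses": near, "client_cert_expired": expired}
```

Run it against a real Access Tracker export and your exported trust list: a status of unknown_ca with a near miss listed is exactly the "CA" versus "CA SHA2" situation in this post.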



  • 20.  RE: Cisco IP phone - 802.1X

    MVP
    Posted Mar 23, 2020 07:40 AM

    You can https browse to the phone's ip address and save the certificates in the chain from its https certificate. Save them in the CPPM trust list. I am currently using EAP-TLS in this fashion. Sometimes different phones have different trust chains.


    I am moving away from this because we keep the phones longer than the manufacturer's installed certificate expiry.