
Cisco 7961 IP Phone 802.1x auth with MIC

Tulin.R_
New Contributor

Has anyone gotten this working? I've uploaded "Cisco Root CA 2048" and the "Cisco Manufacturing CA" onto the IC under trusted client CAs. I've created a new realm for Cisco phones and I'm using the default Certificate_Auth as the authentication method with no other restraints, yet I see the following in the user log (I've X'ed out the MAC, which is irrelevant):

Radius authentication rejected for CP-7961G-SEP00XXXXXXX (realm '') from location-group 'Agented_Location_Group' and attributes are: NAS-IP-Address = 10.81.188.253,NAS-Port = 50135,NAS-Port-Type = 15

What am I to gain with this error message? Any help appreciated. Thanks

4 REPLIES
Tulin.R_
New Contributor

Re: Cisco 7961 IP Phone 802.1x auth with MIC

After a day of tinkering we finally got this working. Oddly enough, ONLY 'EAP-TLS' should be listed as the authentication protocol for 802.1x phones. We originally had 'EAP-MD5-Challenge' and 'EAP-TLS' in order of preferred protocols. Once we removed EAP-MD5-Challenge, it worked like a charm. Not sure if this is a bug.

kalagesan_
Super Contributor

Re: Cisco 7961 IP Phone 802.1x auth with MIC

Hi Tulin,

This is not a bug. EAP-TLS is required for certificate-based authentication, and EAP-MD5 challenge is not supported for certificate-based authentication. This is an expected result.

Regards,

Kannan

Tulin.R_
New Contributor

Re: Cisco 7961 IP Phone 802.1x auth with MIC

Hi Kalagesan,

That is correct, but I thought the assumption was that once EAP-MD5-Challenge fails, EAP-TLS should kick in, since they were listed in order of preferred protocols. Thanks

Raveen_
Regular Contributor

Re: Cisco 7961 IP Phone 802.1x auth with MIC

Hi Tulin,

Yes, negotiation of the next available EAP protocol should happen if a particular protocol is not configured at either server or client.

I reckon in your case, both server and client already agreed upon EAP-MD5 and then eventually authentication failed.

Once a protocol has been agreed upon, further negotiation is not allowed, per the RFC.

Hope this clarifies!

Regards,

Raveen
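
The negotiation behaviour discussed in this thread, as an added example that is not part of any post above and is not Cisco or IC code: a small model of EAP method selection in which the server offers its first preferred type, the peer either accepts it or answers with a Nak, and a failure of the accepted method ends the conversation without fallback. The function names, the `usable` parameter and the assumed peer behaviour (a phone that accepts EAP-MD5 but only holds a certificate) are assumptions made for illustration.

```python
# EAP type numbers: Nak and MD5-Challenge (RFC 3748), EAP-TLS (RFC 5216).
EAP_NAK, EAP_MD5, EAP_TLS = 3, 4, 13
NAMES = {EAP_MD5: "EAP-MD5-Challenge", EAP_TLS: "EAP-TLS"}


def negotiate(server_order, peer_supported, peer_preferred):
    """Pick the method for one EAP conversation; returns (method, trace)."""
    offer = server_order[0]
    trace = [f"server: Request type={offer}"]
    if offer in peer_supported:
        # Answering with the same type locks the method in for this conversation.
        trace.append(f"peer:   Response type={offer}")
        return offer, trace
    # The peer refuses the offer with a Nak listing the types it would accept.
    trace.append(f"peer:   Response type={EAP_NAK} desired={peer_preferred}")
    for method in server_order[1:]:
        if method in peer_preferred:
            trace.append(f"server: Request type={method}")
            trace.append(f"peer:   Response type={method}")
            return method, trace
    return None, trace


def authenticate(server_order, peer_supported, peer_preferred, usable):
    """Negotiate, then run the chosen method once; a failure is final.

    usable: methods with working credentials on both sides (model assumption).
    """
    method, trace = negotiate(server_order, peer_supported, peer_preferred)
    if method is None:
        return "EAP-Failure (no common method)", trace
    result = "EAP-Success" if method in usable else "EAP-Failure"
    trace.append(f"server: {result}")
    return f"{result} via {NAMES[method]}", trace


# Constructed scenarios. Assumed peer: accepts either method, holds only a certificate.
PEER = dict(peer_supported={EAP_MD5, EAP_TLS}, peer_preferred=[EAP_TLS], usable={EAP_TLS})
before = authenticate([EAP_MD5, EAP_TLS], **PEER)  # MD5 first: locked in, then fails
after = authenticate([EAP_TLS], **PEER)            # EAP-TLS only: succeeds
# A peer that does not support MD5 Naks the first offer and still reaches EAP-TLS.
nak = authenticate([EAP_MD5, EAP_TLS], {EAP_TLS}, [EAP_TLS], {EAP_TLS})

if __name__ == "__main__":
    for label, (outcome, trace) in (("before", before), ("after", after), ("nak", nak)):
        print(f"{label}: {outcome}")
        print("\n".join("  " + line for line in trace))
```

In this model the ordered protocol list only acts as a fallback when the peer rejects the first offer with a Nak; a peer that accepts the first offer never reaches the second entry.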