Has anyone gotten this working? I've uploaded "Cisco Root CA 2048" and the "Cisco Manufacturing CA" onto the IC under trusted client CAs. I've created a new realm for Cisco phones and I'm using the default Certificate_Auth as the authentication method with no other restraints, yet I see the following in the user log (I've X'ed out the MAC, which is irrelevant):
Radius authentication rejected for CP-7961G-SEP00XXXXXXX (realm '') from location-group 'Agented_Location_Group' and attributes are: NAS-IP-Address = 10.81.188.253,NAS-Port = 50135,NAS-Port-Type = 15
What am I to gain with this error message? Any help appreciated. Thanks
After a day of tinkering we finally got this working. Oddly enough, ONLY 'EAP-TLS' should be listed as the authentication protocol for 802.1x phones. We originally had 'EAP-MD5-Challenge' and 'EAP-TLS' in order of preferred protocols. Once we removed EAP-MD5-Challenge, it worked like a charm. Not sure if this is a bug.
This is not a bug. EAP-TLS is required for certificate-based authentication, and EAP-MD5 challenge is not supported for certificate-based authentication. This is an expected result.
That is correct, but I thought the assumption was once EAP-MD5-Challenge fails, EAP-TLS should kick in since they were listed in order of preferred protocols. Thanks
Yes, negotiation of the next available EAP protocol should happen if a particular protocol is not configured at either the server or the client.
I reckon in your case, both server and client already agreed upon EAP-MD5 and then eventually authentication failed.
Once a protocol has been agreed upon, further negotiation is not allowed per the RFC.
Hope this clarifies!
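The negotiation behaviour discussed in this thread, as an added example that is not part of the original posts: a minimal model of EAP method selection using the RFC 3748 packet header and Legacy Nak (type 3). The function names and the peer capability lists are assumptions for illustration, and method payloads are reduced to placeholders.

```python
import struct

# EAP codes and method type numbers (RFC 3748; EAP-TLS is type 13, RFC 5216)
REQUEST, RESPONSE = 1, 2
NAK, MD5_CHALLENGE, EAP_TLS = 3, 4, 13
NAMES = {MD5_CHALLENGE: "EAP-MD5-Challenge", EAP_TLS: "EAP-TLS"}

def build(code, ident, eap_type, data=b""):
    """Header layout: Code(1) | Identifier(1) | Length(2) | Type(1) | Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

def parse(pkt):
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    return code, ident, eap_type, pkt[5:length]

def peer_reply(request, supported):
    """Answer with the offered method if supported, else a Legacy Nak whose
    type-data lists the methods the peer would accept instead."""
    _, ident, offered, _ = parse(request)
    if offered in supported:
        return build(RESPONSE, ident, offered, b"\x00")  # placeholder payload
    return build(RESPONSE, ident, NAK, bytes(supported))

def negotiate(server_prefs, peer_supported):
    """Return (agreed method name or None, trace). The server offers its first
    preference; only a Nak from the peer makes it move to another method."""
    trace, offer, ident = [], server_prefs[0], 1
    while True:
        trace.append(f"server -> Request {NAMES[offer]}")
        reply = peer_reply(build(REQUEST, ident, offer), peer_supported)
        _, _, rtype, data = parse(reply)
        if rtype != NAK:
            trace.append(f"peer   -> Response {NAMES[rtype]} (method agreed)")
            return NAMES[rtype], trace
        wanted = ", ".join(NAMES.get(t, str(t)) for t in data)
        trace.append(f"peer   -> Nak, wants {wanted}")
        acceptable = [m for m in server_prefs if m in data and m != offer]
        if not acceptable:
            return None, trace
        offer, ident = acceptable[0], ident + 1

if __name__ == "__main__":
    prefs = [MD5_CHALLENGE, EAP_TLS]  # server order from the thread
    for label, peer in (("TLS-only peer", [EAP_TLS]),
                        ("peer that also answers MD5", [MD5_CHALLENGE, EAP_TLS])):
        method, trace = negotiate(prefs, peer)
        print(label, "->", method)
        print("\n".join("  " + line for line in trace))
```

In the second case the exchange settles on EAP-MD5-Challenge and never reaches EAP-TLS, so a certificate-only realm rejects the session; with only EAP-TLS in the server list, that first offer cannot happen.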