Hi. In this case you need to configure eap module to authenticate those phones using md5 and supply password (that is configured on the phone) in control:Cleartext-Password attribute in authorize section of radiusd.conf before calling eap module. On 28.09.2017 12:22, Vacheslav wrote:
Thanks for the valuable information, and I have 3905, and it turns they use eap-md5 authentication. From the documentation, I understood that the shared secret is the one configured on the cisco nas, but it didn't work. Is it some other secret password and where is it configured?
-----Original Message----- From: Boris Lytochkin [mailto:lytboris@yandex-team.ru] Sent: Monday, September 25, 2017 3:07 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>; Vacheslav <m_zouhairy@skno.by> Subject: Re: cucm and ip phones
Hi.
Cisco IP phones (all modern) have Manufacturer Installed Certificate (MIC) so you can authenticate them using EAP-TLS. You need to import their crcam* cert chains into your FreeRADIUS installation from https://www.cisco.com/security/pki/
On 25.09.2017 14:52, Vacheslav wrote:
Peace, I configured my ip phones to use mab, but I read that with Radius it is possible to authenticate capable ip phones with tls. I searched the internet on how to do it but found almost nothing. Should I import the created self signed certificates from the freeradius server to the cucm? Or is that I have to export the cucm certificates to the cert directory of the freeradius server? Anyone has experience in configuring cucm with dot1x?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Boris Lytochkin Yandex NOC +7 (495) 739 70 00 ext. 7671