Cisco IP Phone 802.1x EAP-TLS troubles
aland at deployingradius.com
Mon Oct 10 18:33:56 CEST 2016
On Oct 10, 2016, at 12:30 PM, Ryan <directionless at gmail.com> wrote:
> I'm running freeRADIUS v3.0.8. My first goal is just to get all our
> Cisco phones authorized. I want freeRADIUS to accept all phones based
> on the certificate presented by the supplicant. The phones should
> present Cisco's manufacturer-installed-certificate, and Cisco provides
> the CA certs for download, which I have done. I put the Cisco CA
> certs into /etc/freeradius/certs, changed eap config to use ca_path
> instead of ca_file, but I still get this:
> (4) eap_tls: >>> TLS 1.2 [length 0002]
> (4) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
> tls: TLS_accept: Error in error
That's the phone saying it doesn't know about the CA.
> I'm a total noob at PKI and I can't figure out what I'm doing wrong.
> Is this even possible to do?
The server also has to present a certificate to the phone. And the servers certificate has to be signed by a CA.
If Cisco isn't going to sign the server cert (and they won't), then you'll need to get your CA onto the phone somehow.
More information about the Freeradius-Users