MIC Certificate 802.1x Configuration
1. Navigate to the CUCM Publisher server Cisco OS Administration page
2. Go to Security > Certificate Management
3. Download the Call-Manager-Trust CAP-RTP-001 and CAP-RTP-002 PEM certs
4. On ISE navigate to Administration > System > Certificates > Trusted Certificates and click Import
5. Browse to the .pem file downloaded from CUCM
6. Give it a friendly name, CAP-RTP-001
7. Trusted For - check Trust for authentication within ISE and Trust for client authentication and Syslog
8. Do steps 4 thru 7 for the other .pem cert
9. Cisco CA Manufacturing and Cisco Root CA 2048 are already listed as Trusted Certs but may be disabled. Enable them
10. Navigate to Policy > Policy Elements > Conditions > Authentication > Compound Conditions > Add
   a. Name - Phone_802.1X
   b. Add compound condition - CERTIFICATE:Subject - Common Name = Starts With - CP-
   c. Add Attribute/Value - CERTIFICATE:Subject - Organization Unit = equals - evvbu
11. Navigate to Policy > Policy Elements > Conditions > Authorization > Compound Conditions > Add
   a. Name - Phone_802.1X
   b. Add compound condition - CERTIFICATE:Subject - Common Name = Starts With - CP-
   c. Add Attribute/Value - CERTIFICATE:Subject - Organization Unit = equals - evvbu
12. Navigate to Policy > Policy Sets and click on the existing Wired Dot1x policy
13. Click Edit on the Wired Dot1x Authentication rule
14. Insert a new rule below the AD Certificate rule
   a. Name - IP Phone
   b. If - Existing condition Phone_802.1X
   c. Use - Preloaded_Certificate_Profile
15. Insert a new rule above the Cisco IP Phones Authorization rule
   a. Name - IP Phone MIC
   b. If <any>
   c. Conditions - select existing condition from library - Phone_802.1X
   d. Then - Cisco_IP_Phones
16. Go to CUCM and navigate to a phone you want to enable for 802.1x
17. In the Cisco Unified CM Administration window, choose Device > Phone
18. Find and select the phone you wish to enable for 802.1X
19. Scroll down to the line titled 802.1x Authentication. From the drop-down menu, select Enabled
20. Click Save and then Apply Config to enable 802.1X on the phone
21. More than one phone can be enabled for 802.1X by using the Bulk Administration Tool - using this tool is beyond the scope of this document.
TACACS Configuration for Device Access
1. Make sure the Device Access license is installed - Administration > System > Deployment
2. Administration > System > Deployment. Select the required node. Select the Enable Device Admin Service checkbox and click Save
3. Work Centers > Device Administration > Policy Results > TACACS Command Sets. Click Add.
   name = Permit_all_commands
   check "permit any command that is not listed below"
4. Click Add to add another TACACS Command Set
   name = Permit_show_commands
   click on ADD - grant permit for "show" and "exit" (by default, if Arguments is left blank, all arguments are included)
5. Work Centers > Device Administration > Policy Results > TACACS Profiles. Click Add
   name = Shell_profile
   Default Privilege = 15
   Maximum Privilege = 15
6. Work Centers > Device Administration > Policy Sets > Default > Authorization Policy > Edit > Insert New Rule Above
   a. rule 1 = PermitAllCommands, conditions = AD:ExternalGroups EQUALS example.com/network Admins, then command sets = Permit_all_commands AND shell profiles = shell_profile
   b. rule 2 = permitShowCommands, conditions = AD:ExternalGroups EQUALS example.com/network maintenance team, then command sets = permit_show_commands AND shell profiles = shell_profile
   c. Tacacs_Default = if no match, then DenyAllCommands
7. On the IOS Device
   aaa new-model
   tacacs server ISE
    address ipv4 10.48.17.88
    key cisco
   aaa group server tacacs+ ISE_GROUP
    server name ISE
   test aaa group tacacs+ admin Krakow123 legacy
   aaa authentication login AAA group ISE_GROUP local
   aaa authentication enable default group ISE_GROUP enable
   aaa authorization exec AAA group ISE_GROUP local
   aaa authorization commands 0 AAA group ISE_GROUP local
   aaa authorization commands 1 AAA group ISE_GROUP local
   aaa authorization commands 15 AAA group ISE_GROUP local
   aaa authorization config-commands
   line vty 0 4
    authorization commands 0 AAA
    authorization commands 1 AAA
    authorization commands 15 AAA
    authorization exec AAA
    login authentication AAA
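An added check, not part of the original document, that audits an IOS running-config excerpt against the step 7 profile: every privilege level has a TACACS+ command authorization list, every vty line binds the lists, config-mode authorization has not been switched off, and the server key is not a well-known default. The sample config is constructed from the commands above (indented as IOS prints it); the function names and the weak-secret list are assumptions.

```python
# Constructed sample input: the step 7 commands as IOS would display them (not a live device).
SAMPLE_CONFIG = """\
aaa new-model
tacacs server ISE
 address ipv4 10.48.17.88
 key cisco
aaa group server tacacs+ ISE_GROUP
 server name ISE
aaa authentication login AAA group ISE_GROUP local
aaa authentication enable default group ISE_GROUP enable
aaa authorization exec AAA group ISE_GROUP local
aaa authorization commands 0 AAA group ISE_GROUP local
aaa authorization commands 1 AAA group ISE_GROUP local
aaa authorization commands 15 AAA group ISE_GROUP local
aaa authorization config-commands
line vty 0 4
 authorization commands 0 AAA
 authorization commands 1 AAA
 authorization commands 15 AAA
 authorization exec AAA
 login authentication AAA
"""
def parse_blocks(config):
    """Map each top-level line to its indented sub-commands (tacacs server, line vty)."""
    blocks, parent = {}, None
    for line in filter(str.strip, config.splitlines()):
        if line.startswith(" "):
            blocks[parent].append(line.strip())
        else:
            parent = line.strip()
            blocks[parent] = []
    return blocks
def audit_aaa(config, lst="AAA"):
    """Return findings; an empty list means the config matches the step 7 profile."""
    blocks, findings = parse_blocks(config), []
    levels = ("0", "1", "15")
    for lvl in levels:  # a global method list per privilege level, TACACS+ group first
        if not any(b.startswith(f"aaa authorization commands {lvl} {lst} group") for b in blocks):
            findings.append(f"no command authorization list for level {lvl}")
    if "no aaa authorization config-commands" in blocks:  # explicit opt-out of config-mode authz
        findings.append("config-mode commands excluded from authorization")
    needed = [f"login authentication {lst}", f"authorization exec {lst}"]
    needed += [f"authorization commands {lvl} {lst}" for lvl in levels]
    for name, sub in blocks.items():
        if name.startswith("line vty"):  # every vty line must bind the lists
            findings += [f"{name}: missing '{n}'" for n in needed if n not in sub]
        if name.startswith("tacacs server"):  # flag well-known default secrets (assumed list)
            for s in sub:
                if s.startswith("key ") and s.split()[-1].lower() in {"cisco", "secret", "tacacs"}:
                    findings.append(f"{name}: weak shared secret '{s.split()[-1]}'")
    return findings
```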
8. To enable TACACS on a WLC
9. Work Centers > Device Administration > Policy Results > TACACS Profiles
   a. new profile - WLC_ADMIN
   b. Custom Attributes - type MANDATORY, Name role1, Value ALL
10. Work Centers > Device Administration > Device Admin Policy Sets
   a. new Policy Set = WirelessLanControllers
   b. Condition = DEVICE:Device Type EQUALS Device Type#All Device Types#Network Device#Wireless Devices
   c. Authentication Policy - Default Rule, use All identity store
   d. Authorization Policy - Rule name WLC, Conditions = AD:ExternalGroups EQUALS domain/admins, shell profile = WLC_ADMIN
   e. authorization policy = add rule for internal ISE users, shell profile - WLC_ADMIN
11. On the WLC navigate to Security > AAA > TACACS+ > Authentication, and click New
   a. IP Address of ISE
   b. Shared secret
12. Security > AAA > TACACS+ > Authorization, and click New
   a. IP address of ISE
   b. Shared secret
13. Security > AAA > TACACS+ > Accounting, and click New
   a. IP address of ISE
   b. Shared secret
14. Security > Priority Order > Management User - change the order of authentication