EAP-TLS Authentication Certificates - Cisco 8800 Series Administration Manual

• 40
• 128
Step 5
In the Encryption Key field, enter the appropriate key string based on the selected Key Type and Key Size.
See WEP Key Formats, on page 146.
Step 6
Click Save to make the change.

EAP-TLS Authentication Certificates

EAP-TLS is a certificate-based authentication method that requires a trust relationship between two or more
entities. Each entity has a certificate that proves its identity and is signed by a trusted authority. These
certificates are exchanged and verified during EAP-TLS authentication.
Note: The EAP-TLS certificate-based authentication requires that the internal clock on the Cisco IP Phone be
set correctly. Use the phone web page to set the clock on the phone before using EAP-TLS authentication.
To use EAP-TLS, both the Cisco IP Phone and the Cisco Secure Access Control Server (ACS) must have
certificates installed and configured properly. If your wireless network uses EAP-TLS for authentication, you
can use the Manufacturing Installed Certificate (MIC) or a user installed certificate for authentication on the
phone.
Manufacturing Installed Certificate
Cisco has included a Manufacturing Installed Certificate (MIC) in the phone at the factory.
During EAP-TLS authentication, the ACS server needs to verify the trust of the phone and the phone needs
to verify the trust of the ACS server.
To verify the MIC, the Manufacturing Root Certificate and Manufacturing Certificate Authority (CA) Certificate
must be exported from a Cisco IP Phone and installed on the Cisco ACS server. These two certificates are
part of the trusted certificate chain used to verify the MIC by the Cisco ACS server.
To verify the Cisco ACS certificate, a trusted subordinate certificate (if any) and root certificate (created from
a CA) on the Cisco ACS server must be exported and installed on the phone. These certificates are part of the
trusted certificate chain used to verify the trust of the certificate from the ACS server.
User-Installed Certificate
To use a user-installed certificate, a Certificate Signing Request (CSR) is generated on the phone, sent to the
CA for approval, and the approved certificate is installed on the Cisco IP Phone.
During EAP-TLS authentication, the ACS server verifies the trust of the phone and the phone verifies the
trust of the ACS server.
To verify the authenticity of the user-installed certificate, you must install a trusted subordinate certificate (if
any) and root certificate from the CA that approved the user certificate on the Cisco ACS server. These
certificates are part of the trusted certificate chain used to verify the trust of the user installed certificate.
To verify the Cisco ACS certificate, you export a trusted subordinate certificate (if any) and root certificate
(created from a CA) on the Cisco ACS server and install the exported certificates on the phone. These
certificates are part of the trusted certificate chain used to verify the trust of the certificate from the ACS
server.
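
The two requirements described above (the verifying side must hold the root certificate and any subordinate CA certificate, and the clock must be correct because certificate validity periods are checked against it) can be reproduced offline with the openssl command line. This is an added example, not taken from the Cisco guide: it builds a constructed lab PKI with made-up names and file paths, and does not involve a phone or an ACS server.

```shell
#!/bin/sh
# Added example. Constructed lab PKI: root CA -> subordinate CA -> device cert.
# Every name and path below is made up for illustration.

make_lab_pki() {   # $1 = empty working directory
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    # Root CA: self-signed.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Root CA" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    # Subordinate CA: signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Subordinate CA" \
        -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 1825 -extfile "$d/ca.ext" -out "$d/sub.pem" 2>/dev/null &&
    # Device certificate: signed by the subordinate CA, valid from "now".
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=lab-phone" \
        -keyout "$d/dev.key" -out "$d/dev.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/dev.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
        -set_serial 3 -days 365 -out "$d/dev.pem" 2>/dev/null &&
    # Trust bundle holding both the root and the subordinate CA certificate.
    cat "$d/root.pem" "$d/sub.pem" > "$d/chain.pem"
}

# verify_dev TRUSTFILE DIR [EPOCH]
# Exit status 0 only if DIR/dev.pem chains to TRUSTFILE. With EPOCH, the
# check is done as if the verifier's clock read that time.
verify_dev() {
    openssl verify ${3:+-attime $3} -CAfile "$1" "$2/dev.pem" >/dev/null 2>&1
}

d=$(mktemp -d) && make_lab_pki "$d" || exit 1

# 1. Only the root installed: the chain cannot be built.
verify_dev "$d/root.pem" "$d" \
    && echo "root only: trusted" || echo "root only: rejected"
# 2. Root and subordinate CA installed: the chain is complete.
verify_dev "$d/chain.pem" "$d" \
    && echo "root + subordinate: trusted" || echo "root + subordinate: rejected"
# 3. Same trust bundle, clock at 2000-01-01: certificate is not yet valid.
verify_dev "$d/chain.pem" "$d" 946684800 \
    && echo "wrong clock: trusted" || echo "wrong clock: rejected"
rm -rf "$d"
```

Case 1 fails because the verifier is given only the root and has no other source for the subordinate CA certificate; case 3 fails even though the trust bundle is complete.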
Cisco IP Phone 8800 Series Administration Guide for Cisco Unified Communications Manager
Supported Security Features
