Manufacturing Installed Certificate; User-Installed Certificate; Install Eap-Tls Authentication Certificates; Cisco Unified Wireless Ip Phone 7925G, 7925G-Ex, And 7926G Administration Guide - Cisco 7925G Administration Manual

Wireless Security Credentials
The EAP-TLS certificate-based authentication requires that the internal clock on the Cisco Unified Wireless
Note
IP Phone be set correctly. Use the phone web page to set the clock on the phone before using EAP-TLS
authentication.
To use EAP-TLS, both the Cisco Unified Wireless IP Phone and the Cisco Secure Access Control Server
(ACS) must have certificates installed and configured properly. If your wireless network uses EAP-TLS for
authentication, you can use the Manufacturing Installed Certificate (MIC) or a user installed certificate for
authentication on the phone.

Manufacturing Installed Certificate

Cisco has included a Manufacturing Installed Certificate (MIC) in the phone at the factory.
During EAP-TLS authentication, the ACS server needs to verify the trust of the phone and the phone needs
to verify the trust of the ACS server.
To verify the MIC, the Manufacturing Root Certificate and Manufacturing Certificate Authority (CA) Certificate
must be exported from a Cisco Unified Wireless IP Phone and installed on the Cisco ACS server. These two
certificates are part of the trusted certificate chain used to verify the MIC by the Cisco ACS server.
To verify the Cisco ACS certificate, a trusted subordinate certificate (if any) and root certificate (created from
a CA) on the Cisco ACS server must be exported and installed on the phone. These certificates are part of the
trusted certificate chain used to verify the trust of the certificate from the ACS server.

User-Installed Certificate

To use a user-installed certificate, a Certificate Signing Request (CSR) is generated on the phone, sent to the
CA for approval, and the approved certificate installed on the Cisco Unified Wireless IP Phone.
During EAP-TLS authentication, the ACS server verifies the trust of the phone and the phone verifies the
trust of the ACS server.
To verify the authenticity of the user-installed certificate, you must install a trusted subordinate certificate (if
any) and root certificate from the CA that approved the user certificate on the Cisco ACS server. These
certificates are part of the trusted certificate chain used to verify the trust of the user installed certificate.
To verify the Cisco ACS certificate, you export a trusted subordinate certificate (if any) and root certificate
(created from a CA) on the Cisco ACS server and the exported certificates are installed on the phone. These
certificates are part of the trusted certificate chain used to verify the trust of the certificate from the ACS
server.

Install EAP-TLS Authentication Certificates

To install authentication certificates for EAP-TLS, perform the following steps.
Procedure
Step 1 From the phone web page, set the Cisco Unified Communications Manager date and time on the phone.
Step 2 If using the Manufacturing Installed Certificate (MIC):
a) From the phone web page, export the CA root certificate and manufacturing CA certificate.

Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G Administration Guide

86
Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G Web Pages