To my understanding, and as depicted in the diagram here: https://securew2.com/blog/802-1x-eap-tls-authentication-flow-explained
...EAP-TLS authentication requires that the supplicant be able to validate/trust the RADIUS server identity cert, before it sends its client cert for the server to validate, essentially creating a 2-way trust.
As part of our migration to a new PKI, I'm assisting our CUCM admin in replacing his LSCs for all the IP phones in the environment, by using a CAPF cert that is signed by our new Windows PKI. My question is how does the phone validate the server identity certificate? I'd like to somehow verify what CAs the phone currently trusts. Part of this migration is eventually to replace the server identity cert with one also signed in this new PKI environment, but as part of the transition, the server identity cert will be signed by a *different* CA than the new CAPF cert (and ultimately the phone cert) for a period of time.
I found this link: https://www.ipstorming.com/cisco-ise-ip-phones-and-eap-tls-authentication/
Which only discusses the RADIUS server trusting the CAPF cert for authentication, which is just the second part of the authentication. Maybe this is all that happens with IP phones?
Thanks in advance to anyone who answers. My fear is that the phone will only trust the chain that signed its LSC, meaning I will have a period in time between assigning the new LSCs where EAP-TLS authc is broken until I replace the RADIUS server identity cert with one signed by the same CA.