Yealink Forums
[T57W] 802.1X EAP-TLS Authentication problem - Printable Version

+- Yealink Forums (http://forum.yealink.com/forum)
+-- Forum: IP Phone Series (/forumdisplay.php?fid=4)
+--- Forum: T5X Series (/forumdisplay.php?fid=58)
+--- Thread: [T57W] 802.1X EAP-TLS Authentication problem (/showthread.php?tid=46806)



[T57W] 802.1X EAP-TLS Authentication problem - HelmiSokrates - 08-08-2023 01:38 PM

Hello,

We are struggling with implementing 802.1X authentication on our T57W phones,
but NPS denies the connection for different reasons.

I'll try to explain our config as simple as possible:

Active Directory
Created AD user with MAC address as username

Microsoft CA (server role)
General / Publish in AD: yes
Certificate template for Client Authentication
Subject Name / Build from AD information: yes
Subject Name / Build from AD information / settings: Fully dist. name, include UPN
Issuance Requirements / This number of authorized signatures: 1
Request Handling / Purpose: Signature and encryption
Request Handling / Allow private key to be exported: yes
Request Handling / Enroll subject without requiring user input: yes
Cryptography / Provider Category: Key Storage Provider
Cryptography / Algorithm: ECDH_P384
Cryptography / Minimum size: 384
Cryptography / Provider: Microsoft Software Key Storage Provider
Cryptography / Request Hash: SHA256

-> I created a cert from this template on behalf of the user created before, and this cert is available in the user's "Published Certificates" tab

Phone UI settings
For testing I configured the settings directly via the Phone UI (attachment 802.1x_DeviceSettings.png).
  • Here I uploaded the user certificate as device certificate
  • CA cert is our root CA certificate
  • Identity is the MAC address of the phone
  • MD5 pwd is empty

Microsoft NPS

NPS Connection Request Policy
Conditions
User Name regex MAC address
Settings
Authentication: Local Computer
-> this works

NPS Network Policy
Conditions
NAS Port Type = Ethernet
User Groups = AD group that contains specified AD user
Constraints
Authentication Methods = EAP/PEAP (with EAP type "smartcard or certificate")
Certificate for identification: server cert of NPS server

Result
NPS shows the following in the event log (shortened):

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: DOMAIN\123456789012
Account Name: 123456789012
Account Domain: DOMAIN
Fully Qualified Account Name: domain.local/802.1X/Phones/123456789012

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 10-4f-58-97-ba-00
Calling Station Identifier: 12-34-56-78-90-12

Authentication Details:
Connection Request Policy Name: ConReqPolPhone
Network Policy Name: NetPolPhone
Authentication Provider: Windows
Authentication Server: server.domain.local
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 300
Reason: No credentials are available in the security package


I think I missed a simple setting or something like that, but I don't have any idea what else I can try.

I also read the whitepaper before, but that doesn't help me:
https://support.yealink.com/forward2download?path=ZIjHOJbWuW/DFrGTLnGyppoY/fcvJPPAQdRO4ZguW3GP5TJCDqU9tZG3OMukM8lgtmVF0PNJG5M43LZrmBAsEwOQloHhzAygB9UhOr2p9T451QJzxxD49dnbZvM0vR1Qil8apeJJtP8=

Regards
Florian
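As an added example (not part of the original post, and not Yealink's or Microsoft's own tooling), the PowerShell below runs the two checks a practitioner would want before retrying an EAP-TLS setup like the one described: it inspects the certificate the phone presents (Client Authentication EKU, digitalSignature key usage, and the SAN UPN that NPS uses to map the certificate to the AD account named after the MAC), and it pulls the NPS denial events (Security log, event ID 6273) for that phone and extracts the reason code, authentication type and negotiated EAP type. The certificate path, the MAC address and the lookback window are assumptions; the event query is meant to run on the NPS server itself.

```powershell
# Added example, not from the original post: checks on the phone's EAP-TLS certificate
# and on the NPS denial events. Paths, MAC and time window are assumptions; adjust them.
param(
    [string]$CertPath = 'C:\temp\phone-123456789012.cer',   # assumed: exported (public) phone cert
    [string]$PhoneMac = '12-34-56-78-90-12',                # assumed: the phone's Calling-Station-Id
    [int]$Hours = 24                                        # assumed: how far back to read NPS events
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth; required on an EAP-TLS client certificate

# Normalise a MAC so '12-34-56-78-90-12', '12:34:56:78:90:12' and '123456789012'
# all yield the same username form used for the "MAC as username" AD account.
function ConvertTo-MacAccountName([string]$Mac) {
    return ($Mac -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
}

# Inspect the certificate the phone presents: EKU, key usage, and the SAN UPN that
# NPS maps to the AD account.
function Test-PhoneClientCert([string]$Path, [string]$ExpectedAccount) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $result = [ordered]@{
        Subject             = $cert.Subject
        NotAfter            = $cert.NotAfter
        PublicKeyAlgorithm  = $cert.PublicKey.Oid.FriendlyName   # e.g. 'RSA' or 'ECC'
        HasClientAuthEku    = $false
        HasDigitalSignature = $false   # the client signs CertificateVerify in the TLS handshake
        UpnInSan            = $null
        UpnMatchesAccount   = $false
    }

    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $result.HasClientAuthEku = [bool]($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
        }
        elseif ($ext -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]) {
            $result.HasDigitalSignature = $ext.KeyUsages.HasFlag(
                [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)
        }
        elseif ($ext.Oid.Value -eq '2.5.29.17') {   # subjectAltName
            # Format() output is locale dependent; 'Principal Name=' is the English-locale label.
            if ($ext.Format($true) -match 'Principal Name=([^\s,]+)') {
                $result.UpnInSan = $Matches[1]
                $result.UpnMatchesAccount = ($Matches[1].Split('@')[0].ToLowerInvariant() -eq $ExpectedAccount)
            }
        }
    }
    return [pscustomobject]$result
}

# Pull NPS denials (Security log, event ID 6273) that mention this phone and extract the
# fields worth comparing. The first 'Account Name:' in the event text is the user section.
function Get-NpsDenialsForPhone([string]$Mac, [int]$LookbackHours) {
    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$LookbackHours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Mac) } |
        ForEach-Object {
            $m = $_.Message
            $reason  = $null; if ($m -match 'Reason Code:\s*(\d+)')           { $reason  = [int]$Matches[1] }
            $auth    = $null; if ($m -match 'Authentication Type:\s*(\S+)')   { $auth    = $Matches[1] }
            $eap     = $null; if ($m -match 'EAP Type:\s*(.+)')               { $eap     = $Matches[1].Trim() }
            $account = $null; if ($m -match 'Account Name:\s*(\S+)')          { $account = $Matches[1] }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                ReasonCode = $reason
                AuthType   = $auth
                EapType    = $eap
                Account    = $account
            }
        }
}

$account = ConvertTo-MacAccountName $PhoneMac
Test-PhoneClientCert -Path $CertPath -ExpectedAccount $account | Format-List
Get-NpsDenialsForPhone -Mac $PhoneMac -LookbackHours $Hours | Format-Table -AutoSize
```

Run it against the exported device certificate and on the NPS server. The first table tells you whether the certificate is usable for EAP-TLS at all (EKU, digitalSignature) and whether the UPN in the SAN actually names the MAC account; the second shows, per denial, the reason code alongside the authentication type the policy ran and the EAP type that was (or was not) negotiated, which is the pair to compare with the EAP-TLS method the phone is configured for.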