[T57W] 802.1X EAP-TLS Authentication problem - Printable Version

+- Yealink Forums (http://forum.yealink.com/forum)
+-- Forum: IP Phone Series (/forumdisplay.php?fid=4)
+--- Forum: T5X Series (/forumdisplay.php?fid=58)
+--- Thread: [T57W] 802.1X EAP-TLS Authentication problem (/showthread.php?tid=46806)
[T57W] 802.1X EAP-TLS Authentication problem - HelmiSokrates - 08-08-2023 01:38 PM

Hello,

we are struggling with implementing 802.1x Authentication on our T57W phones. But NPS denies the connection due to different reasons. I'll try to explain our config as simply as possible:

Active Directory
  Created AD user with MAC address as username

Microsoft CA (server role)
  General / Publish in AD: yes
  Certificate template for Client Authentication
  Subject Name / Build from AD information: yes
  Subject Name / Build from AD information / settings: Fully dist. name, include UPN
  Issuance Requirements / This number of authorized signatures: 1
  Request Handling / Purpose: Signature and encryption
  Request Handling / Allow private key to be exported: yes
  Request Handling / Enroll subject without requiring user input: yes
  Cryptography / Provider Category: Key Storage Provider
  Cryptography / Algorithm: ECDH_P384
  Cryptography / Minimum size: 384
  Cryptography / Provider: Microsoft Software Key Storage Provider
  Cryptography / Request Hash: SHA256
  -> I created a cert from this template on behalf of the user created before and this cert is available in the user's "Published Certificates" tab

Phone UI settings
  For testing I configured the settings directly via the Phone UI (attachment 802.1x_DeviceSettings.png).

Microsoft NPS
  NPS Connection Request Policy
    Conditions
      User Name regex MAC address
    Settings
      Authentication: Local Computer -> this works
  NPS Network Policy
    Conditions
      Nas Port Type = Ethernet
      User Groups = AD group that contains specified AD user
    Constraints
      Authentication Methods = EAP/PEAP (with EAP type "smartcard or certificate")
      Certificate for identification: server cert of NPS server

Result
  NPS shows the following in the event log (shortened):

  Network Policy Server denied access to a user.
  Contact the Network Policy Server administrator for more information.
  User:
    Security ID: DOMAIN\123456789012
    Account Name: 123456789012
    Account Domain: DOMAIN
    Fully Qualified Account Name: domain.local/802.1X/Phones/123456789012
  Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    Called Station Identifier: 10-4f-58-97-ba-00
    Calling Station Identifier: 12-34-56-78-90-12
  Authentication Details:
    Connection Request Policy Name: ConReqPolPhone
    Network Policy Name: NetPolPhone
    Authentication Provider: Windows
    Authentication Server: server.domain.local
    Authentication Type: PEAP
    EAP Type: -
    Account Session Identifier: -
  Logging Results: Accounting information was written to the local log file.
  Reason Code: 300
  Reason: No credentials are available in the security package

I think I missed a simple setting or something like that, but I don't have any idea what else I can try. I also read the Whitepaper before, but that doesn't help me: https://support.yealink.com/forward2download?path=ZIjHOJbWuW/DFrGTLnGyppoY/fcvJPPAQdRO4ZguW3GP5TJCDqU9tZG3OMukM8lgtmVF0PNJG5M43LZrmBAsEwOQloHhzAygB9UhOr2p9T451QJzxxD49dnbZvM0vR1Qil8apeJJtP8=

Regards
Florian
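The following is an added triage helper for the NPS "denied access" event quoted in the post above; it is not code from the poster, from Yealink, or from Microsoft. It parses the event text into section-qualified fields and then runs the checks an NPS administrator would make first for a MAC-as-username 802.1X deployment: whether the account name matches the calling-station MAC that the switch reported, whether the logged outer authentication type is the one expected (the parameter `expected_auth_type` defaults to "EAP", on the assumption that EAP-TLS is logged by NPS as Authentication Type "EAP" rather than "PEAP"), whether an inner EAP type was recorded at all, and what the reason code means. The sample event is constructed from the values in the post, laid out one field per line; the `REASON_CODES` table only contains the code the post shows.

```python
import re

# Constructed sample: the (shortened) NPS "denied access" event quoted in the post,
# laid out one field per line as the Windows event viewer shows it.
SAMPLE_EVENT = r"""Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
    Security ID: DOMAIN\123456789012
    Account Name: 123456789012
    Account Domain: DOMAIN
    Fully Qualified Account Name: domain.local/802.1X/Phones/123456789012
Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    Called Station Identifier: 10-4f-58-97-ba-00
    Calling Station Identifier: 12-34-56-78-90-12
Authentication Details:
    Connection Request Policy Name: ConReqPolPhone
    Network Policy Name: NetPolPhone
    Authentication Provider: Windows
    Authentication Server: server.domain.local
    Authentication Type: PEAP
    EAP Type: -
    Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 300
Reason: No credentials are available in the security package
"""

# NPS reason codes with their description; only the code quoted in the post is included.
REASON_CODES = {
    300: "No credentials are available in the security package",
}

# indent, "Field Name", value  (lines without a colon are narrative and skipped)
FIELD_RE = re.compile(r"^(\s*)([^:]+):\s*(.*)$")


def parse_nps_event(text):
    """Flatten the event into {'Section.Field': value}; unsectioned fields keep their bare name."""
    fields = {}
    section = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        indent, key, value = m.group(1), m.group(2).strip(), m.group(3).strip()
        if not indent:
            section = None  # an unindented line ends the previous section
        if value == "":
            section = key   # 'User:', 'Client Machine:', ... open a new section
            continue
        fields[f"{section}.{key}" if section else key] = value
    return fields


def normalize_mac(s):
    """Strip separators and case so '12-34-56-78-90-12' and '123456789012' compare equal."""
    return re.sub(r"[^0-9a-f]", "", s.lower())


def triage(fields, expected_auth_type="EAP"):
    """Return the findings an NPS admin checks first for a denied 802.1X request."""
    findings = []

    # 1. MAC-as-username scheme: the account presented must be the calling station itself.
    user = fields.get("User.Account Name", "")
    calling = fields.get("Client Machine.Calling Station Identifier", "")
    if normalize_mac(user) == normalize_mac(calling):
        findings.append("account name matches calling-station MAC")
    else:
        findings.append(f"account name {user!r} does not match calling-station MAC {calling!r}")

    # 2. Outer method (assumption: NPS logs EAP-TLS as Authentication Type 'EAP', PEAP as 'PEAP').
    auth_type = fields.get("Authentication Details.Authentication Type", "")
    if auth_type != expected_auth_type:
        findings.append(f"authentication type {auth_type!r} is not the expected {expected_auth_type!r}")

    # 3. '-' means NPS recorded no inner EAP method for this attempt.
    if fields.get("Authentication Details.EAP Type") == "-":
        findings.append("no inner EAP type recorded")

    # 4. Reason code lookup, kept next to the event so code and text cannot drift apart.
    code = int(fields.get("Reason Code", "0"))
    findings.append(f"reason {code}: {REASON_CODES.get(code, 'not in table')}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_nps_event(SAMPLE_EVENT)):
        print("-", finding)
```

Run against the sample, the helper reports that the username and calling-station MAC agree (so the connection request policy's regex match is not the issue), that the outer method logged is PEAP rather than EAP, that no inner EAP type was recorded, and the text of reason code 300. Pasting a freshly exported event 6273 body into `SAMPLE_EVENT` gives the same four-line summary for any other denied phone.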