Guest

Preview Tool

Cisco Bug: CSCuo47784 - 6921 sip phones fail to authenticate with ACS 5.X with 802.1x

Last Modified

Apr 26, 2014

Products (11)

  • Cisco IP Phone 8800 Series
  • Cisco Unified IP Phone 9951
  • Cisco Unified SIP Phone 3905
  • Cisco Unified IP Phone 6961
  • Cisco Unified IP Phone 6941
  • Cisco Unified IP Phone 8961
  • Cisco Unified IP Phone 8941
  • Cisco Unified IP Phone 9971
  • Cisco Unified IP Phone 8945
  • Cisco Unified IP Phone 6945
View all products in Bug Search Tool Login Required

Known Affected Releases

9.4(1)

Description (partial)

Symptom:
All the Cisco 78xx phones fail DOT1X authentication with Cisco ACS 5.x when method is set NOT to EAP-TLS 
ACS supports: 
+EAP-PEAP 
+EAP-TLS

Cisco phone supports: 
+EAP-FAST 
+EAP-TLS

Both support EAP-TLS and if we select preferred method on ACS to EAP-TLS all works fine. 
EAP-PEAP has to be preferred method on ACS. The negotiation can never success and looks like that:

EAP-Request, Identity ->

Behavior: 
Phone sends only one method - 1st from list its supports 
ACS tries the method which received in NAK if supports this method. If ACS doesn't support the method received in NAK it sends EAP-Failure. 
Negotiation can never success even if there is method that both devices supports.

Conditions:
none
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.