802.1x EAP-TLS on Alcatel-Lucent VoIP-Phones with NPS 2016

Post Reply
JochenReinecke
Member
Posts: 2
Joined: 25 Apr 2018 03:26

802.1x EAP-TLS on Alcatel-Lucent VoIP-Phones with NPS 2016

Post by JochenReinecke » 25 Apr 2018 03:29

Hello,
we are currently trying to bring up AAA via dot1x with our Alcatel-Lucent VoIP-Phones and Microsofts NPS 2016. EAP-TLS with Certificates is supported and certificates with the correct chain were imported on the phones.

But if we take a look into the Event Manager of NPS we can see that there is a request for an ad-user account named like the phone. So we created this user account in AD, as well. But Event Manager throws Event 6272 with Code 16 "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."

So we're considering, that the user account is searched and selected correctly but the Password might be wrong. Alcatel tells a lot about "using the mac address as the password" (but in fact only for MAC Bypass mode) or using the userneme or just the a string "password".
Taking a closer look in wireshark Shows that there might not be a Password in the RADIUS-Requst? Here is a short snipped.

AVP: l=8 t=User-Name(1): ALCIPT
AVP: l=6 t=Service-Type(6): Framed(2)
AVP: l=27 t=Vendor-Specific(26) v=ciscoSystems(9)

Normally, for example on other Windows machines, there will be a encrypted Password AVP right behind the user Name. Is this the correct behaviour? Any ideas? Can we ignore the Password in NPS? Is this a Topic for Alcatel?

Thanks and regards,

Jochen

JochenReinecke
Member
Posts: 2
Joined: 25 Apr 2018 03:26

Re: 802.1x EAP-TLS on Alcatel-Lucent VoIP-Phones with NPS 2016

Post by JochenReinecke » 26 Apr 2018 03:53

Hi,
we were able to finally get a solution. The Password isn't necessary at all. The machine certificate must be linked to the user account in active directory.
Regards,
Jochen

Post Reply

Return to “System”