Authentication with 802.1x EAP-TLS using Cisco MIC
I'm trying to use a 2008 NPS radius server to authenticate my Cisco IP phones, which support 802.1x. The phone is handing off its cert to use for authentication. I've got the Cisco MIC CA cert imported as a trusted CA, but that doesn't seem to be enough. The radius server logs it as reason 8, "The specified user account does not exist". I can use certs to authenticate my laptops, so the basic layer of using certificates is working. I just can't seem to be able to use the Cisco phone's MIC. Any ideas?
October 6th, 2010 9:58pm

Hi,

As you can authenticate your laptops with EAP-TLS, it seems the issue is more related to Cisco. I suggest that you contact Cisco for assistance. I also searched the Internet and got the following post:

802.1x phone authentication for EAP-TLS via MIC only? https://supportforums.cisco.com/thread/2033771

Hope it is helpful for your work.

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
October 12th, 2010 10:38am

Hi, have you found a solution for authentication with EAP-TLS using MIC through radius NPS? I have the same problem. Any help would be great.
June 28th, 2011 4:51pm

Hi - I'm trying to do this as well and I have the same problem. Did you manage to find the answer? Michael.
August 16th, 2011 11:12am

Try this:

First you need to trust the issuer of the MIC in AD. This can be done using GPO or the "certutil -dspublish" command.

Second you need to configure explicit certificate mapping per user object in AD. The mapping can be one-to-one, mapping one certificate to one user account, or one-to-many, effectively mapping all certificates from that issuer to one single account in AD.

The procedure to enable certificate mapping per user object in AD:

1. Start the Active Directory Users and Computers snap-in, right-click your domain, and then click Advanced Options on the View menu.
2. Open the Users container or the organizational unit where the user account resides, right-click the user account, and then click Name Mapping.
3. Click Add to link the user's certificate to the Active Directory user account.
4. Click the folder where the certificate was saved, click the certificate, and then click Open.
5. Click to select the Use Subject for alternate security identity check box if you want to configure one-to-one mapping.
6. Click OK to accept the mapped certificate.
7. Click OK to close the Identity Mapping dialog box.

/Hasain
August 16th, 2011 12:00pm
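The two steps in Hasain's reply, publishing the MIC issuing CA into AD and adding an explicit certificate mapping to an account, can be scripted instead of clicked through the Name Mapping dialog. The following PowerShell is an added example for this thread, not code posted by any participant or by Cisco or Microsoft. The certificate paths, the account name `svc-ipphones`, and the assumption that the issuer goes into the NTAuthCA store are placeholders and assumptions; it requires the ActiveDirectory module and rights to publish to the configuration partition and edit the account.

```powershell
# Added example (not from the thread): script the "trust the issuer" and
# "Name Mapping" steps. Paths and account name below are placeholders.
param(
    [string]$IssuerCerPath = 'C:\certs\mic-issuing-ca.cer',   # placeholder: MIC issuing CA, DER/Base64
    [string]$PhoneCerPath  = 'C:\certs\phone-mic.cer',        # placeholder: one phone's MIC, exported from the phone
    [string]$AccountName   = 'svc-ipphones',                  # placeholder: AD account the phone(s) map to
    [switch]$OneToOne                                         # set for issuer+subject (one cert -> one account)
)

Import-Module ActiveDirectory

# Step 1: trust the issuer in AD. NTAuthCA is the store the DCs consult when
# deciding whether a client certificate may be mapped to an account; a root
# CA would additionally be published with the RootCA store name.
certutil -dspublish -f $IssuerCerPath NTAuthCA | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }

function ConvertTo-AdDn {
    # .NET prints DNs most-specific RDN first ("CN=..., O=..., C=US");
    # altSecurityIdentities expects the reverse order without spaces
    # ("C=US,O=...,CN=..."). A split on ", " is enough for the DNs on MICs;
    # an RDN that itself contains a comma would need a real DN parser.
    param([string]$Dn)
    $rdns = $Dn -split ',\s*'
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

function New-CertMappingValue {
    # Issuer-only value = the dialog's one-to-many mapping (every cert from
    # this issuer resolves to the account); issuer+subject = one-to-one,
    # which is what "Use Subject for alternate security identity" adds.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [bool]$IncludeSubject
    )
    $value = 'X509:<I>' + (ConvertTo-AdDn $Cert.Issuer)
    if ($IncludeSubject) { $value += '<S>' + (ConvertTo-AdDn $Cert.Subject) }
    return $value
}

$phoneCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PhoneCerPath
$mapping   = New-CertMappingValue -Cert $phoneCert -IncludeSubject ([bool]$OneToOne)

# Step 2: write the mapping. -Add appends, so several phones (one-to-one
# values) or one issuer value can coexist on the same account.
Set-ADUser -Identity $AccountName -Add @{ altSecurityIdentities = $mapping }

# Show what NPS/the DC will now match against.
Get-ADUser -Identity $AccountName -Properties altSecurityIdentities |
    Select-Object -ExpandProperty altSecurityIdentities
```

Run it once per phone with `-OneToOne` for the strict variant, or once without it to map the whole issuer to the shared account. One caveat for anyone reading this thread today: the issuer-only and issuer+subject forms above are the ones Microsoft later classified as weak mappings under KB5014754 (strong certificate mapping enforcement, 2022); domain controllers in full enforcement mode reject them, and a strong form such as `X509:<I>issuer<SR>reversed-serial`, `X509:<SKI>...` or `X509:<SHA1-PUKEY>...` is then required, which also means a per-certificate rather than per-issuer mapping.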
