Hi
I was stumbling over this post about 802.1x here: https://community.polycom.com/t5/VoIP-SIP-Phones/FAQ-How-can-I-add-a-802-1x-EAP-PEAPv0-MSCHAPv2-Cert...
Is it also possible to install/upload 802.1x certificates to an endpoint (Trio) via the RPRM or has this always to be done via the Webutility of each end point?
Thank you
Solved! Go to Solution.
Hello @mrbird
I am not sure you made it clear that you need a separate certificate per device.
The only way to do this per phone is either use the Web IF aka:
Or use the CSV import as already explained for all phones or you could look at the REST API for compatible phones => here <= as this would allow you to script this as per example for Setting Device Parameters.
Best regards
Steffen Baier
Hello @mrbird ,
Welcome back to the Poly Community.
Everything that can be manually configured via the Web Interface and/or configuration files can be archived by RPRM/PDMS-E
You can use SCEP to get the certificate automatically on the endpoint. In addition, you can also create your own 802.1x Dot1x Configuration:
Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.
Best Regards
Steffen Baier
Steffen, is there a way to upload 802.1x certificates through RPRM?
I was looking for the variable "device.sec.TLS.customDeviceCert1.publicCert" to upload it via RPRM, but this variable is not showing up, only "device.sec.tls.customdevicecert1.set" is available. I'm just assuming that either I need to upload the certs in the webutility of each phone, or to enable SCEP.
SCEP is on the list to be completed, to avoid the hassle of rolling out certs manually.
Thank you
Hello @mrbird ,
The FAQ post here:
Dec 06, 2017 Question: Is there an FAQ for RealPresence Resource Manager RPRM to provision Poly or Troubleshoot phones?
Resolution: Please check => here <=
covers this as you can simply copy and paste working XML into the "Paste Configuration XML" section if a parameter is not available.
EDIT: An easy method is to configure 1 phone using the Web Interface and then to create a backup and copy the new parts into RPRM.
Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.
Best Regards
Steffen Baier
Hello Steffen
If I were to upload the certificate content through the XML option, I will need to create a profile for each single endpoint.
I found Endpoint --> Monitor View --> Upload Phone File, where I could select the Certificate Directory.
Is it possible to upload the certificates into that folder and activate them? I have not tried it yet since I'm fearing to "harm" the phone. Or is SCEP my only choice to deploy certs without log into the webutility of each phone..?
Thanks a lot for your help.
Hello @mrbird ,
Welcome back to the Poly Community.
RPRM can configure single phones or a group of phones. It is the same process as explained above or in the linked FAQ and a single configuration profile can be used to configure multiple phones.
More details on the sub directories can be found here:
Oct 7, 2011 Question: What is the relevance of the 000000000000.cfg or <mac>.cfg?
Resolution: Please check => here <=
If you have more questions please work with your reseller as they can get this into support.
In order to raise a support ticket, you need to work with your Poly reseller as they may need to do this for you.
End Customers are usually unable to open a ticket directly with Poly support. Available End User Poly services offerings are detailed here
If this is some sort of an Internet discounter providing your MAC address or your Poly devices serial will enable us to look up who would be able to support you. This may not be who you purchased the Poly device from.
If the unit is no longer within the warranty please be prepared to Pay Per Incident / PPI. This is all outlined in detail here
Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.
Best Regards
Steffen Baier
Steffen,
I found that if a variable is not available in Get/Set Parameters function, it can still be added with the XML Function - that works.
So, I could add the whole content of a certificate through XML, although getting the certificate content/fingerprint and remove unnecessary overhead is almost as sophisticated as uploading the certificate through the web-utility.
Quoting from your post "Everything that can be manually configured via the Web Interface and/or configuration files can be archived by RPRM".
This can be easily done in the web-utility, however, I'm still not clear how to upload a certificate file (instead the content of the certificate itself) to a phone via RPRM. Do you have any other hint how this could be achieved?
That would be great, thanks so much.
Best regards, mrbird
Hello @mrbird
I cannot provide training via the community to teach how to use RPRM. I do not think hosting a certificate is a supported scenario.
I already replied to answer your most common questions and I also shared the FAQ posts created by community volunteers.
Usually, I would suggest to a customer to set up a DHCP option 160/161 to point to HTTP://FQDN_or_IP/phoneservice/configfiles/
Use the Endpoint > Endpoint View > More > Import/Export UC Managed Endpoints and simply create a CSV file with all the MAC addresses and/or the SIP registration details etc.
Then create a single new Configuration Profile using the exported working parts of a PBU Backup File containing the certificate via:
Once this has been done factory reset the phone in question and/or unbox all new phones and they will automatically be provisioned and work.
The above should not take longer as posting a reply within the community.
If you are unable to follow the above you could also use the CSV file Import described in the >FAQ< to contain the certificate as well.
If both of the above is not what you are after you can either:
Other volunteers can try and help as well.
Best Regards
Steffen Baier
Hi Steffen
Thanks for your extensive reply. Creating profiles for all phones including parameters has been setup for endpoint groups, that works. I could also upload the CA root cert via XML parameter to all phones. However when it comes down to individual endpoint certificates, this is something where I (or RPRM) struggles (unless an individual profile for individual phones shall be created but again, that effort is just too much).
Anyway, I will push internally for the SCEP process so that we move to a better automation of deploying devices.
Thanks again for your help.
Hello @mrbird
I am not sure you made it clear that you need a separate certificate per device.
The only way to do this per phone is either use the Web IF aka:
Or use the CSV import as already explained for all phones or you could look at the REST API for compatible phones => here <= as this would allow you to script this as per example for Setting Device Parameters.
Best regards
Steffen Baier