802.1x via RPRM?

SOLVED
Advisor

802.1x via RPRM?

Hi

 

I stumbled over this post about 802.1x here: https://community.polycom.com/t5/VoIP-SIP-Phones/FAQ-How-can-I-add-a-802-1x-EAP-PEAPv0-MSCHAPv2-Cert...

 

Is it also possible to install/upload 802.1x certificates to an endpoint (Trio) via the RPRM, or does this always have to be done via the web utility of each endpoint?

 

Thank you

 

Message 1 of 11
1 ACCEPTED SOLUTION

Polycom Employee & Community Manager

Re: 802.1x via RPRM?

Hello @mrbird 

 

I am not sure you made it clear that you need a separate certificate per device.

 

The only way to do this per phone is to either use the Web IF, aka:

 

  • Settings > Network > TLS > Certificate Configuration > Platform CA > Copy URL to certificate location > Install

Or use the CSV import as already explained for all phones, or you could look at the REST API for compatible phones => here <=, as this would allow you to script this as per the example for Setting Device Parameters.

 

Best regards

 

Steffen Baier

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP, Video Endpoint, Skype for Business, PSTN or RPM FAQs

Message 10 of 11
10 REPLIES
Polycom Employee & Community Manager

Re: 802.1x via RPRM?

Hello @mrbird ,

 

Welcome back to the Poly Community.


Everything that can be manually configured via the Web Interface and/or configuration files can be archived by RPRM/PDMS-E

 

You can use SCEP to get the certificate automatically on the endpoint. In addition, you can also create your own 802.1x Dot1x Configuration:

 

[Image: RPRM_Dot1x_01.png]

 

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Message 2 of 11
Advisor

Re: 802.1x via RPRM?

Steffen, is there a way to upload 802.1x certificates through RPRM?

I was looking for the variable "device.sec.TLS.customDeviceCert1.publicCert" to upload it via RPRM, but this variable is not showing up, only "device.sec.tls.customdevicecert1.set" is available. I'm just assuming that either I need to upload the certs in the webutility of each phone, or to enable SCEP.

 

SCEP is on the list to be completed, to avoid the hassle of rolling out certs manually.

 

Thank you

Message 3 of 11
Polycom Employee & Community Manager

Re: 802.1x via RPRM?

Hello @mrbird ,

 

The FAQ post here:

 

Dec 06, 2017 Question: Is there an FAQ for RealPresence Resource Manager RPRM to provision Poly or Troubleshoot phones?

Resolution: Please check => here <=

 

covers this as you can simply copy and paste working XML into the "Paste Configuration XML" section if a parameter is not available.

 

EDIT: An easy method is to configure 1 phone using the Web Interface and then to create a backup and copy the new parts into RPRM.


Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Message 4 of 11
Advisor

Re: 802.1x via RPRM?

Hello Steffen

If I were to upload the certificate content through the XML option, I would need to create a profile for every single endpoint.

I found Endpoint --> Monitor View --> Upload Phone File, where I could select the Certificate Directory.

 

Is it possible to upload the certificates into that folder and activate them? I have not tried it yet since I'm afraid of "harming" the phone. Or is SCEP my only choice to deploy certs without logging into the web utility of each phone?

 

Thanks a lot for your help.

Message 5 of 11
Polycom Employee & Community Manager

Re: 802.1x via RPRM?

Hello @mrbird ,

 

Welcome back to the Poly Community.

RPRM can configure single phones or a group of phones. It is the same process as explained above or in the linked FAQ and a single configuration profile can be used to configure multiple phones.

 

More details on the sub directories can be found here:

 

Oct 7, 2011 Question: What is the relevance of the 000000000000.cfg or <mac>.cfg?

Resolution: Please check => here <=

 

If you have more questions please work with your reseller as they can get this into support.


In order to raise a support ticket, you need to work with your Poly reseller as they may need to do this for you.

End Customers are usually unable to open a ticket directly with Poly support. Available End User Poly services offerings are detailed here

If this is some sort of an Internet discounter, providing your MAC address or your Poly device's serial will enable us to look up who would be able to support you. This may not be who you purchased the Poly device from.

If the unit is no longer within the warranty please be prepared to Pay Per Incident / PPI. This is all outlined in detail here


Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Message 6 of 11
Advisor

Re: 802.1x via RPRM?

Steffen, 

 

I found that if a variable is not available in the Get/Set Parameters function, it can still be added with the XML function - that works.

So, I could add the whole content of a certificate through XML, although getting the certificate content/fingerprint and removing unnecessary overhead is almost as sophisticated as uploading the certificate through the web utility.

Quoting from your post "Everything that can be manually configured via the Web Interface and/or configuration files can be archived by RPRM".

This can be easily done in the web utility; however, I'm still not clear how to upload a certificate file (instead of the content of the certificate itself) to a phone via RPRM. Do you have any other hint how this could be achieved?

That would be great, thanks so much.

 

Best regards, mrbird

Message 7 of 11
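The certificate-content preparation discussed in the post above, as an added example that is not part of the thread and is not Poly's code: it validates one PEM certificate, refuses input that contains a private key, and produces the single-line value plus a SHA-256 fingerprint to compare against the issuing CA's record. The parameter name is the one quoted in the thread; the `<device>` wrapper element, the armor-free base64 value format and the sample bytes are assumptions to check against a backup taken from a working phone.

```python
import base64
import hashlib
import re
from xml.sax.saxutils import quoteattr

# Parameter name as quoted in the thread. The <device> wrapper element and the
# armor-free base64 value are assumptions; compare with a phone backup file.
CERT_PARAM = "device.sec.TLS.customDeviceCert1.publicCert"
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed placeholder: a tiny DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def pem_to_der(pem_text):
    """Return the DER bytes of the single certificate in pem_text."""
    if "PRIVATE KEY-----" in pem_text:
        # Key material must never end up in a shared configuration profile.
        raise ValueError("input contains a private key block")
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected one certificate, found {len(blocks)}")
    der = base64.b64decode("".join(blocks[0].split()), validate=True)
    if not der or der[0] != 0x30:  # every certificate is a DER SEQUENCE
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def fingerprint(der):
    """SHA-256 fingerprint as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def config_fragment(pem_text):
    """Return (xml_fragment, fingerprint) for one PEM certificate."""
    der = pem_to_der(pem_text)
    value = base64.b64encode(der).decode("ascii")
    return f"<device {CERT_PARAM}={quoteattr(value)} />", fingerprint(der)


if __name__ == "__main__":
    xml, fp = config_fragment(SAMPLE_PEM)
    print(xml)
    print("SHA-256:", fp)
```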
Polycom Employee & Community Manager

Re: 802.1x via RPRM?

Hello @mrbird 

 

I cannot provide training via the community to teach how to use RPRM. I do not think hosting a certificate is a supported scenario.

 

I already replied to answer your most common questions and I also shared the FAQ posts created by community volunteers.

 

Usually, I would suggest to a customer to set up a DHCP option 160/161 to point to HTTP://FQDN_or_IP/phoneservice/configfiles/

 

Use the Endpoint > Endpoint View > More > Import/Export UC Managed Endpoints and simply create a CSV file with all the MAC addresses and/or the SIP registration details etc.

 

Then create a single new Configuration Profile using the exported working parts of a PBU Backup File containing the certificate via:

 

  • Endpoint > UC Management > Configuration Profiles
  • New
  • Add new Configuration Profile
  • provide the details in General Information
  • Copy & paste the content of the above-mentioned file via Paste Configuration XML within Configuration Attributes
  • Save
  • Now assign the new Profile via Endpoint > UC Management > Profiles Deployment to either:
    Global, User Groups, Users/Rooms, Endpoint Groups, Endpoint Models, Sites or Endpoints

 

Once this has been done factory reset the phone in question and/or unbox all new phones and they will automatically be provisioned and work.

 

The above should not take longer than posting a reply within the community.

 

If you are unable to follow the above you could also use the CSV file Import described in the >FAQ< to contain the certificate as well.

 

If both of the above are not what you are after you can either:

 

  • Configure every single phone by hand
  • Work with a Poly reseller either on Training on RPRM or how to purchase professional services via Poly PGS

Other volunteers can try and help as well.

 

Best Regards

 

Steffen Baier

Message 8 of 11
Advisor

Re: 802.1x via RPRM?

Hi Steffen

 

Thanks for your extensive reply. Creating profiles for all phones including parameters has been set up for endpoint groups; that works. I could also upload the CA root cert via XML parameter to all phones. However, when it comes down to individual endpoint certificates, this is something where I (or RPRM) struggle (unless an individual profile for individual phones shall be created, but again, that effort is just too much).

 

Anyway, I will push internally for the SCEP process so that we move to a better automation of deploying devices.

 

Thanks again for your help.

Message 9 of 11