
[FAQ] How can I add a 802.1x EAP-PEAPv0/MSCHAPv2 Certificate or use the feature?

Polycom Employee & Community Manager

Please be aware that the example below only works with UC Software 4.0.0 or higher.

 

For further details please check => here <=

 

Option 1 using Configuration Files

 

NOTE: The phone only applies device.xxx parameters when device.set="1" is present and the individual device.xxx.set flag is "1" as well, so both must be used with the parameters below.

 

The Parameters needed for this example are as follows:

 

device.set="1" device.net.dot1x.enabled="1" device.net.dot1x.enabled.set="1"

Above enables 802.1x on the phone.

 

device.net.dot1x.method.set="1" device.net.dot1x.method="EAP-PEAPv0-MSCHAPv2" 

Above selects EAP-PEAPv0-MSCHAPv2 as the 802.1x method.

 

device.sec.TLS.customCaCert2.set="1" device.sec.TLS.customCaCert2="<Certificate…….>" 

Above adds the CA certificate; <Certificate…….> must be replaced with the actual certificate content. This is the CA that issued the certificate of the RADIUS/NPS server: the phone verifies the server certificate against it before the MSCHAPv2 credentials are sent inside the TLS tunnel, and (as the log excerpt under Troubleshooting shows) aborts with "unknown CA" if it cannot.

 

The value is an X.509 certificate in PEM format, that is, the DER encoding wrapped in Base64 ASCII between a "-----BEGIN CERTIFICATE-----" and an "-----END CERTIFICATE-----" line. PEM files usually carry extensions such as .pem, .crt or .cer; a .key file holds a PEM-encoded private key, which does not belong in this parameter.

 

 

device.sec.TLS.profile.caCertList1.set="1" device.sec.TLS.profile.caCertList1="All"

Above sets the CA certificate list of TLS Platform Profile 1 (the profile this example uses for 802.1x) to "All", so the profile trusts every CA certificate on the phone, including the one loaded into Platform CA 2 above. Platform CA 2 is used because it accepts a certificate of up to 4096 bytes, whereas Platform CA 1 only holds 1536 bytes.

 

 

device.net.dot1x.password="Add a Password" device.net.dot1x.password.set="1" 
device.net.dot1x.identity="Add a Username" device.net.dot1x.identity.set="1"

Above sets the 802.1x identity and password with which the phone authenticates itself on the switch port. A PC connected through the phone's PC port authenticates with its own credentials; these parameters do not cover it. Note that the password sits in the configuration file in clear text, so restrict access to the provisioning server and prefer an encrypted provisioning transport.

 

sec.dot1x.eapollogoff.enabled="1" sec.dot1x.eapollogoff.lanlinkreset="1"

Above enables the EAPOL-Logoff feature for a PC connected via the phone: when the PC is unplugged from the PC port the phone sends an EAPOL-Logoff on its behalf so the switch closes that session, and the second parameter additionally resets the LAN link when that happens.

 

NOTE: please ensure to consult the UCS Admin Guide for details on individual parameters.

 

Option 2 using the Phone Web Interface

 

802dot1x_01.PNG

 

802dot1x_02.PNG

 

Above links the TLS Platform Profile to the CA certificate loaded under Platform CA 2; Platform CA 2 is used in this example because it accepts a certificate of up to 4096 bytes, whereas Platform CA 1 only holds 1536 bytes.

 

The certificate can either be imported via the web interface as described => here <=, or you can simply place a URL into the field and click Install:

 

802dot1x_03.PNG

 

Platform Credentials:

 

Settings > Network > TLS > Device Certificates

 

PlatformCredentialsCertificateKey.png

 

Specifying a valid certificate in either Platform 1 or Platform 2

 

PlatformCredentialsCertificateKey_02.png

 

and clicking on Install will prompt the Phone to request the relevant key location:

 

PlatformCredentialsCertificateKey_03.png

 

The same can be provisioned via a configuration file, either for Platform Certificate 1 (note that the private key then sits in the configuration file in clear text; anyone who can read that file from the provisioning server can impersonate the phone, so restrict access to it accordingly):

 

device.sec.TLS.customDeviceCert1.set="1"
device.sec.TLS.customDeviceCert1.publicCert=""
device.sec.TLS.customDeviceCert1.privateKey=""

or the Platform Certificate 2

 

device.sec.TLS.customDeviceCert2.set="1"
device.sec.TLS.customDeviceCert2.publicCert=""
device.sec.TLS.customDeviceCert2.privateKey=""

PlatformCredentialsCertificateKey_04.png

 

Relationship between Platform Profiles:

 

PlatformCredentialsCertificateKey_05.png

 

  • In the above example we selected within the TLS Applications the TLS Platform Profile 2 for 802.1x as we are using a larger certificate.

 

  • We are assigning the Device Credentials for Platform Credential 2 within the TLS Profile

  • The CA Certificate within the TLS Profile is set to use All Certificates which means any added CA Certificate within the Certificate Configuration and in addition all built in certificates that are already on the phone (most common like GoDaddy/Symantec etc.).

  • For Syslog the phone would use any Platform CA 1 assigned Certificate added via the Certificate Configuration.

A current overview of all certificates can be found => here <= usually within the Certificate Updates for Polycom UC Software

 

Troubleshooting:

 

  • Missing or wrong Certificate

 

802dot1x_04.PNG

 

000021.234|dot1x|1|00|SSL: SSL_connect:SSLv3 read server hello A
000021.238|dot1x|4|00|TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/C=GB/ST=London/L=London/O=Polycom Inc/OU=PGS/CN=nps.sbaierhome.lab'
000021.238|dot1x|4|00|CTRL-EVENT-EAP-CERT-ERR TLS: Certificate verification failed, error 20 (unable to get local issuer certificate)#20
000021.239|dot1x|0|00|CTRL_IFACE monitor send - hexdump(len=21): 2f 74 6d 70 2f 77 70 61 5f 63 74 72 6c 5f 35 36 35 2d 31 30 00
000021.239|dot1x|1|00|tls_verify_cb tls_check_cert_time_get()=0
000021.243|dot1x|1|00|SSL: (where=0x4008 ret=0x230)
000021.243|dot1x|2|00|SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
000021.243|dot1x|2|00|CTRL-EVENT-EAP-ALERT SSL: SSL3 alert: fatal:unknown CA#48
000021.243|dot1x|0|00|CTRL_IFACE monitor send - hexdump(len=21): 2f 74 6d 70 2f 77 70 61 5f 63 74 72 6c 5f 35 36 35 2d 31 30 00
000021.245|dot1x|1|00|SSL: (where=0x1002 ret=0xffffffff)
000021.245|dot1x|3|00|SSL: SSL_connect:error in error
000021.245|dot1x|3|00|OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

 

  • Missing or incorrect 802.1x identity or password

802dot1x_05.PNG

000621.536|dot1x|1|00|EAP-MSCHAPV2: error 691
000621.536|dot1x|2|00|CTRL-EVENT-EAP-WRONG-UNAME-OR-PASSWD

or

 

000021.087|dot1x|1|00|EAP: EAP entering state FAILURE
000021.087|dot1x|2|00|CTRL-EVENT-EAP-WRONG-USERNAME

 

 

PC Port

 

1209183441|so   |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port:UP, Speed:100Mbps, duplex:full
1209183441|so   |3|00|SoNcasC::soPpsIsStackStarted
1209183441|dot1x|1|00|soHostMovementDetectionHandle entered.
1209183443|cdp  |1|00|Sending CDP packet with length (cdpPktLen= 152)
1209183443|cdp  |1|00|Received CDP packet from 00 0c 85 2e 24 c4.
1209183443|cdp  |2|00|Ignoring CDP packet with no VLAN Id.
1209183443|cdp  |2|00| Received CDP without voice and Native VLAN, Assuming Trunk Port
1209183445|dot1x|1|00|dot1xWpaSupplicantcommand [PING ] try to open control interface...
1209183445|dot1x|1|00|dot1xWpaSupplicantcommand [PING ] sent...
1209183449|so   |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port: DOWN
1209183449|so   |3|00|SoNcasC::soPpsIsStackStarted
1209183449|dot1x|1|00|soHostMovementDetectionHandle entered.

 




<======== Signature / Disclaimer ========>
Please be aware: For questions about the type of support to expect please check here

Please also ensure you always check the VoIP, Video Endpoint, Skype for Business, PSTN or RPM FAQs

Please remember, if you see a post that helped you , and it answers your question, please mark it as an "Accept as Solution".

The title Polycom Employee & Community Manager is an automatic setting within the community and any forum reply or post is based upon my personal experience and does not reflect the opinion or view of my employer.
Poly employee participation within this community is not mandatory and any post or FAQ article provided by myself is done either during my working hours or outside working hours, in my private time, and may be answered on weekends, bank holidays or personal holidays.
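As an added example for the "Option 1 using Configuration Files" section above (this is not Polycom's code and not part of the FAQ), the following Python script checks that the CA certificate really is a PEM-armoured X.509 certificate, chooses the Platform CA slot from the 1536/4096-byte limits the FAQ quotes, and writes one complete configuration file containing every parameter listed in that section. Assumptions not on the page: the root element name polycomConfig (the phone reads the attributes, not the element names), that the size limits apply to the PEM text as stored in the parameter, and that SAMPLE_CA_PEM is a constructed placeholder rather than a real certificate.

```python
"""Build the Option 1 802.1x configuration file from a CA certificate.

Added example, not Polycom's own tooling. Assumptions not on the FAQ page:
the root element name polycomConfig, the per-slot limits of 1536 bytes
(Platform CA 1) and 4096 bytes (Platform CA 2) applied to the PEM text as
stored in the parameter, and a constructed placeholder certificate.
"""
import base64
import re
import xml.etree.ElementTree as ET

CA_SLOT_LIMITS = {1: 1536, 2: 4096}   # bytes per Platform CA slot, as stated in the FAQ
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def wrap_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (Base64 in 64-character lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed placeholder: a minimal DER SEQUENCE so the example runs offline.
# It is NOT a real certificate; use the CA that issued the RADIUS server cert.
SAMPLE_CA_PEM = wrap_pem(b"\x30\x03\x02\x01\x01")


def check_pem_certificate(pem: str) -> dict:
    """Validate the PEM armour, decode the DER and pick the CA slot it fits in."""
    if "PRIVATE KEY" in pem:
        raise ValueError("input contains a private key; only the CA certificate belongs here")
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no -----BEGIN/END CERTIFICATE----- block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE, so not an X.509 certificate")
    pem_size = len(m.group(0))          # what actually goes into the parameter
    slot = next((n for n, limit in CA_SLOT_LIMITS.items() if pem_size <= limit), None)
    if slot is None:
        raise ValueError(f"certificate is {pem_size} bytes, larger than any Platform CA slot")
    return {"pem_size": pem_size, "der_size": len(der), "slot": slot}


def build_dot1x_config(ca_pem: str, identity: str, password: str) -> str:
    """Return the Option 1 configuration file with every parameter from the FAQ."""
    slot = check_pem_certificate(ca_pem)["slot"]
    attrs = {
        "device.set": "1",
        "device.net.dot1x.enabled": "1",
        "device.net.dot1x.enabled.set": "1",
        "device.net.dot1x.method": "EAP-PEAPv0-MSCHAPv2",
        "device.net.dot1x.method.set": "1",
        f"device.sec.TLS.customCaCert{slot}": ca_pem.strip(),
        f"device.sec.TLS.customCaCert{slot}.set": "1",
        # Platform Profile 1 trusts "All" CA certs, so the CA is trusted
        # whichever slot its size put it in.
        "device.sec.TLS.profile.caCertList1": "All",
        "device.sec.TLS.profile.caCertList1.set": "1",
        "device.net.dot1x.identity": identity,
        "device.net.dot1x.identity.set": "1",
        "device.net.dot1x.password": password,      # clear text in the file!
        "device.net.dot1x.password.set": "1",
        "sec.dot1x.eapollogoff.enabled": "1",
        "sec.dot1x.eapollogoff.lanlinkreset": "1",
    }
    root = ET.Element("polycomConfig")            # assumed root element name
    ET.SubElement(root, "dot1x", attrs)           # element name is arbitrary
    # ElementTree escapes <, &, " and the newlines inside the PEM attribute value.
    return ('<?xml version="1.0" encoding="utf-8" standalone="yes"?>\n'
            + ET.tostring(root, encoding="unicode") + "\n")


if __name__ == "__main__":
    print(build_dot1x_config(SAMPLE_CA_PEM, "phone-01", "change-me"))
```

Feed it the real CA PEM and the phone's identity and password; the output is the file you would place on the provisioning server. The password is still stored in clear text there, which is why access to that server needs restricting as noted in the section.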
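As an added example for the Troubleshooting section above (not Polycom tooling and not from the FAQ), this Python script parses dot1x log excerpts in the timestamp|module|level|sequence|message layout the excerpts show and maps them to the failure modes the section lists: a missing or wrong CA certificate, a wrong identity or password, and PC port link changes. The sample lines are the ones quoted in the FAQ; the field layout, the rule names and the "Assuming Trunk Port" rule are assumptions added here.

```python
"""Classify Polycom dot1x log output into the failure modes the FAQ lists.

Added example, not Polycom's own tooling. It assumes the log line layout
seen in the FAQ: timestamp|module|level|sequence|message, split on '|'.
"""
import re
from collections import Counter

# Sample lines quoted from the FAQ's Troubleshooting section.
SAMPLE_CA_FAILURE = """\
000021.234|dot1x|1|00|SSL: SSL_connect:SSLv3 read server hello A
000021.238|dot1x|4|00|TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/C=GB/ST=London/L=London/O=Polycom Inc/OU=PGS/CN=nps.sbaierhome.lab'
000021.243|dot1x|2|00|SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
000021.245|dot1x|3|00|OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"""
SAMPLE_BAD_PASSWORD = """\
000621.536|dot1x|1|00|EAP-MSCHAPV2: error 691
000621.536|dot1x|2|00|CTRL-EVENT-EAP-WRONG-UNAME-OR-PASSWD
"""
SAMPLE_PC_PORT = """\
1209183441|so   |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port:UP, Speed:100Mbps, duplex:full
1209183443|cdp  |2|00| Received CDP without voice and Native VLAN, Assuming Trunk Port
1209183449|so   |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port: DOWN
"""

# Ordered by severity for the verdict; the first regex that matches a line wins.
RULES = [
    ("missing_or_wrong_ca", re.compile(
        r"unable to get local issuer certificate|unknown CA|certificate verify failed")),
    ("wrong_credentials", re.compile(
        r"EAP-MSCHAPV2: error 691|CTRL-EVENT-EAP-WRONG-UNAME-OR-PASSWD")),
    ("wrong_identity", re.compile(r"CTRL-EVENT-EAP-WRONG-USERNAME")),
    ("pc_port_link_change", re.compile(r"PC Port: ?(UP|DOWN)")),
    ("no_vlan_in_cdp", re.compile(r"Assuming Trunk Port")),
]
# Subject of the server certificate the phone refused to trust.
SUBJECT_RE = re.compile(r"depth 0 for '([^']+)'")


def parse_line(line):
    """Split one log line into its fields; return None for anything else."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, module, level, seq, msg = parts
    return {"ts": ts, "module": module.strip(), "level": level, "seq": seq, "msg": msg}


def classify(log_text):
    """Return (finding, record) for every line that matches a rule."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for name, rx in RULES:
            if rx.search(rec["msg"]):
                findings.append((name, rec))
                break
    return findings


def diagnose(log_text):
    """Summarise an excerpt: counts per finding, the rejected server
    certificate subject (if any) and the most severe finding as verdict."""
    findings = classify(log_text)
    counts = Counter(name for name, _ in findings)
    subject = None
    for _, rec in findings:
        m = SUBJECT_RE.search(rec["msg"])
        if m:
            subject = m.group(1)
    verdict = next((name for name, _ in RULES if counts[name]), "no_known_failure")
    return {"findings": dict(counts), "server_cert_subject": subject, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in [("CA", SAMPLE_CA_FAILURE),
                          ("password", SAMPLE_BAD_PASSWORD),
                          ("PC port", SAMPLE_PC_PORT)]:
        print(label, diagnose(sample))
```

When the verdict is missing_or_wrong_ca, the reported subject tells you which server certificate the phone rejected, so you can confirm that the CA you loaded under Platform CA 1 or 2 is actually the issuer of that certificate and that the TLS profile used for 802.1x trusts it.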