
[FAQ] How can I add a 802.1x EAP-PEAPv0/MSCHAPv2 Certificate or use the feature?

Polycom Employee & Community Manager


Please be aware that the below example will only work with UC Software 4.0.0 or higher.


Trio UC Software 5.7.2 and VVX UC Software 5.9.0 introduced the Simple Certificate Enrolment Protocol, also known as SCEP => here <=


For further details please check => here <=


Option 1 using Configuration Files


NOTE: To use the parameters below, the device.set="1" parameter must be used.


The Parameters needed for this example are as follows:



above should be sufficient to enable 802.1x functionality

"1" "EAP-PEAPv0-MSCHAPv2"

above sets the EAP-PEAPv0-MSCHAPv2 as the 802.1x method


device.sec.TLS.customCaCert2.set="1" device.sec.TLS.customCaCert2="<Certificate…….>" 

above adds the Certificate and the <Certificate…….> needs to be replaced with the actual certificate content.


It should be a DER-encoded certificate in PEM format. PEM certificates usually have extensions such as .pem, .crt, .cer, and .key. They are Base64-encoded ASCII files and contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements.



device.sec.TLS.profile.caCertList1.set="1" device.sec.TLS.profile.caCertList1="All"

above links the TLS Profile with the Platform 1 used in this example as Platform 2 supports 4096 bytes and Platform 1 only 1536 Bytes.

"Add a Password" "1" "Add a Username" "1"

 above ensures that the Phone itself and a PC connected to the switch Port can authenticate themselves.


sec.dot1x.eapollogoff.enabled="1" sec.dot1x.eapollogoff.lanlinkreset="1"

above ensures that the EAPOL logoff feature for a PC connected via the Phone is enabled.


NOTE: Please consult the UCS Admin Guide for details on individual parameters.
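A pre-provisioning check for the certificate text that Option 1 places into device.sec.TLS.customCaCert2, as an added example that is not Poly's own tooling: it confirms the value is a single PEM-wrapped DER certificate, refuses private key material, and compares its size with the 1536 and 4096 byte figures quoted above. The function names, the constructed sample, and the reading of those figures as limits on the PEM text are assumptions of this example.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Sizes as quoted on the page. The page does not say what they measure; this
# example assumes they bound the PEM text placed in the parameter.
SLOT_LIMITS = {"Platform 1": 1536, "Platform 2": 4096}


def make_sample_pem(body_len):
    """Constructed stand-in (not a real certificate): a DER SEQUENCE of zero bytes."""
    der = b"\x30\x82" + body_len.to_bytes(2, "big") + bytes(body_len)
    b64 = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


def check_ca_pem(text):
    """Validate one PEM certificate and report which quoted size limits it fits."""
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("private key material found; only the CA certificate belongs here")
    if labels != ["CERTIFICATE"]:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {labels}")
    der = base64.b64decode("".join(blocks[0][1].split()), validate=True)
    # X.509 certificates of realistic size start with SEQUENCE (0x30) and a
    # two-byte long-form length (0x82) that must cover the rest of the data.
    if len(der) < 4 or der[:2] != b"\x30\x82":
        raise ValueError("decoded data is not a DER SEQUENCE with a 2-byte length")
    if int.from_bytes(der[2:4], "big") + 4 != len(der):
        raise ValueError("DER length mismatch: truncated or trailing data")
    pem_bytes = len(text.strip().encode("ascii"))
    fits = [slot for slot, limit in SLOT_LIMITS.items() if pem_bytes <= limit]
    return {"der_bytes": len(der), "pem_bytes": pem_bytes, "fits": fits}


if __name__ == "__main__":
    print(check_ca_pem(make_sample_pem(900)))
    print(check_ca_pem(make_sample_pem(1500)))
```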


Option 2 using the Phone Web Interface 






Above links the TLS Profile with the Platform 1 used in this example as Platform 2 supports 4096 bytes and Platform 1 only 1536 Bytes.


The Certificate can either be imported via the Web Interface as described => here <= or installed by simply placing a URL into the field and clicking Install:




Platform Credentials:


Settings > Network > TLS > Device Certificates




Specifying in either Platform 1 or Platform 2 a valid certificate




and clicking on Install will prompt the Phone to request the relevant key location:




The same can be provisioned via a configuration file for either the Platform Certificate 1:



or the Platform Certificate 2





Relationship between Platform Profiles:




  • In the above example, we selected within the TLS Applications the TLS Platform Profile 2 for 802.1x as we are using a larger certificate.


  • We are assigning the Device Credentials for Platform Credential 2 within the TLS Profile.

  • The CA Certificate within the TLS Profile is set to use All Certificates, which means any CA Certificate added within the Certificate Configuration plus all built-in certificates that are already on the phone (the most common ones, such as GoDaddy/Symantec etc.).

  • For Syslog the phone would use any Platform CA 1 assigned Certificate added via the Certificate Configuration.

A current overview of all certificates can be found => here <= usually within the Certificate Updates for Polycom UC Software




  •  Missing or wrong Certificate




000021.234|dot1x|1|00|SSL: SSL_connect:SSLv3 read server hello A
000021.238|dot1x|4|00|TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/C=GB/ST=London/L=London/O=Polycom Inc/OU=PGS/CN=nps.sbaierhome.lab'
000021.238|dot1x|4|00|CTRL-EVENT-EAP-CERT-ERR TLS: Certificate verification failed, error 20 (unable to get local issuer certificate)#20
000021.239|dot1x|0|00|CTRL_IFACE monitor send - hexdump(len=21): 2f 74 6d 70 2f 77 70 61 5f 63 74 72 6c 5f 35 36 35 2d 31 30 00
000021.239|dot1x|1|00|tls_verify_cb tls_check_cert_time_get()=0
000021.243|dot1x|1|00|SSL: (where=0x4008 ret=0x230)
000021.243|dot1x|2|00|SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
000021.243|dot1x|2|00|CTRL-EVENT-EAP-ALERT SSL: SSL3 alert: fatal:unknown CA#48
000021.243|dot1x|0|00|CTRL_IFACE monitor send - hexdump(len=21): 2f 74 6d 70 2f 77 70 61 5f 63 74 72 6c 5f 35 36 35 2d 31 30 00
000021.245|dot1x|1|00|SSL: (where=0x1002 ret=0xffffffff)
000021.245|dot1x|3|00|SSL: SSL_connect:error in error
000021.245|dot1x|3|00|OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


  • Missing or incorrect 802.1x identity or password


000621.536|dot1x|1|00|EAP-MSCHAPV2: error 691



000021.087|dot1x|1|00|EAP: EAP entering state FAILURE
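
The log signatures above turned into a small triage script, as an added example that is not part of the original post: it reads lines in the phone's time|component|level|id|message layout and maps the certificate-verification and MSCHAPv2 messages to the cause named in each bullet. The category names and advice strings are this example's own; the sample lines are copied from the logs on this page.

```python
import re

# Lines copied from the logs on this page (layout: time|component|level|id|message).
SAMPLE_LOG = """\
000021.238|dot1x|4|00|TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/C=GB/ST=London/L=London/O=Polycom Inc/OU=PGS/CN=nps.sbaierhome.lab'
000021.243|dot1x|2|00|CTRL-EVENT-EAP-ALERT SSL: SSL3 alert: fatal:unknown CA#48
000621.536|dot1x|1|00|EAP-MSCHAPV2: error 691
000021.087|dot1x|1|00|EAP: EAP entering state FAILURE
1209183443|cdp  |2|00|Ignoring CDP packet with no VLAN Id.
"""

# (pattern, category, advice): category names and advice text are this example's own.
RULES = [
    (re.compile(r"Certificate verification failed, error \d+"), "ca_trust",
     "server certificate chain not trusted: check the CA certificate on the phone"),
    (re.compile(r"SSL3 alert: .*fatal:unknown CA"), "ca_trust",
     "phone rejected the server certificate (TLS alert unknown CA)"),
    (re.compile(r"EAP-MSCHAPV2: error 691"), "credentials",
     "MSCHAPv2 authentication failure: check the 802.1x identity and password"),
    (re.compile(r"EAP entering state FAILURE"), "eap_failure",
     "EAP ended in FAILURE: read the earlier findings for the cause"),
]
SUBJECT = re.compile(r"for '([^']*)'")  # certificate subject quoted in the message


def triage(log_text):
    """Return one finding per dot1x log line that matches a rule."""
    findings = []
    for raw in log_text.splitlines():
        parts = raw.split("|", 4)  # the message itself may contain '|'
        if len(parts) != 5 or parts[1].strip() != "dot1x":
            continue  # malformed line or another component (cdp, so, ...)
        stamp, msg = parts[0], parts[4]
        for pattern, category, advice in RULES:
            if pattern.search(msg):
                subject = SUBJECT.search(msg)
                findings.append({"time": stamp, "category": category, "advice": advice,
                                 "subject": subject.group(1) if subject else None})
                break
    return findings


def root_causes(findings):
    """Distinct categories in first-seen order, ignoring the generic FAILURE marker."""
    seen = []
    for f in findings:
        if f["category"] != "eap_failure" and f["category"] not in seen:
            seen.append(f["category"])
    return seen


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["category"], f["advice"], f["subject"] or "")
```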



PC Port


1209183441|so   |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port:UP, Speed:100Mbps, duplex:full
1209183441|so   |3|00|SoNcasC::soPpsIsStackStarted
1209183441|dot1x|1|00|soHostMovementDetectionHandle entered.
1209183443|cdp  |1|00|Sending CDP packet with length (cdpPktLen= 152)
1209183443|cdp  |1|00|Received CDP packet from 00 0c 85 2e 24 c4.
1209183443|cdp  |2|00|Ignoring CDP packet with no VLAN Id.
1209183443|cdp  |2|00| Received CDP without voice and Native VLAN, Assuming Trunk Port
1209183445|dot1x|1|00|dot1xWpaSupplicantcommand [PING ] try to open control interface...
1209183445|dot1x|1|00|dot1xWpaSupplicantcommand [PING ] sent...
1209183449|so   |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port: DOWN
1209183449|so   |3|00|SoNcasC::soPpsIsStackStarted
1209183449|dot1x|1|00|soHostMovementDetectionHandle entered.


