Plantronics + Polycom. Now together as Poly Logo

Poly Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

[FAQ] How can I add a 802.1x EAP-PEAPv0/MSCHAPv2 Certificate or use the feature?

SteffenBaierUK
Polycom Employee & Community Manager Polycom Employee & Community Manager
Polycom Employee & Community Manager
‎07-25-2012 06:51 AM
‎07-25-2012 06:51 AM

[FAQ] How can I add a 802.1x EAP-PEAPv0/MSCHAPv2 Certificate or use the feature?

Please be aware that the below example will only work with UC Software 4.0.0 or higher.

 

Trio UC Software 5.7.2 and VVX UC Software 5.9.0 introduced the Simple Certificate Enrolment Protocol also known as => here <=

 

For further details please check => here <=

 

Our Poly Employee Brannon Kwok provides detailed instructions >part 1< and >part 2< around the full working setup.

 

Supported EAP Authentication Protocols and Requirements

 

EAP-TLS
• Device certificate
• Trusted Root Certificate Authority and Client/Device certificates
• Identity (user name)


EAP-PEAPv0/EAP-MSCHAPv2 and EAP-PEAPv0/EAP-GTC
• Trusted Root Certificate Authority and Client/Device certificates
• Identity (user name)
• Password


EAP-TTLS/EAP-MSCHAPv2 and EAP-TTLS/EAP-GTC
• Trusted Root Certificate Authority and Client/Device certificates
• Identity (user name)
• Password


EAP-MD5
• Identity (user name)
• Password


EAP-FAST
• Identity (user name)
• Password
• Optional PAC file, provisioned automatically through the network or manually using a PAC file password.

 

Option 1 using Configuration Files

 

NOTE: In order to use the below Parameters the device.set="1" Parameter must be used.

 

The Parameters needed for this example are as follows:

 

<web device.set="1" device.net.dot1x.enabled="1" device.net.dot1x.enabled.set="1" />

 above should be sufficient to enable 802.1x functionality 

 

<web device.net.dot1x.method.set="1" device.net.dot1x.method="EAP-PEAPv0-MSCHAPv2" />

above sets the EAP-PEAPv0-MSCHAPv2 as the 802.1x method

 

<web device.sec.TLS.customCaCert2.set="1" device.sec.TLS.customCaCert2="<Certificate…….>" />

above adds the Certificate and the <Certificate…….> needs to be replaced with the actual certificate content.

 

It should be a DER-encoded certificate in PEM format. PEM certificates usually have extension such as .pem, .crt, .cer, and .key. They are Base64 encoded ASCII files and contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements.

 

 

<web device.sec.TLS.profile.caCertList1.set="1" device.sec.TLS.profile.caCertList1="All" />

 above links the TLS Profile with Platform 1 used in this example as Platform 2 supports 4096 bytes and Platform 1 only 1536 Bytes.

 

 

<web device.net.dot1x.password="Add a Password" device.net.dot1x.password.set="1" 
device.net.dot1x.identity="Add a Username" device.net.dot1x.identity.set="1" />

 above ensures that the Phone itself and a PC connected to the switch Port can authenticate themselves.

 

<web sec.dot1x.eapollogoff.enabled="1" sec.dot1x.eapollogoff.lanlinkreset="1" />

 above ensures that the EAPOL logoff features for a PC connected via the Phone is enabled.

 

NOTE: Please ensure to consult the UCS Admin Guide for details on individual parameters.

 

Option 2 using the Phone Web Interface 

 

802dot1x_01.PNG

 

802dot1x_02.PNG

 

Above links the TLS Profile with Platform 1 used in this example as Platform 2 supports 4096 bytes and Platform 1 only 1536 Bytes.

 

The Certificate can either be imported via the Web Interface as described => here <= or simply place a URL into the field and click install:

 

802dot1x_03.PNG

 

Platform Credentials:

 

Settings > Network > TLS > Device Certificates

 

PlatformCredentialsCertificateKey.png

 

Specifying in either Platform 1 or Platform 2 a valid certificate

 

PlatformCredentialsCertificateKey_02.png

 

and clicking on Install will prompt the Phone to request the relevant key location:

 

PlatformCredentialsCertificateKey_03.png

 

The same can be provisioned via a configuration file for either the Platform Certificate 1:

 

device.sec.TLS.customDeviceCert1.set="1"
device.sec.TLS.customDeviceCert1.publicCert=""
device.sec.TLS.customDeviceCert1.privateKey=""

or the Platform Certificate 2

 

device.sec.TLS.customDeviceCert2.set="1"
device.sec.TLS.customDeviceCert2.publicCert=""
device.sec.TLS.customDeviceCert2.privateKey=""

NOTE: Please ensure the certificate does not contain the -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- or -----BEGIN RSA PRIVATE KEY----- / -----END RSA PRIVATE KEY----- statements and is in one line without any carriage return or line feed.

PlatformCredentialsCertificateKey_04.png

 

Relationship between Platform Profiles:

 

PlatformCredentialsCertificateKey_05.png

 

  • In the above example, we selected within the TLS Applications the TLS Platform Profile 2 for 802.1x as we are using a larger certificate.

 

  • We are assigning the Device Credentials for Platform  Credential 2 within the TLS Profile

  • The CA Certificate within the TLS Profile is set to use All Certificates which means any added CA Certificate within the Certificate Configuration and in addition, all built-in certificates that are already on the phone (most common like GoDaddy/Symantec, etc.).

  • For Syslog the phone would use any Platform CA 1 assigned Certificate added via the Certificate Configuration.

A current overview of all certificates can be found => here <= usually within the Certificate Updates for Polycom UC Software

 

Outer ID / Anonymous ID authentication

Dot1x_OuterID-AnonymousID.png

 

The Anonymous ID is the outer ID

 

 

 

<web device.net.dot1x.anonid.set="1" device.net.dot1x.anonid="replace_with_outerID" />

 

 

 

 

Option 3 using RPRM / PDMS-E

 

  • On RealPresence RessourceManager browse to Endpoint > UC Management > Configuration Profiles and either add the needed parameters or copy a working config via "Paste Configuration XML"

 

RPRM_Dot1x_01.png

 

  • On PDMS-E got to and add a new Profile Configuration and follow the above example

 

PDMS-E_dot1x_01.png

 

As explained above SCEP => here <= can be used to supply the certificate already

 

Troubleshooting:

 

  •  Missing or wrong Certificate

 

802dot1x_04.PNG

 

000021.234|dot1x|1|00|SSL: SSL_connect:SSLv3 read server hello A
000021.238|dot1x|4|00|TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/C=GB/ST=London/L=London/O=Polycom Inc/OU=PGS/CN=nps.sbaierhome.lab'
000021.238|dot1x|4|00|CTRL-EVENT-EAP-CERT-ERR TLS: Certificate verification failed, error 20 (unable to get local issuer certificate)#20
000021.239|dot1x|0|00|CTRL_IFACE monitor send - hexdump(len=21): 2f 74 6d 70 2f 77 70 61 5f 63 74 72 6c 5f 35 36 35 2d 31 30 00
000021.239|dot1x|1|00|tls_verify_cb tls_check_cert_time_get()=0
000021.243|dot1x|1|00|SSL: (where=0x4008 ret=0x230)
000021.243|dot1x|2|00|SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
000021.243|dot1x|2|00|CTRL-EVENT-EAP-ALERT SSL: SSL3 alert: fatal:unknown CA#48
000021.243|dot1x|0|00|CTRL_IFACE monitor send - hexdump(len=21): 2f 74 6d 70 2f 77 70 61 5f 63 74 72 6c 5f 35 36 35 2d 31 30 00
000021.245|dot1x|1|00|SSL: (where=0x1002 ret=0xffffffff)
000021.245|dot1x|3|00|SSL: SSL_connect:error in error
000021.245|dot1x|3|00|OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

 

  • Missing or incorrect 802.1x identity or password

802dot1x_05.PNG

000621.536|dot1x|1|00|EAP-MSCHAPV2: error 691
000621.536|dot1x|2|00|CTRL-EVENT-EAP-WRONG-UNAME-OR-PASSWD

or

 

000021.087|dot1x|1|00|EAP: EAP entering state FAILURE
000021.087|dot1x|2|00|CTRL-EVENT-EAP-WRONG-USERNAME

 

 

PC Port

 

1209183441|so   |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port:UP, Speed:100Mbps, duplex:full
1209183441|so   |3|00|SoNcasC::soPpsIsStackStarted
1209183441|dot1x|1|00|soHostMovementDetectionHandle entered.
1209183443|cdp  |1|00|Sending CDP packet with length (cdpPktLen= 152)
1209183443|cdp  |1|00|Received CDP packet from 00 0c 85 2e 24 c4.
1209183443|cdp  |2|00|Ignoring CDP packet with no VLAN Id.
1209183443|cdp  |2|00| Received CDP without voice and Native VLAN, Assuming Trunk Port
1209183445|dot1x|1|00|dot1xWpaSupplicantcommand [PING ] try to open control interface...
1209183445|dot1x|1|00|dot1xWpaSupplicantcommand [PING ] sent...
1209183449|so   |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port: DOWN
1209183449|so   |3|00|SoNcasC::soPpsIsStackStarted
1209183449|dot1x|1|00|soHostMovementDetectionHandle entered.

 

----------------
The title Polycom Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. All posts and words are my own & do not represent the views of Employer.

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's
Message 1 of 1
0 Kudos