Please be aware that the example below only works with UC Software 4.0.0 or higher.
Trio UC Software 5.7.2 and VVX UC Software 5.9.0 introduced the Simple Certificate Enrolment Protocol, also known as SCEP.
For further details please check here.
Supported EAP Authentication Protocols and Requirements
EAP-TLS
• Device certificate
• Trusted Root Certificate Authority and Client/Device certificates
• Identity (user name)
EAP-PEAPv0/EAP-MSCHAPv2 and EAP-PEAPv0/EAP-GTC
• Trusted Root Certificate Authority and Client/Device certificates
• Identity (user name)
• Password
EAP-TTLS/EAP-MSCHAPv2 and EAP-TTLS/EAP-GTC
• Trusted Root Certificate Authority and Client/Device certificates
• Identity (user name)
• Password
EAP-MD5
• Identity (user name)
• Password
EAP-FAST
• Identity (user name)
• Password
• Optional PAC file, provisioned automatically through the network or manually using a PAC file password.
Option 1 using Configuration Files
NOTE: In order to use the parameters below, the device.set="1" parameter must be used.
The parameters needed for this example are as follows:
<web device.set="1" device.net.dot1x.enabled="1" device.net.dot1x.enabled.set="1" />
The above is sufficient to enable 802.1X functionality.
<web device.net.dot1x.method.set="1" device.net.dot1x.method="EAP-PEAPv0-MSCHAPv2" />
The above sets EAP-PEAPv0-MSCHAPv2 as the 802.1X method.
<web device.sec.TLS.customCaCert2.set="1" device.sec.TLS.customCaCert2="<Certificate…….>" />
The above adds the CA certificate; <Certificate…….> needs to be replaced with the actual certificate content.
The certificate should be PEM-encoded, that is, a DER certificate encoded as Base64 ASCII text. PEM files usually have an extension such as .pem, .crt, .cer or .key and contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.
<web device.sec.TLS.profile.caCertList1.set="1" device.sec.TLS.profile.caCertList1="All" />
The above links the TLS profile with Platform 1, which is used in this example; note that Platform 2 supports 4096 bytes and Platform 1 only 1536 bytes.
<web device.net.dot1x.password="Add a Password" device.net.dot1x.password.set="1"
device.net.dot1x.identity="Add a Username" device.net.dot1x.identity.set="1" />
The above ensures that the phone itself, and a PC connected to the switch port, can authenticate themselves.
<web sec.dot1x.eapollogoff.enabled="1" sec.dot1x.eapollogoff.lanlinkreset="1" />
The above ensures that the EAPOL logoff feature for a PC connected via the phone is enabled.
NOTE: Please ensure to consult the UCS Admin Guide for details on individual parameters.
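As an added example (not Polycom code or tooling), the following Python script checks that a certificate file has the PEM form described above, checks its size against the 1536/4096-byte limits quoted for Platform 1 and Platform 2 (assumption: the limit applies to the PEM text stored in the parameter value), and emits the customCaCert2 line with proper XML attribute escaping; pem_from_der is a helper for constructing sample input.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Byte limits quoted on the page for the two certificate platforms. Assumption:
# the limit applies to the PEM text placed in the parameter value.
PLATFORM_LIMITS = {1: 1536, 2: 4096}

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_from_der(der: bytes) -> str:
    """Wrap raw DER bytes as a PEM certificate block (used to build samples)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


def check_pem_certificate(pem_text: str) -> bytes:
    """Return the DER bytes if pem_text holds exactly one well-formed PEM certificate."""
    if pem_text.count("-----BEGIN CERTIFICATE-----") != 1:
        raise ValueError("expected exactly one BEGIN CERTIFICATE marker")
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("missing or mismatched BEGIN/END CERTIFICATE markers")
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid Base64: {exc}") from exc
    # A DER certificate is an ASN.1 SEQUENCE, which always starts with tag 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE; not a certificate")
    return der


def build_ca_cert_line(pem_text: str, platform: int) -> str:
    """Return the <web .../> line for customCaCert2, or raise if it will not fit."""
    check_pem_certificate(pem_text)
    size = len(pem_text.encode("ascii"))
    limit = PLATFORM_LIMITS[platform]
    if size > limit:
        raise ValueError(f"{size} bytes exceeds the Platform {platform} limit of {limit}")
    elem = ET.Element("web", {
        "device.set": "1",
        "device.sec.TLS.customCaCert2.set": "1",
        "device.sec.TLS.customCaCert2": pem_text.strip(),
    })
    # ElementTree escapes the attribute value (newlines become &#10;), so the
    # line stays valid XML for the phone's configuration file parser.
    return ET.tostring(elem, encoding="unicode")
```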
Option 2 using the Phone Web Interface
The certificate can either be imported via the web interface as described here, or a URL can simply be placed into the field and Install clicked:
Platform Credentials: Settings > Network > TLS > Device Certificates
Specifying a valid certificate in either Platform 1 or Platform 2 and clicking Install prompts the phone to request the location of the corresponding key:
The same can be provisioned via a configuration file, either for Platform Certificate 1:
device.sec.TLS.customDeviceCert1.set="1" device.sec.TLS.customDeviceCert1.publicCert="" device.sec.TLS.customDeviceCert1.privateKey=""
or for Platform Certificate 2:
device.sec.TLS.customDeviceCert2.set="1" device.sec.TLS.customDeviceCert2.publicCert="" device.sec.TLS.customDeviceCert2.privateKey=""
Relationship between Platform Profiles:
A current overview of all certificates can be found here, usually within the Certificate Updates for Polycom UC Software.
Outer ID / Anonymous ID authentication
The anonymous ID is the outer identity:
<web device.net.dot1x.anonid.set="1" device.net.dot1x.anonid="replace_with_outerID" />
Option 3 using RPRM / PDMS-E
As explained above, SCEP can also be used to supply the certificate.
Troubleshooting:
The phone does not trust the CA that issued the authentication server's certificate (verification error 20, fatal alert "unknown CA"):
000021.234|dot1x|1|00|SSL: SSL_connect:SSLv3 read server hello A
000021.238|dot1x|4|00|TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/C=GB/ST=London/L=London/O=Polycom Inc/OU=PGS/CN=nps.sbaierhome.lab'
000021.238|dot1x|4|00|CTRL-EVENT-EAP-CERT-ERR TLS: Certificate verification failed, error 20 (unable to get local issuer certificate)#20
000021.239|dot1x|0|00|CTRL_IFACE monitor send - hexdump(len=21): 2f 74 6d 70 2f 77 70 61 5f 63 74 72 6c 5f 35 36 35 2d 31 30 00
000021.239|dot1x|1|00|tls_verify_cb tls_check_cert_time_get()=0
000021.243|dot1x|1|00|SSL: (where=0x4008 ret=0x230)
000021.243|dot1x|2|00|SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
000021.243|dot1x|2|00|CTRL-EVENT-EAP-ALERT SSL: SSL3 alert: fatal:unknown CA#48
000021.243|dot1x|0|00|CTRL_IFACE monitor send - hexdump(len=21): 2f 74 6d 70 2f 77 70 61 5f 63 74 72 6c 5f 35 36 35 2d 31 30 00
000021.245|dot1x|1|00|SSL: (where=0x1002 ret=0xffffffff)
000021.245|dot1x|3|00|SSL: SSL_connect:error in error
000021.245|dot1x|3|00|OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
The supplied identity or password was rejected (EAP-MSCHAPv2 error 691):
000621.536|dot1x|1|00|EAP-MSCHAPV2: error 691
000621.536|dot1x|2|00|CTRL-EVENT-EAP-WRONG-UNAME-OR-PASSWD
or
000021.087|dot1x|1|00|EAP: EAP entering state FAILURE
000021.087|dot1x|2|00|CTRL-EVENT-EAP-WRONG-USERNAME
PC Port
1209183441|so |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port:UP, Speed:100Mbps, duplex:full
1209183441|so |3|00|SoNcasC::soPpsIsStackStarted
1209183441|dot1x|1|00|soHostMovementDetectionHandle entered.
1209183443|cdp |1|00|Sending CDP packet with length (cdpPktLen= 152)
1209183443|cdp |1|00|Received CDP packet from 00 0c 85 2e 24 c4.
1209183443|cdp |2|00|Ignoring CDP packet with no VLAN Id.
1209183443|cdp |2|00| Received CDP without voice and Native VLAN, Assuming Trunk Port
1209183445|dot1x|1|00|dot1xWpaSupplicantcommand [PING ] try to open control interface...
1209183445|dot1x|1|00|dot1xWpaSupplicantcommand [PING ] sent...
1209183449|so |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port: DOWN
1209183449|so |3|00|SoNcasC::soPpsIsStackStarted
1209183449|dot1x|1|00|soHostMovementDetectionHandle entered.
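As an added example (not Polycom tooling), this Python snippet parses lines in the phone log format shown above and tallies the likely cause behind each failure signature in the troubleshooting excerpts (untrusted CA, rejected credentials, PC port going down). The sample lines are constructed from those excerpts, and the cause text next to each pattern is this example's own reading of the messages.

```python
import re
from collections import Counter

# Phone log line: <timestamp>|<module>|<level>|<two digits>|<message>
LINE_RE = re.compile(r"^(\d+(?:\.\d+)?)\|(\S+)\s*\|(\d)\|\d\d\|(.*)$")

# Message patterns taken from the log excerpts above, most specific first.
# The suggested cause next to each is an assumption drawn from the message text.
CAUSES = [
    (re.compile(r"unable to get local issuer certificate|unknown CA"),
     "server certificate not trusted: check the CA certificate and caCertList"),
    (re.compile(r"error 691|WRONG-UNAME-OR-PASSWD"), "identity or password rejected"),
    (re.compile(r"WRONG-USERNAME"), "identity (username) rejected"),
    (re.compile(r"PC Port: DOWN"), "PC port link lost: expect EAPOL logoff / link reset"),
]

# Constructed sample, shortened from the excerpts above.
SAMPLE_LOG = [
    "000021.238|dot1x|4|00|TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0",
    "000021.243|dot1x|2|00|SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA",
    "000621.536|dot1x|1|00|EAP-MSCHAPV2: error 691",
    "000021.087|dot1x|2|00|CTRL-EVENT-EAP-WRONG-USERNAME",
    "1209183449|so |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port: DOWN",
    "not a phone log line",
]


def parse_line(line):
    """Split one log line into (module, level, message); None if the format does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    _ts, module, level, message = m.groups()
    return module, int(level), message


def classify(lines):
    """Count likely causes across log lines; each line is credited to its first matching pattern."""
    found = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        message = parsed[2]
        for pattern, cause in CAUSES:
            if pattern.search(message):
                found[cause] += 1
                break
    return found
```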