VVX400/410 8021.x

SSMIC
Occasional Contributor

I have been trying to get my phones to authenticate using 802.1X EAP-TLS for a couple of weeks now without success. I can get my laptop to authenticate on the same port without issue.

Here is the configuration from the phone.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Application SIP Finlay 5.6.0.17325 09-Jul-17 01:33 -->
<!-- Created 15-10-2021 15:05 -->
<PHONE_CONFIG>
<!-- Note: The following parameters have been excluded from the export:
device.auth.localUserPassword=""
device.tr069.cpe.password=""
device.tr069.acs.password=""
device.pacfile.password=""
device.net.dot1x.password=""
device.prov.lyncDeviceUpdatePassword=""
device.auth.localAdminPassword=""
device.logincred.password=""
device.prov.password=""
-->
<DEVICE_SETTINGS
device.set="1"
device.auth.localUserPassword.set="0"
device.tr069.cpe.password.set="0"
device.tr069.acs.password.set="0"
device.pacfile.password.set="0"
device.net.dot1x.password.set="0"
device.prov.lyncDeviceUpdatePassword.set="0"
device.auth.localAdminPassword.set="0"
device.logincred.pin.set="0"
device.logincred.pin=""
device.logincred.password.set="0"
device.prov.password.set="0"
device.baseProfile.set="1"
device.baseProfile="Generic"
device.prov.serverType.set="1"
device.prov.serverType="HTTP"
device.dhcp.enabled.set="1"
device.dhcp.enabled="1"
device.net.enabled.set="1"
device.net.enabled="1"
device.net.ipAddress.set="1"
device.net.ipAddress="0.0.0.0"
device.net.subnetMask.set="1"
device.net.subnetMask="255.0.0.0"
device.net.IPgateway.set="1"
device.net.IPgateway="0.0.0.0"
device.net.ipStack.set="1"
device.net.ipStack="V4Only"
device.net.preferredNetwork.set="1"
device.net.preferredNetwork="V6"
device.net.ipv6AddrDisc.set="1"
device.net.ipv6AddrDisc="DHCP"
device.net.ipv6PrivacyExtension.set="1"
device.net.ipv6PrivacyExtension="EUI64"
device.net.ipv6Address.set="1"
device.net.ipv6Address="::"
device.net.ipv6ULAAddress.set="1"
device.net.ipv6ULAAddress="::"
device.net.ipv6LinkAddress.set="1"
device.net.ipv6LinkAddress="::"
device.net.ipv6Gateway.set="1"
device.net.ipv6Gateway="::"
device.net.vlanId.set="1"
device.net.vlanId=""
device.net.cdpEnabled.set="1"
device.net.cdpEnabled="1"
device.net.lldpEnabled.set="1"
device.net.lldpEnabled="1"
device.net.lldpCapabilitiesRequired.set="1"
device.net.lldpCapabilitiesRequired="1"
device.net.lldpFastStartCount.set="1"
device.net.lldpFastStartCount="5"
device.net.etherVlanFilter.set="1"
device.net.etherVlanFilter="1"
device.net.etherStormFilter.set="1"
device.net.etherStormFilter="1"
device.net.etherStormFilterPpsValue.set="1"
device.net.etherStormFilterPpsValue="38"
device.net.icmp.echoRepliesMask.set="1"
device.net.icmp.echoRepliesMask="1"
device.net.etherModeLAN.set="1"
device.net.etherModeLAN="Auto"
device.net.etherModePC.set="1"
device.net.etherModePC="Auto"
device.dhcp.dhcpVlanDiscUseOpt.set="1"
device.dhcp.dhcpVlanDiscUseOpt="Fixed"
device.dhcp.dhcpVlanDiscOpt.set="1"
device.dhcp.dhcpVlanDiscOpt="129"
device.dhcp.dhcpv6VlanDiscOpt.set="1"
device.dhcp.dhcpv6VlanDiscOpt="1"
device.dhcp.bootSrvUseOpt.set="1"
device.dhcp.bootSrvUseOpt="CustomAndDefault"
device.dhcp.bootSrvOpt.set="1"
device.dhcp.bootSrvOpt="160"
device.dhcp.bootSrvOptType.set="1"
device.dhcp.bootSrvOptType="String"
device.dhcp.option60Type.set="1"
device.dhcp.option60Type="ASCII"
device.prov.upgradeServer.set="1"
device.prov.upgradeServer=""
device.prov.serverName.set="1"
device.prov.serverName="http://provision.omnity.biz"
device.prov.user.set="1"
device.prov.user=""
device.prov.redunAttemptLimit.set="1"
device.prov.redunAttemptLimit="3"
device.prov.redunInterAttemptDelay.set="1"
device.prov.redunInterAttemptDelay="1"
device.prov.maxRedunServers.set="1"
device.prov.maxRedunServers="8"
device.prov.AutoProvEnabled.set="1"
device.prov.AutoProvEnabled="0"
device.prov.networkEnvironment.set="1"
device.prov.networkEnvironment="1"
device.prov.tagSerialNo.set="1"
device.prov.tagSerialNo="0"
device.cma.mode.set="1"
device.cma.mode="Disabled"
device.cma.serverName.set="1"
device.cma.serverName=""
device.cma.disableTlsForDebug.set="1"
device.cma.disableTlsForDebug="0"
device.ntlm.versionMode.set="1"
device.ntlm.versionMode="v2"
device.logincred.user.set="1"
device.logincred.user=""
device.logincred.domain.set="1"
device.logincred.domain=""
device.logincred.extension.set="1"
device.logincred.extension=""
device.sec.TLS.OCSP.enabled.set="1"
device.sec.TLS.OCSP.enabled="0"
device.sec.TLS.FIPS.enabled.set="1"
device.sec.TLS.FIPS.enabled="0"
device.sec.TLS.protocol.dot1x.set="1"
device.sec.TLS.protocol.dot1x="TLSv1_2"
device.sec.TLS.protocol.syslog.set="1"
device.sec.TLS.protocol.syslog="TLSv1_0"
device.sec.TLS.protocol.prov.set="1"
device.sec.TLS.protocol.prov="TLSv1_0"
device.sec.TLS.profile.cipherSuiteDefault1.set="1"
device.sec.TLS.profile.cipherSuiteDefault1="0"
device.sec.TLS.profile.cipherSuite1.set="1"
device.sec.TLS.profile.cipherSuite1="ALL:!aNULL:!eNULL:!DSS:!SEED:!ECDSA:!IDEA:!MEDIUM:!LOW:!EXP:!DH:!AECDH:!PSK:!SRP:!MD5:!RC4:@STRENGTH"
device.sec.TLS.profile.caCertList1.set="1"
device.sec.TLS.profile.caCertList1="All"
device.sec.TLS.profile.deviceCert1.set="1"
device.sec.TLS.profile.deviceCert1="Platform1"
device.sec.TLS.profile.cipherSuiteDefault2.set="1"
device.sec.TLS.profile.cipherSuiteDefault2="1"
device.sec.TLS.profile.cipherSuite2.set="1"
device.sec.TLS.profile.cipherSuite2=""
device.sec.TLS.profile.caCertList2.set="1"
device.sec.TLS.profile.caCertList2="All"
device.sec.TLS.profile.deviceCert2.set="1"
device.sec.TLS.profile.deviceCert2="Platform2"
device.sec.TLS.syslog.strictCertCommonNameValidation.set="1"
device.sec.TLS.syslog.strictCertCommonNameValidation="1"
device.sec.TLS.profileSelection.syslog.set="1"
device.sec.TLS.profileSelection.syslog="PlatformProfile1"
device.sec.TLS.prov.strictCertCommonNameValidation.set="1"
device.sec.TLS.prov.strictCertCommonNameValidation="1"
device.sec.TLS.profileSelection.provisioning.set="1"
device.sec.TLS.profileSelection.provisioning="PlatformProfile1"
device.sec.TLS.dot1x.strictCertCommonNameValidation.set="1"
device.sec.TLS.dot1x.strictCertCommonNameValidation="0"
device.sec.TLS.profileSelection.dot1x.set="1"
device.sec.TLS.profileSelection.dot1x="PlatformProfile1"
device.sec.coreDumpEncryption.enabled.set="1"
device.sec.coreDumpEncryption.enabled="1"
device.syslog.serverName.set="1"
device.syslog.serverName=""
device.syslog.transport.set="1"
device.syslog.transport="UDP"
device.syslog.facility.set="1"
device.syslog.facility="16"
device.syslog.renderLevel.set="1"
device.syslog.renderLevel="4"
device.syslog.prependMac.set="1"
device.syslog.prependMac="0"
device.sntp.serverName.set="1"
device.sntp.serverName=""
device.sntp.gmtOffset.set="1"
device.sntp.gmtOffset="0"
device.sntp.gmtOffsetcityID.set="1"
device.sntp.gmtOffsetcityID="37"
device.dns.serverAddress.set="1"
device.dns.serverAddress="0.0.0.0"
device.dns.altSrvAddress.set="1"
device.dns.altSrvAddress="0.0.0.0"
device.dns.domain.set="1"
device.dns.domain=""
device.hostname.set="1"
device.hostname=""
device.em.power.set="1"
device.em.power="1"
device.prov.ztpEnabled.set="1"
device.prov.ztpEnabled="0"
device.prov.curlPartialFileError.enabled.set="1"
device.prov.curlPartialFileError.enabled="0"
device.prov.lyncDeviceUpdateEnabled.set="1"
device.prov.lyncDeviceUpdateEnabled="0"
device.prov.lyncDeviceUpdateUser.set="1"
device.prov.lyncDeviceUpdateUser=""
device.prov.lyncDeviceUpdateDomain.set="1"
device.prov.lyncDeviceUpdateDomain=""
device.prov.lyncDeviceUpdateExtension.set="1"
device.prov.lyncDeviceUpdateExtension=""
device.prov.lyncDeviceUpdatePin.set="1"
device.prov.lyncDeviceUpdatePin=""
device.prov.lyncDeviceUpdateCredentialType.set="1"
device.prov.lyncDeviceUpdateCredentialType="1"
device.net.dot1x.enabled.set="1"
device.net.dot1x.enabled="1"
device.net.dot1x.method.set="1"
device.net.dot1x.method="EAP-TLS"
device.net.dot1x.identity.set="1"
device.net.dot1x.identity="nadmin"
device.net.dot1x.anonid.set="1"
device.net.dot1x.anonid=""
device.net.dot1x.eapFastInBandProv.set="1"
device.net.dot1x.eapFastInBandProv="0"
device.ipv6.icmp.genDestUnreachable.set="1"
device.ipv6.icmp.genDestUnreachable="1"
device.ipv6.icmp.echoReplies.set="1"
device.ipv6.icmp.echoReplies="1"
device.ipv6.icmp.ignoreRedirect.set="1"
device.ipv6.icmp.ignoreRedirect="1"
device.ipv6.icmp.txRateLimiting.set="1"
device.ipv6.icmp.txRateLimiting="1000"
device.feature.tr069.enabled.set="1"
device.feature.tr069.enabled="0"
device.tr069.acs.url.set="1"
device.tr069.acs.url=""
device.tr069.acs.username.set="1"
device.tr069.acs.username="PlcmSpIp"
device.tr069.cpe.username.set="1"
device.tr069.cpe.username="PlcmSpIp"
device.tr069.periodicInform.enabled.set="1"
device.tr069.periodicInform.enabled="0"
device.tr069.periodicInform.interval.set="1"
device.tr069.periodicInform.interval="18000"
device.tr069.upgradesManaged.enabled.set="1"
device.tr069.upgradesManaged.enabled="0"
device.tr069.upgradeUrl.set="1"
device.tr069.upgradeUrl=""
device.tr069.upgradeStatus.set="1"
device.tr069.upgradeStatus="DontUpgrade"
device.auxPort.enable.set="1"
device.auxPort.enable="1"
device.theme.set="1"
device.theme="Classic"
device.spProfile.set="1"
device.spProfile="Default"
device.serial.enable.set="1"
device.serial.enable="1"
device.sec.TLS.customCaCert1.set="1"
device.sec.TLS.customCaCert1="certificate removed"
/>
</PHONE_CONFIG>

When I run a packet capture for the phone while it is connecting I get the following.

Extensible Authentication Protocol
   Code: Response (2)
   Id: 2
   Length: 6
   Type: Legacy Nak (Response Only) (3)
   Desired Auth Type: Unknown (0)

Type should be eap-tls

I am not sure what I am doing wrong.

Message 1 of 4
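
What the capture in the post above decodes to, as an added example that is not part of the original post: a small EAP decoder run over the six bytes reconstructed from the field values shown there. Per RFC 3748, a Legacy Nak whose desired type is 0 means the supplicant rejected the offered method and has no alternative to propose; the offered method (PEAP here) and the second sample are assumptions, since the post does not show the Request.

```python
import struct

# EAP codes and a few method types (RFC 3748 and the IANA EAP registry).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Legacy Nak",
             4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 43: "EAP-FAST"}

# Constructed from the post's fields: Code 2, Id 2, Length 6, Type 3, desired 0.
NAK_FROM_POST = bytes.fromhex("020200060300")
# Constructed contrast case: the same Nak, but the peer asks for EAP-TLS (13).
NAK_WANTS_TLS = bytes.fromhex("02020006030d")

def parse_eap(pkt: bytes) -> dict:
    """Decode one EAP packet (the body of an EAPOL EAP-Packet frame)."""
    if len(pkt) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length field")
    out = {"code": EAP_CODES.get(code, f"Unknown ({code})"),
           "id": ident, "length": length}
    if code in (1, 2) and length > 4:      # only Request/Response carry a Type
        etype = pkt[4]
        out["type"] = EAP_TYPES.get(etype, f"Unknown ({etype})")
        if code == 2 and etype == 3:       # Legacy Nak data = desired type list
            out["desired"] = list(pkt[5:length])
    return out

def explain_nak(resp: dict, offered: int) -> str:
    """Turn a decoded Legacy Nak into a troubleshooting statement.

    `offered` is the method type from the preceding Request (assumed here).
    """
    desired = resp.get("desired")
    if desired is None:
        return "not a Legacy Nak"
    offered_name = EAP_TYPES.get(offered, str(offered))
    if not desired or desired == [0]:
        return f"peer rejected {offered_name} and proposed no alternative method"
    names = ", ".join(EAP_TYPES.get(t, str(t)) for t in desired)
    return f"peer rejected {offered_name} and asks for: {names}"

if __name__ == "__main__":
    for raw in (NAK_FROM_POST, NAK_WANTS_TLS):
        print(explain_nak(parse_eap(raw), offered=25))  # 25 (PEAP) is assumed
```

A supplicant that is set up for EAP-TLS and is offered something else would normally send the second form; the first form says it has no method it can run at all, so the Request that precedes the Nak in the capture is the next frame to inspect.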
3 REPLIES
SteffenBaierUK
Polycom Employee & Community Manager

Re: VVX400/410 8021.x

Hello @SSMIC,

Your post ended up in the Spam Filter so I moved this here. Please ensure to use Code Tags when posting logs as explained >here<

In addition, you have not provided us with any details of the currently used software version.

From our FAQ:

Jun 25, 2012 Question: How can I add an 802.1x EAP-PEAPv0/MSCHAPv2 Certificate or use Dot.1x?

Resolution: Please check => here <=

Please check the above and also the rest of the FAQ


Best Regards

Steffen Baier

----------------
The title Poly Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. All posts and words are my own & do not represent the views of Employer.

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's
Message 2 of 4
SSMIC
Occasional Contributor

Re: VVX400/410 8021.x

I thought the software version was in the config file.

C Software Version 5.6.0.17325
Updater Version 5.8.0.19248

I did follow the document you provided the link to. I also tried following this document.

Deploying 8021.x EAP-TLS with Polycom VVX phones Part 2/2 (ucprimer.com)

The end result is still the same. For some reason the phone is not sending the correct eap type even though it has been set to eap-tls as indicated in the documentation.

Message 3 of 4
SteffenBaierUK
Polycom Employee & Community Manager

Re: VVX400/410 8021.x

Hello @SSMIC,

We cannot assume what is provided is what is actually used. Your software is hopelessly outdated and the latest currently supported version (as of today) is 5.9.7.

I suggest you update to a current version and if this still fails you can share some logs from the phone based on the FAQ.

Our volunteers may look at them. If this is urgent or no volunteer answers the next step would be opening a support ticket. If the unit is out of warranty PPI/Pay per Incident would be applicable.

This is all outlined in the FAQ's

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Message 4 of 4