
VVX, 802.1x and certificate issues.

A_security
Visitor

VVX, 802.1x and certificate issues.

I keep having issues trying to get 802.1X working in my test environment with my VVX 310. It works fine with any computer (Mac or Windows), wired or wireless, and on cellphones. For a little background, I am using Windows Server 2012 for the AD, CA, DNS and DHCP and created a test domain named "testdomain.com". Computers can join the domain and DNS is working fine. DHCP is also handing out addresses for computers authenticating with 802.1X while NPS is putting them on the right VLAN. For the authentication method I am using PEAP-MSCHAPv2. The certificate that I am using is the one issued to the root CA. I know that's not generally best practice, but this is just a proof of concept and I will be using issued CA templates for the users and computers at a different time.

I exported the certificate for the root CA in base64 encoding and hosted it on a web server, readable in plaintext if you access the site. The certificate downloads and installs fine. I am using the PEAP-MSCHAPv2 auth method. I have tried using a test account "Srv" as Srv and Testdomain\Srv. Neither worked.

What is confusing me is that the certificate works fine if I use it on a domain PC but not on the phones using the same config method.

I also tried exporting a PKCS#7 .p7b, which it did not take, converting that to .pem format, which also did not work, and tried converting the .pfx with the private key to .pem to even see if that would work.

Below is the Polycom device config with the certificate cut down. I have also attached some screenshots of NPS and the web UI.

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Application SIP Danube2 5.4.2.6345 24-May-16 23:31 -->
<!-- Created 01-11-2017 13:55 -->
<PHONE_CONFIG>
	<!-- Note: The following parameters have been excluded from the export:
		device.auth.localUserPassword=""
		device.pacfile.password=""
		device.net.dot1x.password=""
		device.prov.lyncDeviceUpdatePassword=""
		device.auth.localAdminPassword=""
		device.logincred.password=""
		device.prov.password=""
	-->
	<DEVICE_SETTINGS
		device.set="1"
		device.auth.localUserPassword.set="0"
		device.pacfile.password.set="0"
		device.net.dot1x.password.set="0"
		device.prov.lyncDeviceUpdatePassword.set="0"
		device.auth.localAdminPassword.set="0"
		device.logincred.pin.set="0"
		device.logincred.pin=""
		device.logincred.password.set="0"
		device.prov.password.set="0"
		device.baseProfile.set="1"
		device.baseProfile="Generic"
		device.prov.serverType.set="1"
		device.prov.serverType="FTP"
		device.dhcp.enabled.set="1"
		device.dhcp.enabled="0"
		device.net.enabled.set="1"
		device.net.enabled="1"
		device.net.dhcpBootServer.set="1"
		device.net.dhcpBootServer="V4"
		device.net.ipAddress.set="1"
		device.net.ipAddress="172.16.1.5"
		device.net.subnetMask.set="1"
		device.net.subnetMask="255.255.255.0"
		device.net.IPgateway.set="1"
		device.net.IPgateway="172.16.1.1"
		device.net.vlanId.set="1"
		device.net.vlanId=""
		device.net.cdpEnabled.set="1"
		device.net.cdpEnabled="1"
		device.net.lldpEnabled.set="1"
		device.net.lldpEnabled="1"
		device.net.lldpCapabilitiesRequired.set="1"
		device.net.lldpCapabilitiesRequired="1"
		device.net.lldpFastStartCount.set="1"
		device.net.lldpFastStartCount="5"
		device.net.etherVlanFilter.set="1"
		device.net.etherVlanFilter="1"
		device.net.etherStormFilter.set="1"
		device.net.etherStormFilter="1"
		device.net.icmp.echoRepliesMask.set="1"
		device.net.icmp.echoRepliesMask="1"
		device.net.etherModeLAN.set="1"
		device.net.etherModeLAN="Auto"
		device.net.etherModePC.set="1"
		device.net.etherModePC="Auto"
		device.dhcp.dhcpVlanDiscUseOpt.set="1"
		device.dhcp.dhcpVlanDiscUseOpt="Fixed"
		device.dhcp.dhcpVlanDiscOpt.set="1"
		device.dhcp.dhcpVlanDiscOpt="129"
		device.dhcp.bootSrvUseOpt.set="1"
		device.dhcp.bootSrvUseOpt="CustomAndDefault"
		device.dhcp.bootSrvOpt.set="1"
		device.dhcp.bootSrvOpt="160"
		device.dhcp.bootSrvOptType.set="1"
		device.dhcp.bootSrvOptType="String"
		device.dhcp.option60Type.set="1"
		device.dhcp.option60Type="ASCII"
		device.prov.upgradeServer.set="1"
		device.prov.upgradeServer=""
		device.prov.serverName.set="1"
		device.prov.serverName=""
		device.prov.user.set="1"
		device.prov.user="PlcmSpIp"
		device.prov.redunAttemptLimit.set="1"
		device.prov.redunAttemptLimit="3"
		device.prov.redunInterAttemptDelay.set="1"
		device.prov.redunInterAttemptDelay="1"
		device.prov.maxRedunServers.set="1"
		device.prov.maxRedunServers="8"
		device.prov.networkEnvironment.set="1"
		device.prov.networkEnvironment="1"
		device.prov.tagSerialNo.set="1"
		device.prov.tagSerialNo="1"
		device.cma.mode.set="1"
		device.cma.mode="Disabled"
		device.cma.serverName.set="1"
		device.cma.serverName=""
		device.cma.disableTlsForDebug.set="1"
		device.cma.disableTlsForDebug="0"
		device.ntlm.versionMode.set="1"
		device.ntlm.versionMode="v2"
		device.logincred.user.set="1"
		device.logincred.user=""
		device.logincred.domain.set="1"
		device.logincred.domain=""
		device.logincred.extension.set="1"
		device.logincred.extension=""
		device.sec.TLS.OCSP.enabled.set="1"
		device.sec.TLS.OCSP.enabled="0"
		device.sec.TLS.FIPS.enabled.set="1"
		device.sec.TLS.FIPS.enabled="0"
		device.sec.TLS.SSLv2v3.enabled.set="1"
		device.sec.TLS.SSLv2v3.enabled="0"
		device.sec.TLS.profile.cipherSuiteDefault1.set="1"
		device.sec.TLS.profile.cipherSuiteDefault1="1"
		device.sec.TLS.profile.cipherSuite1.set="1"
		device.sec.TLS.profile.cipherSuite1=""
		device.sec.TLS.profile.caCertList1.set="1"
		device.sec.TLS.profile.caCertList1="Platform1"
		device.sec.TLS.profile.deviceCert1.set="1"
		device.sec.TLS.profile.deviceCert1="Builtin"
		device.sec.TLS.profile.cipherSuiteDefault2.set="1"
		device.sec.TLS.profile.cipherSuiteDefault2="1"
		device.sec.TLS.profile.cipherSuite2.set="1"
		device.sec.TLS.profile.cipherSuite2=""
		device.sec.TLS.profile.caCertList2.set="1"
		device.sec.TLS.profile.caCertList2="All"
		device.sec.TLS.profile.deviceCert2.set="1"
		device.sec.TLS.profile.deviceCert2="Builtin"
		device.sec.TLS.syslog.strictCertCommonNameValidation.set="1"
		device.sec.TLS.syslog.strictCertCommonNameValidation="1"
		device.sec.TLS.profileSelection.syslog.set="1"
		device.sec.TLS.profileSelection.syslog="PlatformProfile1"
		device.sec.TLS.prov.strictCertCommonNameValidation.set="1"
		device.sec.TLS.prov.strictCertCommonNameValidation="0"
		device.sec.TLS.profileSelection.provisioning.set="1"
		device.sec.TLS.profileSelection.provisioning="PlatformProfile1"
		device.sec.TLS.dot1x.strictCertCommonNameValidation.set="1"
		device.sec.TLS.dot1x.strictCertCommonNameValidation="1"
		device.sec.TLS.profileSelection.dot1x.set="1"
		device.sec.TLS.profileSelection.dot1x="PlatformProfile1"
		device.sec.coreDumpEncryption.enabled.set="1"
		device.sec.coreDumpEncryption.enabled="1"
		device.syslog.serverName.set="1"
		device.syslog.serverName=""
		device.syslog.transport.set="1"
		device.syslog.transport="UDP"
		device.syslog.facility.set="1"
		device.syslog.facility="16"
		device.syslog.renderLevel.set="1"
		device.syslog.renderLevel="4"
		device.syslog.prependMac.set="1"
		device.syslog.prependMac="0"
		device.sntp.serverName.set="1"
		device.sntp.serverName=""
		device.sntp.gmtOffset.set="1"
		device.sntp.gmtOffset="-18000"
		device.sntp.gmtOffsetcityID.set="1"
		device.sntp.gmtOffsetcityID="16"
		device.dns.serverAddress.set="1"
		device.dns.serverAddress="172.16.8.2"
		device.dns.altSrvAddress.set="1"
		device.dns.altSrvAddress="0.0.0.0"
		device.dns.domain.set="1"
		device.dns.domain="testdomain.com"
		device.hostname.set="1"
		device.hostname=""
		device.em.power.set="1"
		device.em.power="1"
		device.prov.ztpEnabled.set="1"
		device.prov.ztpEnabled="0"
		device.prov.lyncDeviceUpdateEnabled.set="1"
		device.prov.lyncDeviceUpdateEnabled="0"
		device.prov.lyncDeviceUpdateUser.set="1"
		device.prov.lyncDeviceUpdateUser=""
		device.prov.lyncDeviceUpdateDomain.set="1"
		device.prov.lyncDeviceUpdateDomain=""
		device.prov.lyncDeviceUpdateExtension.set="1"
		device.prov.lyncDeviceUpdateExtension=""
		device.prov.lyncDeviceUpdatePin.set="1"
		device.prov.lyncDeviceUpdatePin=""
		device.prov.lyncDeviceUpdateCredentialType.set="1"
		device.prov.lyncDeviceUpdateCredentialType="1"
		device.net.dot1x.enabled.set="1"
		device.net.dot1x.enabled="1"
		device.net.dot1x.method.set="1"
		device.net.dot1x.method="EAP-PEAPv0-MSCHAPv2"
		device.net.dot1x.identity.set="1"
		device.net.dot1x.identity="Srv"
		device.net.dot1x.anonid.set="1"
		device.net.dot1x.anonid=""
		device.net.dot1x.eapFastInBandProv.set="1"
		device.net.dot1x.eapFastInBandProv="0"
		device.auxPort.enable.set="1"
		device.auxPort.enable="1"
		device.serial.enable.set="1"
		device.serial.enable="0"
		device.sec.TLS.customCaCert1.set="1"
		device.sec.TLS.customCaCert1="MIIDlTC//certificate//WsFK4p"
	/>
</PHONE_CONFIG>


I am currently getting error 7000 on the phone.

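The conversion trouble described above (a Base-64 .cer that works on a domain PC, a .p7b that is refused, a .pfx that carries the private key) comes down to recognising which ASN.1 container a file is before wrapping it in PEM. The Python below is an added example, not code from this post or from Polycom: it takes a Windows CA export in any of the three certificate forms ("Base-64 encoded X.509 (.CER)", "DER encoded binary X.509 (.CER)", or a DER "PKCS #7 (.P7B)" chain) and returns each certificate as PEM with the BEGIN/END CERTIFICATE lines, and it refuses a PKCS#12 bundle because the CA's private key should never land on a phone. The certificates it is fed are constructed stand-ins with only the outer ASN.1 shape of a real one; `normalize_cert`, `to_pem` and the other names are my own.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_len)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    if ln & 0x80:                       # long form: the next (ln & 0x7F) bytes hold the length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, ln

def _children(value):
    """Yield (tag, whole_tlv, inner_value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, vstart, vlen = _tlv(value, pos)
        yield tag, value[pos:vstart + vlen], value[vstart:vstart + vlen]
        pos = vstart + vlen

def to_pem(der):
    """Wrap one DER certificate as PEM: 64-column base64 between BEGIN/END CERTIFICATE lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def _certs_from_pkcs7(der):
    """Pull the Certificate SEQUENCEs out of a PKCS#7 SignedData (.p7b) bundle."""
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    _tag, vstart, vlen = _tlv(der, 0)
    top = list(_children(der[vstart:vstart + vlen]))
    if len(top) < 2 or top[0][0] != 0x06 or top[1][0] != 0xA0:
        raise ValueError("not a PKCS#7 ContentInfo")
    signed_data = top[1][2]
    _sd_tag, sd_vs, sd_vl = _tlv(signed_data, 0)
    # SignedData ::= SEQUENCE { version, digestAlgorithms, encapContentInfo, certificates [0] OPTIONAL, ... }
    fields = list(_children(signed_data[sd_vs:sd_vs + sd_vl]))
    for tag, _whole, value in fields[3:]:
        if tag == 0xA0:
            return [whole for t, whole, _ in _children(value) if t == 0x30]
    return []

def normalize_cert(data):
    """Return the PEM certificate(s) in data, which may be PEM, a DER .cer or a DER .p7b."""
    pem_blocks = PEM_RE.findall(data)
    if pem_blocks:
        out = []
        for label, body in pem_blocks:
            der = base64.b64decode(re.sub(rb"\s+", b"", body))   # CRLF from Windows is fine
            if label == b"CERTIFICATE":
                out.append(to_pem(der))
            elif label == b"PKCS7":         # openssl's PEM spelling of a .p7b
                out.extend(to_pem(c) for c in _certs_from_pkcs7(der))
            else:
                raise ValueError(f"unexpected PEM block: {label.decode()}")
        return out
    tag, vstart, vlen = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("neither PEM nor a DER SEQUENCE")
    first = data[vstart]                    # tag of the first element decides the container type
    if first == 0x30:                       # Certificate: tbsCertificate is itself a SEQUENCE
        return [to_pem(bytes(data[:vstart + vlen]))]
    if first == 0x06:                       # PKCS#7 ContentInfo opens with the signedData OID
        return [to_pem(c) for c in _certs_from_pkcs7(data)]
    if first == 0x02:                       # PKCS#12 PFX (or a PKCS#8 key) opens with a version INTEGER
        raise ValueError("PKCS#12/.pfx or key material holds a private key; export the CA certificate only")
    raise ValueError("unrecognized DER structure")

def is_refused(blob):
    """True when normalize_cert rejects blob (the .pfx case below)."""
    try:
        normalize_cert(blob)
        return False
    except ValueError:
        return True

# Constructed sample inputs: not real certificates, only the outer ASN.1 shape of one.
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _fake_cert(serial, fill):
    tbs = _der(0x30, _der(0x02, bytes([serial])))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00" + bytes([fill]) * 300))

CERT_A, CERT_B = _fake_cert(1, 0xAA), _fake_cert(2, 0xBB)
SAMPLE_DER = CERT_A                                             # "DER encoded binary X.509 (.CER)"
SAMPLE_PEM = to_pem(CERT_A).replace("\n", "\r\n").encode()     # "Base-64 encoded X.509 (.CER)"
SIGNED_DATA_OID, DATA_OID = bytes.fromhex("2a864886f70d010702"), bytes.fromhex("2a864886f70d010701")
SAMPLE_P7B = _der(0x30, _der(0x06, SIGNED_DATA_OID) + _der(0xA0, _der(0x30,   # ".p7b" with two CAs
    _der(0x02, b"\x01") + _der(0x31, b"") + _der(0x30, _der(0x06, DATA_OID))
    + _der(0xA0, CERT_A + CERT_B) + _der(0x31, b""))))
SAMPLE_PFX = _der(0x30, _der(0x02, b"\x03") + _der(0x30, b""))  # ".pfx" shape: version INTEGER 3 first
```

A real certificate longer than 255 bytes starts with the bytes `30 82`, which is why its base64 always begins with `MII`, as the cut-down value in the config above does; a file that opens with unprintable bytes in Notepad is the DER form, not a broken export. The same conversions with OpenSSL are `openssl x509 -inform DER -in root.cer -out root.pem` and `openssl pkcs7 -inform DER -print_certs -in chain.p7b -out chain.pem`; a .p7b from a Windows CA usually contains the whole chain, so pick the root certificate out of the result rather than pasting the lot.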

4 REPLIES
SteffenBaierUK
Polycom Employee & Community Manager

Re: VVX, 802.1x and certificate issues.

Hello A_security,

welcome to the Polycom Community.

It is always useful to include the currently used UC Software version as issues experienced or a question asked may already be addressed in a newer release.

This also allows yourself and others to check against current software release notes, Administrator Guides or FAQ posts.

The above is also stated in the "Must Read First" and is the absolute minimum requirement every new post should include.

In addition providing us with this basic information gives Polycom an idea what Software Versions are used in the field and avoids wasting time trying to troubleshoot issues which have already been addressed.

Therefore the Polycom VoIP FAQ contains this post here:

Question: How can I find out my SIP or UC Software Version of my Phone?
Resolution: Please check here

 

In addition you do not have a certificate on the phone:

 

	device.sec.TLS.customCaCert1.set="1"
	        device.sec.TLS.customCaCert1="MIIDlTC//certificate//WsFK4p"

 

I suggest you check this FAQ post here:

 

Jun 25, 2012 Question: How can I add a 802.1x EAP-PEAPv0/MSCHAPv2 Certificate?

Resolution: Please check => here <=


Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

----------------

If official support is required please check how to phone or open a case here

----------------
The title Poly Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. All posts and words are my own & do not represent the views of Employer.

----------------


⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓SIGNATURE ⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓
Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
Please also ensure you always check the VoIP , Video Endpoint , Microsoft Voice , PSTN or other FAQ's in the different sections
Message 2 of 5
A_security
Visitor

Re: VVX, 802.1x and certificate issues.

So my UC version is 5.4.2.6345

I looked at the guide you sent me, which says that "It should be in DER format aka with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE----- "

When I export a certificate in Windows Server 2012 R2, it does not come out in plain text. My base64-encoded certs have the BEGIN and END CERTIFICATE lines but my DER-encoded ones do not. I have attached a picture of how the DER .cer looks when I access it via the HTTP web server. I see that the format there also ends in .crt. When I export a certificate, it is in .der format.

How would I export the certificate to a DER-encoded .crt file? Could I convert another type of file into this? I am trying to do it via the web interface method. When I open the .der file in Notepad it also looks like this. Thank you so much!

Message 3 of 5
A_security
Visitor

Re: VVX, 802.1x and certificate issues.

I am still having issues. This documentation here from you says it needs to be in PEM format, not DER, while the blog you linked me to is in DER. I can't upload a DER certificate and I can't paste it in due to the encoding not being in plaintext. What am I missing here?

I can also upload certificates but I can't get them to work properly.

Here is what I tried uploading most recently, exported from my CA in base64 PEM format.

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<PHONE_CONFIG>
  <DEVICE_SETTINGS device.set="1">
    <device.net.dot1x device.net.dot1x.enabled="1" device.net.dot1x.enabled.set="1" device.net.dot1x.anonid="" device.net.dot1x.anonid.set="0" device.net.dot1x.eapFastInBandProv="" device.net.dot1x.eapFastInBandProv.set="0" device.net.dot1x.identity="" device.net.dot1x.identity.set="1" device.net.dot1x.method="" device.net.dot1x.method.set="1" device.net.dot1x.password="" device.net.dot1x.password.set="1"></device.net.dot1x>
    <CA_Certificates device.sec.TLS.profile.caCertList1.set="1" device.sec.TLS.profile.caCertList1="BuiltinAndPlatform2" device.sec.TLS.customCaCert2.set="1" device.sec.TLS.customCaCert2="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE----->"/>
    <sec.dot1x>
      <sec.dot1x.eapollogoff sec.dot1x.eapollogoff.enabled="1" sec.dot1x.eapollogoff.lanlinkreset="1"></sec.dot1x.eapollogoff>
    </sec.dot1x>
  </DEVICE_SETTINGS>
</PHONE_CONFIG>

Can you see anything wrong here?

Message 4 of 5
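Before pushing a fragment like the one in the post above, it is worth cross-checking the handful of parameters that have to agree with each other. The Python below is an added example, not Polycom code or the poster's: it flattens a Polycom-style XML export into a parameter dictionary, flags `device.net.dot1x.method` and `device.net.dot1x.identity` when their `.set` flag is 1 but the value is empty, follows `device.sec.TLS.profileSelection.dot1x` to that profile's `caCertList`, and verifies that every `customCaCert<N>` slot the list names holds a PEM block that base64-decodes to an X.509 SEQUENCE. The mapping from values such as `BuiltinAndPlatform2` to slot 2 is my inference from the values in this thread, not documented Polycom behaviour, and the certificate in the samples is a constructed stand-in with only the outer ASN.1 shape of a real one.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def flatten(xml_text):
    """Collect every attribute into one name -> value dict. Polycom exports hang parameters as
    attributes off arbitrary element names (DEVICE_SETTINGS, CA_Certificates, ...)."""
    params = {}
    for el in ET.fromstring(xml_text).iter():
        params.update(el.attrib)
    return params

def cert_slots(ca_cert_list):
    """customCaCert<N> slots named by a caCertList value. Assumption inferred from the values in
    this thread: 'Platform1' and 'BuiltinAndPlatform2' name one slot, 'All' means every slot."""
    if ca_cert_list == "All":
        return {1, 2, 3, 4, 5, 6}
    m = re.search(r"Platform(\d)$", ca_cert_list)
    return {int(m.group(1))} if m else set()

def looks_like_der_cert(der):
    """Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }: check the two leading tags."""
    if len(der) < 4 or der[0] != 0x30:
        return False
    ln = der[1]
    header = 2 + ((ln & 0x7F) if ln & 0x80 else 0)   # skip a long-form length
    return len(der) > header and der[header] == 0x30

def check_pem_attr(value):
    """None when value holds a PEM certificate that decodes to DER, otherwise the reason it does not."""
    m = PEM_BLOCK.search(value)
    if not m:
        return "no BEGIN/END CERTIFICATE lines (a bare base64 body or raw DER is not PEM)"
    try:   # an XML parser turns line breaks inside an attribute into spaces, so strip all whitespace
        der = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
    except binascii.Error:
        return "body is not valid base64"
    return None if looks_like_der_cert(der) else "base64 decodes, but not to an X.509 SEQUENCE"

def lint_dot1x(xml_text):
    """Cross-check the parameters an EAP-PEAPv0/MSCHAPv2 setup relies on; return a list of findings."""
    p = flatten(xml_text)
    val = lambda name: p.get(name, "")
    findings = []
    if val("device.net.dot1x.enabled") != "1":
        findings.append("device.net.dot1x.enabled is not 1")
    for name in ("device.net.dot1x.method", "device.net.dot1x.identity"):
        if p.get(name + ".set") == "1" and val(name) == "":
            findings.append(f"{name}.set=1 but {name} is empty, so an empty value is pushed")
    m = re.search(r"(\d)$", val("device.sec.TLS.profileSelection.dot1x"))
    if not m:
        findings.append("device.sec.TLS.profileSelection.dot1x does not select a numbered profile")
        return findings
    ca_list = val(f"device.sec.TLS.profile.caCertList{m.group(1)}")
    slots = cert_slots(ca_list)
    if not slots:
        findings.append(f"caCertList{m.group(1)}={ca_list!r} names no custom CA slot")
    for k in sorted(slots):
        value = val(f"device.sec.TLS.customCaCert{k}")
        if value == "":
            if ca_list != "All":
                findings.append(f"customCaCert{k} is selected but empty")
            continue
        reason = check_pem_attr(value)
        if reason:
            findings.append(f"customCaCert{k}: {reason}")
    return findings

# Constructed samples: the certificate is a stand-in with only the outer ASN.1 shape of a real one.
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

FAKE_DER = _der(0x30, _der(0x30, _der(0x02, b"\x01")) + _der(0x30, b"") + _der(0x03, b"\x00" * 300))
FAKE_B64 = base64.b64encode(FAKE_DER).decode()
FAKE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % "\n".join(
    FAKE_B64[i:i + 64] for i in range(0, len(FAKE_B64), 64))

def sample_config(method, identity, cert_value):
    """Config shaped like the second upload in this thread, with the values under test substituted."""
    return f'''<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<PHONE_CONFIG>
  <DEVICE_SETTINGS device.set="1" device.sec.TLS.profileSelection.dot1x.set="1" device.sec.TLS.profileSelection.dot1x="PlatformProfile1">
    <device.net.dot1x device.net.dot1x.enabled="1" device.net.dot1x.enabled.set="1" device.net.dot1x.identity="{identity}" device.net.dot1x.identity.set="1" device.net.dot1x.method="{method}" device.net.dot1x.method.set="1"/>
    <CA_Certificates device.sec.TLS.profile.caCertList1.set="1" device.sec.TLS.profile.caCertList1="BuiltinAndPlatform2" device.sec.TLS.customCaCert2.set="1" device.sec.TLS.customCaCert2="{cert_value}"/>
  </DEVICE_SETTINGS>
</PHONE_CONFIG>'''

AS_POSTED = sample_config("", "", FAKE_PEM)                          # method and identity left blank
FIXED = sample_config("EAP-PEAPv0-MSCHAPv2", "Srv", FAKE_PEM)
BARE_BASE64 = sample_config("EAP-PEAPv0-MSCHAPv2", "Srv", FAKE_B64)  # body without BEGIN/END lines
```

Two caveats this surfaces. First, XML attribute-value normalization (XML 1.0 section 3.3.3) replaces every literal line break inside an attribute with a space, so a conforming parser never sees the 64-column PEM lines that were pasted into `customCaCert2`; anything that reads the certificate back out of the attribute has to strip whitespace before base64-decoding, which is why `check_pem_attr` does. Second, the `FIXED` sample carries `device.sec.TLS.profileSelection.dot1x` alongside the certificate and the method, because the slot, the profile's `caCertList` and the 802.1X profile selection have to line up for the uploaded CA to be the one the supplicant trusts; the linter reports each of those links separately so a blank `method`, as in the `AS_POSTED` sample, is not mistaken for a certificate problem.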
SteffenBaierUK
Polycom Employee & Community Manager

Re: VVX, 802.1x and certificate issues.

Hello @A_security,

I have updated my FAQ post with the "correct" verbiage i.e. the Certificate should be a DER encoded certificate. This should be in PEM format.

 

I cannot comment anymore as these are not Polycom standards, so you may want to google this.

 

In case nobody can help you within the free support community you may want to open a ticket with your Polycom reseller.


In order to raise a support ticket you need to work with your Polycom reseller as they need to do this for you. End Customers are usually unable to open a ticket directly with Polycom support.

If this is some sort of an Internet discounter please post either your phone's MAC address or your Polycom devices serial so I can look up who would be able to support you. This may not be who you purchased the Polycom device from.

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

Message 5 of 5