
I keep having issues trying to get 802.1X working in my test environment with my VVX 310. It works fine with any computer (Mac or Windows), wired or wireless, and on cellphones. For a little background, I am using Windows Server 2012 for the AD, CA, DNS, and DHCP and created a test domain named "testdomain.com". Computers can join the domain and DNS is working fine. DHCP is also handing out addresses for computers authenticating with 802.1X while NPS is putting them on the right VLAN. For the authentication method I am using PEAP-MSCHAPv2. The certificate that I am using is the one issued to the root CA. I know that's not generally best practice, but this is just a proof of concept and will be using issued CA templates for the users and computers at a different time.

 

I exported the certificate for the root CA in base64 encoding and hosted it on a web server and readable in plaintext if you access the site. The certificate downloads and installs fine. I am using the PEAP-MSCHAPv2 auth method. I have tried using a test account "Srv" as Srv and Testdomain\Srv. Neither worked.

 

What is confusing me is that the certificate works fine if I use it on a domain PC but not on the phones using the same config method.

 

I also tried exporting a PKCS#7 .p7b, which it did not take, and converting that to .pem format, which also did not work. And tried converting the .pfx with the private key in .pem to even see if that would work.

 

Below is the Polycom device config with the certificate cut down. I have also attached some screenshots of NPS and the web UI.

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Application SIP Danube2 5.4.2.6345 24-May-16 23:31 -->
<!-- Created 01-11-2017 13:55 -->
<PHONE_CONFIG>
	<!-- Note: The following parameters have been excluded from the export:
		device.auth.localUserPassword=""
		device.pacfile.password=""
		device.net.dot1x.password=""
		device.prov.lyncDeviceUpdatePassword=""
		device.auth.localAdminPassword=""
		device.logincred.password=""
		device.prov.password=""
	-->
	<DEVICE_SETTINGS
		device.set="1"
		device.auth.localUserPassword.set="0"
		device.pacfile.password.set="0"
		device.net.dot1x.password.set="0"
		device.prov.lyncDeviceUpdatePassword.set="0"
		device.auth.localAdminPassword.set="0"
		device.logincred.pin.set="0"
		device.logincred.pin=""
		device.logincred.password.set="0"
		device.prov.password.set="0"
		device.baseProfile.set="1"
		device.baseProfile="Generic"
		device.prov.serverType.set="1"
		device.prov.serverType="FTP"
		device.dhcp.enabled.set="1"
		device.dhcp.enabled="0"
		device.net.enabled.set="1"
		device.net.enabled="1"
		device.net.dhcpBootServer.set="1"
		device.net.dhcpBootServer="V4"
		device.net.ipAddress.set="1"
		device.net.ipAddress="172.16.1.5"
		device.net.subnetMask.set="1"
		device.net.subnetMask="255.255.255.0"
		device.net.IPgateway.set="1"
		device.net.IPgateway="172.16.1.1"
		device.net.vlanId.set="1"
		device.net.vlanId=""
		device.net.cdpEnabled.set="1"
		device.net.cdpEnabled="1"
		device.net.lldpEnabled.set="1"
		device.net.lldpEnabled="1"
		device.net.lldpCapabilitiesRequired.set="1"
		device.net.lldpCapabilitiesRequired="1"
		device.net.lldpFastStartCount.set="1"
		device.net.lldpFastStartCount="5"
		device.net.etherVlanFilter.set="1"
		device.net.etherVlanFilter="1"
		device.net.etherStormFilter.set="1"
		device.net.etherStormFilter="1"
		device.net.icmp.echoRepliesMask.set="1"
		device.net.icmp.echoRepliesMask="1"
		device.net.etherModeLAN.set="1"
		device.net.etherModeLAN="Auto"
		device.net.etherModePC.set="1"
		device.net.etherModePC="Auto"
		device.dhcp.dhcpVlanDiscUseOpt.set="1"
		device.dhcp.dhcpVlanDiscUseOpt="Fixed"
		device.dhcp.dhcpVlanDiscOpt.set="1"
		device.dhcp.dhcpVlanDiscOpt="129"
		device.dhcp.bootSrvUseOpt.set="1"
		device.dhcp.bootSrvUseOpt="CustomAndDefault"
		device.dhcp.bootSrvOpt.set="1"
		device.dhcp.bootSrvOpt="160"
		device.dhcp.bootSrvOptType.set="1"
		device.dhcp.bootSrvOptType="String"
		device.dhcp.option60Type.set="1"
		device.dhcp.option60Type="ASCII"
		device.prov.upgradeServer.set="1"
		device.prov.upgradeServer=""
		device.prov.serverName.set="1"
		device.prov.serverName=""
		device.prov.user.set="1"
		device.prov.user="PlcmSpIp"
		device.prov.redunAttemptLimit.set="1"
		device.prov.redunAttemptLimit="3"
		device.prov.redunInterAttemptDelay.set="1"
		device.prov.redunInterAttemptDelay="1"
		device.prov.maxRedunServers.set="1"
		device.prov.maxRedunServers="8"
		device.prov.networkEnvironment.set="1"
		device.prov.networkEnvironment="1"
		device.prov.tagSerialNo.set="1"
		device.prov.tagSerialNo="1"
		device.cma.mode.set="1"
		device.cma.mode="Disabled"
		device.cma.serverName.set="1"
		device.cma.serverName=""
		device.cma.disableTlsForDebug.set="1"
		device.cma.disableTlsForDebug="0"
		device.ntlm.versionMode.set="1"
		device.ntlm.versionMode="v2"
		device.logincred.user.set="1"
		device.logincred.user=""
		device.logincred.domain.set="1"
		device.logincred.domain=""
		device.logincred.extension.set="1"
		device.logincred.extension=""
		device.sec.TLS.OCSP.enabled.set="1"
		device.sec.TLS.OCSP.enabled="0"
		device.sec.TLS.FIPS.enabled.set="1"
		device.sec.TLS.FIPS.enabled="0"
		device.sec.TLS.SSLv2v3.enabled.set="1"
		device.sec.TLS.SSLv2v3.enabled="0"
		device.sec.TLS.profile.cipherSuiteDefault1.set="1"
		device.sec.TLS.profile.cipherSuiteDefault1="1"
		device.sec.TLS.profile.cipherSuite1.set="1"
		device.sec.TLS.profile.cipherSuite1=""
		device.sec.TLS.profile.caCertList1.set="1"
		device.sec.TLS.profile.caCertList1="Platform1"
		device.sec.TLS.profile.deviceCert1.set="1"
		device.sec.TLS.profile.deviceCert1="Builtin"
		device.sec.TLS.profile.cipherSuiteDefault2.set="1"
		device.sec.TLS.profile.cipherSuiteDefault2="1"
		device.sec.TLS.profile.cipherSuite2.set="1"
		device.sec.TLS.profile.cipherSuite2=""
		device.sec.TLS.profile.caCertList2.set="1"
		device.sec.TLS.profile.caCertList2="All"
		device.sec.TLS.profile.deviceCert2.set="1"
		device.sec.TLS.profile.deviceCert2="Builtin"
		device.sec.TLS.syslog.strictCertCommonNameValidation.set="1"
		device.sec.TLS.syslog.strictCertCommonNameValidation="1"
		device.sec.TLS.profileSelection.syslog.set="1"
		device.sec.TLS.profileSelection.syslog="PlatformProfile1"
		device.sec.TLS.prov.strictCertCommonNameValidation.set="1"
		device.sec.TLS.prov.strictCertCommonNameValidation="0"
		device.sec.TLS.profileSelection.provisioning.set="1"
		device.sec.TLS.profileSelection.provisioning="PlatformProfile1"
		device.sec.TLS.dot1x.strictCertCommonNameValidation.set="1"
		device.sec.TLS.dot1x.strictCertCommonNameValidation="1"
		device.sec.TLS.profileSelection.dot1x.set="1"
		device.sec.TLS.profileSelection.dot1x="PlatformProfile1"
		device.sec.coreDumpEncryption.enabled.set="1"
		device.sec.coreDumpEncryption.enabled="1"
		device.syslog.serverName.set="1"
		device.syslog.serverName=""
		device.syslog.transport.set="1"
		device.syslog.transport="UDP"
		device.syslog.facility.set="1"
		device.syslog.facility="16"
		device.syslog.renderLevel.set="1"
		device.syslog.renderLevel="4"
		device.syslog.prependMac.set="1"
		device.syslog.prependMac="0"
		device.sntp.serverName.set="1"
		device.sntp.serverName=""
		device.sntp.gmtOffset.set="1"
		device.sntp.gmtOffset="-18000"
		device.sntp.gmtOffsetcityID.set="1"
		device.sntp.gmtOffsetcityID="16"
		device.dns.serverAddress.set="1"
		device.dns.serverAddress="172.16.8.2"
		device.dns.altSrvAddress.set="1"
		device.dns.altSrvAddress="0.0.0.0"
		device.dns.domain.set="1"
		device.dns.domain="testdomain.com"
		device.hostname.set="1"
		device.hostname=""
		device.em.power.set="1"
		device.em.power="1"
		device.prov.ztpEnabled.set="1"
		device.prov.ztpEnabled="0"
		device.prov.lyncDeviceUpdateEnabled.set="1"
		device.prov.lyncDeviceUpdateEnabled="0"
		device.prov.lyncDeviceUpdateUser.set="1"
		device.prov.lyncDeviceUpdateUser=""
		device.prov.lyncDeviceUpdateDomain.set="1"
		device.prov.lyncDeviceUpdateDomain=""
		device.prov.lyncDeviceUpdateExtension.set="1"
		device.prov.lyncDeviceUpdateExtension=""
		device.prov.lyncDeviceUpdatePin.set="1"
		device.prov.lyncDeviceUpdatePin=""
		device.prov.lyncDeviceUpdateCredentialType.set="1"
		device.prov.lyncDeviceUpdateCredentialType="1"
		device.net.dot1x.enabled.set="1"
		device.net.dot1x.enabled="1"
		device.net.dot1x.method.set="1"
		device.net.dot1x.method="EAP-PEAPv0-MSCHAPv2"
		device.net.dot1x.identity.set="1"
		device.net.dot1x.identity="Srv"
		device.net.dot1x.anonid.set="1"
		device.net.dot1x.anonid=""
		device.net.dot1x.eapFastInBandProv.set="1"
		device.net.dot1x.eapFastInBandProv="0"
		device.auxPort.enable.set="1"
		device.auxPort.enable="1"
		device.serial.enable.set="1"
		device.serial.enable="0"
		device.sec.TLS.customCaCert1.set="1"
	        device.sec.TLS.customCaCert1="MIIDlTC//certificate//WsFK4p"
	/>
</PHONE_CONFIG>

 

 I am currently getting error 7000 on the phone.

 

 


Hello A_security,

welcome to the Polycom Community.

It is always useful to include the currently used UC Software version as issues experienced or a question asked may already be addressed in a newer release.

This also allows yourself and others to check against current software release notes, Administrator Guides or FAQ posts.

The above is also stated in the "Must Read First" and is the absolute minimum requirement every new post should include.

In addition providing us with this basic information gives Polycom an idea what Software Versions are used in the field and avoids wasting time trying to troubleshoot issues which have already been addressed.

Therefore the Polycom VoIP FAQ contains this post here:

Question: How can I find out my SIP or UC Software Version of my Phone?
Resolution: Please check here

 

In addition you do not have a certificate on the phone:

 

	device.sec.TLS.customCaCert1.set="1"
	        device.sec.TLS.customCaCert1="MIIDlTC//certificate//WsFK4p"

 

I suggest you check this FAQ post here:

 

Jun 25, 2012 Question: How can I add a 802.1x EAP-PEAPv0/MSCHAPv2 Certificate?

Resolution: Please check => here <=


Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

------------------------------------------------
Notice: I am an HP Poly employee but all replies within the community are done as a volunteer outside of my day role. This community forum is not an official HP Poly support resource, thus responses from HP Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
If you need immediate and/or official assistance for former Poly\Plantronics\Polycom please open a service ticket through your support channels
For HP products please check HP Support.

Please also ensure you always check the General VoIP , Video Endpoint , UC Platform (Microsoft) , PSTN

So my UC version is 5.4.2.6345

 

I looked at the guide you sent me that says that "It should be in DER format aka with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE----- "

 

When I export a certificate in Windows Server 2012 R2, it does not come out in plain text. My base64 encoded certs have the begin and end certificate but my .der encoded ones do not. I have attached a picture of how the der.cer looks when I access it via HTTP web server. I see that also here their format ends in .crt. When I export a certificate in .der format.

 

How would I export the certificate to a DER encoded .crt file? Could I convert another type of file into this? I am trying to do it via the web interface method. When I open the .der file in Notepad it also looks like this. Thank you so much!!
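
The DER/PEM distinction this thread turns on, as an added example (not part of any post and not Polycom's code): DER is the binary ASN.1 encoding, and PEM is the same bytes base64-encoded between BEGIN/END CERTIFICATE lines. The Python sketch below classifies an exported file, rejects a wrapper with stray characters or a bare base64 body, and converts DER to PEM; the function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import re

PEM_RE = re.compile(r"\A\s*-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----\s*\Z")

def der_length_ok(der: bytes) -> bool:
    """True if `der` is one ASN.1 SEQUENCE whose declared length spans the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: the byte is the length
        header, length = 2, first
    else:                                 # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def classify(data: bytes) -> str:
    """Return 'der', 'pem', or a short reason the blob is neither (hypothetical helper)."""
    if der_length_ok(data):
        return "der"
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "binary, but not a single DER SEQUENCE"
    m = PEM_RE.match(text)
    if not m:
        return "text, but no clean BEGIN/END CERTIFICATE wrapper"
    try:
        body = base64.b64decode("".join(m.group(1).split()), validate=True)
    except binascii.Error:
        return "PEM wrapper present, base64 body invalid"
    return "pem" if der_length_ok(body) else "PEM wrapper present, body is not DER"

def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as PEM: base64, 64 columns, BEGIN/END lines."""
    if not der_length_ok(der):
        raise ValueError("input is not a single DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

# Constructed sample: a 200-byte ASN.1 SEQUENCE standing in for a DER export (not a real certificate).
SAMPLE_DER = bytes([0x30, 0x81, 0xC5]) + bytes(range(197))
SAMPLE_PEM = der_to_pem(SAMPLE_DER)
print(classify(SAMPLE_DER), "/", classify(SAMPLE_PEM.encode()), "/", classify(SAMPLE_PEM.strip().encode() + b">"))
```

The check is structural only: it confirms the outer ASN.1 framing and the PEM wrapper, not that the contents are a valid X.509 certificate or the right CA for the RADIUS server.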


I am still having issues. This documentation here from you guys says it needs to be in PEM format, not DER, while the blog you linked me to is in DER. I can't upload a DER certificate and I can't paste it in due to the encoding not being in plaintext. What am I missing here?

 

I can also upload certificates but I can't get them to work properly.

Here is what i tried uploading most recently.

Exported from my ca via a base64 pem format.

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<PHONE_CONFIG>
  <DEVICE_SETTINGS device.set="1">
    <device.net.dot1x device.net.dot1x.enabled="1" device.net.dot1x.enabled.set="1" device.net.dot1x.anonid="" device.net.dot1x.anonid.set="0" device.net.dot1x.eapFastInBandProv="" device.net.dot1x.eapFastInBandProv.set="0" device.net.dot1x.identity="" device.net.dot1x.identity.set="1" device.net.dot1x.method="" device.net.dot1x.method.set="1" device.net.dot1x.password="" device.net.dot1x.password.set="1"></device.net.dot1x>
    <CA_Certificates device.sec.TLS.profile.caCertList1.set="1" device.sec.TLS.profile.caCertList1="BuiltinAndPlatform2" device.sec.TLS.customCaCert2.set="1" device.sec.TLS.customCaCert2="-----BEGIN CERTIFICATE-----[...]-----END CERTIFICATE----->"/>
    <sec.dot1x>
      <sec.dot1x.eapollogoff sec.dot1x.eapollogoff.enabled="1" sec.dot1x.eapollogoff.lanlinkreset="1"></sec.dot1x.eapollogoff>
    </sec.dot1x>
  </DEVICE_SETTINGS>
</PHONE_CONFIG>

Can you see anything wrong here?


Hello @A_security,

I have updated my FAQ post with the "correct" verbiage i.e. the Certificate should be a DER encoded certificate. This should be in PEM format.

 

I cannot comment anymore as these are not Polycom standards so you may want to google this.

 

In case nobody can help you within the free support community you may want to open a ticket with your Polycom reseller.


In order to raise a support ticket you need to work with your Polycom reseller as they need to do this for you. End Customers are usually unable to open a ticket directly with Polycom support.

If this is some sort of an Internet discounter, please post either your phone's MAC address or your Polycom device's serial so I can look up who would be able to support you. This may not be who you purchased the Polycom device from.

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services
