
Please be aware that the below example will only work with UC Software 4.0.0 or higher.

 

  • Trio/CCX UC Software 5.7.2 and VVX UC Software 5.9.0 introduced the Simple Certificate Enrolment Protocol, also known as SCEP => here <=

  • For further details around 802.1x please check => here <=

  • Our Poly Employee Brennon Kwok provides detailed instructions >part 1< and >part 2< around the full working setup.

 

Supported EAP Authentication Protocols and Requirements

 

EAP-TLS
• Device certificate
• Trusted Root Certificate Authority and Client/Device certificates
• Identity (user name)


EAP-PEAPv0/EAP-MSCHAPv2 and EAP-PEAPv0/EAP-GTC
• Trusted Root Certificate Authority and Client/Device certificates
• Identity (user name)
• Password


EAP-TTLS/EAP-MSCHAPv2 and EAP-TTLS/EAP-GTC
• Trusted Root Certificate Authority and Client/Device certificates
• Identity (user name)
• Password


EAP-MD5
• Identity (user name)
• Password


EAP-FAST
• Identity (user name)
• Password
• Optional PAC file, provisioned automatically through the network or manually using a PAC file password.

 

Option 1 using Configuration Files

 

NOTE: In order to use the below Parameters the device.set="1" Parameter must be used.

 

The Parameters needed for this example are as follows:

<web device.set="1" device.net.dot1x.enabled="1" device.net.dot1x.enabled.set="1" />

The above should be sufficient to enable 802.1x functionality.

<web device.net.dot1x.method.set="1" device.net.dot1x.method="EAP-PEAPv0-MSCHAPv2" />

The above sets EAP-PEAPv0-MSCHAPv2 as the 802.1x method.

<web device.sec.TLS.customCaCert2.set="1" device.sec.TLS.customCaCert2="<Certificate…….>" />

The above adds the Certificate; the <Certificate…….> needs to be replaced with the actual certificate content.

It should be a DER-encoded certificate in PEM format.

PEM certificates usually have extensions such as .pem, .crt, .cer, and .key. They are Base64-encoded ASCII files and contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements.

<web device.sec.TLS.profile.caCertList1.set="1" device.sec.TLS.profile.caCertList1="All" />

The above links the TLS Profile with Platform 1, used in this example as Platform 2 supports 4096 bytes and Platform 1 only 1536 Bytes.

 

Example to provide a certificate (redacted) and select Platform profile 2:

<device device.set="1"
        device.sec.TLS.profileSelection.dot1x.set="1"
        device.sec.TLS.profileSelection.dot1x="PlatformProfile2"
        device.sec.TLS.customCaCert2.set="1"
        device.sec.TLS.customCaCert2="-----BEGIN CERTIFICATE-----
MIIDizCCAnOgAwIBAgIQb/vqHO3J/JlARqEewzJa6jANBgkqhkiG9w0BAQsFADBY
MRMwEQYKCZImiZPyLGQBGRYDbGFiMRowGAYKCZImiZPyLGQBGRYKc2JhaWVyaG9t
ZTElMCMGA1UEAwwcc2JhaWVyaG9tZS1XMjAyMl9ESENQX0ROUy1DQTAeFw0yMzA0
MTIxMDIxMDFaFw0zMzA0MTIxMDMxMDBaMFgxEzARBgoJkiaJk/IsZAEZFgNsYWIx
......
BAGCNxUBBAMCAQAwDQYJKoZIhvcNAQELBQADggEBAFwAYo8e8kBgO0X8gNuUI93g
qHJGwwRxH4liamVrZVvR7RiuffjDVLJfdBU4fdmdmrifl2Hxqrk92MLI1oby8Sok
B6wygBYehC98p+D2FY849q1CIdoplvWcDOHeoruzYkYDzGuCKxwOs6g6c6EmZsAp
5sUlVy7irh+74xeVYhdqGNIjNaSof39Kd2gkP4zNHlY42z3JOVwlNhcgPWSHlMx3
wNu1jPVq53u7DdjyFSAYeRya5XlUBbvA6atk3gnIin1Ga8GTVAmpQ+0aL0QhoNb6
ziqf4VpbkfAv+wm8ayNHOGiSLd0QVKGdO7zmHb3b/k/03rv+2w/K18R+9X2t59A=
-----END CERTIFICATE-----"
        />

Identity and Password

<web device.net.dot1x.password="Add a Password" device.net.dot1x.password.set="1"
device.net.dot1x.identity="Add a Username" device.net.dot1x.identity.set="1" />

The above ensures that the Phone itself and a PC connected to the switch Port can authenticate themselves.

<web sec.dot1x.eapollogoff.enabled="1" sec.dot1x.eapollogoff.lanlinkreset="1" />

The above ensures that the EAPOL logoff features for a PC connected via the Phone are enabled.

NOTE: Please ensure to consult the UCS Admin Guide for details on individual parameters.

 

Option 2 using the Phone Web Interface

image

image

Above links the TLS Profile with Platform 1, used in this example as Platform 2 supports 4096 bytes and Platform 1 only 1536 Bytes.

The Certificate can either be imported via the Web Interface as described => here <= or simply place a URL into the field and click install:

image

Platform Credentials:

Settings > Network > TLS > Device Certificates

image

Specifying in either Platform 1 or Platform 2 a valid certificate

image

and clicking on Install will prompt the Phone to request the relevant key location:

image

The same can be provisioned via a configuration file for either the Platform Certificate 1:

device.sec.TLS.customDeviceCert1.set="1"
device.sec.TLS.customDeviceCert1.publicCert=""
device.sec.TLS.customDeviceCert1.privateKey=""

or the Platform Certificate 2:

device.sec.TLS.customDeviceCert2.set="1"
device.sec.TLS.customDeviceCert2.publicCert=""
device.sec.TLS.customDeviceCert2.privateKey=""

NOTE:
Please ensure the certificate does not contain the -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- or -----BEGIN RSA PRIVATE KEY----- / -----END RSA PRIVATE KEY----- statements and is in one line without any carriage return or line feed.

image

 

Relationship between Platform Profiles:

 

image

 

  • In the above example, we selected within the TLS Applications the TLS Platform Profile 2 for 802.1x as we are using a larger certificate.

  • We are assigning the Device Credentials for Platform Credential 2 within the TLS Profile.

  • The CA Certificate within the TLS Profile is set to use All Certificates, which means any added CA Certificate within the Certificate Configuration and, in addition, all built-in certificates that are already on the phone (most common like GoDaddy/Symantec, etc.).

  • For Syslog the phone would use any Platform CA 1 assigned Certificate added via the Certificate Configuration.

A current overview of all certificates can be found => here <=, usually within the Certificate Updates for Polycom UC Software.

 

Outer ID / Anonymous ID authentication

image

The Anonymous ID is the outer ID:

<web device.net.dot1x.anonid.set="1" device.net.dot1x.anonid="replace_with_outerID" />

Option 3 using RPRM / PDMS-E

 

  • On RealPresence Resource Manager browse to Endpoint > UC Management > Configuration Profiles and either add the needed parameters or copy a working config via "Paste Configuration XML"

image

  • On PDMS-E go to and add a new Profile Configuration and follow the above example

image

As explained above, SCEP => here <= can be used to supply the certificate already.

 

Troubleshooting:

 

  • Missing or wrong Certificate

image

000021.234|dot1x|1|00|SSL: SSL_connect:SSLv3 read server hello A
000021.238|dot1x|4|00|TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/C=GB/ST=London/L=London/O=Polycom Inc/OU=PGS/CN=nps.sbaierhome.lab'
000021.238|dot1x|4|00|CTRL-EVENT-EAP-CERT-ERR TLS: Certificate verification failed, error 20 (unable to get local issuer certificate)#20
000021.239|dot1x|0|00|CTRL_IFACE monitor send - hexdump(len=21): 2f 74 6d 70 2f 77 70 61 5f 63 74 72 6c 5f 35 36 35 2d 31 30 00
000021.239|dot1x|1|00|tls_verify_cb tls_check_cert_time_get()=0
000021.243|dot1x|1|00|SSL: (where=0x4008 ret=0x230)
000021.243|dot1x|2|00|SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
000021.243|dot1x|2|00|CTRL-EVENT-EAP-ALERT SSL: SSL3 alert: fatal:unknown CA#48
000021.243|dot1x|0|00|CTRL_IFACE monitor send - hexdump(len=21): 2f 74 6d 70 2f 77 70 61 5f 63 74 72 6c 5f 35 36 35 2d 31 30 00
000021.245|dot1x|1|00|SSL: (where=0x1002 ret=0xffffffff)
000021.245|dot1x|3|00|SSL: SSL_connect:error in error
000021.245|dot1x|3|00|OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

 

 

 

 

 

 

  • Missing or incorrect 802.1x identity or password

image

000621.536|dot1x|1|00|EAP-MSCHAPV2: error 691
000621.536|dot1x|2|00|CTRL-EVENT-EAP-WRONG-UNAME-OR-PASSWD

 

 

 

 

 

or

000021.087|dot1x|1|00|EAP: EAP entering state FAILURE
000021.087|dot1x|2|00|CTRL-EVENT-EAP-WRONG-USERNAME

 

 

 

 

 

  • Incorrect EAP Method

image

000126.429|dot1x|1|00|EAPOL: SUPP_BE entering state FAIL
000126.429|dot1x|1|00|EAPOL: SUPP_BE entering state IDLE
000126.429|dot1x|1|00|EAPOL authentication completed unsuccessfully
000126.428|dot1x|0|00|dot1xWpaMonitorMsg: Processing "<2>CTRL-EVENT-EAP-MTHD-MISMATCH "
000126.429|dot1x|4|00|EAP Method Mismatch Failure
000126.429|dot1x|0|00|dot1xWpaMonitorMsg: Processing "<2>CTRL-EVENT-EAP-FAILURE EAP authentication failed"
000126.429|dot1x|4|00|EAP Authentication Failed

 

PC Port changes

 

1209183441|so   |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port:UP, Speed:100Mbps, duplex:full
1209183441|so   |3|00|SoNcasC::soPpsIsStackStarted
1209183441|dot1x|1|00|soHostMovementDetectionHandle entered.
1209183443|cdp  |1|00|Sending CDP packet with length (cdpPktLen= 152)
1209183443|cdp  |1|00|Received CDP packet from 00 0c 85 2e 24 c4.
1209183443|cdp  |2|00|Ignoring CDP packet with no VLAN Id.
1209183443|cdp  |2|00| Received CDP without voice and Native VLAN, Assuming Trunk Port
1209183445|dot1x|1|00|dot1xWpaSupplicantcommand [PING ] try to open control interface...
1209183445|dot1x|1|00|dot1xWpaSupplicantcommand [PING ] sent...
1209183449|so   |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port: DOWN
1209183449|so   |3|00|SoNcasC::soPpsIsStackStarted
1209183449|dot1x|1|00|soHostMovementDetectionHandle entered.

 

------------------------------------------------
Notice: I am an HP Poly employee but all replies within the community are done as a volunteer outside of my day role. This community forum is not an official HP Poly support resource, thus responses from HP Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
If you need immediate and/or official assistance for former Poly\Plantronics\Polycom please open a service ticket through your support channels
For HP products please check HP Support.

Please also ensure you always check the General VoIP , Video Endpoint , UC Platform (Microsoft) , PSTN

To configure 802.1x on a Poly Edge B or Poly VVXx50 ObiEdition phone, please navigate to System Management > WAN Settings

image

The most common is usually PEAP-MSCHAPv2.

Then provide an Identity and a Password:

image

Now save this and, once the phone is back, navigate to System Management > Device Admin > Platform CA 1 and provide an HTTP or TFTP location for the Base64 encoded Certificate:

image

Now save this and reboot the phone so the Certificate can be downloaded.

 
