
[FAQ] How can I add a 802.1x EAP-PEAPv0/MSCHAPv2 Certificate or use the feature?

SteffenBaierUK
Polycom Employee & Community Manager


Please be aware that the below example will only work with UC Software 4.0.0 or higher.

 

  • Trio/CCX UC Software 5.7.2 and VVX UC Software 5.9.0 introduced the Simple Certificate Enrolment Protocol also known as SCEP => here <=

  • For further details around 802.1x please check => here <=

  • Our Poly Employee Brennon Kwok provides detailed instructions in >part 1< and >part 2< on the full working setup.

 

Supported EAP Authentication Protocols and Requirements

 

EAP-TLS
• Device certificate
• Trusted Root Certificate Authority and Client/Device certificates
• Identity (user name)


EAP-PEAPv0/EAP-MSCHAPv2 and EAP-PEAPv0/EAP-GTC
• Trusted Root Certificate Authority and Client/Device certificates
• Identity (user name)
• Password


EAP-TTLS/EAP-MSCHAPv2 and EAP-TTLS/EAP-GTC
• Trusted Root Certificate Authority and Client/Device certificates
• Identity (user name)
• Password


EAP-MD5
• Identity (user name)
• Password


EAP-FAST
• Identity (user name)
• Password
• Optional PAC file, provisioned automatically through the network or manually using a PAC file password.

 

Option 1 using Configuration Files

 

NOTE: In order to use the below Parameters the device.set="1" Parameter must be used.

 

The Parameters needed for this example are as follows:

 

<web device.set="1" device.net.dot1x.enabled="1" device.net.dot1x.enabled.set="1" />

above is sufficient to enable the 802.1x supplicant on the phone

 

<web device.net.dot1x.method.set="1" device.net.dot1x.method="EAP-PEAPv0-MSCHAPv2" />

above sets the EAP-PEAPv0-MSCHAPv2 as the 802.1x method

 

<web device.sec.TLS.customCaCert2.set="1" device.sec.TLS.customCaCert2="<Certificate…….>" />

above adds the Certificate and the <Certificate…….> needs to be replaced with the actual certificate content.

 

The value is a DER certificate in PEM encoding, i.e. the Base64 text form. PEM files usually have extensions such as .pem, .crt or .cer (a .key file normally holds the private key, not the certificate). They are Base64-encoded ASCII files and contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.

<web device.sec.TLS.profile.caCertList1.set="1" device.sec.TLS.profile.caCertList1="All" />

above sets the CA certificate list of TLS Platform Profile 1 (the profile 802.1x uses in this example) to "All", so the profile trusts the built-in CAs plus every custom CA certificate, including the one loaded into slot 2 above. Slot 2 is used because Platform 2 holds up to 4096 bytes whereas Platform 1 only holds 1536 bytes.

 

<web device.net.dot1x.password="Add a Password" device.net.dot1x.password.set="1" 
device.net.dot1x.identity="Add a Username" device.net.dot1x.identity.set="1" />

above sets the 802.1x identity (username) and password the phone itself presents as supplicant. A PC connected to the phone's PC port authenticates separately with its own credentials; the phone passes its EAPOL frames through to the switch, so these values are never used for the PC.

 

<web sec.dot1x.eapollogoff.enabled="1" sec.dot1x.eapollogoff.lanlinkreset="1" />

above enables the EAPOL-Logoff feature for a PC connected via the phone's PC port: when that link drops, the phone sends an EAPOL-Logoff on the PC's behalf so the switch clears the PC's authenticated session instead of leaving it open for whatever is plugged in next.

 

NOTE: Please ensure to consult the UCS Admin Guide for details on individual parameters.

 

Option 2 using the Phone Web Interface 

 

802dot1x_01.PNG

 

802dot1x_02.PNG

 

Above links TLS Platform Profile 1, used for 802.1x in this example, with the CA certificate. The certificate itself is loaded into Platform 2 because Platform 2 holds up to 4096 bytes whereas Platform 1 only holds 1536 bytes.

 

The Certificate can either be imported via the Web Interface as described => here <= or installed by placing a URL into the field and clicking Install:

 

802dot1x_03.PNG

 

Platform Credentials:

 

Settings > Network > TLS > Device Certificates

 

PlatformCredentialsCertificateKey.png

 

Specifying in either Platform 1 or Platform 2 a valid certificate

 

PlatformCredentialsCertificateKey_02.png

 

and clicking on Install will prompt the Phone to request the relevant key location:

 

PlatformCredentialsCertificateKey_03.png

 

The same can be provisioned via a configuration file for either the Platform Certificate 1:

 

device.sec.TLS.customDeviceCert1.set="1"
device.sec.TLS.customDeviceCert1.publicCert=""
device.sec.TLS.customDeviceCert1.privateKey=""

or the Platform Certificate 2

 

device.sec.TLS.customDeviceCert2.set="1"
device.sec.TLS.customDeviceCert2.publicCert=""
device.sec.TLS.customDeviceCert2.privateKey=""

NOTE: Please ensure the certificate does not contain the -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- or -----BEGIN RSA PRIVATE KEY----- / -----END RSA PRIVATE KEY----- lines and is on one line without any carriage return or line feed. Because the private key then sits in the configuration file in clear text, treat that file as a secret: restrict access to the provisioning server, deliver the file over HTTPS, or use SCEP (linked at the top) so the key is generated on the phone and never leaves it.

PlatformCredentialsCertificateKey_04.png
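To take the manual work out of Option 1 and the Platform Credentials NOTE above, here is an added Python example; it is not Poly's code and not part of the original post. It strips the BEGIN/END lines and line breaks from PEM input, checks that what remains is valid Base64 whose DER starts with a SEQUENCE tag, picks the custom CA slot from the sizes quoted in the post, and emits the `<web .../>` elements with their `.set="1"` flags and XML-escaped values. Two assumptions: the one-line rule the NOTE states for device certificates is applied to the CA certificate as well, and the slot limits are compared against the one-line Base64 length. The PEM blocks in the code are constructed dummies, not real certificates or keys.

```python
"""Build the 802.1x device.* parameters for a Poly UC Software configuration file.

Added example for this FAQ; it is not Poly's code. Output is the <web .../>
elements only; place them inside your configuration file's root element as usual.
"""
import base64
import re
from xml.sax.saxutils import quoteattr

# Slot sizes as quoted in the post (Platform 1: 1536 bytes, Platform 2: 4096 bytes).
# The post does not say whether PEM or DER bytes are counted, so the one-line
# Base64 length (the larger of the two) is used to stay on the safe side.
CA_SLOT_LIMITS = {1: 1536, 2: 4096}

PEM_LABELS = {"certificate": "CERTIFICATE", "rsa-key": "RSA PRIVATE KEY"}


def pem_to_oneline(pem_text: str, kind: str) -> str:
    """Return the Base64 body of a PEM block as one line.

    Checks that the BEGIN/END lines for `kind` are present, drops them and all
    line breaks, and verifies the body is valid Base64 whose DER starts with the
    0x30 SEQUENCE tag that every X.509 certificate and PKCS#1 RSA key has.
    """
    label = PEM_LABELS[kind]
    match = re.search(
        r"-----BEGIN {0}-----(.*?)-----END {0}-----".format(re.escape(label)),
        pem_text, re.S)
    if not match:
        raise ValueError(f"no PEM block labelled {label} found")
    body = "".join(match.group(1).split())  # removes CR, LF and spaces
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:               # binascii.Error subclasses ValueError
        raise ValueError("PEM body is not valid Base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    return body


def choose_ca_slot(oneline_cert: str) -> int:
    """Pick the smallest customCaCert slot the certificate fits into."""
    for slot, limit in sorted(CA_SLOT_LIMITS.items()):
        if len(oneline_cert) <= limit:
            return slot
    raise ValueError("certificate exceeds both custom CA slots")


def _elem(pairs) -> str:
    """Render one <web .../> element; quoteattr() escapes &, <, > and quotes."""
    return "<web " + " ".join(f"{n}={quoteattr(str(v))}" for n, v in pairs) + " />"


def build_dot1x_config(identity, password, ca_pem, device_cert_pem=None,
                       device_key_pem=None, anon_id=None,
                       method="EAP-PEAPv0-MSCHAPv2") -> str:
    """Return the Option 1 parameter set, plus optional outer ID and device certificate."""
    ca = pem_to_oneline(ca_pem, "certificate")
    slot = choose_ca_slot(ca)
    elems = [
        _elem([("device.set", 1), ("device.net.dot1x.enabled", 1),
               ("device.net.dot1x.enabled.set", 1)]),
        _elem([("device.net.dot1x.method.set", 1), ("device.net.dot1x.method", method)]),
        _elem([(f"device.sec.TLS.customCaCert{slot}.set", 1),
               (f"device.sec.TLS.customCaCert{slot}", ca)]),
        # "All" = built-in CAs plus every custom CA, whichever slot it landed in.
        _elem([("device.sec.TLS.profile.caCertList1.set", 1),
               ("device.sec.TLS.profile.caCertList1", "All")]),
        _elem([("device.net.dot1x.identity.set", 1), ("device.net.dot1x.identity", identity),
               ("device.net.dot1x.password.set", 1), ("device.net.dot1x.password", password)]),
        _elem([("sec.dot1x.eapollogoff.enabled", 1), ("sec.dot1x.eapollogoff.lanlinkreset", 1)]),
    ]
    if anon_id:  # outer identity, sent in clear before the TLS tunnel exists
        elems.append(_elem([("device.net.dot1x.anonid.set", 1),
                            ("device.net.dot1x.anonid", anon_id)]))
    if device_cert_pem and device_key_pem:  # Platform Credential 2, as in the post
        elems.append(_elem([
            ("device.sec.TLS.customDeviceCert2.set", 1),
            ("device.sec.TLS.customDeviceCert2.publicCert",
             pem_to_oneline(device_cert_pem, "certificate")),
            ("device.sec.TLS.customDeviceCert2.privateKey",
             pem_to_oneline(device_key_pem, "rsa-key")),
        ]))
    return "\n".join(elems)


# Constructed dummy PEM blocks: the Base64 decodes to a DER SEQUENCE header
# followed by zero bytes. They are NOT a real certificate or key.
_BODY = "MIIB" + "A" * 140  # 144 Base64 characters -> 108 bytes of DER
SAMPLE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 + "\n".join(_BODY[i:i + 64] for i in range(0, len(_BODY), 64))
                 + "\n-----END CERTIFICATE-----\n")
SAMPLE_KEY_PEM = SAMPLE_CA_PEM.replace("CERTIFICATE", "RSA PRIVATE KEY")

if __name__ == "__main__":
    print(build_dot1x_config("phone01", "p&ss", SAMPLE_CA_PEM,
                             SAMPLE_CA_PEM, SAMPLE_KEY_PEM, anon_id="anonymous"))
```

Run it as-is to see the fragment built from the dummy PEM, or import it and call build_dot1x_config() with the contents of your real PEM files. The password and private key end up in the configuration file in clear text, so restrict who can read the provisioning share and fetch the file over HTTPS.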

 

Relationship between Platform Profiles:

 

PlatformCredentialsCertificateKey_05.png

 

  • In the above example, we selected within the TLS Applications the TLS Platform Profile 2 for 802.1x as we are using a larger certificate.

 

  • We are assigning the Device Credentials for Platform Credential 2 within the TLS Profile

  • The CA Certificate within the TLS Profile is set to use All Certificates which means any added CA Certificate within the Certificate Configuration and in addition, all built-in certificates that are already on the phone (most common like GoDaddy/Symantec, etc.).

  • For Syslog the phone would use any Platform CA 1 assigned Certificate added via the Certificate Configuration.

A current overview of all certificates can be found => here <= usually within the Certificate Updates for Polycom UC Software

 

Outer ID / Anonymous ID authentication

Dot1x_OuterID-AnonymousID.png

 

The Anonymous ID is the outer ID. It is sent in clear text in the EAP-Response/Identity before the TLS tunnel is established, so it should not be the real username; the actual identity set in device.net.dot1x.identity is only sent inside the tunnel.

 

 

<web device.net.dot1x.anonid.set="1" device.net.dot1x.anonid="replace_with_outerID" />

 

 

 

Option 3 using RPRM / PDMS-E

 

  • On RealPresence Resource Manager browse to Endpoint > UC Management > Configuration Profiles and either add the needed parameters or copy a working config via "Paste Configuration XML"

 

RPRM_Dot1x_01.png

 

  • On PDMS-E, add a new Profile Configuration and follow the above example

 

PDMS-E_dot1x_01.png

 

As mentioned above, SCEP => here <= can be used to supply the certificate instead.

 

Troubleshooting:

 

  • Missing or wrong Certificate

802dot1x_04.PNG

 

000021.234|dot1x|1|00|SSL: SSL_connect:SSLv3 read server hello A
000021.238|dot1x|4|00|TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/C=GB/ST=London/L=London/O=Polycom Inc/OU=PGS/CN=nps.sbaierhome.lab'
000021.238|dot1x|4|00|CTRL-EVENT-EAP-CERT-ERR TLS: Certificate verification failed, error 20 (unable to get local issuer certificate)#20
000021.239|dot1x|0|00|CTRL_IFACE monitor send - hexdump(len=21): 2f 74 6d 70 2f 77 70 61 5f 63 74 72 6c 5f 35 36 35 2d 31 30 00
000021.239|dot1x|1|00|tls_verify_cb tls_check_cert_time_get()=0
000021.243|dot1x|1|00|SSL: (where=0x4008 ret=0x230)
000021.243|dot1x|2|00|SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
000021.243|dot1x|2|00|CTRL-EVENT-EAP-ALERT SSL: SSL3 alert: fatal:unknown CA#48
000021.243|dot1x|0|00|CTRL_IFACE monitor send - hexdump(len=21): 2f 74 6d 70 2f 77 70 61 5f 63 74 72 6c 5f 35 36 35 2d 31 30 00
000021.245|dot1x|1|00|SSL: (where=0x1002 ret=0xffffffff)
000021.245|dot1x|3|00|SSL: SSL_connect:error in error
000021.245|dot1x|3|00|OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

 

 

  • Missing or incorrect 802.1x identity or password

802dot1x_05.PNG

 

000621.536|dot1x|1|00|EAP-MSCHAPV2: error 691
000621.536|dot1x|2|00|CTRL-EVENT-EAP-WRONG-UNAME-OR-PASSWD

 

or

 

000021.087|dot1x|1|00|EAP: EAP entering state FAILURE
000021.087|dot1x|2|00|CTRL-EVENT-EAP-WRONG-USERNAME

 

  • Incorrect EAP Method

SteffenBaierUK_0-1638549307790.png

000126.429|dot1x|1|00|EAPOL: SUPP_BE entering state FAIL
000126.429|dot1x|1|00|EAPOL: SUPP_BE entering state IDLE
000126.429|dot1x|1|00|EAPOL authentication completed unsuccessfully
000126.428|dot1x|0|00|dot1xWpaMonitorMsg: Processing "<2>CTRL-EVENT-EAP-MTHD-MISMATCH "
000126.429|dot1x|4|00|EAP Method Mismatch Failure
000126.429|dot1x|0|00|dot1xWpaMonitorMsg: Processing "<2>CTRL-EVENT-EAP-FAILURE EAP authentication failed"
000126.429|dot1x|4|00|EAP Authentication Failed

 

PC Port changes

 

1209183441|so   |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port:UP, Speed:100Mbps, duplex:full
1209183441|so   |3|00|SoNcasC::soPpsIsStackStarted
1209183441|dot1x|1|00|soHostMovementDetectionHandle entered.
1209183443|cdp  |1|00|Sending CDP packet with length (cdpPktLen= 152)
1209183443|cdp  |1|00|Received CDP packet from 00 0c 85 2e 24 c4.
1209183443|cdp  |2|00|Ignoring CDP packet with no VLAN Id.
1209183443|cdp  |2|00| Received CDP without voice and Native VLAN, Assuming Trunk Port
1209183445|dot1x|1|00|dot1xWpaSupplicantcommand [PING ] try to open control interface...
1209183445|dot1x|1|00|dot1xWpaSupplicantcommand [PING ] sent...
1209183449|so   |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port: DOWN
1209183449|so   |3|00|SoNcasC::soPpsIsStackStarted
1209183449|dot1x|1|00|soHostMovementDetectionHandle entered.
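As an added example (not from the post or from Poly), the following Python classifies the dot1x log excerpts shown in the Troubleshooting section into the three causes listed there, and treats the PC Port lines as a non-failure case. The `|`-separated log format and the signature strings are taken from the excerpts above; the precedence order of the verdicts is my own choice, so that a specific cause wins over the generic EAP failure the supplicant logs alongside it.

```python
"""Classify 802.1x supplicant failures from Poly UC Software log lines.

Added example for this FAQ; not Poly's code. The sample excerpts below are the
ones quoted in the troubleshooting section, and each verdict's pattern is built
from the CTRL-EVENT / OpenSSL strings visible in them.
"""
import re

# UCS log line: <timestamp>|<module, space padded>|<level>|<seq>|<message>
LOG_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<mod>[^|]+)\|(?P<lvl>\d)\|(?P<seq>\d+)\|(?P<msg>.*)$")


def parse_line(line: str):
    """Split one log line into its fields; return None for non-log text."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["mod"] = rec["mod"].strip()  # module names are padded, e.g. 'so   '
    rec["lvl"] = int(rec["lvl"])
    return rec


# Verdicts in precedence order: a specific cause beats the generic EAP failure.
SIGNATURES = (
    ("missing_or_wrong_ca", re.compile(
        r"unable to get local issuer certificate|fatal:unknown CA|certificate verify failed")),
    ("wrong_identity_or_password", re.compile(
        r"CTRL-EVENT-EAP-WRONG-UNAME-OR-PASSWD|CTRL-EVENT-EAP-WRONG-USERNAME|EAP-MSCHAPV2: error 691")),
    ("eap_method_mismatch", re.compile(
        r"CTRL-EVENT-EAP-MTHD-MISMATCH|EAP Method Mismatch Failure")),
    ("eap_failed_unclassified", re.compile(
        r"CTRL-EVENT-EAP-FAILURE|EAPOL authentication completed unsuccessfully|EAP entering state FAILURE")),
)


def diagnose(log_text: str) -> dict:
    """Return the most specific verdict for a log excerpt and the lines behind it."""
    hits = {name: [] for name, _ in SIGNATURES}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["mod"] != "dot1x":
            continue  # so/cdp lines never carry EAP verdicts
        for name, rx in SIGNATURES:
            if rx.search(rec["msg"]):
                hits[name].append(raw.strip())
    for name, _ in SIGNATURES:
        if hits[name]:
            return {"verdict": name, "evidence": hits[name]}
    return {"verdict": "no_dot1x_failure_seen", "evidence": []}


# Excerpts copied from the troubleshooting section above.
CA_FAIL_LOG = """
000021.234|dot1x|1|00|SSL: SSL_connect:SSLv3 read server hello A
000021.238|dot1x|4|00|TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/C=GB/ST=London/L=London/O=Polycom Inc/OU=PGS/CN=nps.sbaierhome.lab'
000021.238|dot1x|4|00|CTRL-EVENT-EAP-CERT-ERR TLS: Certificate verification failed, error 20 (unable to get local issuer certificate)#20
000021.243|dot1x|2|00|SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
000021.243|dot1x|2|00|CTRL-EVENT-EAP-ALERT SSL: SSL3 alert: fatal:unknown CA#48
000021.245|dot1x|3|00|OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"""
CRED_FAIL_LOG = """
000621.536|dot1x|1|00|EAP-MSCHAPV2: error 691
000621.536|dot1x|2|00|CTRL-EVENT-EAP-WRONG-UNAME-OR-PASSWD
"""
USERNAME_FAIL_LOG = """
000021.087|dot1x|1|00|EAP: EAP entering state FAILURE
000021.087|dot1x|2|00|CTRL-EVENT-EAP-WRONG-USERNAME
"""
METHOD_FAIL_LOG = """
000126.429|dot1x|1|00|EAPOL authentication completed unsuccessfully
000126.428|dot1x|0|00|dot1xWpaMonitorMsg: Processing "<2>CTRL-EVENT-EAP-MTHD-MISMATCH "
000126.429|dot1x|4|00|EAP Method Mismatch Failure
000126.429|dot1x|0|00|dot1xWpaMonitorMsg: Processing "<2>CTRL-EVENT-EAP-FAILURE EAP authentication failed"
000126.429|dot1x|4|00|EAP Authentication Failed
"""
PC_PORT_LOG = """
1209183441|so   |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port:UP, Speed:100Mbps, duplex:full
1209183441|dot1x|1|00|soHostMovementDetectionHandle entered.
1209183443|cdp  |2|00| Received CDP without voice and Native VLAN, Assuming Trunk Port
1209183449|so   |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port: DOWN
"""

if __name__ == "__main__":
    for label, text in [("CA", CA_FAIL_LOG), ("credentials", CRED_FAIL_LOG),
                        ("method", METHOD_FAIL_LOG), ("PC port", PC_PORT_LOG)]:
        print(label, "->", diagnose(text)["verdict"])
```

Feed it the dot1x section of a phone log (Settings > Logging, or the syslog target) to get the cause and the exact lines to quote in a support case; anything it returns as eap_failed_unclassified is a failure the three known signatures do not cover.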

 

----------------

If official support is required please check how to phone or open a case here

----------------
The title Poly Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. All posts and words are my own and do not represent the views of my employer.

----------------


Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
Please also ensure you always check the VoIP, Video Endpoint, Microsoft Voice, PSTN or other FAQs in the different sections