[FAQ] How can I add a 802.1x EAP-PEAPv0/MSCHAPv2 Certificate or use the feature?


Please be aware that the below example will only work with UC Software 4.0.0 or higher.


  • Trio/CCX UC Software 5.7.2 and VVX UC Software 5.9.0 introduced the Simple Certificate Enrolment Protocol also known as SCEP => here <=

  • For further details around 802.1x please check => here <=

  • Our Poly Employee Brennon Kwok provides detailed instructions >part 1< and >part 2< around the full working setup.


Supported EAP Authentication Protocols and Requirements


• Device certificate
• Trusted Root Certificate Authority and Client/Device certificates
• Identity (user name)

• Trusted Root Certificate Authority and Client/Device certificates
• Identity (user name)
• Password

• Trusted Root Certificate Authority and Client/Device certificates
• Identity (user name)
• Password

• Identity (user name)
• Password

• Identity (user name)
• Password
• Optional PAC file, provisioned automatically through the network or manually using a PAC file password.


Option 1 using Configuration Files


NOTE: The device.* parameters below are only applied when device.set="1" is present and each parameter is accompanied by its own .set="1" companion, as shown in the examples.


The Parameters needed for this example are as follows:


<web device.set="1" device.net.dot1x.enabled="1" device.net.dot1x.enabled.set="1" />

 above should be sufficient to enable 802.1x functionality 


<web device.net.dot1x.method.set="1" device.net.dot1x.method="EAP-PEAPv0-MSCHAPv2" />

above sets the EAP-PEAPv0-MSCHAPv2 as the 802.1x method


<web device.sec.TLS.customCaCert2.set="1" device.sec.TLS.customCaCert2="<Certificate…….>" />

above adds the Certificate and the <Certificate…….> needs to be replaced with the actual certificate content.


It should be a PEM-encoded certificate (the Base64 form of the DER certificate). PEM certificates usually have an extension such as .pem, .crt or .cer (a .key file holds a private key and does not belong in this parameter); they are Base64-encoded ASCII files and contain the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. The certificate to load here is the CA that issued the RADIUS server's certificate, otherwise the phone rejects the server during the PEAP TLS handshake.

<web device.sec.TLS.profile.caCertList1.set="1" device.sec.TLS.profile.caCertList1="All" />

above sets the CA certificate list of TLS Platform Profile 1 to All, so the CA loaded into customCaCert2 is trusted for 802.1x. customCaCert2 is used in this example because that slot accepts certificates of up to 4096 bytes, whereas customCaCert1 accepts only 1536 bytes.


<web device.net.dot1x.password="Add a Password" device.net.dot1x.password.set="1" 
device.net.dot1x.identity="Add a Username" device.net.dot1x.identity.set="1" />

above sets the identity (user name) and password the phone presents as the 802.1x supplicant. A PC connected to the phone's PC port runs its own supplicant and authenticates with its own credentials; the EAPOL logoff parameters below cover that PC. Note that the password is stored in cleartext in the configuration file, so restrict access to the provisioning server and deliver the file over an encrypted transport (HTTPS or FTPS).


<web sec.dot1x.eapollogoff.enabled="1" sec.dot1x.eapollogoff.lanlinkreset="1" />

above enables the EAPOL logoff feature for a PC connected through the phone's PC port: when that PC is unplugged the phone sends an EAPOL-Logoff on its behalf so the switch port does not stay authorised for a device that is gone, and lanlinkreset makes the phone reset its LAN link as part of that logoff (see the Admin Guide for the exact behaviour).


NOTE: Please ensure to consult the UCS Admin Guide for details on individual parameters.


Option 2 using the Phone Web Interface 






In the Web Interface the TLS Profile is linked to a Platform certificate slot in the same way; Platform 2 supports certificates of up to 4096 bytes and Platform 1 only 1536 bytes, so larger certificates go into Platform 2.


The Certificate can either be imported via the Web Interface as described => here <= or simply place a URL into the field and click install:




Platform Credentials:


Settings > Network > TLS > Device Certificates




Specifying a valid certificate in either Platform 1 or Platform 2 and clicking Install prompts the phone to ask for the location of the matching private key:




The same can be provisioned via a configuration file for either Platform Certificate 1 or Platform Certificate 2:



NOTE: Please ensure the certificate does not contain the -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- or -----BEGIN RSA PRIVATE KEY----- / -----END RSA PRIVATE KEY----- statements and is in one line without any carriage return or line feed.
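The following Python script is an added example, not part of the original post and not Poly's own tooling. It builds the Option 1 `<web .../>` fragment from PEM files and applies the two formatting rules given above: the custom CA certificate keeps its BEGIN/END lines and is checked against the 1536/4096-byte slot limits, while the device certificate and key are stripped to a single Base64 line without CR/LF. The dot1x, customCaCert2, caCertList1 and eapollogoff parameter names are the ones quoted in this post; the device-certificate names device.sec.TLS.customDeviceCert1.publicCert / .privateKey / .set are an assumption based on the UCS admin guide naming and must be checked there. The PEM input used in the demo is constructed (a tiny DER SEQUENCE wrapped in PEM lines), not a real certificate or key.

```python
"""Build a UCS 802.1x provisioning fragment from PEM material (added example).

Parameter names for dot1x, customCaCert2, caCertList1 and eapollogoff are
taken from the post.  device.sec.TLS.customDeviceCert1.* is an ASSUMPTION
about the Platform Certificate 1 parameter names; verify in the Admin Guide.
"""
import base64
import re
import xml.etree.ElementTree as ET

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Byte limits the post gives for the two custom CA slots.
CA_SLOT_LIMIT = {1: 1536, 2: 4096}


def pem_blocks(text):
    """Return (label, Base64 body without any whitespace) for every PEM block."""
    return [(m.group(1), re.sub(r"\s+", "", m.group(2))) for m in PEM_RE.finditer(text)]


def check_der(body):
    """Base64-decode the body and require a DER SEQUENCE (0x30) as the first byte."""
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("PEM body does not decode to a DER SEQUENCE")
    return der


def ca_attribute(pem_text, slot=2):
    """Value for device.sec.TLS.customCaCert<slot>: exactly one CERTIFICATE block,
    BEGIN/END lines kept, size checked against the slot limit."""
    certs = [b for b in pem_blocks(pem_text) if b[0] == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError("expected exactly one CERTIFICATE block")
    body = certs[0][1]
    check_der(body)
    value = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"
    if len(value) > CA_SLOT_LIMIT[slot]:
        raise ValueError(
            f"{len(value)} bytes exceeds the {CA_SLOT_LIMIT[slot]}-byte limit of customCaCert{slot}")
    return value


def device_attribute(pem_text, label):
    """Value for a Platform Certificate parameter: BEGIN/END lines removed and the
    Base64 body collapsed to one line with no CR/LF, as the NOTE above requires."""
    blocks = [b for b in pem_blocks(pem_text) if b[0] == label]
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one {label} block")
    check_der(blocks[0][1])
    return blocks[0][1]


def build_dot1x_config(identity, password, ca_pem, method="EAP-PEAPv0-MSCHAPv2",
                       device_cert_pem=None, device_key_pem=None):
    """Return (attribute dict, serialized <web .../> element).  device.set="1" is
    included and every device.* parameter carries its .set="1" companion."""
    attrs = {
        "device.set": "1",
        "device.net.dot1x.enabled": "1", "device.net.dot1x.enabled.set": "1",
        "device.net.dot1x.method": method, "device.net.dot1x.method.set": "1",
        "device.net.dot1x.identity": identity, "device.net.dot1x.identity.set": "1",
        "device.net.dot1x.password": password, "device.net.dot1x.password.set": "1",
        "device.sec.TLS.customCaCert2": ca_attribute(ca_pem, slot=2),
        "device.sec.TLS.customCaCert2.set": "1",
        "device.sec.TLS.profile.caCertList1": "All",
        "device.sec.TLS.profile.caCertList1.set": "1",
        "sec.dot1x.eapollogoff.enabled": "1",
        "sec.dot1x.eapollogoff.lanlinkreset": "1",
    }
    if device_cert_pem and device_key_pem:
        # ASSUMED parameter names for Platform Certificate 1 (see module docstring).
        attrs["device.sec.TLS.customDeviceCert1.publicCert"] = device_attribute(device_cert_pem, "CERTIFICATE")
        attrs["device.sec.TLS.customDeviceCert1.privateKey"] = device_attribute(device_key_pem, "RSA PRIVATE KEY")
        attrs["device.sec.TLS.customDeviceCert1.set"] = "1"
    # ElementTree escapes quotes and newlines inside attribute values for us.
    return attrs, ET.tostring(ET.Element("web", attrs), encoding="unicode")


def make_fake_pem(label, der=b"\x30\x03\x02\x01\x01"):
    """CONSTRUCTED demo input: a PEM wrapper around a tiny DER SEQUENCE.
    It is not a real certificate or key and will not be accepted by a phone."""
    body = base64.b64encode(der).decode()
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"


if __name__ == "__main__":
    _, xml = build_dot1x_config("phone01", "replace-me", make_fake_pem("CERTIFICATE"),
                                device_cert_pem=make_fake_pem("CERTIFICATE"),
                                device_key_pem=make_fake_pem("RSA PRIVATE KEY"))
    print(xml)
```

Replace `make_fake_pem(...)` with the contents of your real CA, device certificate and key files. Because the generated file carries the MSCHAPv2 password and the device private key in cleartext, treat it like a credential: restrict who can read it on the provisioning server and serve it over HTTPS or FTPS only.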



Relationship between Platform Profiles:




  • In the above example, we selected within the TLS Applications the TLS Platform Profile 2 for 802.1x as we are using a larger certificate.


  • We are assigning the Device Credentials for Platform Credential 2 within the TLS Profile

  • The CA Certificate within the TLS Profile is set to use All Certificates which means any added CA Certificate within the Certificate Configuration and in addition, all built-in certificates that are already on the phone (most common like GoDaddy/Symantec, etc.).

  • For Syslog the phone would use any Platform CA 1 assigned Certificate added via the Certificate Configuration.

A current overview of all certificates can be found => here <= usually within the Certificate Updates for Polycom UC Software


Outer ID / Anonymous ID authentication



The Anonymous ID is the outer identity. With PEAP the phone first answers the EAP-Identity request in the clear, before the TLS tunnel is established, and only sends the real user name (device.net.dot1x.identity) and the MSCHAPv2 exchange inside the tunnel. Setting an anonymous outer ID keeps the real user name off the wire; check that the RADIUS server accepts an outer identity that differs from the inner one.



<web device.net.dot1x.anonid.set="1" device.net.dot1x.anonid="replace_with_outerID" />




Option 3 using RPRM / PDMS-E


  • On RealPresence Resource Manager browse to Endpoint > UC Management > Configuration Profiles and either add the needed parameters or copy a working config via "Paste Configuration XML"




  • On PDMS-E add a new Profile Configuration and follow the above example




As noted above, SCEP => here <= can also be used to enrol the device certificate automatically instead of provisioning it in the configuration file.




  • Missing or wrong Certificate: the phone cannot build a chain from the RADIUS server's certificate to a trusted CA (OpenSSL error 20, "unable to get local issuer certificate", answered with the fatal alert "unknown CA"). Load the issuing CA into the custom CA slot and make sure the TLS profile selected for 802.1x uses it.



000021.234|dot1x|1|00|SSL: SSL_connect:SSLv3 read server hello A
000021.238|dot1x|4|00|TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/C=GB/ST=London/L=London/O=Polycom Inc/OU=PGS/CN=nps.sbaierhome.lab'
000021.238|dot1x|4|00|CTRL-EVENT-EAP-CERT-ERR TLS: Certificate verification failed, error 20 (unable to get local issuer certificate)#20
000021.239|dot1x|0|00|CTRL_IFACE monitor send - hexdump(len=21): 2f 74 6d 70 2f 77 70 61 5f 63 74 72 6c 5f 35 36 35 2d 31 30 00
000021.239|dot1x|1|00|tls_verify_cb tls_check_cert_time_get()=0
000021.243|dot1x|1|00|SSL: (where=0x4008 ret=0x230)
000021.243|dot1x|2|00|SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
000021.243|dot1x|2|00|CTRL-EVENT-EAP-ALERT SSL: SSL3 alert: fatal:unknown CA#48
000021.243|dot1x|0|00|CTRL_IFACE monitor send - hexdump(len=21): 2f 74 6d 70 2f 77 70 61 5f 63 74 72 6c 5f 35 36 35 2d 31 30 00
000021.245|dot1x|1|00|SSL: (where=0x1002 ret=0xffffffff)
000021.245|dot1x|3|00|SSL: SSL_connect:error in error
000021.245|dot1x|3|00|OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed



  • Missing or incorrect 802.1x identity or password (MS-CHAPv2 error 691, authentication failure, followed by EAP entering the FAILURE state)



000621.536|dot1x|1|00|EAP-MSCHAPV2: error 691




000021.087|dot1x|1|00|EAP: EAP entering state FAILURE


  • Incorrect EAP Method: device.net.dot1x.method does not match the method the authentication server expects (CTRL-EVENT-EAP-MTHD-MISMATCH)


    000126.429|dot1x|1|00|EAPOL: SUPP_BE entering state FAIL
    000126.429|dot1x|1|00|EAPOL: SUPP_BE entering state IDLE
    000126.429|dot1x|1|00|EAPOL authentication completed unsuccessfully
    000126.428|dot1x|0|00|dot1xWpaMonitorMsg: Processing "<2>CTRL-EVENT-EAP-MTHD-MISMATCH "
    000126.429|dot1x|4|00|EAP Method Mismatch Failure
    000126.429|dot1x|0|00|dot1xWpaMonitorMsg: Processing "<2>CTRL-EVENT-EAP-FAILURE EAP authentication failed"
    000126.429|dot1x|4|00|EAP Authentication Failed
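As an added example (not part of the original post and not a Poly tool), the script below classifies dot1x log lines into the three failure causes described above, plus the PC port host-movement messages. The log layout is assumed from the excerpts: five fields separated by `|` (timestamp, module, level, sequence, message). The sample log is constructed from lines quoted in this post; the subject of the rejected server certificate is pulled out of the error 20 line because it tells you which RADIUS server certificate the phone actually saw.

```python
"""Triage UCS 802.1x supplicant log lines (added example, not from the post).

Assumed layout: 'timestamp|module|level|sequence|message'.  SAMPLE_LOG is
constructed from the excerpts quoted in the post.
"""
import re
from collections import OrderedDict

# (category, pattern, what to check) in priority order; first matching rule wins per line.
RULES = [
    ("ca_not_trusted",
     re.compile(r"unable to get local issuer certificate|unknown CA|certificate verif\w+ failed", re.I),
     "the phone does not trust the issuer of the RADIUS server certificate: load the issuing CA "
     "into customCaCert1/2 and make sure the TLS profile selected for 802.1x uses it"),
    ("bad_credentials",
     re.compile(r"EAP-MSCHAPV2: error 691"),
     "MS-CHAPv2 error 691 (authentication failure): check device.net.dot1x.identity and .password"),
    ("method_mismatch",
     re.compile(r"EAP-MTHD-MISMATCH|EAP Method Mismatch"),
     "device.net.dot1x.method differs from the EAP type the authenticator offers"),
    ("eap_failure",
     re.compile(r"EAP entering state FAILURE|EAP authentication failed|authentication completed unsuccessfully", re.I),
     "generic EAP failure: the specific cause is usually logged a few lines earlier"),
    ("pc_port_change",
     re.compile(r"PC Port:\s*(UP|DOWN)"),
     "host movement on the PC port (relevant when sec.dot1x.eapollogoff.enabled=1)"),
]

# Subject of the server certificate the phone rejected, when present on the line.
SUBJECT_RE = re.compile(r"depth \d+ for '([^']+)'")


def parse_line(line):
    """Split one log line into its fields; None if it is not in the expected layout."""
    parts = line.strip().split("|", 4)
    if len(parts) != 5:
        return None
    ts, module, level, seq, msg = parts
    return {"ts": ts, "module": module.strip(), "level": level, "seq": seq, "msg": msg}


def classify(msg):
    """Return (category, hint) for a message, or None when no rule matches."""
    for cat, pat, hint in RULES:
        if pat.search(msg):
            return cat, hint
    return None


def triage(lines):
    """Aggregate per category: count, first matching message, hint and, for
    certificate errors, the subject of the rejected server certificate."""
    findings = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        hit = classify(rec["msg"]) if rec else None
        if hit is None:
            continue
        cat, hint = hit
        f = findings.setdefault(cat, {"count": 0, "first": rec["msg"], "hint": hint, "subject": None})
        f["count"] += 1
        m = SUBJECT_RE.search(rec["msg"])
        if m:
            f["subject"] = m.group(1)
    return findings


def root_cause(lines):
    """Most specific failure category present, in RULES priority; None if no failure matched."""
    found = triage(lines)
    for cat, _, _ in RULES:
        if cat in found and cat != "pc_port_change":
            return cat
    return None


# Constructed from the log excerpts quoted in this post.
SAMPLE_LOG = [
    "000021.234|dot1x|1|00|SSL: SSL_connect:SSLv3 read server hello A",
    "000021.238|dot1x|4|00|TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/C=GB/ST=London/L=London/O=Polycom Inc/OU=PGS/CN=nps.sbaierhome.lab'",
    "000021.243|dot1x|2|00|SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA",
    "000021.245|dot1x|3|00|OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
    "000621.536|dot1x|1|00|EAP-MSCHAPV2: error 691",
    "000021.087|dot1x|1|00|EAP: EAP entering state FAILURE",
    "000126.429|dot1x|1|00|EAPOL authentication completed unsuccessfully",
    '000126.428|dot1x|0|00|dot1xWpaMonitorMsg: Processing "<2>CTRL-EVENT-EAP-MTHD-MISMATCH "',
    "000126.429|dot1x|4|00|EAP Method Mismatch Failure",
    "1209183441|so   |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port:UP, Speed:100Mbps, duplex:full",
    "1209183449|so   |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port: DOWN",
]

if __name__ == "__main__":
    for cat, f in triage(SAMPLE_LOG).items():
        print(f"{cat:16} x{f['count']}  {f['hint']}")
        if f["subject"]:
            print(f"{'':16} server certificate subject: {f['subject']}")
    print("root cause:", root_cause(SAMPLE_LOG))
```

Feed it the dot1x lines from a phone log capture (for example `triage(open("phone.log").read().splitlines())`); `root_cause` ranks a certificate trust problem above a credential or method problem because the PEAP tunnel never comes up in that case and the later errors are only consequences.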


PC Port changes


1209183441|so   |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port:UP, Speed:100Mbps, duplex:full
1209183441|so   |3|00|SoNcasC::soPpsIsStackStarted
1209183441|dot1x|1|00|soHostMovementDetectionHandle entered.
1209183443|cdp  |1|00|Sending CDP packet with length (cdpPktLen= 152)
1209183443|cdp  |1|00|Received CDP packet from 00 0c 85 2e 24 c4.
1209183443|cdp  |2|00|Ignoring CDP packet with no VLAN Id.
1209183443|cdp  |2|00| Received CDP without voice and Native VLAN, Assuming Trunk Port
1209183445|dot1x|1|00|dot1xWpaSupplicantcommand [PING ] try to open control interface...
1209183445|dot1x|1|00|dot1xWpaSupplicantcommand [PING ] sent...
1209183449|so   |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port: DOWN
1209183449|so   |3|00|SoNcasC::soPpsIsStackStarted
1209183449|dot1x|1|00|soHostMovementDetectionHandle entered.



If official support is required, please check how to phone in or open a case here

The title Poly Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. All posts and words are my own and do not represent the views of my employer.


Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
Please also ensure you always check the VoIP, Video Endpoint, Microsoft Voice, PSTN or other FAQs in the different sections