Article ID: 000032687
Last Modified Date: 10/12/2021
Access Level: Public

Using 802.1x network authentication protocol with Poly Phones

A customer wanted to use the IEEE 802.1X standard for port-based Network Access Control (PNAC) with Poly phones.
Trio UC Software 5.7.2 and VVX UC Software 5.9.0 introduced the Simple Certificate Enrolment Protocol, also known as SCEP.

Option 1 using Configuration Files

 NOTE: In order to use the parameters below, the device.set="1" parameter must be used. The parameters needed for this example are as follows:

    device.set="1"
    device.net.dot1x.enabled="1"
    device.net.dot1x.enabled.set="1"

The above is sufficient to enable 802.1x functionality.

    device.net.dot1x.method.set="1"
    device.net.dot1x.method="EAP-PEAPv0-MSCHAPv2"

The above sets EAP-PEAPv0-MSCHAPv2 as the 802.1x method.

    device.sec.TLS.customCaCert2.set="1"
    device.sec.TLS.customCaCert2="<Certificate…….>"

The above adds the certificate; <Certificate…….> needs to be replaced with the actual certificate content. It should be a DER-encoded certificate in PEM format. PEM certificates usually have an extension such as .pem, .crt, .cer or .key. They are Base64-encoded ASCII files and usually contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements.

    device.sec.TLS.profile.caCertList1.set="1"
    device.sec.TLS.profile.caCertList1="All"

The above links the TLS profile with Platform 1 used in this example, as Platform 2 supports 4096 bytes and Platform 1 only 1536 bytes.

    device.net.dot1x.password="Add a Password"
    device.net.dot1x.password.set="1"
    device.net.dot1x.identity="Add a Username"
    device.net.dot1x.identity.set="1"

The above ensures that the phone itself and a PC connected to the switch port can authenticate themselves.

    sec.dot1x.eapollogoff.enabled="1"
    sec.dot1x.eapollogoff.lanlinkreset="1"

The above ensures that the EAPOL logoff feature for a PC connected via the phone is enabled.
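As an added example (not from the article or from Poly), the following Python assembles the Option 1 parameter set into a configuration file, checks that the CA certificate is a PEM block, and picks the Platform slot from the byte limits stated above. The PHONE_CONFIG/ALL XML wrapper and reading the limits as the PEM text length are assumptions, and the sample certificate body is constructed filler.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

CA_SLOT_LIMITS = {1: 1536, 2: 4096}  # byte limits the article gives for Platform 1 and 2
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----")

# Constructed sample input: the Base64 body is filler, not a real certificate.
SAMPLE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(["MIIBsample0" * 6] * 6)
                 + "\n-----END CERTIFICATE-----\n")

def validate_pem(pem):
    """Return one normalised PEM certificate block; raise ValueError if the markers are missing."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PEM certificate: BEGIN/END CERTIFICATE markers missing")
    body = "".join(m.group(1).split())  # Base64 of the DER with line breaks removed
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"

def choose_ca_slot(pem):
    """Smallest Platform slot whose limit fits the PEM text (size taken as its ASCII byte length)."""
    size = len(pem.encode("ascii"))
    for slot, limit in sorted(CA_SLOT_LIMITS.items()):
        if size <= limit:
            return slot
    raise ValueError(f"certificate is {size} bytes, above the {max(CA_SLOT_LIMITS.values())}-byte limit")

def build_dot1x_config(pem, identity, password):
    """Emit the article's parameter set as a config file; the PHONE_CONFIG/ALL XML wrapper is assumed."""
    pem = validate_pem(pem)
    slot = choose_ca_slot(pem)
    params = {
        "device.set": "1", "device.net.dot1x.enabled.set": "1", "device.net.dot1x.enabled": "1",
        "device.net.dot1x.method.set": "1", "device.net.dot1x.method": "EAP-PEAPv0-MSCHAPv2",
        f"device.sec.TLS.customCaCert{slot}.set": "1", f"device.sec.TLS.customCaCert{slot}": pem,
        "device.sec.TLS.profile.caCertList1.set": "1", "device.sec.TLS.profile.caCertList1": "All",
        "device.net.dot1x.identity.set": "1", "device.net.dot1x.identity": identity,
        "device.net.dot1x.password.set": "1", "device.net.dot1x.password": password,
        "sec.dot1x.eapollogoff.enabled": "1", "sec.dot1x.eapollogoff.lanlinkreset": "1",
    }
    # quoteattr escapes the PEM's newlines as &#10; so they survive XML attribute normalisation.
    attrs = "\n       ".join(f"{k}={quoteattr(v)}" for k, v in params.items())
    return ('<?xml version="1.0" encoding="utf-8" standalone="yes"?>\n'
            f"<PHONE_CONFIG>\n  <ALL {attrs} />\n</PHONE_CONFIG>\n")

def read_param(config_xml, name):
    """Parse the generated file back and return one parameter value, to confirm it round-trips."""
    return ET.fromstring(config_xml).find("ALL").get(name)
```

A certificate larger than 1536 bytes lands in the customCaCert2 slot automatically, and anything above 4096 bytes is rejected before a file is written.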

Option 2 using the Phone Web Interface

The certificate can either be imported via the Web Interface as a configuration file (Utilities > Import & Export Configuration > Import Configuration), or you can simply place a URL into the certificate field and click Install.

Platform Credentials:

Settings > Network > TLS > Device Certificates

Specifying a valid certificate in either Platform 1 or Platform 2 and clicking Install will prompt the phone to request the relevant key location.

The same can be provisioned via a configuration file, either for Platform Certificate 1:

    device.sec.TLS.customDeviceCert1.set="1"
    device.sec.TLS.customDeviceCert1.publicCert=""
    device.sec.TLS.customDeviceCert1.privateKey=""

or for Platform Certificate 2:

    device.sec.TLS.customDeviceCert2.set="1"
    device.sec.TLS.customDeviceCert2.publicCert=""
    device.sec.TLS.customDeviceCert2.privateKey=""

Relationship between Platform Profiles:

  • In the above example, we selected TLS Platform Profile 2 for 802.1x within the TLS Applications, as we are using a larger certificate.

  • We are assigning the Device Credentials for Platform Credential 2 within the TLS Profile.

  • The CA Certificate within the TLS Profile is set to "All Certificates", which means any CA certificate added within the Certificate Configuration plus all built-in certificates already on the phone (the most common ones, such as GoDaddy and Symantec).

  • For Syslog the phone would use any Platform CA 1 certificate added via the Certificate Configuration.

Since VVX and Trio UC Software 5.9.0 or later, an overview of the built-in certificates can be found via the Web Interface under Settings > Network > TLS > SSL Certificates. For releases older than UC Software 5.9.0, an updated overview of the built-in certificates for Polycom VVX Business Media Phones, Trio, SoundStation IP and SoundPoint IP phones can be found in the Polycom® Engineering Advisories and Technical Notifications overview, or on the individual Software Download page.

Troubleshooting:

  • Missing or wrong Certificate

    000021.234|dot1x|1|00|SSL: SSL_connect:SSLv3 read server hello A
    000021.238|dot1x|4|00|TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/C=GB/ST=London/L=London/O=Polycom Inc/OU=PGS/CN=nps.sbaierhome.lab'
    000021.238|dot1x|4|00|CTRL-EVENT-EAP-CERT-ERR TLS: Certificate verification failed, error 20 (unable to get local issuer certificate)#20
    000021.239|dot1x|0|00|CTRL_IFACE monitor send - hexdump(len=21): 2f 74 6d 70 2f 77 70 61 5f 63 74 72 6c 5f 35 36 35 2d 31 30 00
    000021.239|dot1x|1|00|tls_verify_cb tls_check_cert_time_get()=0
    000021.243|dot1x|1|00|SSL: (where=0x4008 ret=0x230)
    000021.243|dot1x|2|00|SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
    000021.243|dot1x|2|00|CTRL-EVENT-EAP-ALERT SSL: SSL3 alert: fatal:unknown CA#48
    000021.243|dot1x|0|00|CTRL_IFACE monitor send - hexdump(len=21): 2f 74 6d 70 2f 77 70 61 5f 63 74 72 6c 5f 35 36 35 2d 31 30 00
    000021.245|dot1x|1|00|SSL: (where=0x1002 ret=0xffffffff)
    000021.245|dot1x|3|00|SSL: SSL_connect:error in error
    000021.245|dot1x|3|00|OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
  • Missing or incorrect 802.1x identity or password

    000621.536|dot1x|1|00|EAP-MSCHAPV2: error 691
    000621.536|dot1x|2|00|CTRL-EVENT-EAP-WRONG-UNAME-OR-PASSWD

  or

    000021.087|dot1x|1|00|EAP: EAP entering state FAILURE
    000021.087|dot1x|2|00|CTRL-EVENT-EAP-WRONG-USERNAME

  • PC Port troubleshooting

    1209183441|so   |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port:UP, Speed:100Mbps, duplex:full
    1209183441|so   |3|00|SoNcasC::soPpsIsStackStarted
    1209183441|dot1x|1|00|soHostMovementDetectionHandle entered.
    1209183443|cdp  |1|00|Sending CDP packet with length (cdpPktLen= 152)
    1209183443|cdp  |1|00|Received CDP packet from 00 0c 85 2e 24 c4.
    1209183443|cdp  |2|00|Ignoring CDP packet with no VLAN Id.
    1209183443|cdp  |2|00| Received CDP without voice and Native VLAN, Assuming Trunk Port
    1209183445|dot1x|1|00|dot1xWpaSupplicantcommand [PING ] try to open control interface...
    1209183445|dot1x|1|00|dot1xWpaSupplicantcommand [PING ] sent...
    1209183449|so   |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port: DOWN
    1209183449|so   |3|00|SoNcasC::soPpsIsStackStarted
    1209183449|dot1x|1|00|soHostMovementDetectionHandle entered.
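The log excerpts above can be turned into a small triage check. This Python (an added example, not part of the article) parses the time|module|level|seq|message line format and maps the message fragments shown in each troubleshooting bullet to the cause the article names for them; the sample lines are copied from the section above (one shortened), with one unrelated CDP line added.

```python
import re

# Poly UC Software log format as seen in the article: <timestamp>|<module>|<level>|<seq>|<message>
LOG_RE = re.compile(r"^\s*(\S+)\|(\w+)\s*\|(\d)\|(\d+)\|(.*)$")

CA_PROBLEM = "missing or wrong CA certificate"
CREDENTIAL_PROBLEM = "missing or incorrect 802.1x identity or password"
PC_PORT_DOWN = "PC port link went down (host movement detection)"

# Message fragments from the troubleshooting section above and the cause each one indicates.
SIGNATURES = [
    ("unable to get local issuer certificate", CA_PROBLEM),
    ("fatal:unknown CA", CA_PROBLEM),
    ("EAP-MSCHAPV2: error 691", CREDENTIAL_PROBLEM),
    ("CTRL-EVENT-EAP-WRONG-UNAME-OR-PASSWD", CREDENTIAL_PROBLEM),
    ("CTRL-EVENT-EAP-WRONG-USERNAME", CREDENTIAL_PROBLEM),
    ("PC Port: DOWN", PC_PORT_DOWN),
]

# Sample input: lines copied from the troubleshooting section above, plus one unrelated CDP line.
SAMPLE_LOG = """\
000021.238|dot1x|4|00|TLS: Certificate verification failed, error 20 (unable to get local issuer certificate)
000021.243|dot1x|2|00|SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
000621.536|dot1x|1|00|EAP-MSCHAPV2: error 691
000621.536|dot1x|2|00|CTRL-EVENT-EAP-WRONG-UNAME-OR-PASSWD
1209183443|cdp  |2|00|Ignoring CDP packet with no VLAN Id.
1209183449|so   |3|00|soNetworkChanged_HostMovementDetection:LAN Port:UP, Speed:1000Mbps, duplex:full, PC Port: DOWN
""".splitlines()

def parse_line(line):
    """Split one log line into its fields; return None for lines not in this format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, module, level, seq, msg = m.groups()
    return {"ts": ts, "module": module, "level": int(level), "seq": seq, "msg": msg}

def diagnose(lines):
    """Map log lines to the article's causes; each value is the first line that evidenced the cause."""
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for fragment, cause in SIGNATURES:
            if fragment in rec["msg"] and cause not in findings:
                findings[cause] = f'{rec["ts"]} {rec["module"]}: {rec["msg"]}'
    return findings
```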

     