Deploying 8021.x EAP-TLS with Polycom VVX phones Part 1/2

The 802.1X protocol is an IEEE Standard for port-based Network Access Control and part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. Many organizations have already implemented 802.1x for PCs and laptops connecting to their enterprise network and many are now also mandating devices such as IP Phones and digital whiteboards to comply with 802.1x security standard. This blog post walks through how to setup 802.1x with EAP-TLS authentication on a Polycom VVX phone within a lab environment. Part 1 will focus on the overview, configuring the Cisco Switch and the Windows NPS RADIUS server.

The fundamentals of 802.1x will not be repeated in this blog post, but below shows a basic diagram of how 802.1x works. In our case, the supplicant (or client) is the VVX IP Phone device, the Cisco switch acts as the Authenticator and the Authentication server is a Windows Server 2012 R2 with NPS role is the RADIUS server:

In addition, there are 3 other components needed for 802.1x to work, namely the Domain Controller itself and the Certificate Authority for issuing certificates, and last but not least a provisioning server for uploading/downloading configurations and certificates to the VVX, which in our case is just a simple FTP server. All 5 components need to be configured to work together correctly and the complete setup is shown in the diagram below:

In this lab, the AD Domain Controller, CA, DHCP and NPS RADIUS roles are all running on a single machine running Windows server 2012 R2. FTP is also running on the same machine along with DHCP services which is configured to assign IP addresses. On the Cisco 2960X switch, there are no additional VLANs configured other than the default VLAN and only ports 45-48 are enabled for 802.1x authentication. These is depicted in the diagram below:

Detailed configuration of the Cisco 2960X switch is beyond the scope of this blog post, however the basic commands to configure a simple 802.1x configuration for a single port 48 are shown below:

​​aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/2   Gi1/0/48
 switchport mode access
 authentication port-control auto
 authentication violation replace
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 10
 dot1x max-req 10
 dot1x max-reauth-req 1
 spanning-tree portfast
!
radius server DC01
 address ipv4 10.0.2.10 auth-port 1645 acct-port 1646
 key <yoursharedsecret>

When completed, my Cisco 2960X switch has the folllowing configuration:

Cisco2960#show configuration
Using 4244 out of 524288 bytes
!
! No configuration change since last restart
! NVRAM config last updated at 02:56:04 UTC Thu Jan 5 2017
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco2960
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
username xxxxxxxxxx password 0 xxxxxxxxxxx
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
!
!
!
!
!
aaa session-id common
clock timezone UTC 8 0
switch 1 provision ws-c2960x-48ts-l
!
!
!
!
crypto pki trustpoint TP-self-signed-2291087104
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2291087104
 revocation-check none
 rsakeypair TP-self-signed-2291087104
!
!
crypto pki certificate chain TP-self-signed-2291087104
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
............<Lines removed for brevity>............
​
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
 switchport mode access
 authentication port-control auto
 authentication violation replace
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 10
 dot1x max-req 10
 dot1x max-reauth-req 1
 spanning-tree portfast
!
interface GigabitEthernet1/0/46
 switchport mode access
 authentication port-control auto
 authentication violation replace
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 10
 dot1x max-req 10
 dot1x max-reauth-req 1
 spanning-tree portfast
!
interface GigabitEthernet1/0/47
 switchport mode access
 authentication port-control auto
 authentication violation replace
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 10
 dot1x max-req 10
 dot1x max-reauth-req 1
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 switchport mode access
 authentication port-control auto
 authentication violation replace
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 10
 dot1x max-req 10
 dot1x max-reauth-req 3
 spanning-tree portfast
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
 ip address 10.0.2.1 255.255.255.0
!
ip default-gateway 10.0.2.254
ip http server
ip http secure-server
!
!
!
!
radius server dcrad
 address ipv4 10.0.2.10 auth-port 1645 acct-port 1646
 key <yoursharedsecret>
!
!
!
line con 0
line vty 0 4
 password xxxxxxxxxxx
line vty 5 15
 password xxxxxxxxxxx
!
end

Our AD Domain Controller  has the roles Certificate Authority, DNS, DHCP and NPS and the setup of this roles are pretty standard. in this post we focus on the detailed configuration of the NPS role to support 802.1x Radius Authentication using EAP-TLS. The following screenshots show the various configurations on the NPS role.

​1. First we define the Cisco2960X switch as the Radius client and enter the Shared Secret that was configured on the switch earlier:

2. In the advanced settings we need to enable the additional option below:

3. Next under the Connection Request Policies for Secure Wired (Ethernet) Connections we need to make sure its enabled:

4. Under Conditions, we leave the default NAS Port Type = Ethernet

5. Under Settings->Authentication Methods we do not want to override network policy authentication settings:

6. Under Authentication, we want to authenticate requests on this server:

7. No need to enable Accounting for this lab:

8. Ream attributes not required for this lab:

9. Under RADIUS attributes we add a "Service-Type"="Authenticate Only":

10. No Vendor Specific attributes required for this lab:

11. Under Network Policies->Secure Wired (Ethernet) Connections we configure the following:

12. In the Conditions section, we add the Windows Group containing the accounts that the phones will use for 802.1x authentication:

13. Under Constraints->Authentication methods, we specify EAP Type: Microsoft Smart Card or other certificate. This effectively enables EAP-TLS authentication:

14. Under Constraints->MAS Port Type, we specify Ethernet:

15. In the Settings tab, RADIUS Attributes, we ensure "Service-Type" = "Authenticate Only":

16. No Vendor Specific attributes required for this lab:

17. NAP Enforcement is set to Allow full network access

18. Extended state is not applicable for IP Phones for this lab

19. Remaining settings can be left as default:

We've now prepared our Cisco swtich and Windows NPS RADIUS server for 802.1x authentication. In the next blog post we'll go through how to obtain certificates for the VVX phone and configure it for EAP-TLS