
Deploying 8021.x EAP-TLS with Polycom VVX phones Part 1/2

7/31/2019

The 802.1X protocol is an IEEE standard for port-based Network Access Control and part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism for devices wishing to attach to a LAN or WLAN. Many organizations have already implemented 802.1x for PCs and laptops connecting to their enterprise network, and many are now also mandating that devices such as IP phones and digital whiteboards comply with the 802.1x security standard. This blog post walks through how to set up 802.1x with EAP-TLS authentication on a Polycom VVX phone within a lab environment. Part 1 focuses on the overview and on configuring the Cisco switch and the Windows NPS RADIUS server.
The fundamentals of 802.1x will not be repeated in this blog post, but the basic diagram below shows how 802.1x works. In our case the supplicant (or client) is the VVX IP phone, the Cisco switch acts as the Authenticator, and the Authentication Server is a Windows Server 2012 R2 machine whose NPS role provides the RADIUS server:
[Diagram: 802.1x supplicant (VVX phone), authenticator (Cisco switch) and authentication server (Windows NPS RADIUS)]
In addition, there are 3 other components needed for 802.1x to work: the Domain Controller itself, the Certificate Authority for issuing certificates, and last but not least a provisioning server for uploading/downloading configurations and certificates to the VVX, which in our case is just a simple FTP server. All 5 components need to be configured to work together correctly, and the complete setup is shown in the diagram below:
[Diagram: complete lab setup with Domain Controller, Certificate Authority, NPS RADIUS server, FTP provisioning server, Cisco switch and VVX phone]
In this lab, the AD Domain Controller, CA, DHCP and NPS RADIUS roles are all running on a single machine running Windows Server 2012 R2. FTP is also running on the same machine, and the DHCP service on it is configured to assign IP addresses. On the Cisco 2960X switch there are no additional VLANs configured other than the default VLAN, and only ports 45-48 are enabled for 802.1x authentication. This is depicted in the diagram below:
[Diagram: lab layout with a single default VLAN and switch ports 45-48 enabled for 802.1x]
Detailed configuration of the Cisco 2960X switch is beyond the scope of this blog post, however the basic commands to configure a simple 802.1x configuration for a single port (Gi1/0/48) are shown below:
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/48
 switchport mode access
 authentication port-control auto
 authentication violation replace
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 10
 dot1x max-req 10
 dot1x max-reauth-req 1
 spanning-tree portfast
!
radius server DC01
 address ipv4 10.0.2.10 auth-port 1645 acct-port 1646
 key <yoursharedsecret>
When completed, my Cisco 2960X switch has the following configuration:
Cisco2960#show configuration
Using 4244 out of 524288 bytes
!
! No configuration change since last restart
! NVRAM config last updated at 02:56:04 UTC Thu Jan 5 2017
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco2960
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
username xxxxxxxxxx password 0 xxxxxxxxxxx
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
!
!
!
!
!
aaa session-id common
clock timezone UTC 8 0
switch 1 provision ws-c2960x-48ts-l
!
!
!
!
crypto pki trustpoint TP-self-signed-2291087104
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2291087104
 revocation-check none
 rsakeypair TP-self-signed-2291087104
!
!
crypto pki certificate chain TP-self-signed-2291087104
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
............<Lines removed for brevity>............
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
 switchport mode access
 authentication port-control auto
 authentication violation replace
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 10
 dot1x max-req 10
 dot1x max-reauth-req 1
 spanning-tree portfast
!
interface GigabitEthernet1/0/46
 switchport mode access
 authentication port-control auto
 authentication violation replace
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 10
 dot1x max-req 10
 dot1x max-reauth-req 1
 spanning-tree portfast
!
interface GigabitEthernet1/0/47
 switchport mode access
 authentication port-control auto
 authentication violation replace
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 10
 dot1x max-req 10
 dot1x max-reauth-req 1
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 switchport mode access
 authentication port-control auto
 authentication violation replace
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 10
 dot1x max-req 10
 dot1x max-reauth-req 3
 spanning-tree portfast
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
 ip address 10.0.2.1 255.255.255.0
!
ip default-gateway 10.0.2.254
ip http server
ip http secure-server
!
!
!
!
radius server dcrad
 address ipv4 10.0.2.10 auth-port 1645 acct-port 1646
 key <yoursharedsecret>
!
!
!
line con 0
line vty 0 4
 password xxxxxxxxxxx
line vty 5 15
 password xxxxxxxxxxx
!
end
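The port-level lines above are easy to get only partially right (a port with authentication port-control auto but without dot1x pae authenticator will not act as an 802.1x authenticator), and the full configuration also carries "no service password-encryption", which leaves local passwords in cleartext in the saved config. The following Python script is an added example, not code from this post, Cisco or Polycom: it parses "show configuration" output into global lines and interface blocks and reports the 802.1x prerequisites that are missing. The embedded SAMPLE_CONFIG is a constructed, trimmed copy modelled on the configuration above, with port 47 deliberately left without "dot1x pae authenticator" so that one finding is produced; the function names parse_config and audit_dot1x are this example's own.

```python
"""Audit a Cisco IOS running-config for the 802.1X prerequisites used in this lab."""

# Constructed sample: a trimmed copy modelled on the `show configuration`
# output above. Port 47 intentionally lacks `dot1x pae authenticator`.
SAMPLE_CONFIG = """\
version 15.0
no service password-encryption
hostname Cisco2960
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/47
 switchport mode access
 authentication port-control auto
 dot1x timeout tx-period 3
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 switchport mode access
 authentication port-control auto
 authentication violation replace
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 10
 dot1x max-req 10
 dot1x max-reauth-req 3
 spanning-tree portfast
!
radius server dcrad
 address ipv4 10.0.2.10 auth-port 1645 acct-port 1646
 key <yoursharedsecret>
!
end
"""

# Global commands without which no port will perform 802.1X at all.
REQUIRED_GLOBAL = (
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "dot1x system-auth-control",
)
# Lines an authenticator port needs besides `authentication port-control auto`.
REQUIRED_PORT = ("switchport mode access", "dot1x pae authenticator")


def parse_config(text):
    """Split IOS config into top-level lines and {header: [indented sub-lines]}."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # `!` closes the current block
            continue
        if line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        else:
            top.append(line)
            current = line
            blocks[current] = []
    return top, blocks


def audit_dot1x(text):
    """Return (list of 802.1X-enabled ports, list of findings) for a config."""
    top, blocks = parse_config(text)
    findings = []
    for req in REQUIRED_GLOBAL:
        if req not in top:
            findings.append("global: missing '%s'" % req)
    servers = [h for h in blocks if h.startswith("radius server ")]
    if not servers:
        findings.append("global: no 'radius server' defined")
    for srv in servers:
        if not any(l.startswith("address ipv4 ") for l in blocks[srv]):
            findings.append("%s: no address configured" % srv)
        if not any(l.startswith("key ") for l in blocks[srv]):
            findings.append("%s: no shared secret (key) configured" % srv)
    if "no service password-encryption" in top:
        findings.append("hardening: local passwords stored in cleartext "
                        "('no service password-encryption')")
    dot1x_ports = []
    for header, lines in blocks.items():
        if not header.startswith("interface "):
            continue
        if "authentication port-control auto" not in lines:
            continue                # plain port, not under 802.1X control
        name = header.split(" ", 1)[1]
        dot1x_ports.append(name)
        for req in REQUIRED_PORT:
            if req not in lines:
                findings.append("%s: missing '%s'" % (name, req))
    return dot1x_ports, findings


if __name__ == "__main__":
    ports, issues = audit_dot1x(SAMPLE_CONFIG)
    print("802.1X ports:", ", ".join(ports))
    for issue in issues:
        print("-", issue)
```

To run it against a real switch, paste the output of "show running-config" into a file and pass its contents to audit_dot1x; the parser only relies on the one-space indentation IOS uses for sub-commands and on "!" as a block separator.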
Our AD Domain Controller has the roles Certificate Authority, DNS, DHCP and NPS, and the setup of these roles is pretty standard. In this post we focus on the detailed configuration of the NPS role to support 802.1x RADIUS authentication using EAP-TLS. The following steps (shown as screenshots in the original post) cover the various configurations on the NPS role.

1. First we define the Cisco2960X switch as the RADIUS client and enter the Shared Secret that was configured on the switch earlier.
2. In the advanced settings we need to enable the additional option shown in the screenshot.
3. Next, under Connection Request Policies, we need to make sure the Secure Wired (Ethernet) Connections policy is enabled.
4. Under Conditions, we leave the default NAS Port Type = Ethernet.
5. Under Settings->Authentication Methods, we do not want to override network policy authentication settings.
6. Under Authentication, we want to authenticate requests on this server.
7. No need to enable Accounting for this lab.
8. Realm attributes are not required for this lab.
9. Under RADIUS Attributes we add "Service-Type" = "Authenticate Only".
10. No Vendor Specific attributes are required for this lab.
11. Under Network Policies->Secure Wired (Ethernet) Connections we configure the following.
12. In the Conditions section, we add the Windows Group containing the accounts that the phones will use for 802.1x authentication.
13. Under Constraints->Authentication Methods, we specify EAP Type: Microsoft: Smart Card or other certificate. This effectively enables EAP-TLS authentication.
14. Under Constraints->NAS Port Type, we specify Ethernet.
15. In the Settings tab, RADIUS Attributes, we ensure "Service-Type" = "Authenticate Only".
16. No Vendor Specific attributes are required for this lab.
17. NAP Enforcement is set to Allow full network access.
18. Extended State is not applicable to IP phones in this lab.
19. Remaining settings can be left as default.
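Two of the settings above are worth seeing at the packet level: the Shared Secret entered in step 1 must match the "key" on the switch, because every EAP-carrying Access-Request must include a Message-Authenticator attribute (HMAC-MD5 keyed with that secret, RFC 3579) that NPS checks before it evaluates any policy, and the NAS Port Type = Ethernet condition (steps 4 and 14) plus the Service-Type = Authenticate Only attribute (steps 9 and 15) are ordinary RADIUS attributes in the request and the accept. The Python below is an added example, not code from this post, Microsoft or Polycom: it builds a simplified Access-Request for a constructed phone identity, verifies the Message-Authenticator with the right and a wrong secret, pre-checks the Ethernet condition, and builds and verifies an Access-Accept carrying Service-Type = Authenticate-Only with its Response Authenticator (RFC 2865). The identity "vvx-lab-phone", the secret values and all function names are this example's own; a real exchange would continue with several EAP-TLS round trips before the accept.

```python
"""RADIUS/EAP packet checks mirroring the NPS settings above (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_SERVICE_TYPE = 1, 4, 6
ATTR_NAS_PORT_TYPE, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 61, 79, 80
SERVICE_TYPE_AUTHENTICATE_ONLY = 8   # attribute returned by the policies (steps 9 and 15)
NAS_PORT_TYPE_ETHERNET = 15          # the "NAS Port Type = Ethernet" condition (steps 4 and 14)


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet):
    """Return [(type, value, offset_of_value)] for every attribute after the 20-byte header."""
    attrs, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + length], pos + 2))
        pos += length
    return attrs


def build_access_request(secret, identifier, request_authenticator, attributes):
    """Assemble an Access-Request whose last attribute is a Message-Authenticator (RFC 3579)."""
    body = b"".join(attributes) + attr(ATTR_MSG_AUTH, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = header + request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()  # HMAC over the packet with the value zeroed
    return packet[:-16] + mac


def verify_message_authenticator(secret, packet):
    """True only if the Message-Authenticator was produced with this shared secret."""
    for attr_type, value, offset in parse_attributes(packet):
        if attr_type == ATTR_MSG_AUTH:
            zeroed = packet[:offset] + b"\x00" * 16 + packet[offset + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # EAP-Message without Message-Authenticator must be discarded


def matches_wired_eap_policy(packet):
    """Pre-check the conditions the Secure Wired (Ethernet) policy relies on."""
    types = {}
    for attr_type, value, _ in parse_attributes(packet):
        types.setdefault(attr_type, value)
    port_type = types.get(ATTR_NAS_PORT_TYPE)
    return (port_type is not None
            and struct.unpack("!I", port_type)[0] == NAS_PORT_TYPE_ETHERNET
            and ATTR_EAP_MESSAGE in types)


def build_access_accept(secret, request_packet, attributes):
    """Accept for a request; Response Authenticator per RFC 2865 section 3."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request_packet[1], 20 + len(body))
    response_auth = hashlib.md5(header + request_packet[4:20] + body + secret).digest()
    return header + response_auth + body


def verify_access_accept(secret, request_packet, response_packet):
    """Recompute the Response Authenticator the way the switch would."""
    header, body = response_packet[:4], response_packet[20:]
    expected = hashlib.md5(header + request_packet[4:20] + body + secret).digest()
    return hmac.compare_digest(expected, response_packet[4:20])


def demo(secret=b"lab-shared-secret"):
    """Constructed exchange: phone identity relayed by the switch (10.0.2.1) to NPS."""
    identity = b"vvx-lab-phone"  # constructed account name, not from the post
    # EAP Response/Identity: code 2, id 1, length, type 1 (Identity), identity bytes
    eap_identity = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
    request = build_access_request(secret, 7, os.urandom(16), [
        attr(ATTR_USER_NAME, identity),
        attr(ATTR_NAS_IP, bytes([10, 0, 2, 1])),
        attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)),
        attr(ATTR_EAP_MESSAGE, eap_identity),
    ])
    accept = build_access_accept(secret, request, [
        attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_AUTHENTICATE_ONLY)),
    ])
    return {
        "request_valid": verify_message_authenticator(secret, request),
        "request_wrong_secret": verify_message_authenticator(b"typo-in-nps", request),
        "policy_match": matches_wired_eap_policy(request),
        "accept_valid": verify_access_accept(secret, request, accept),
        "accept_wrong_secret": verify_access_accept(b"typo-in-nps", request, accept),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %s" % (key, value))
```

The "wrong secret" results are what a mistyped Shared Secret in step 1 looks like on the wire: NPS drops the request without logging a policy decision, and the switch likewise discards an accept whose Response Authenticator does not verify, so the phone simply never gets authorized.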
We've now prepared our Cisco switch and Windows NPS RADIUS server for 802.1x authentication. In the next blog post we'll go through how to obtain certificates for the VVX phone and configure it for EAP-TLS.