UCPrimer
Deploying 802.1X EAP-TLS with Polycom VVX phones using SCEP (Simple Certificate Enrollment Protocol)

9/30/2019

In the previous blog post we covered deploying 802.1X EAP-TLS on Polycom VVX phones with a Cisco 2960X switch and a Windows NPS RADIUS server. Installing device certificates on the phones by hand is time consuming, especially in high-security environments where each phone needs its own unique device certificate. With the release of the UCS 5.9.3 firmware in June this year, Polycom VVX phones support the Simple Certificate Enrollment Protocol (SCEP), which lets each phone request and install its own device certificate for 802.1X EAP-TLS authentication. This post builds on the lab environment of the previous post and describes in detail how to add and deploy SCEP.
How SCEP itself works is beyond the scope of this post; Microsoft's documentation of the Network Device Enrollment Service (NDES), its SCEP implementation, covers it. Readers unfamiliar with 802.1X EAP-TLS and the components it needs should first read the previous posts mentioned above, which describe the settings required on the Windows Server CA, the NPS role service and the Cisco 2960X switch. In this walkthrough those components are already in place, and we add and configure the SCEP service on top of them.
For production environments SCEP should run on a separate server: NDES is an HTTP endpoint that every phone must be able to reach, and its RA certificates can sign enrollment requests on behalf of any device, so it should not share a host with a domain controller. To keep this lab simple, however, we add the SCEP service to our existing Windows 2012 R2 server, which is also the AD DC, CA and NPS RADIUS server. We first need a SCEP service account that is also a member of the local IIS_IUSRS group on the NDES server. In our lab we created a new AD domain account named SCEPSvc, which is used throughout this walkthrough. To add the SCEP role we use the Add Roles and Features wizard and add the NDES role service under AD CS.
The wizard steps are:

Role services: select Network Device Enrollment Service (NDES).
Service account: specify the SCEP service account created earlier (SCEPSvc).
RA information: accept the defaults for the Registration Authority (RA); the default RA name is <ServerName>-MSCEP-RA.
Cryptography: keep the default providers and a key length of 2048 bits for the RA signature and encryption keys.
Confirmation: review the selections and click "Configure".

The wizard then reports that configuration of NDES succeeded.
Next we need to specify the certificate template that the SCEP service issues for the Polycom VVX phones. By default NDES issues the "IPSECIntermediateOffline" template, whose only EKU is IP security IKE intermediate, so certificates from it are rejected for 802.1X EAP-TLS, which requires the Client Authentication EKU. To configure this, start the registry editor, navigate to HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP and change the "GeneralPurposeTemplate" value from "IPSECIntermediateOffline" to "UserSignature" (the built-in User Signature Only template, which carries the Client Authentication EKU). The template must be published on the CA and the SCEP service account needs Read and Enroll permission on it, otherwise the CA rejects the requests that NDES submits. After that, restart IIS (iisreset) for the setting to take effect.
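The same template change done from PowerShell, as an added example that is not code from the original post. It assumes the default NDES registry location and the UserSignature template name used above (substitute your own 802.1X template), and is run in an elevated PowerShell on the NDES server:

```powershell
# Added example (not from the original post): point NDES at the 802.1X template and
# restart IIS. Assumptions: default NDES registry location, template name 'UserSignature'.
$mscep    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$template = 'UserSignature'

# Show the three template values before changing anything. All three default to
# IPSECIntermediateOffline, which has no Client Authentication EKU.
Get-ItemProperty -Path $mscep | Format-List EncryptionTemplate, GeneralPurposeTemplate, SignatureTemplate

# Refuse to continue unless the CA can actually issue the template; otherwise NDES accepts
# the request and the CA rejects it, which the phone only sees as a failed enrollment.
$caTemplates = certutil -CATemplates 2>&1 | Out-String
if ($caTemplates -notmatch "(?m)^\s*$template\b") {
    throw "Template '$template' is not published on the CA; add it under Certificate Templates first."
}

# NDES chooses the template from the key usage in the device's request: signature-only
# requests use SignatureTemplate, encryption-only use EncryptionTemplate, and requests for
# both use GeneralPurposeTemplate (the value the post changes). Setting all three avoids a
# silent fallback to IPSECIntermediateOffline if a firmware asks for a different usage.
foreach ($name in 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate') {
    Set-ItemProperty -Path $mscep -Name $name -Value $template
}

# Keep the challenge password mandatory. With EnforcePassword = 0 anyone who can reach
# http://<SCEPServer>/certsrv/mscep/ can enroll for a client-authentication certificate.
$enforce = Get-ItemProperty -Path "$mscep\EnforcePassword" -Name EnforcePassword -ErrorAction SilentlyContinue
if (-not $enforce -or $enforce.EnforcePassword -ne 1) {
    Write-Warning 'EnforcePassword is not 1; NDES would issue certificates without a challenge password.'
}

# NDES reads these values at start-up, so restart IIS for the change to take effect.
iisreset
Get-ItemProperty -Path $mscep | Format-List EncryptionTemplate, GeneralPurposeTemplate, SignatureTemplate
```

The certutil check runs against the default CA, which is fine on this single-CA lab box; with more than one CA, pass -config "<Server>\<CA name>" to certutil.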
To begin using SCEP, browse to http://<SCEPServer>/certsrv/mscep_admin/; after a few seconds a page appears that is used when enrolling device certificates for the VVX. It shows a CA certificate thumbprint together with a one-time enrollment challenge password. Each visit to this page generates a new password, and NDES caches only a small number of unused ones, so open it once per phone.
It is important to note that the thumbprint shown on this page does not match the thumbprint of the issuing CA certificate; in our lab it was the thumbprint of the RA certificate that NDES enrolled for itself, and it cannot be used to enroll certificates on the Polycom VVX. The VVX needs the thumbprint of the issuing CA certificate, which is the only way the phone can verify the CA certificate it downloads over plain HTTP from the SCEP URL. Take it from the CA certificate itself (the CA's properties in the Certification Authority console, or the certificate MMC) and compare it with the web page value: they differ.
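The comparison above as an added PowerShell example (not code from the original post). It prints the SHA-1 thumbprints of the issuing CA and of the NDES RA certificates, fetches the mscep_admin page once, and reports which of those the page's value actually matches. It assumes a single enterprise CA (certutil's default), an RA left with the wizard's default name ending in "-MSCEP-RA", NDES listening on http://localhost, and a user allowed to open mscep_admin; run it on the CA/NDES server:

```powershell
# Added example (not from the original post): identify what the mscep_admin thumbprint is
# and print the issuing CA thumbprint the VVX needs. Assumptions: single default CA, RA
# subject ends in '-MSCEP-RA', NDES reachable at http://localhost.
$caCertFile = Join-Path $env:TEMP 'issuing-ca.cer'
certutil -ca.cert $caCertFile | Out-Null   # writes the CA's own certificate to the file
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCertFile

# The RA certificates NDES enrolled for itself sit in the machine Personal store.
$raCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like '*-MSCEP-RA*' }

'Issuing CA  {0}' -f $ca.Subject
'  SHA-1     {0}   <- value the VVX needs' -f $ca.Thumbprint
foreach ($ra in $raCerts) {
    'RA cert     {0}' -f $ra.Subject
    '  SHA-1     {0}' -f $ra.Thumbprint
}

# Fetch the admin page once (each visit issues a fresh one-time challenge password and
# NDES caches only a few, so do not poll it) and pull out anything that looks like a
# 32- or 40-hex-digit fingerprint, with spaces or colons between bytes.
$html  = (Invoke-WebRequest -Uri 'http://localhost/certsrv/mscep_admin/' -UseDefaultCredentials -UseBasicParsing).Content
$html  = $html -replace '&nbsp;', ' '
$shown = [regex]::Matches($html, '(?:[0-9A-Fa-f]{2}[\s:]?){16,20}') |
         ForEach-Object { ($_.Value -replace '[^0-9A-Fa-f]', '').ToUpper() } |
         Where-Object { $_.Length -in 32, 40 } | Select-Object -Unique

foreach ($value in $shown) {
    $label = switch ($value) {
        $ca.Thumbprint                       { 'SHA-1 thumbprint of the issuing CA'; break }
        { $raCerts.Thumbprint -contains $_ } { 'SHA-1 thumbprint of an RA certificate'; break }
        { $_.Length -eq 32 }                 { 'a 32-digit (MD5-length) fingerprint, not the SHA-1 CA thumbprint'; break }
        default                              { 'no local certificate with this SHA-1 thumbprint' }
    }
    'Page shows  {0}  = {1}' -f $value, $label
}
```

Whatever the page turns out to show, the value to give the phone is the $ca.Thumbprint line; after enrollment, the certificate the phone lists under Auto Prov CA should carry the same thumbprint.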
Now we are ready to enroll certificates on the Polycom VVX phone using SCEP. In the phone's admin web UI, navigate to Settings->SCEP and select Enable, which exposes the following fields:

SCEP Feature: Enable
SCEP URL: http://<SCEPServer>/certsrv/mscep/                (the trailing '/' is required or SCEP will fail)
Challenge Password: <as shown on the SCEP server web page>          (one-time use, valid for 60 minutes)
Common Name: <UPN of the AD account the phone will authenticate as>
Organization: <your organization>
Email address: <same as Common Name>
State and Country: <your state and country>

In this lab that account is the SCEP service account, which is also used as the 802.1X identity on the phone below.
Once we click Save, the phone connects to the SCEP service, downloads the Root CA certificate and enrolls for a new device certificate. If successful, the certificates appear on the phone menu at Settings->Network->TLS: the Root CA certificate is placed in the Auto Prov CA slot and the 802.1X device certificate in the Auto Prov Credential slot. Because SCEP puts the device certificate in the Auto Prov Credential slot, we need to select that slot (and the Auto Prov CA) for the 802.1X application in the phone's TLS Applications settings, otherwise the supplicant has no certificate to present during EAP-TLS.
Next we add the SCEP service account to the Windows AD group required by the NPS network policy. As explained in the previous post, the policy uses membership of the "dot1x" Windows group as a condition for granting access, so the account the phone authenticates as (here the SCEP service account) must be a member of the dot1x AD group.
Last but not least, we enable 802.1X on the Polycom VVX phone under Settings->Network->Ethernet->802.1X with the following parameters:

802.1X Auth: Enable
EAP Method: EAP-TLS
Identity: <SCEP Service Account>
Password: <blank>

The identity is sent in the clear in the EAP Identity response and is what NPS uses to look up the account; the certificate then proves possession of the private key. Because every phone in this lab uses the SCEP service account as its identity, NPS logs the same user for all of them and only the calling station ID (the phone's MAC address) in the RADIUS request tells them apart; for production, give each phone its own account so that access can be revoked per device.
After saving these settings, connect the phone's Ethernet port to the Cisco 2960 switch port that has 802.1X enabled. After a few seconds the phone is authenticated and obtains an IP address from the DHCP server. In the Security event log on the NPS server, events 6272 (access granted) and 6278 (full access granted) record a successful authentication; a failure is logged as event 6273 together with the reason.
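Reading those events from PowerShell instead of the Event Viewer, as an added example that is not code from the original post. It runs on the NPS server and reads the NPS fields (identity, calling station, network policy, EAP type, reason) from the event XML, so it does not depend on the localized message text; the event IDs and field names are the standard NPS ones:

```powershell
# Added example (not from the original post): list NPS authentication attempts from the
# Security log. 6272 = access granted, 6278 = full access granted (health policy met),
# 6273 = access denied. Run on the NPS server.
function Get-NpsAuthAttempts {
    param([datetime]$Since = (Get-Date).AddHours(-1))

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6278; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The message text is localized; the EventData names are not, so read the XML.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        $result = switch ($e.Id) { 6272 { 'granted' } 6278 { 'granted (full access)' } 6273 { 'DENIED' } }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Result     = $result
            Identity   = $data['SubjectUserName']
            Supplicant = $data['CallingStationID']   # the phone's MAC address as sent by the switch
            Switch     = $data['NASIdentifier']
            Policy     = $data['NetworkPolicyName']
            EapType    = $data['EAPType']            # EAP-TLS shows as 'Microsoft: Smart Card or other certificate'
            Reason     = $data['Reason']
        }
    }
}

$attempts = Get-NpsAuthAttempts
$attempts | Format-Table -AutoSize

# A successful EAP-TLS logon must show the certificate EAP type; a granted attempt with
# any other EAP type means the switch and phone negotiated something other than EAP-TLS.
$attempts | Where-Object { $_.Result -like 'granted*' -and $_.EapType -notlike '*Smart Card or other certificate*' } |
    ForEach-Object { Write-Warning ('{0}: {1} was granted access with EAP type "{2}", not EAP-TLS' -f $_.Time, $_.Identity, $_.EapType) }
```

With the shared identity used in this lab, the Supplicant column is the only field that distinguishes one phone's attempt from another's, which is another reason to prefer per-device accounts in production.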
This concludes this blog post on how to deploy 802.1X EAP-TLS on Polycom VVX phones using SCEP in a lab environment. I hope this has been helpful; do leave comments or questions below.