Deploying 802.1x EAP-TLS with Polycom VVX phones Part 2/2

8/30/2019

This is part 2 of the previous blog post on how to deploy 802.1x EAP-TLS authentication on Polycom VVX phones using a Cisco 2960X switch and Windows Server 2012 R2 NPS RADIUS. In this post, we continue by configuring the VVX, obtaining a certificate for it, and connecting the phone to the 802.1x-enabled port on the switch; once EAP-TLS authentication succeeds and the port is opened, the phone obtains an IP address from the Windows DHCP server. It's worthwhile to review the previous post before continuing with this one.
The first step is to create an AD user account that is a member of the dot1x group allowed by the NPS policy configured in Part 1. In our lab this is simply "[email protected]", but note that in the XML cfg file we configure later we do not need to specify the full UPN; the account name alone will do. Remember to add this account to the Windows group specified in the NPS policy in Part 1, which was "UCSkypelab\dot1x" in our example.

Next, we need to configure the Certificate Authority to issue certificates using the certificate template "User Signature". This is simply done by opening the CA MMC, right-clicking "Certificate Templates" in the left pane and selecting New -> "Certificate Template to Issue":
From the available templates we select "User Signature Only" which will be the template used when we request certificates for the phones:
Next, on the VVX phone, we need to generate a CSR from the phone's menu. Note that the provisioning server is already configured on the VVX using FTP. This is required because the phone uploads the CSR to the provisioning server along with the private key. Before generating the CSR, we need to set a parameter on the VVX so that the private key is uploaded as a .pem file to the provisioning server. The sample XML file containing this parameter is shown below:
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<!--Description: Upload the phone's private key as a .pem file to the provisioning server together with the generated CSR.-->
<PHONE_CONFIG>
  <ALL sec.uploadDevice.privateKey="1" />
</PHONE_CONFIG>
With that parameter in place, we generate the CSR from the phone's menu interface. This is found under Settings -> Advanced -> Administration Settings -> Generate CSR. We enter the full UPN of the AD account that will be used for 802.1x authentication; in our example this is [email protected]:
After pressing the "Generate" button, the CSR along with the private key .pem file in Base64 format will be uploaded to the provisioning server. We copy the contents of the CSR using Notepad and open a browser to our CA server to request a certificate at the URL http://<CAServer>/certsrv. Important: when prompted for credentials, log in as the user account created for the phone earlier. On the home page click "Request a Certificate" -> "Advanced Certificate Request". Here we paste the contents of the CSR file into the box and specify the template "User Signature":
After submitting the request, the CA will issue a certificate for the phone, which we download in Base-64 format. With this certificate and the private key .pem file on the provisioning server, we can now create a configuration XML file to upload to the phone. Below is a picture of the .cfg XML file; a sample .cfg is attached at the end of this blog post for easy reference:
Finally, we can plug the VVX phone into one of the 802.1x-enabled ports on the switch. The NPS server should now authenticate the VVX and allow full network access, which in turn allows the VVX phone to obtain an IP address from the DHCP server. If authentication fails, the phone will not be able to obtain any IP address. To confirm a successful 802.1x authentication on the NPS server, look for Event 6278 in the Event Viewer:
The most common issue is that the certificate subject name or common name does not match the UPN of the AD user account created for the phone's 802.1x authentication ([email protected] in our lab), or that the credentials used to log in and request the certificate were not those of this user account. Another common failure is the certificate being issued from a template other than "User Signature Only". A failed authentication typically results in Event 6273:
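As an added example that is not part of the original post, the PowerShell script below checks the certificate issued for the phone against the 802.1x account (the UPN and template mismatches described above) and lists the latest NPS 6278/6273 events with their Account Name and Reason fields. The certificate path and the UPN are placeholders to adjust for your lab, and the template name is printed for comparison with the one selected in certsrv rather than checked against a fixed string.

```powershell
# Added example, not from the original post. Run on the NPS server after saving the
# Base-64 certificate downloaded from certsrv. Placeholders: $CertPath, $ExpectedUpn.
param(
    [string]$CertPath    = 'C:\vvx\vvxphone.cer',
    [string]$ExpectedUpn = 'dot1xuser@example.lab'
)

function Test-VvxCertificate {
    param([string]$Path, [string]$Upn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    Write-Host "Subject  : $($cert.Subject)"
    Write-Host "Validity : $($cert.NotBefore) to $($cert.NotAfter)"
    # Subject Alternative Name (OID 2.5.29.17): NPS maps the UPN here to the AD
    # account, so it must be the account added to the dot1x group in Part 1.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($true) } else { '' }
    Write-Host "SAN      : $sanText"
    # Certificate Template Name (OID 1.3.6.1.4.1.311.20.2): compare with the
    # template selected in certsrv ("User Signature Only").
    $tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
    $tmplText = if ($tmpl) { $tmpl.Format($false) } else { '(no template extension)' }
    Write-Host "Template : $tmplText"
    $escaped = [regex]::Escape($Upn)
    $upnOk = ($sanText -match $escaped) -or ($cert.Subject -match $escaped)
    if (-not $upnOk) { Write-Warning "Neither SAN nor Subject carries $Upn; expect Event 6273." }
    return $upnOk
}

function Get-VvxDot1xEvents {
    param([int]$Newest = 10)
    # NPS logs 6278 (access granted) and 6273 (access denied) to the Security log;
    # the Reason line of a 6273 names the cause (e.g. a credentials mismatch).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6278, 6273 } -MaxEvents $Newest |
        ForEach-Object {
            $msg = $_.Message
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Result  = if ($_.Id -eq 6278) { 'Granted' } else { 'Denied' }
                Account = if ($msg -match 'Account Name:\s+(\S+)') { $Matches[1] } else { '' }
                Reason  = if ($msg -match '(?m)^\s*Reason:\s+(.+)$') { $Matches[1].Trim() } else { '' }
            }
        }
}

if (Test-VvxCertificate -Path $CertPath -Upn $ExpectedUpn) { Write-Host 'UPN check: OK' }
Get-VvxDot1xEvents | Format-Table -AutoSize
```

A certificate whose SAN and Subject both lack the expected UPN, or whose Template line shows something other than the chosen template, is the first thing to re-issue before looking further at the switch or NPS policy.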
It's always good to check the event details, especially under "Reason", to understand the cause of the failure. This concludes the two-part blog post on deploying 802.1x EAP-TLS on Polycom VVX phones using a Windows NPS RADIUS server. I hope this post has been helpful; feel free to leave comments below. As mentioned, the sample XML cfg file is attached below.
Attachment: vvxeaptls.cfg (7 kb, cfg file)

1 Comment
GORDON
10/20/2021 10:17:24 am

Would it be possible to get more information regarding the certificates? I have been messing with this for at least three weeks now and cannot get this to work. I generated the certificate using the CSR and used our CA to generate the certificates. After that I cannot get the certificates to work.
