Deploying and Configuring Polycom Phones in 802.1X Environments




This document provides system administrators with the procedures and reference information needed to successfully deploy and configure Polycom SIP phones in a secure 802.1X environment. You can configure 802.1X authentication on all SoundPoint IP, SoundStation IP, VVX 1500, and SpectraLink 8440 Series phones installed with UC Software version 4.0.0 or later on an 802.1X-enabled network.

Introduction

The 802.1X authentication feature provides authentication services for higher-security networks that use 802.1X as the authentication protocol. Polycom SIP phones support seven EAP protocols for 802.1X authentication, as listed in the next section. You can configure the 802.1X authentication feature using a central provisioning server, the Polycom Web Configuration Utility, or the phone's keypad interface. For a list of the acronyms used in this document, refer to Defined Acronyms.

Supported EAP Authentication Protocols

Polycom SIP phones support the authentication protocols listed next. Note that the SpectraLink 8400 Series phones support only the protocols indicated in bold.

EAP-TLS
EAP-PEAPv0/MSCHAPv2
EAP-PEAPv0/GTC
EAP-TTLS/EAP-MSCHAPv2
EAP-TTLS/EAP-GTC
EAP-FAST
EAP-MD5

EAP Authentication Requirements

This section shows you how to authenticate Polycom phones in 802.1X environments using each of the supported EAP protocols. Each authentication protocol has a unique configuration. The parameters you need to configure are listed under each protocol.

August 2011, 1725-47117-001 Rev.A

EAP-TLS
  Device certificate
  Trusted pool of root/CA certificates

EAP-PEAPv0/EAP-MSCHAPv2 or EAP-PEAPv0/EAP-GTC
  Trusted pool of root/CA certificates
  Password

EAP-TTLS/EAP-MSCHAPv2 or EAP-TTLS/EAP-GTC
  Trusted pool of root/CA certificates
  Password

EAP-MD5
  Password

EAP-FAST
  Password
  Optional PAC file, provisioned automatically through the network or manually using a PAC file password.

Note: Using EAP-FAST Authentication for the First Time
The first time you perform EAP-FAST dynamic PAC file provisioning (also known as in-band provisioning), the server will provision the phone with a PAC file and the 802.1X authentication will fail. This will be followed by a successful 802.1X authentication. In some cases, the network switch may impose a delay of about 60 seconds before initiating the 802.1X authentication following a failed authentication attempt.

Note: Using EAP-FAST Authentication with a Network Switch in MDA Mode
If you are using a network switch in MDA mode, be aware of the following:
- MDA does not enforce the order of device authentication; however, when using an MDA-enabled port, Polycom recommends authenticating your voice device before a data device.
- When a network switch detects a data or voice device on a port, the switch blocks the device's MAC address until authorization succeeds. If authorization fails, there will be a delay, depending on the network switch setup, before the phone can authenticate.

Configuring 802.1X Authentication

You can configure 802.1X authentication in the following three ways:
- Configuring 802.1X Using a Central Provisioning Server
- Configuring 802.1X Using the Polycom Web Configuration Utility
- Configuring 802.1X Using the Local Phone User Interface

Refer to Configuring 802.1X Using a Central Provisioning Server (discussed next) for detailed descriptions of the parameters that apply to all three methods. If you wish to set up more than 10 phones, Polycom recommends using a central provisioning server. If you are provisioning fewer than 10 phones, you can use the Web Configuration Utility or the phone's user interface to configure the parameters listed in Configuring 802.1X Using a Central Provisioning Server.

Configuring 802.1X Using a Central Provisioning Server

The following sections outline TLS profile configuration and 802.1X setup. Each EAP protocol requires a slightly different configuration:
- If you are using EAP-TLS, EAP-PEAP, or EAP-TTLS, see Configuring Your TLS Profile and then go to Setting Up 802.1X.
- If you are using EAP-FAST or EAP-MD5, go directly to Setting Up 802.1X.

Refer to EAP Authentication Requirements in this document for a list of the parameters that you will need to configure for each authentication protocol.

Configuring Your TLS Profile

Only EAP-TLS, EAP-PEAP, and EAP-TTLS require a TLS Profile. Configure either TLS Platform Profile 1 or TLS Platform Profile 2 for these authentication protocols. Choose the parameters ending in 1 to configure TLS Platform Profile 1 (for example, device.sec.tls.profile.cacertlist1) or the parameters ending in 2 to configure TLS Platform Profile 2 (for example, device.sec.tls.profile.cacertlist2). You must then specify which Platform Profile you have configured by setting the device.sec.tls.profile.profileselection.dot1x parameter shown in Table 1: TLS Profile Configuration Parameters to TLS Platform Profile 1 or TLS Platform Profile 2.

You can locate the configuration parameters shown in Table 1 in the device.cfg configuration file template located in the Config folder of your UC Software distribution. You can make a copy of device.cfg and edit the parameters directly or create a new configuration file containing only the parameters you wish to modify.

Table 1: TLS Profile Configuration Parameters

device.sec.tls.profile.cacertlist1
device.sec.tls.profile.cacertlist2
  Values: Builtin, BuiltinAndPlatform1, BuiltinAndPlatform2, All, Platform1, Platform2, Platform1AndPlatform2
  Choose the CA certificate(s) to use for authentication:
    Builtin: the built-in default certificate
    BuiltinAndPlatform1: the built-in and Custom #1 certificates
    BuiltinAndPlatform2: the built-in and Custom #2 certificates
    All: any certificate (built-in, Custom #1 or Custom #2)
    Platform1: only the Custom #1 certificate
    Platform2: only the Custom #2 certificate
    Platform1AndPlatform2: either the Custom #1 or Custom #2 certificate

device.sec.tls.profile.ciphersuite1
device.sec.tls.profile.ciphersuite2
  The cipher suite to use for the Platform Profile.

device.sec.tls.profile.ciphersuitedefault1
device.sec.tls.profile.ciphersuitedefault2
  Values: 0 or 1
  If set to 1, the default cipher suite will be used. If set to 0, the custom cipher suite will be used.

device.sec.tls.profile.customcacert1
device.sec.tls.profile.customcacert2
  The custom certificate to use if device.sec.tls.profile.cacertlist is configured to use a custom certificate.

device.sec.tls.profile.devicecert1
device.sec.tls.profile.devicecert2
  Values: Builtin, BuiltinAndPlatform1, BuiltinAndPlatform2, All, Platform1, Platform2, Platform1AndPlatform2
  Choose the device certificate(s) to use for authentication.

device.sec.tls.profile.profileselection.dot1x
  Values: PlatformProfile1, PlatformProfile2
  Choose the TLS Platform Profile that you have configured.

Once you have finished configuring your TLS Profile for EAP-TLS, EAP-PEAP, or EAP-TTLS, go to Setting Up 802.1X.

Setting Up 802.1X

To configure the EAP-TLS, EAP-PEAP, and EAP-TTLS protocols, you must first configure your certificates by setting up a TLS Profile (see Configuring Your TLS Profile). To set up 802.1X authentication, configure the parameters in Table 2: 802.1X Setup Parameters. You can locate the following configuration parameters in the device.cfg configuration file template located in the Config folder of your UC Software distribution. You can make a copy of device.cfg and edit the parameters directly or create a new configuration file containing only the parameters you wish to modify.

Table 2: 802.1X Setup Parameters

device.net.dot1x.enable
  Value: 1
  Enable 802.1X authentication.

device.net.dot1x.method
  Value: 0, 1, 2, 3, 4, 5, 6, or 7
  Specify the 802.1X authentication method, where the numbers 0 to 7 refer to the following protocols:
    0: None
    1: EAP-TLS
    2: EAP-PEAPv0-MSCHAPv2
    3: EAP-PEAPv0-GTC
    4: EAP-TTLS-MSCHAPv2
    5: EAP-TTLS-GTC
    6: EAP-FAST
    7: EAP-MD5

device.net.dot1x.identity
  The identity (user name) for authentication.

device.net.dot1x.password
  The password for 802.1X authentication. This parameter is required for all methods except EAP-TLS.

device.net.dot1x.anonid
  EAP-TTLS and EAP-FAST only. The anonymous identity (user name).

device.net.dot1x.eapfastinbandprov
  Value: 0 or 1
  EAP-FAST only, optional. Choose 1 to enable EAP In-Band Provisioning by server-unauthenticated PAC provisioning using anonymous Diffie-Hellman key exchange. Choose 0 to disable EAP In-Band Provisioning.
  Reserved for future use: choose 2 to enable EAP In-Band Provisioning by server-authenticated PAC provisioning using certificate-based server authentication.

device.pacfile.data
  EAP-FAST only, optional. The PAC file (base64 encoded). To generate a base64-encoded PAC file, generate the PAC file using your authentication server and then convert it to base64. You can convert the file to base64 using the following openssl command:

    $ openssl enc -base64 -in myfile -out myfile.b64

device.pacfile.password
  EAP-FAST only, optional. The password for the PAC file.

Applying the Configuration Files to Your Phone

Once you have created a new configuration file or edited a copy of the device.cfg template configuration file using the parameters in Table 1 and Table 2, apply the files to your phone.

To apply the configuration files to your phone:
1. Connect your phone to a staging network (a network that is not 802.1X-enabled).
2. Apply the configuration files to the phone. For more information on applying configuration files to your phone, consult the Polycom UC Software Administrator's Guide, available from http://www.support.polycom.com/voice/.
3. Reboot the phone. Once the phone reboots, it will be ready to connect to the 802.1X-enabled network.
4. Connect the phone to the 802.1X-enabled network and reboot the phone. Verify that your phone is authenticated by making a phone call.

Troubleshooting: What if My Phone Doesn't Authenticate?

If your phone does not authenticate, navigate to the Configuration menu (Menu > Status > Platform > Configuration) and check for errors in your configuration files. If you see the message "Errors Found" instead of "Parameters Accepted" for one or more of the files, verify the parameters in the file.

Configuring 802.1X Using the Polycom Web Configuration Utility

You can configure the 802.1X authentication parameters using the Polycom Web Configuration Utility. This section shows you where to find the 802.1X settings in the Web Configuration Utility. Refer to Configuring 802.1X Using a Central Provisioning Server for an interpretation of the configuration parameters.

To set up a TLS Profile:
1. Connect your phone to a staging network (a network that is not 802.1X-enabled).
2. Launch the Web Configuration Utility by navigating to http://<phoneipaddress>. Log in using your administrator credentials.
3. Navigate to Settings > Network > TLS.
4. Expand the Certificate Configuration menu and install the required certificates.
5. Expand the TLS Profiles menu and configure either Platform Profile 1 or Platform Profile 2.
6. Expand the TLS Applications menu and choose the Platform Profile that you configured (either TLS Platform Profile 1 or TLS Platform Profile 2) from the drop-down list next to the 802.1X label.
7. Click Save at the bottom of the page. Your phone will reboot or restart.

To enable 802.1X authentication:
1. Launch the Web Configuration Utility by navigating to http://<phoneipaddress>.
2. Navigate to Settings > Network > Ethernet.
3. Expand the Ethernet 802.1X menu and configure the settings as described in Table 2: 802.1X Setup Parameters.
4. To configure EAP-FAST with a PAC file, expand PAC File Info and install the PAC file (base64 encoded).

Configuring 802.1X Using the Local Phone User Interface

You can configure the 802.1X authentication parameters using your phone's user interface. This section shows you how to find the 802.1X settings using the phone menus. Refer to Configuring 802.1X Using a Central Provisioning Server for an interpretation of the configuration parameters.

To set up a TLS Profile:
1. Navigate to the TLS Security menu (Menu > Advanced > Admin Settings > TLS Security).
2. Select Custom CA Certificates to configure your CA Certificates, or select Custom Device Credentials to configure the Device Credentials.
3. From the TLS Security menu, select Configure TLS Profiles and choose either TLS Platform Profile 1 or TLS Platform Profile 2.
4. Configure the profile as shown in Table 1: TLS Profile Configuration Parameters.
5. From the TLS Security menu, select TLS Applications > 802.1X.
6. Select the TLS Platform Profile that you configured (either TLS Platform Profile 1 or TLS Platform Profile 2).
7. Save the configuration. The phone will reboot.

To enable 802.1X Authentication:
1. Navigate to the Ethernet Menu (Menu > Advanced > Admin Settings > Network Settings > Ethernet Menu).
2. Scroll down to 802.1X Auth and select Enabled.
3. From the Ethernet Menu, select 802.1X Menu. See Table 2: 802.1X Setup Parameters for the list of parameters to configure. PAC file configuration for EAP-FAST can also be performed from the 802.1X Menu by selecting PAC File Info. The PAC file must be base64 encoded.

Defined Acronyms

The following acronyms are used in this document:
EAP: Extensible Authentication Protocol
TLS: Transport Layer Security
PEAP: Protected Extensible Authentication Protocol
TTLS: Tunneled Transport Layer Security
FAST: Flexible Authentication via Secure Tunneling
MD5: Message-Digest Algorithm
MS-CHAPv2: Microsoft Challenge-Handshake Authentication Protocol (version 2)
GTC: Generic Token Card
IEEE: Institute of Electrical and Electronics Engineers
LAN: Local Area Network
WLAN: Wireless Local Area Network
EAPOL: EAP over LAN (Extensible Authentication Protocol over Local Area Network)
PAC: Protected Access Credential
MDA: Multi-Domain Authentication
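The following Python script is added here as a pre-flight check before the phone is moved off the staging network; it is not part of Polycom's software or of this bulletin. It reads a device.cfg-style fragment and reports parameters that are missing or inconsistent for the selected device.net.dot1x.method, applying the rules given under EAP Authentication Requirements and in Tables 1 and 2. It assumes Polycom's attribute-based XML layout (each parameter is an XML attribute; element names are ignored), uses only the parameter names in this document, and runs against constructed sample fragments.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# device.net.dot1x.method codes as listed in Table 2.
METHOD_NAMES = {
    0: "None", 1: "EAP-TLS", 2: "EAP-PEAPv0-MSCHAPv2", 3: "EAP-PEAPv0-GTC",
    4: "EAP-TTLS-MSCHAPv2", 5: "EAP-TTLS-GTC", 6: "EAP-FAST", 7: "EAP-MD5",
}
TLS_PROFILE_METHODS = {1, 2, 3, 4, 5}  # EAP-TLS, EAP-PEAP, EAP-TTLS need a TLS Profile
PASSWORD_METHODS = {2, 3, 4, 5, 6, 7}   # every method except EAP-TLS needs a password

# Constructed sample fragments (assumed attribute-based layout, not a real device.cfg).
SAMPLE_EAP_TLS = """<device
    device.net.dot1x.enable="1"
    device.net.dot1x.method="1"
    device.net.dot1x.identity="phone-example"
    device.sec.tls.profile.profileselection.dot1x="PlatformProfile1"
    device.sec.tls.profile.cacertlist1="Platform1"
    device.sec.tls.profile.devicecert1="Platform1"/>"""

SAMPLE_PEAP_BROKEN = """<device
    device.net.dot1x.enable="1"
    device.net.dot1x.method="2"
    device.net.dot1x.identity="voice-user"
    device.sec.tls.profile.cacertlist1="All"/>"""


def collect_parameters(xml_text):
    """Flatten every XML attribute in the fragment into one {parameter: value} dict."""
    params = {}
    for element in ET.fromstring(xml_text).iter():
        params.update(element.attrib)
    return params


def check_dot1x(params):
    """Return a list of problems; an empty list means the fragment is consistent."""
    problems = []
    if params.get("device.net.dot1x.enable") != "1":
        problems.append("device.net.dot1x.enable must be 1")
    try:
        method = int(params.get("device.net.dot1x.method", ""))
    except ValueError:
        return problems + ["device.net.dot1x.method missing or not an integer"]
    if method not in METHOD_NAMES:
        return problems + [f"device.net.dot1x.method {method} is not in 0..7"]
    if method == 0:
        return problems + ["method 0 (None) selects no EAP protocol; choose 1..7"]
    if not params.get("device.net.dot1x.identity"):
        problems.append("device.net.dot1x.identity is required")
    if method in PASSWORD_METHODS and not params.get("device.net.dot1x.password"):
        problems.append(f"device.net.dot1x.password is required for {METHOD_NAMES[method]}")
    if method in TLS_PROFILE_METHODS:
        sel = params.get("device.sec.tls.profile.profileselection.dot1x")
        if sel not in ("PlatformProfile1", "PlatformProfile2"):
            problems.append("device.sec.tls.profile.profileselection.dot1x must be PlatformProfile1 or PlatformProfile2")
        else:
            n = sel[-1]  # the profile number selects the parameters ending in 1 or 2 (Table 1)
            if not params.get(f"device.sec.tls.profile.cacertlist{n}"):
                problems.append(f"device.sec.tls.profile.cacertlist{n} (trusted root/CA pool) is required")
            if method == 1 and not params.get(f"device.sec.tls.profile.devicecert{n}"):
                problems.append(f"EAP-TLS requires device.sec.tls.profile.devicecert{n}")
    pac = params.get("device.pacfile.data")
    if pac:
        if method != 6:
            problems.append("device.pacfile.data applies to EAP-FAST only")
        try:
            base64.b64decode(pac, validate=True)  # the PAC file must be base64 encoded
        except (binascii.Error, ValueError):
            problems.append("device.pacfile.data is not valid base64")
    return problems


if __name__ == "__main__":
    for name, text in (("EAP-TLS sample", SAMPLE_EAP_TLS), ("PEAP sample", SAMPLE_PEAP_BROKEN)):
        print(name, check_dot1x(collect_parameters(text)) or "OK")
```

The script only checks that the parameters this document names are present and consistent; it does not verify certificate contents or credentials against the authentication server.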

Trademarks

2011, Polycom, Inc. All rights reserved. POLYCOM, the Polycom "Triangles" logo and the names and marks associated with Polycom's products are trademarks and/or service marks of Polycom, Inc. and are registered and/or common law marks in the United States and various other countries. All other trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted in any form or by any means, for any purpose other than the recipient's personal use, without the express written permission of Polycom.

Disclaimer

While Polycom uses reasonable efforts to include accurate and up-to-date information in this document, Polycom makes no warranties or representations as to its accuracy. Polycom assumes no liability or responsibility for any typographical or other errors or omissions in the content of this document.

Limitation of Liability

Polycom and/or its respective suppliers make no representations about the suitability of the information contained in this document for any purpose. Information is provided "as is" without warranty of any kind and is subject to change without notice. The entire risk arising out of its use remains with the recipient. In no event shall Polycom and/or its respective suppliers be liable for any direct, consequential, incidental, special, punitive or other damages whatsoever (including without limitation, damages for loss of business profits, business interruption, or loss of business information), even if Polycom has been advised of the possibility of such damages.

Customer Feedback

We are constantly working to improve the quality of our documentation, and we would appreciate your feedback. Please send email to VoiceDocumentationFeedback@polycom.com. Visit support.polycom.com for software downloads, product documents, product licenses, troubleshooting tips, service requests, and more.