avayaguy23
Systems Engineer
I am deploying 802.1X on 9611G phones running H.323 6.8.3.2Y firmware. I have it all working, but I have questions about the SCEP renewal process. I currently have the certificate identity policy set to be valid for one day. The renewal process kicks in at 90%, or about 21 hours. The phone goes offline for a couple of days but is connected to a non-802.1X-enabled network port so it can perform the SCEP process. It never performs the SCEP renewal. ClearPass says the phone is using the old, expired identity certificate when connected to an 802.1X-enabled network port. We need to factory reset the phone in order for it to generate a new identity certificate. Is this normal behavior? I'm pretty sure it is, based on the fact that the phone has 802.1X enabled but the network port does not.
DOT1X – set to "2 – EAPOL multicast passthrough is disabled"
DOT1XSTAT – set to "1 – enable supplicant for multicast and unicast EAPOL messages"
DOT1XEAPS – set to TLS (this enables EAP-TLS authentication)
DOT1XWAIT – set to 1
Configure:
MYCERTCN – set to $MACADDR (configures the identification method to use the phone's MAC address)
MYCERTURL – set to the URL of the CA server where the identity certs are stored (the phone will download the certificate using the SCEP process)
MYCERTKEYLEN – set to 2048
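The following is an added worked example, not code from the poster or from Avaya. It turns the settings listed above into the `SET NAME value` line form used in a 46xxsettings.txt file, parses that fragment, and then computes the SCEP renewal window from the certificate's validity period so you can check whether a given offline interval swallows the whole window (the situation described above: a one-day cert, renewal at 90%, phone offline for two days). Assumptions: the settings fragment, the SCEP URL, and the cert dates are constructed for the example; the `MYCERTRENEW` parameter name and its default of 90 are taken from Avaya's 96x1 administration documentation as I recall it and should be verified against the documentation for your firmware. The calculation generalizes to any validity period and renewal percentage, not only the one-day case in the post.

```python
from datetime import datetime, timedelta, timezone

# Constructed fragment of a 46xxsettings.txt file (not the poster's actual file).
# Parameter names other than MYCERTRENEW are the ones listed in the post;
# MYCERTRENEW (renewal trigger as a percent of certificate lifetime) is assumed.
CONSTRUCTED_SETTINGS = """
## 802.1X supplicant and SCEP enrollment settings
SET DOT1X 2
SET DOT1XSTAT 1
SET DOT1XEAPS TLS
SET DOT1XWAIT 1
SET MYCERTCN $MACADDR
SET MYCERTURL http://scep.example.internal/certsrv/mscep/mscep.dll
SET MYCERTKEYLEN 2048
SET MYCERTRENEW 90
"""


def parse_settings(text: str) -> dict:
    """Parse 'SET NAME value' lines; '#' lines and blanks are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].upper() == "SET":
            settings[parts[1].upper()] = parts[2]
    return settings


def renewal_window(not_before: datetime, not_after: datetime,
                   renew_percent: int = 90):
    """Return (renewal_start, not_after).

    The phone attempts SCEP renewal once renew_percent of the certificate
    lifetime has elapsed, and can only do so while the cert is still valid.
    """
    lifetime = not_after - not_before
    start = not_before + lifetime * (renew_percent / 100)
    return start, not_after


def renewal_missed(not_before: datetime, not_after: datetime,
                   offline_from: datetime, offline_until: datetime,
                   renew_percent: int = 90) -> bool:
    """True if the phone is offline for the entire renewal window.

    If it goes offline after the window opens, it already had the chance to
    renew; if it comes back before expiry, it still can. Only an outage that
    covers [renewal_start, not_after] leaves the phone with an expired cert.
    """
    start, end = renewal_window(not_before, not_after, renew_percent)
    return offline_from <= start and offline_until >= end


def hours_until_renewal(not_before: datetime, not_after: datetime,
                        renew_percent: int = 90) -> float:
    start, _ = renewal_window(not_before, not_after, renew_percent)
    return (start - not_before).total_seconds() / 3600


if __name__ == "__main__":
    cfg = parse_settings(CONSTRUCTED_SETTINGS)
    pct = int(cfg.get("MYCERTRENEW", "90"))
    # Constructed one-day identity cert, as in the post.
    nb = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
    na = nb + timedelta(days=1)
    print(f"EAP method: {cfg['DOT1XEAPS']}, SCEP URL: {cfg['MYCERTURL']}")
    print(f"renewal opens after {hours_until_renewal(nb, na, pct):.1f} h")
    off_from = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    off_until = off_from + timedelta(days=2)
    print("renewal missed during 2-day outage:",
          renewal_missed(nb, na, off_from, off_until, pct))
```

With a 24-hour certificate and MYCERTRENEW 90 the window opens 21.6 hours after issuance and closes at expiry, so any outage that begins before hour 21.6 and lasts past hour 24 leaves the phone holding only an expired certificate, which is the state the post describes. Lengthening the validity period or lowering the renewal percentage widens the window and makes this less likely.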