Hello all,
I have been asked to put certificates on our IP Phones for remote workers for authentication into our network over a Cisco Aironet 600 AP using 802.1x. Basically, they have a dedicated port on the AP for the phone and will allow the phone into the network once it recognizes a valid certificate on the phone. I have glanced over some NTPs and have a little understanding of it, but was hoping some others might have done this already and have some more info on how to accomplish the task.
I have tried manually inputting the CA Server, which is a Microsoft CA Server, the CA Domain and a hostname for the phone manually on the regular LAN. When the phone reboots, it pops up a Fingerprint for the CA Server, and asks for a CA Password, I input that manually, and all looks ok at the moment. But if I reboot the phone I get a Signaling Security Error and the phone continues to retry and keeps popping up with that error. I plug into the AP on their 802.1x port and I don't even make it that far. If I look at the certificates on the phone I show a Device and Trusted cert that it pulled in I guess, but am wondering if I have to do more like with the Certs on UCM etc to make this function on our phone systems? Was hoping not to have to dive that deep in, but if that is what we must do, then that's what we will do.
Was just hoping to get some more insight and understanding and HELP heh on the matter. I know there are ways to push the certs to the phone via provisioning, and ideally we will want to go that method in the end, but was just trying manual methods to get it running first. Is pushing the pem files different than manually inputting the CA server etc? And is there any way to see logs or such to find out what it is doing?
Thanks for any assistance on the matter. Let me know if you need more info on the setup.
Chad