Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

TrustCerts H323 802.1x

Status
Not open for further replies.
avayaguy23

avayaguy23

Systems Engineer
May 30, 2018
489
US
I am tasked with getting 802.1x to work with ClearPass and 9611G phone running R6_8_3_2Y H323 firmware. I made the changes to the 46xxsetttings to include the root CA certificate.
SET TRUSTCERTS CA.pem,slamon-cert-chain

I can see from the HTTP utility server logs that the phones are getting an HTTP 200 okay message but is there a way to verify on the phone itself the phone is truly trusting the cert? As this is Avaya, their documentation is terrible.

 
Sort by date Sort by votes
Ha yea I read that same doc but again avaya documentation is so poor, old, and full of holes. This doc tells you to have the trust certs as a txt, the latest 46xxsettings says to use .pem, and then another avaya article says to use .cer. There was also a tech article that says the utility server was saying 200 okay but the phone wasn’t accepting the CA. The packet capture was saying unknown CA. So that is why I ask about seeing if the phone actually accepts the cert. I’m assuming there is no way.
 
Upvote 0 Downvote
If anyone is dealing with setting up 802.1x this may be helpful information. In my environment, the SCEP process is completed by a stand alone CA server. ClearPass is being used and is setup to use a different Root CA (client CA). ClearPass needed to trust the SCEP Stand Alone CA and the Avaya phone needed the SCEP stand alone CA AND the client root/sub CA used in ClearPass. In total, the phone needed to trust 3 certs.

This was discovered by putting the phone in debug mode. This is accomplished by changing the default CRAFT passcode to something else using the 46xxsettings.txt. Reboot the phone so they grab the settings.

PROCPSWD "2580"
lOGlOCAL 8-Debug
BRURI (Utility Server IP)

On the phone itself.....
a. Set log level to ‘Debug’ from phone’s menu: MUTE -> "2580" -> LOG -> Log: Debug.
Note: this is H.323 software and the only way to set it is from phone’s menu, this is not settable from 46xxsettings.txt file.

b. From phone’s menu: MUTE -> "2580" -> DEBUG -> Log to file set to 'On'.
Note that it can be done from 46xxsettings.txt file as well: SET LOGTOFILE 1

You can reboot your phone so it grabs the certs, performs the SCEP process, etc and then you can get the logs sent to the utility server by:
MUTE -> "2580" -> DEBUG -> Phone Report -> Create to get phone report

You can use WINSCP to get the logs from the /PhoneBackup folder. The logs will show you what is being trusted.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

majordad99
  • Locked
  • Question
96x1 trustcerts
Replies
0
Views
67
majordad99
majordad99
wpetilli
  • Locked
  • Question
Personal labels h323 to SIP
Replies
0
Views
54
wpetilli
wpetilli
jimbojimbo
  • Locked
  • Question
Aura 10 greater then 2000 SIP or H323 endpoints
Replies
3
Views
76
G van Hamburg
G van Hamburg
DucDuong19
  • Locked
  • Question
H323 trunk denial event 1575: SETUP msg send failed D1=0x9e97 D2=0x198b
Replies
4
Views
409
DucDuong19
DucDuong19
avayaguy23
  • Locked
  • Question
Avaya 9611G H323 6.8.3.2Y EAP-TLS SCEP renewal
Replies
19
Views
341
avayaguy23
avayaguy23

Part and Inventory Search

Sponsor

Back
Top