Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

TrustCerts H323 802.1x

Status
Not open for further replies.

avayaguy23

Systems Engineer
May 30, 2018
489
US
I am tasked with getting 802.1x to work with ClearPass and 9611G phone running R6_8_3_2Y H323 firmware. I made the changes to the 46xxsetttings to include the root CA certificate.
SET TRUSTCERTS CA.pem,slamon-cert-chain

I can see from the HTTP utility server logs that the phones are getting an HTTP 200 okay message but is there a way to verify on the phone itself the phone is truly trusting the cert? As this is Avaya, their documentation is terrible.

 
Ha yea I read that same doc but again avaya documentation is so poor, old, and full of holes. This doc tells you to have the trust certs as a txt, the latest 46xxsettings says to use .pem, and then another avaya article says to use .cer. There was also a tech article that says the utility server was saying 200 okay but the phone wasn’t accepting the CA. The packet capture was saying unknown CA. So that is why I ask about seeing if the phone actually accepts the cert. I’m assuming there is no way.
 
If anyone is dealing with setting up 802.1x this may be helpful information. In my environment, the SCEP process is completed by a stand alone CA server. ClearPass is being used and is setup to use a different Root CA (client CA). ClearPass needed to trust the SCEP Stand Alone CA and the Avaya phone needed the SCEP stand alone CA AND the client root/sub CA used in ClearPass. In total, the phone needed to trust 3 certs.

This was discovered by putting the phone in debug mode. This is accomplished by changing the default CRAFT passcode to something else using the 46xxsettings.txt. Reboot the phone so they grab the settings.

PROCPSWD "2580"
lOGlOCAL 8-Debug
BRURI (Utility Server IP)

On the phone itself.....
a. Set log level to ‘Debug’ from phone’s menu: MUTE -> "2580" -> LOG -> Log: Debug.
Note: this is H.323 software and the only way to set it is from phone’s menu, this is not settable from 46xxsettings.txt file.

b. From phone’s menu: MUTE -> "2580" -> DEBUG -> Log to file set to 'On'.
Note that it can be done from 46xxsettings.txt file as well: SET LOGTOFILE 1

You can reboot your phone so it grabs the certs, performs the SCEP process, etc and then you can get the logs sent to the utility server by:
MUTE -> "2580" -> DEBUG -> Phone Report -> Create to get phone report

You can use WINSCP to get the logs from the /PhoneBackup folder. The logs will show you what is being trusted.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top