ID Certs for 96XX Phones

Status
Not open for further replies.

aklshaker

MIS
Jun 2, 2006
6
US
Hello everyone,

I found this thread from 2016 on installing ID certs for Avaya 96XX phones:


I have been researching this same topic, and finding the same amount of limited information as discussed here. If anyone ever found a working solution for Cisco ISE and Avaya IP phones I would love any information you can share. I am trying to find a working configuration as well.

Thanks!
Chris
 
802.1X Authentication against Cisco ISE using Certificates.
 
Thanks, so I have to enroll with a SCEP CA? I can't just add the certificate I want with the SET TRUSTCERTS parameter in the settings file?

 
And I know very little about 802.1x, so take this with a grain of salt.
I think you do need SCEP. Trustcerts is for the phone to trust certs that chain up to a particular authority. So, you put your System Manager CA cert in that line and when a SM presents a cert issued to "mysm" and issued by "mysmgr", by virtue of my phone having "mysmgr" as a trusted authority, it will set up a TLS handshake.
Much like your browser trusting a webserver.

What you're doing is the opposite. You want to authenticate the phone. So, the phone would have to present a certificate to the network that the .1x authentication thing trusts. Otherwise, I'd just plug my laptop with wireshark on your LAN, see the cert offered, say I trust it, and away I go.

You COULD make 1 cert for "phones" and take each phone in to your private room and load that so only phones that have gone through your private room could get on the network. Or, do 1 per serial/mac so you can revoke them based on your need. Just depends what and how you're trying to lock things down.
 
Thanks, I really appreciate all the feedback. The other thread I found on this subject said that System Manager cannot act as a SCEP server; does anyone know if that has changed since version 7 came out? Or any other suggestions for a server running SCEP that you guys might have deployed for this kind of setup?
 
My opinion - it can, but don't! My interpretation of Avaya's intent was to put a CA in System Manager to handle things they need - not to be a replacement for a CA in your enterprise. Lots of things use SCEP - Session Managers, IP Offices, etc. It'd be a nice feature to include it for phones as well, but I think you'd break the other SCEP parts already set up for other Avaya things.
I suppose you could spin up your own EJBCA like SMGR uses but use it yourself.
 