TrustCerts H323 802.1x

(OP)
I am tasked with getting 802.1x to work with ClearPass and a 9611G phone running R6_8_3_2Y H323 firmware. I made the changes to the 46xxsettings to include the root CA certificate.
SET TRUSTCERTS CA.pem,slamon-cert-chain

I can see from the HTTP utility server logs that the phones are getting an HTTP 200 okay message but is there a way to verify on the phone itself the phone is truly trusting the cert? As this is Avaya, their documentation is terrible.

RE: TrustCerts H323 802.1x

If it took the cert, it'll trust it.

You can hate Avaya documentation - that's ok. But you, me, and any other voice guy can hate 802.1x.

Here's the first Google result for "avaya 802.1 x 9600". I pray I never have to do what's in this document.
https://downloads.avaya.com/css/P8/documents/10017...

RE: TrustCerts H323 802.1x

(OP)
Ha, yeah, I read that same doc, but again Avaya documentation is so poor, old, and full of holes. This doc tells you to have the trust certs as a txt, the latest 46xxsettings says to use .pem, and then another Avaya article says to use .cer. There was also a tech article that says the utility server was saying 200 okay but the phone wasn't accepting the CA. The packet capture was saying unknown CA. So that is why I ask about seeing if the phone actually accepts the cert. I'm assuming there is no way.

RE: TrustCerts H323 802.1x

(OP)
If anyone is dealing with setting up 802.1x, this may be helpful information. In my environment, the SCEP process is completed by a standalone CA server. ClearPass is being used and is set up to use a different Root CA (client CA). ClearPass needed to trust the SCEP standalone CA, and the Avaya phone needed the SCEP standalone CA AND the client root/sub CA used in ClearPass. In total, the phone needed to trust 3 certs.

This was discovered by putting the phone in debug mode. This is accomplished by changing the default CRAFT passcode to something else using the 46xxsettings.txt. Reboot the phone so they grab the settings.

PROCPSWD "2580"
LOGLOCAL 8-Debug
BRURI http://x.x.x.x/PhoneBackup (Utility Server IP)

On the phone itself.....
a. Set log level to ‘Debug’ from phone’s menu: MUTE -> "2580" -> LOG -> Log: Debug.
Note: this is H.323 software and the only way to set it is from phone’s menu, this is not settable from 46xxsettings.txt file.

b. From phone’s menu: MUTE -> "2580" -> DEBUG -> Log to file set to 'On'.
Note that it can be done from 46xxsettings.txt file as well: SET LOGTOFILE 1

You can reboot your phone so it grabs the certs, performs the SCEP process, etc and then you can get the logs sent to the utility server by:
MUTE -> "2580" -> DEBUG -> Phone Report -> Create to get phone report

You can use WinSCP to get the logs from the /PhoneBackup folder. The logs will show you what is being trusted.
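
Added example, not part of the original thread: an offline pre-flight check, run with openssl on an admin host, that a TRUSTCERTS bundle contains every CA needed to validate the RADIUS server certificate. It builds a constructed lab PKI mirroring the three-CA layout described above; all file and subject names are made up, and openssl's chain building is assumed to be a reasonable stand-in for the phone's.

```sh
#!/bin/sh
# Added example, not from the thread. Every file and subject name is constructed.

# Succeeds only if certificate $2 chains to a self-signed root using nothing
# but the CA certificates in bundle $1 (no intermediates supplied on the side).
chains_to_bundle() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Number of PEM certificates in file $1.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Build a throwaway lab PKI in directory $1: a client root, a sub CA under it
# that issues the RADIUS server certificate, and a separate standalone SCEP CA.
make_lab_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for ca in root scep; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=lab-$ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    for leaf in sub srv; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=lab-$leaf" \
            -keyout "$d/$leaf.key" -out "$d/$leaf.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/sub.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/srv.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
        -set_serial 3 -days 2 -out "$d/srv.pem" 2>/dev/null || return 1
    cat "$d/root.pem" "$d/scep.pem" > "$d/two.pem"                 # sub CA left out
    cat "$d/root.pem" "$d/sub.pem" "$d/scep.pem" > "$d/three.pem"  # all three CAs
}

# Demo: check the RADIUS server certificate against both bundles.
lab=$(mktemp -d) && make_lab_pki "$lab" && for b in two three; do
    if chains_to_bundle "$lab/$b.pem" "$lab/srv.pem"; then r=trusted; else r="NOT trusted"; fi
    echo "$b.pem ($(count_certs "$lab/$b.pem") certs): lab-radius $r"
done
rm -rf "$lab"
```

Against real files, concatenate the CA files named in SET TRUSTCERTS and pass that bundle plus the exported ClearPass server certificate to chains_to_bundle. The phone's debug log remains the authoritative record of what it actually trusts.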



