Security

last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

802.1X EAP-TLS with Mitel VoIP

  • 1.  802.1X EAP-TLS with Mitel VoIP

    Posted May 08, 2018 07:55 AM

    Hi all,

     

    I am trying to help a customer in getting their Mitel 6900 Series VoIP phones move to 802.1X using EAP-TLS. While CPPM part in configuring service and the rest is under control, I was wondering if anyone has dealt with this in real life deployment, as I would like to know:

     

    a) where from did you push certs on phones (Mitel Admin Guide is mentioning "The phone downloads certificates using the URLs provided in startup.cfg file" without saying which server URL is pointing to)

    b) how is the solution incorporated with AD/CPPM

     

    I am sure there is a nice document somewhere explaining all of this, but I cannot find it :-). Thanks. 



  • 2.  RE: 802.1X EAP-TLS with Mitel VoIP

    Posted Jun 27, 2018 04:53 AM

    Dear NesM, dear Airhead-Community,

     

    not exactly thew same question, but I think my questions fits the context.

     

    We are planning to update our wireless infrastrsucture and thought about switching to HP Aruba 300 series.

    One of our top questions - that hasn´t been answered by our HP partner yet - is about the quality of VoIP sing HP Aruba AccessPoints.

     

    We too have a Mitel System and were hoping to use the smartphone app (softphone) after upgrading our infrstructure.

    Currently we are facing massive problems espacially regarding the handover from one AP to another one.

     

    Anybody here havon experiences with this, doens´t even have to be a Mitel System, just in general "VoIp over WLAN with Handovers".

     

    Thanks in Advance.



  • 3.  RE: 802.1X EAP-TLS with Mitel VoIP

    Posted Jan 14, 2021 12:26 PM
    Hi,
    I can help you on Mitel Phone, but I need help on CPPM.
    My VOIP Phone has a trusted self signed certifcate onboard, Can I import it to CPPM for EAP-TLS?
    Thanks

    ------------------------------
    VALERIO RIC
    ------------------------------



  • 4.  RE: 802.1X EAP-TLS with Mitel VoIP

    Posted Jan 18, 2021 05:09 AM
    I don't know Mitel specifically, but most IP Phone vendors have factory-installed client certificates that are issued by a vendor-specific Root CA.

    Unsure if you classified that as 'trusted self signed', as self signed is untrusted by definition.

    If the phones do have a client certificate that is issued by the phone vendor, you should import the root CA into your ClearPass Trust List and enable for EAP. After that, there are good chances that the phone can authenticate with its factory certificate.

    If you issued the certificates yourself, have them signed by your own CA and import that root CA into your ClearPass Trust List, similarly to a vendor root VA.

    An internet search for 'Mitel Root CA' shows at least one result that appears to originate from the documentation, but I could not see a date on there so it may be old and obsolete. Your Mitel vendor or support may be able to provide you with the root CA, and if you found the reference it may be useful to post it here for others in the same situation. If you get stuck on the ClearPass side, opening a support case at your Partner or Aruba Support may help you further.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 5.  RE: 802.1X EAP-TLS with Mitel VoIP

    Posted Jan 18, 2021 06:23 AM
    Thank you,
    I'm waiting the root certificates from the customer. The ClearPass technician have created a csr from his server and then we have sended it to the customer. When they return us the certificate, I will check the authentication after importing these one into phones.
    Do you think I can use these certificates?
    V

    ------------------------------
    [Ilmero81]
    ------------------------------



  • 6.  RE: 802.1X EAP-TLS with Mitel VoIP

    Posted Jan 18, 2021 08:08 AM
    The CSR is for the EAP server certificate? The phones need to be configured to trust that as well. The second is that ClearPass needs to trust the phone's client certificate, for which you need to install the Root CA that issued the client certificates in the ClearPass Trust List.

    Phones must trust the ClearPass EAP certificate, so must have the root CA that issued that certificate installed. Also, the phones need to be configured to do 802.1X with EAP-TLS, which probably can be done through some form of management tool for your phones.
    ClearPass must trust the phone's client certificate, so must have the root CA that issued the phone certificates installed in the Trust List and enabled for EAP. That root may be a Mitel root CA if you are using factory certificates.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 7.  RE: 802.1X EAP-TLS with Mitel VoIP

    Posted Jan 18, 2021 10:09 AM
    Yes, the CSR provided by ClearPass technician will be signed by CA and then install into Phones and I think that the ClearPass technician  will import the same signed certificate on the his server.
    It could work, I hope. What do you think about this?

    ------------------------------
    [Ilmero81]
    ------------------------------



  • 8.  RE: 802.1X EAP-TLS with Mitel VoIP

    Posted Jan 18, 2021 02:56 PM
    In EAP-TLS auth, we will have two certificates.

    Client Certificate & Server Certificate.

    CSR which is generated in CPPM server will be a server certificate, we need to get it signed from CA.

    After receiving singed server certificate , we need to install it on CPPM server and root CA who signed the server certificate need to be added in client trust list and same for client certificate as well, root CA of client certificate need to be added in CPPM certificate trust list.

    During authentication both client and server will exchange there certificates and trust each other, since individual have other CA root in trust list and devices will get authenticated.

    Note: Installing client certificate and adding server root CA in trust list will not finish client side configuration. We need to configure client to do authentication using eap tls protocol and it can be done using AD or other tools.







    ------------------------------
    Pavan Arshewar
    Principal Network Engineer

    If my post addresses your query, give kudos!
    ------------------------------