Snom deskphones support IEEE 802.1X port-based network access control using the EAP protocol. Before the phone gets any network access, the switch validates it against a so-called RADIUS server (https://en.wikipedia.org/wiki/RADIUS). The phone authenticates to the server with a certificate (EAP-TLS). The easiest way to "secure" a port is MAB (MAC Authentication Bypass), where only the MAC address is checked and the device is admitted on that basis alone. This is not advisable in secure environments because a MAC address is trivial to spoof (https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html).
Requirements for using EAP-TLS
A simple environment consists of a Microsoft NPS server as RADIUS server, Microsoft Active Directory, and a Microsoft CA for the certificates. A basic switch would be a Cisco Small Business SG300-10MP.
The following setup is needed:
- RADIUS server authenticating the requests
- Switch/router supporting 802.1X
- IP endpoint with a valid certificate
- Client certificate with a SAN entry (UPN for a user certificate, DNS FQDN for a computer certificate) and the corresponding private key
- Certificates encoded in PEM or DER format; private key file of the client certificate in PEM, DER or PFX format
- With server authentication: CA certificates for server authentication (root and intermediate in one file)
Generating Client Certificates
An easy way to generate a client certificate is to create the certificate request with openssl and have it signed with the Windows Server command line tool certreq. The private key is generated by openssl and stays in a file on the requesting machine, so it never has to be exported from a Windows certificate store.
1.) Create the certificate request (see the appendix for an example config):
2.) Submit the request to the Windows CA (with Windows as RADIUS server):
The result is the client certificate snom.cer and the corresponding private key snom.key. Alternatively the certificate request can be built with certreq using an *.inf file (see appendix). Unfortunately, the private key then lands in the Windows certificate store and has to be exported afterwards.
certreq: In this scenario the certificate template was based on the built-in Computer or User templates.
Besides the certificate(s), the configuration file is the main part of the tarball. Its filename must be "wpa_supplicant.conf". More information on the configuration options, for example for other authentication types, can be found in the wpa_supplicant man page: http://linux.die.net/man/8/wpa_supplicant
The path of the certificates in the configuration file is very important: it must be /snom/snomconfig/certificates/8021x/$filename. The certificate file itself can have any name; it only matters that the same name is used in the configuration file. After you have edited the config and created the certificate, create a tarball of the files, for example with 7-Zip on a Windows system or with tar -cvf name.tar /path/to/file1 /path/to/file2 /path/to/file3 on a Unix system. You need this tarball in the next steps.
The relevant settings are:
- key_mgmt=IEEE8021X: IEEE 802.1X using EAP authentication
- eap=TLS: EAP method EAP-TLS
- identity: the corresponding user or computer account (see the examples below)
- password: password for the identity (e.g. the user account); only used by EAP methods that authenticate with a password, not by EAP-TLS itself
- ca_cert: path of the certificate authority certificate(s) used to verify the RADIUS server
- client_cert: client certificate
- private_key: corresponding private key
- private_key_passwd: password of an encrypted private key
If a PKCS#12/PFX file containing both the certificate and the private key is used, client_cert is not needed. If ca_cert is not set, server authentication is disabled: the phone then accepts any RADIUS server certificate, so set ca_cert wherever the CA chain is available.
Based on a computer account (no server authentication, unencrypted private key):
TAR file contains: wpa_supplicant.conf / 0004137109a3.cer / 0004137109a3.key
Based on a computer account (no server authentication, encrypted private key), simple example using a PFX/PKCS#12 file:
TAR file contains: wpa_supplicant.conf / 0004137109a3.pfx
Based on a user account (including server authentication, encrypted private key, user account password, private key and client certificate in one file)
Using intermediate certificates
Method 1: Put all certificates into one file, starting with the server certificate, then the intermediate(s), ending with the root CA.
Method 2: Set several ca_cert lines in the wpa_supplicant.conf.
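The following POSIX shell script is an added example (not from this page or from Snom). It writes the wpa_supplicant.conf for the three variants above, checks that every certificate path in the conf uses the fixed /snom/snomconfig/certificates/8021x/ prefix and that each referenced file is actually present next to the conf, and packs the tarball. The identity values (host/<mac>.example.com and alice@example.com), the chain file name ca-chain.pem and the file name user.pfx are assumptions; replace them with your own account and file names.

```shell
#!/bin/sh
# Added example, not Snom code: build wpa_supplicant.conf + tarball for a Snom
# phone. Identities, file names and output paths below are placeholders.
set -eu

PHONE_CERT_DIR=/snom/snomconfig/certificates/8021x   # fixed path the phone uses

# Variant 1: computer account, PEM certificate + unencrypted key, no server auth.
conf_computer_pem() {
  mac="$1"
  cat <<EOF
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="host/$mac.example.com"
    client_cert="$PHONE_CERT_DIR/$mac.cer"
    private_key="$PHONE_CERT_DIR/$mac.key"
}
EOF
}

# Variant 2: computer account, PKCS#12 with encrypted key; client_cert not needed.
conf_computer_pfx() {
  mac="$1"; pw="$2"
  cat <<EOF
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="host/$mac.example.com"
    private_key="$PHONE_CERT_DIR/$mac.pfx"
    private_key_passwd="$pw"
}
EOF
}

# Variant 3: user account with server authentication. ca_cert points at the
# chain file (intermediates + root), so the phone verifies the RADIUS server.
conf_user_serverauth() {
  upn="$1"; pw="$2"
  cat <<EOF
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="$upn"
    ca_cert="$PHONE_CERT_DIR/ca-chain.pem"
    private_key="$PHONE_CERT_DIR/user.pfx"
    private_key_passwd="$pw"
}
EOF
}

# Pre-upload check: every ca_cert/client_cert/private_key path must start with
# the phone's directory, and the file it names must sit next to the conf.
check_conf_paths() {
  dir="$1"
  paths=$(sed -nE 's/^[[:space:]]*(ca_cert|client_cert|private_key)="?([^"]*)"?$/\2/p' \
          "$dir/wpa_supplicant.conf")
  [ -n "$paths" ] || { echo "no certificate paths found in conf" >&2; return 1; }
  for p in $paths; do
    case "$p" in
      "$PHONE_CERT_DIR"/*) ;;
      *) echo "wrong path (must start with $PHONE_CERT_DIR): $p" >&2; return 1 ;;
    esac
    [ -f "$dir/${p##*/}" ] || { echo "file named in conf is missing: ${p##*/}" >&2; return 1; }
  done
}

# Pack the directory contents (conf + certificates/keys) without directory prefixes.
build_tarball() {
  dir="$1"; out="$2"
  check_conf_paths "$dir"
  case "$out" in /*) ;; *) out="$PWD/$out" ;; esac   # absolute, because we cd below
  (cd "$dir" && tar -cf "$out" *)
  echo "wrote $out"
}

if [ "${1:-}" = "run" ]; then
  work=$(mktemp -d)
  conf_computer_pem 0004137109a3 > "$work/wpa_supplicant.conf"
  cp 0004137109a3.cer 0004137109a3.key "$work/"   # output of the CSR/certreq steps
  build_tarball "$work" "0004137109a3.tar"
  tar -tvf 0004137109a3.tar
fi
```

Run it as `sh build_8021x_tar.sh run` from the directory holding the certificate and key files. The check_conf_paths step catches the two most common upload mistakes mentioned above: a path that does not start with the phone's certificate directory, and a file name in the conf that differs from the file actually put into the tarball.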
Phone configuration (Web user interface)
There are two ways of configuring 802.1X on the phone. The first is via the web UI, which is described in this section; for provisioning, see the next section. For this step the phone has to be in a non-802.1X environment so that you can reach it from your web browser. I assume the latest 802.1X firmware is already on the phone and that the phone was reset to factory defaults after the upgrade. Open the web UI by entering https://X.X.X.X in your browser, replacing the X with the actual IP address of the phone. Go to Certificates → 802.1x Certificates.
Click the button to choose a file, navigate to the tarball you created before, select it and click "Load".
Afterwards you should see the files you uploaded. [OK] indicates that the certificates were loaded correctly.
Now navigate to Advanced → Qos/Security and choose EAP-TLS in the 802.1X dropdown:
Don't be fooled by the type "EAP-TLS": the EAP method actually used is whatever is configured in the wpa_supplicant.conf. This will change in a stable release; always keep in mind that this is a pre-alpha firmware version. Now you can put the device into an 802.1X-protected environment and reboot the phone. The authentication process starts and its progress is shown on the display.
Phone configuration (Provisioning)
You can also provide these settings and the tarball via provisioning. There are multiple ways of doing this; they are described in our wiki:
These settings have to be set to enable custom certificates:
Make sure to replace the "url" parameter of the entity with the actual location of the tarball in your environment. All phone settings related to 802.1X authentication are shown in the example above.
Important: if you enable the 802.1X debug log, deactivate it again as soon as you have found the problem or collected the information you needed. Never leave the 802.1X debug log active in a production environment! The debug log survives a reboot, so if authentication fails you can take the phone, put it back into a non-802.1X environment and look at the debug output of wpa_supplicant.
OpenSSL config example (e.g. snom.cnf) for a computer certificate
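The following shell script is an added example for the certificate generation steps above and this appendix; it is not the page's own snom.cnf and not Snom's code. It writes an OpenSSL request config with the SAN entry NPS expects (a DNS FQDN for a computer certificate, a UPN otherName for a user certificate), creates the key and CSR with openssl so that the private key never leaves the file system, and shows the certreq submission on the Windows CA as a comment. The hostname 0004137109a3.example.com, the UPN alice@example.com, the template name SnomPhone8021X and the output directory are assumptions.

```shell
#!/bin/sh
# Added example, not the page's appendix: key + CSR for a Snom EAP-TLS client
# certificate. Hostname, UPN, template name and paths are placeholders.
set -eu

# Write an openssl request config with a SAN extension. Computer certificates
# carry the account FQDN as DNS SAN; user certificates carry the UPN as
# otherName (Microsoft OID 1.3.6.1.4.1.311.20.2.3).
write_openssl_cnf() {
  out="$1"; cn="$2"; kind="$3"; san="$4"
  case "$kind" in
    computer) san_line="subjectAltName = DNS:$san" ;;
    user)     san_line="subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$san" ;;
    *) echo "kind must be 'computer' or 'user'" >&2; return 1 ;;
  esac
  cat > "$out" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = $cn

[ v3_req ]
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
$san_line
EOF
}

# Generate the private key and CSR. The key stays in snom.key, so nothing has
# to be exported from a Windows certificate store afterwards.
make_csr() {
  dir="$1"; cnf="$2"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/snom.key" -out "$dir/snom.csr" -config "$cnf"
  # show the SAN that ended up in the request before sending it to the CA
  openssl req -in "$dir/snom.csr" -noout -text | grep -A1 'Subject Alternative Name'
}

# On the Windows CA (cmd.exe), submit the CSR against a template cloned from
# the Computer or User template (template name is an assumption); if certreq
# returned DER instead of Base64, convert so the phone gets PEM:
#   certreq -submit -attrib "CertificateTemplate:SnomPhone8021X" snom.csr snom.cer
#   openssl x509 -in snom.cer -inform DER -out snom.pem -outform PEM

if [ "${1:-}" = "run" ]; then
  work="${2:-.}"
  write_openssl_cnf "$work/snom.cnf" 0004137109a3.example.com computer 0004137109a3.example.com
  make_csr "$work" "$work/snom.cnf"
fi
```

Run `sh make_snom_csr.sh run ./out` to get out/snom.key and out/snom.csr; for a user certificate call write_openssl_cnf with `user` and the UPN instead. The `-nodes` flag leaves the key unencrypted on disk, which matches the "unencrypted private key" variant above; to produce the encrypted variant, convert the signed certificate and key into a PKCS#12 file with `openssl pkcs12 -export` and set private_key_passwd in wpa_supplicant.conf.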