General

Snom deskphones support port security using the EAP protocol (IEEE 802.1X). Before the phone gets any network access it is validated by the switch and a so-called RADIUS server (https://en.wikipedia.org/wiki/RADIUS). The phone uses a certificate to authenticate to the server. The easiest way to secure a port is MAB (MAC Address Bypass), where only the MAC address is checked and matching devices are authenticated. This is not advisable in secure environments because a MAC address is easy to spoof (https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html).

Requirements for using EAP/TLS

A simple environment consists of a Microsoft NPS server as RADIUS server, Microsoft AD and a Microsoft CA for the certificates. A basic switch would be a Cisco Small Business SG 300-10MP.

The following setup is needed:

  • RADIUS server authenticating the requests
  • Switch/Router supporting 802.1X
  • IP endpoint with a valid certificate
  • Client certificate with SAN entry (UPN for a user certificate, DNS FQDN for a computer certificate) and the corresponding private key
  • Certificates encoded in PEM/DER format; private key file of the client certificate in PEM/DER/PFX format
  • With server authentication: CA certificates for server authentication (root + intermediate in one file)

Configuration

Generating Client Certificates

An easy way of generating a client certificate is to use openssl to create the certificate request, combined with the Windows Server command-line tool certreq to perform the actual certification.

This way, no private key has to be extracted.

1.) Create the certificate request (see the appendix for an example config):

openssl req -new -config snom.cnf -keyout snom.key -out snom.csr


2.) With Windows as RADIUS server, submit the request to the Windows CA:

certreq.exe -submit -attrib "CertificateTemplate:SnomPhones" snom.csr snom.cer


The result is the client certificate snom.cer and the corresponding private key snom.key. Alternatively, the certificate request can also be built with certreq using an *.inf file (see appendix). Unfortunately, the corresponding private key then has to be extracted afterwards.

certreq: In this scenario the certificate template was based on the Computer or User templates.

WPA_SUPPLICANT CONFIGURATION

General

The configuration file is the main part of the files needed besides the certificate(s). Its filename must be “wpa_supplicant.conf”. More information on the different configuration options, for example for other authentication types, can be found here: http://linux.die.net/man/8/wpa_supplicant

Very important is the path of the certificates in the configuration file: it must be /snom/snomconfig/certificates/8021x/$filename. The name of the certificate file itself can be chosen freely; it is only important that the same name is used in the configuration file. After you have successfully edited the config and created a certificate, create a tarball, for example with 7-Zip on a Windows-based system or with tar -cvf name.tar /path/to/file1 /path/to/file2 /path/to/file3 on a Unix-based system. You need this tarball in the next steps.

Important settings:

  • key_mgmt=IEEE8021X: IEEE 802.1X using EAP authentication

  • eap=TLS: EAP method EAP-TLS

  • identity: corresponding user / computer account (check the examples)

  • password: password for the identity (e.g. the user account)

  • ca_cert: path of the certificate authority certificate

  • client_cert: client certificate

  • private_key: corresponding private key

  • private_key_passwd: password of the encrypted private key

If a PKCS#12/PFX file containing both certificate and private key is used, “client_cert” is not needed. Omitting “ca_cert” disables server authentication.


Simple Example

Based on a computer account (no server authentication, unencrypted private key):

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=0
eapol_version=2
ap_scan=0
fast_reauth=1
network={
key_mgmt=IEEE8021X
eap=TLS
identity="jdtestdomain.local/computers/0004137109a3"
client_cert="/snom/snomconfig/certificates/8021x/0004137109a3.cer"
private_key="/snom/snomconfig/certificates/8021x/0004137109a3.key"
eapol_flags=0
}



TAR-FILE contains: wpa_supplicant.conf / 0004137109a3.cer / 0004137109a3.key


Simple Example using PFX/PKCS#12-File

Based on a computer account (no server authentication, encrypted private key):

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=0
eapol_version=2
ap_scan=0
fast_reauth=1
network={
key_mgmt=IEEE8021X
eap=TLS
identity="jdtestdomain.local/computers/0004137109a3"
private_key="/snom/snomconfig/certificates/8021x/0004137109a3.pfx"
private_key_passwd="snom123"
eapol_flags=0
}



TAR-FILE contains: wpa_supplicant.conf / 0004137109a3.pfx


Extended Example

Based on a user account (including server authentication, encrypted private key and user account password; private key and client certificate in one file):

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=0
eapol_version=2
ap_scan=0
fast_reauth=1
network={
key_mgmt=IEEE8021X
eap=TLS
identity="martin.goth"
password="test123"
ca_cert="/snom/snomconfig/certificates/8021x/ca.cer"
client_cert="/snom/snomconfig/certificates/8021x/martingoth.pem"
private_key="/snom/snomconfig/certificates/8021x/martingoth.pem"
private_key_passwd="snom123"
eapol_flags=0
}
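As an added pre-flight check (example code written for this page, not part of Snom's firmware or tooling), the Python script below parses a wpa_supplicant.conf like the examples above and applies the rules stated in this section before the tarball is uploaded: the certificate paths must point into /snom/snomconfig/certificates/8021x/, client_cert is required unless private_key is a PKCS#12/PFX file, a missing ca_cert is reported as disabled server authentication, and every file the config references must actually be present in the tarball. The sample configuration is a copy of the PFX example above and the PFX content is a constructed placeholder.

```python
"""Pre-flight check of the 802.1X tarball for the phone (added example, not Snom code)."""
import io
import re
import tarfile
from pathlib import PurePosixPath

CERT_DIR = "/snom/snomconfig/certificates/8021x"   # required certificate path on the phone
CONF_NAME = "wpa_supplicant.conf"                    # required name of the configuration file
PATH_KEYS = ("ca_cert", "client_cert", "private_key")


def parse_network_block(conf_text):
    """Return the settings of the first network={...} block as a dict.
    Values may be quoted, and several settings may share one line."""
    match = re.search(r"network=\{(.*?)\}", conf_text, re.S)
    if not match:
        raise ValueError("no network={...} block in " + CONF_NAME)
    settings = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', match.group(1)):
        settings[key] = quoted if quoted else bare
    return settings


def build_tarball(files):
    """Pack {filename: bytes} into the flat tarball the phone expects; return the tar bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_tarball(tar_bytes):
    """Return {basename: bytes} for the regular files in the tarball."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return {PurePosixPath(m.name).name: tar.extractfile(m).read()
                for m in tar.getmembers() if m.isfile()}


def check_tarball(tar_bytes):
    """Return (errors, warnings); an empty error list means the tarball should load."""
    errors, warnings = [], []
    files = read_tarball(tar_bytes)
    if CONF_NAME not in files:
        return [CONF_NAME + " is missing from the tarball"], warnings
    s = parse_network_block(files[CONF_NAME].decode("utf-8"))

    if s.get("key_mgmt") != "IEEE8021X":
        errors.append("key_mgmt must be IEEE8021X")
    if s.get("eap") != "TLS":
        errors.append("eap must be TLS")
    if not s.get("identity"):
        errors.append("identity is missing")
    key = s.get("private_key", "")
    if not key:
        errors.append("private_key is missing")
    uses_pfx = key.lower().endswith((".pfx", ".p12"))
    if not uses_pfx and not s.get("client_cert"):
        errors.append("client_cert is required unless private_key is a PKCS#12/PFX file")
    if "ca_cert" not in s:
        warnings.append("no ca_cert: server authentication is disabled")

    # Every certificate path must live in CERT_DIR and its file must be in the tarball.
    for k in PATH_KEYS:
        if k not in s:
            continue
        p = PurePosixPath(s[k])
        if str(p.parent) != CERT_DIR:
            errors.append(f"{k} must point into {CERT_DIR}/, got {s[k]}")
        elif p.name not in files:
            errors.append(f"{k} references {p.name}, which is not in the tarball")
    return errors, warnings


# Constructed sample: the PFX example from this page; the PFX content is a placeholder.
SAMPLE_CONF = b"""ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=0
eapol_version=2
ap_scan=0
fast_reauth=1
network={
key_mgmt=IEEE8021X
eap=TLS
identity="jdtestdomain.local/computers/0004137109a3"
private_key="/snom/snomconfig/certificates/8021x/0004137109a3.pfx"
private_key_passwd="snom123"
eapol_flags=0
}
"""


def demo():
    """Check a correct tarball and one whose key path is wrong and whose key file is missing."""
    good = build_tarball({CONF_NAME: SAMPLE_CONF, "0004137109a3.pfx": b"<placeholder pfx>"})
    wrong_path = SAMPLE_CONF.replace(b"/snom/snomconfig/certificates/8021x/", b"/tmp/")
    bad = build_tarball({CONF_NAME: wrong_path})
    return check_tarball(good), check_tarball(bad)


if __name__ == "__main__":
    for errors, warnings in demo():
        print("errors:", errors, "warnings:", warnings)
```

The check only reads the tarball in memory, so it can run on the workstation that produced it; the phone's own loader is what finally decides, but the path and file-name mistakes it catches are the ones that otherwise only show up as a failed [OK] on the certificate page.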


Using Intermediate certificates

Method 1: Put all certificates in one file, starting with the server certificate and then the intermediates up to the root CA:

subject= … (server)
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
subject= … (intermediate)
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
subject= … (root)
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----



Method 2: Set several ca_cert lines in the wpa_supplicant.conf:

…
ca_cert="/etc/cert/ca/rootcert.der"
ca_cert="/etc/cert/ca/intermediatecacert.der"
ca_cert="/etc/cert/ca/cacert.der"
ca_cert="/etc/cert/ca/radius1.der"
…


Phone configuration (Web user interface)

There are two ways of configuring 802.1X on the phone. The first is via the web UI and is described in this section; for provisioning please refer to the next section. For this step the phone has to be in a non-802.1X environment so that you can reach the phone from your web browser. I assume the latest 802.1X firmware is already on the phone and the phone was reset to factory defaults after the upgrade. Open the web UI by entering https://X.X.X.X in your browser, replacing the X with the actual IP address of the phone. Go to Certificates → 802.1x Certificates.


Click the button to choose a file and then navigate to the tarball you created before. Select it and click on “Load”.


Afterwards you should see the files you uploaded. [OK] indicates that the certificates were loaded correctly.

Now navigate to Advanced → Qos/Security and choose EAP-TLS in the 802.1X dropdown:

Don’t be fooled by the type EAP-TLS: whatever is configured in wpa_supplicant.conf is what is actually used. This will change in a stable release. Always keep in mind that this is a pre-alpha firmware version. Now you can put your device into an 802.1X-protected environment and reboot the phone. The authentication process will start and its progress is shown on the display.

Phone configuration (Provisioning) 

You can also provide these settings and the tarball via provisioning. There are multiple ways of doing this, which are described in our wiki:

https://service.snom.com/display/wiki/Auto+Provisioning

https://service.snom.com/display/wiki/Desk+Phone+Configuration+Files

These settings have to be set to enable custom certificates:

<?xml version="1.0" encoding="utf-8"?>
<settings>
  <phone-settings e="2">
    <ieee8021x_eap_auth_method perm="">EAP-TLS</ieee8021x_eap_auth_method>
    <ieee8021x_eap_tls_use_custom_cert perm="">on</ieee8021x_eap_tls_use_custom_cert>
    <ieee8021x_eap_tls_debug perm="">off</ieee8021x_eap_tls_debug>
  </phone-settings>
  <uploads>
    <file url="http://$host/$filename.tar" type="certificates_8021x"/>
  </uploads>
</settings>

Make sure to replace the “url” attribute of the file element with the actual location of the tarball in your environment. All phone settings related to 802.1X authentication are shown in the example above.
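As an added example (written for this page, not Snom's code), the following Python builds the provisioning XML above with ElementTree and checks an existing document before it is published: the three 802.1X settings are present with the expected values (debug off, as the Debug section below requires for production), the upload entry has type certificates_8021x, and the tarball URL is flagged if it still contains a placeholder or is fetched over plain http, since the tarball carries the client's private key. The https URL used in the demo is a constructed placeholder.

```python
"""Build and sanity-check the 802.1X provisioning XML (added example, not Snom code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Settings from this page, with the values a production phone should carry.
REQUIRED_SETTINGS = {
    "ieee8021x_eap_auth_method": "EAP-TLS",
    "ieee8021x_eap_tls_use_custom_cert": "on",
    "ieee8021x_eap_tls_debug": "off",   # debug logging stays off outside troubleshooting
}
UPLOAD_TYPE = "certificates_8021x"


def build_provisioning_xml(tar_url):
    """Return the provisioning document for a tarball published at tar_url."""
    settings = ET.Element("settings")
    phone = ET.SubElement(settings, "phone-settings", e="2")
    for name, value in REQUIRED_SETTINGS.items():
        ET.SubElement(phone, name, perm="").text = value
    uploads = ET.SubElement(settings, "uploads")
    ET.SubElement(uploads, "file", url=tar_url, type=UPLOAD_TYPE)
    body = ET.tostring(settings, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body


def check_provisioning_xml(xml_text):
    """Return a list of findings; an empty list means the document matches the settings above."""
    root = ET.fromstring(xml_text)
    findings = []
    for name, expected in REQUIRED_SETTINGS.items():
        el = root.find(f"./phone-settings/{name}")
        if el is None:
            findings.append(f"missing setting {name}")
        elif (el.text or "").strip() != expected:
            findings.append(f"{name} is '{(el.text or '').strip()}', expected '{expected}'")
    uploads = root.findall(f"./uploads/file[@type='{UPLOAD_TYPE}']")
    if not uploads:
        findings.append(f'no <file type="{UPLOAD_TYPE}"> upload entry')
    for entry in uploads:
        url = entry.get("url", "")
        if "$" in url:
            findings.append(f"tarball URL {url} still contains a placeholder")
        if urlparse(url).scheme != "https":
            findings.append(f"tarball URL {url} is not https; the tarball carries a private key")
    return findings


# The template from this page, as a constructed copy for the demo.
PAGE_XML = """<?xml version="1.0" encoding="utf-8"?>
<settings>
<phone-settings e="2">
<ieee8021x_eap_auth_method perm="">EAP-TLS</ieee8021x_eap_auth_method>
<ieee8021x_eap_tls_use_custom_cert perm="">on</ieee8021x_eap_tls_use_custom_cert>
<ieee8021x_eap_tls_debug perm="">off</ieee8021x_eap_tls_debug>
</phone-settings>
<uploads>
<file url="http://$host/$filename.tar" type="certificates_8021x"/>
</uploads>
</settings>
"""


def demo():
    """Findings for the page template, a filled-in document, and one with debug left on."""
    ready = build_provisioning_xml("https://prov.example.internal/8021x/0004137109a3.tar")
    debug_on = ready.replace(">off<", ">on<")
    return (check_provisioning_xml(PAGE_XML),
            check_provisioning_xml(ready),
            check_provisioning_xml(debug_on))


if __name__ == "__main__":
    for findings in demo():
        print(findings or "ok")
```

Run the check against the file your provisioning server actually serves, not the template: the two findings it raises on the template (placeholder URL, plain http) are exactly the ones that are easy to carry over unchanged.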

Debug

Important: If you enable the 802.1X debug log, deactivate this option again as soon as you have found the problem or obtained the information you needed. Never activate the 802.1X debug log in a production environment! The debug log survives a reboot, so if authentication fails you can take the phone, put it back into a non-802.1X environment and look at the debug output of wpa_supplicant.

Examples

OpenSSL config example (e.g. snom.cnf) for a computer certificate

certreq INF example