OpenStage phones using 802.1X certificates and DLS

[daynomate]

Hi, I'm a network engineer rather than involved with the voice system but I'm tasked with getting 802.1X authentication working with our IP Phones.

I've read several documents about standard deployments but they all seem to point to having a single user certificate for a phone profile template. This would mean to me that all phones in that profile share a common user certificate. This is not ideal in 802.1X as we really should have individual certificates for each handset that can be revoked or replaced.

Has anyone had experience using 802.1X with these handsets or any handsets that are managed by DLS?

We are using Cisco switches and Microsoft NPS as the CA and windows Radius server.

[Kimera]

Interesting request.

I think you will be able to generate single Client Certificates (so just each one Client Certificate could be used with each one IP Phone) and not just only one for all of your IP Devices.

HiPath DLS (now OpenScape DLS), which acts as a central configuration and deployment point of security parameters (I mean VoIP Security Management and/or 802.1x Certificates Management), should then let you manage the 802.1x authentication process through the definition and usage of Templates/Locations profiles by using IP Devices or SIP Users specific information/parameters so you can manage what you want per-Device basis (An example: I think a parameter for a custom Location could be an IP range and then some IP Devices could be associated with that custom Location...but other parameters are available, like E.164 Patterns).

As references I would read the "OpenScape Deployment Service Administration and Installation Manual" (latest available edition: P31003-S2370-M107-01-76A9 released September, 13rd 2013) and the "IEEE 802.1x Configuration Management Administration Manual" (latest available edition: P31003-S2000-M103-01-76A9 released April, 22th 2013) and I would use the OpenScape DLS V7 R1.10.2 (recently released) or the OpenScape DLS V6 R1.7.1 (better R1.8.0 recently released) taking care of reading relevant Release Notes too (The reference about those specific DLS versions is due to resolved issues with Plug & Play Deployment of PKI Certificates and Automatic Certificates Renewal features).

Also consider to search (SEBA now Unify Partner Portal) Knowledge Base for articles about IEEE 802.1x: there you will find interesting things. Personally I've not enough experience about IEEE 802.1x deployments because (as far as I know) such type of security requirements isn't so common here (gosh!) but, maybe, other Forum's members were able to help you better than me.

Best regards, Kimera.

[daynomate]

Thanks Kimera, that was great to know.

I was able to find the DLS Admin and Install manual (P31003-S2370-M107-15-76A9 with filename 20130827074202!Deployment-Service_V7_en.pdf but in the footer it mentions 04/2013)

I couldn't find the new verison of the 802.1X manual though, the latest being the April 2011 one which seems quite outdated.

However from various doc's I can now see that even with our current V3 of DLS we can do individual cets pushed to the phones via template as long as the filenames match a look-up pattern i.e. MACADDRESS-PK12 so that the right phone cert can be pushed to the right phone.

The ideal scenario where it's all handled automatically from the CA also seems now possible with DLS V6 thanks to what they call the "PKI Connector" which seems to be a java plugin. I can't find much information about how it actually works, though there is config items in the latest DLS manual covering it. With this working we should then be able to issue, revoke, replace, renew etc phone certs direct from the CA with now work required on the DLS once it's all setup.

For now I'm going to try the manually generated certs and get DLS to assign them based on filename for a quick trial.

I'll keep the thread posted with my results. Thanks again!

[Kimera]

Hi daynomate,

Glad to hear that through Templates you can manage the per-Device deployment of Certificates. Just drop me a PM or an e-Mail for updated manuals.

Regarding the OpenScape DLS "PKI Connector" feature: I suppose you shall license your DLS with "n" PKI User Licenses where "n" should be the number of the users who are going to use that feature.

See screen-shots.

Best regards, Kimera.

[daynomate]

Thanks again! I'll shoot you a PM as those updated manuals would be awesome.

Re: licensing - I read it as though that is only required if using an Internal PKI on DLS, is that correct? If we only use the last method of getting an external CA to fully manage all the certificates is that Mobility PKI license still required?

Regards,
Daynomate

[Kimera]

Thanks again! I'll shoot you a PM as those updated manuals would be awesome.

I saw.

Re: licensing - I read it as though that is only required if using an Internal PKI on DLS, is that correct?

It seems so (although it's not so clearly stated...the manual doesn't say specifically "...when using - internal DLS (I will add) - PKI service..." so a doubt remains but, after all, it seems that Licensing could be mandatory when you're going to use the DLS itself as a provider of Certificates through its internal - here, again - PKI features).

If we only use the last method of getting an external CA to fully manage all the certificates is that Mobility PKI license still required?

See above.

[daynomate]

Hi, thanks again for that documentation. We are finally trying to do this but I seem to have come stuck :/ In DLS the Administration -> PKI option is a solid circle instead of a folder that can be expanded.

I assumed from what the documentation said that there was no installation of the connector or plugin required. Is that correct?

[daynomate]

Hi, thanks again for that documentation. We are finally trying to do this but I seem to have come stuck :/ In DLS the Administration -> PKI option is a solid circle instead of a folder that can be expanded.

I assumed from what the documentation said that there was no installation of the connector or plugin required. Is that correct?

Oops - we worked out the problem - it was the DLS user permissions. When logging into DLS as Administrator it appears fine.

Now the next issue is licensing. I am now totally confused - from the doco I read we would not need additional licensing to use the PKI Connector, however from what I can read we do need to use the MSCA Plugin and that requires PKI licensing.

The reason for the confusion is that I thought licensinging was required if we were using PKI to secure the phone -> DLS communication, and not for phone -> 802.1X CA