Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2748
Views
0
Helpful
7
Replies

Cisco 8821 cert auto enrollment with SCEP

cmaiolani
Level 1
Level 1

‎08-29-2018 12:27 AM - edited ‎03-18-2019 12:30 PM

Hi All,

 

I configured one Cisco 8821 connected with EAP-TLS with SCEP for cert enrollment.

I have CUCM 12, 8821 with firmware sip8821.11-0-4SR1-13, one router for SCEP RA, one Microsoft CA and an ACS Cisco.

Everything works fine but I would like to test the scenario where the user cert of the phone is near to expire.

To test that I tried two ways:

 

- a cert Template with 4 h of duration and 1 h renewal

- The change of the 8821's clock

 

In both scenario from 8821 log and SCEP router log I can't see any attempt (SCEP mess) of the phone to request a new cert.

The only poor documentation about SCEP that i found is

 

https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cuipph/8821/english/Deployment/8821_wlandg.pdf

 

I can't find a troubleshooting guide, I can't find forum's discussions.

Any one could give me an advise about how to test and troubleshoot cert expiration on 8821 or any one has expirence about that? 

 

Thank you so much

 

0 Helpful
7 Replies 7

pieterh
VIP
VIP

‎08-30-2018 01:45 AM - edited ‎08-30-2018 01:52 AM

here from section 7 some debugging commands for scep

 

if your windows server is 2008, here are some issues to check

Important Microsoft Hotfixes

Before you configure SCEP support for BYOD, ensure that the Windows 2008 R2 NDES server has these Microsoft hotfixes installed:

0 Helpful

cmaiolani
Level 1
Level 1
In response to pieterh

‎08-30-2018 02:19 AM

Hi,
Thank you so much for reply.
I have 2012 R2 Standard.
My problem is Client-Side Logging, in this scenario Cisco 8821 Phone.
I would like to force the phone to ask via SCEP message to the Cisco Router a new certificate.
To do this I changed the time of the phone's NTP but I don't know exactly when the phone will try to request a new cert.
The guide tells:
"The Cisco Wireless IP Phone 8821 and 8821-EX will periodically check the user and server certificate expiration periods. Certificate renewal will occur when the expiration date is within 50 days".

And if i have a user cert duration of 40 or 30 days for example (for test purpose)? Periodically how: once a day, once a week?

Thank you so much.
0 Helpful

pieterh
VIP
VIP
In response to cmaiolani

‎08-30-2018 02:39 AM - edited ‎08-30-2018 02:44 AM

from this document, that also seems valid for scep, the timers seems to be calculated

- As soon as an identity certificate is installed, IOS calculates the RENEW timer for the specific trust-point as shown below

< graphic>

Current-Authoritative-Time means that the system clock has to be an authoritative source of time
as described here. (link to authoritative Time source section) PKI timers will not be initialized without an authoritative source of time. And as a consequence, renewal operation will not take place.

 

IOS does not initialize PKI timers without an authoritative clock. Although NTP is highly
recommended, as a temporary measure, the administrator can mark the hardware clock as authoritative using:
Router(config)# clock calendar-valid

0 Helpful

cmaiolani
Level 1
Level 1
In response to pieterh

‎08-30-2018 03:35 AM - edited ‎08-30-2018 03:36 AM

Thank you so much.

Cisco Phone 8821 is not an IOS device, so maybe timers calculation is different and I don't have any kind of parameter, timer, documentation about SCEP.
The phone has an NTP server, and I change the time of this NTP server and not the time of the phone directly. So I think it's Authoritative.

On the phone I can't see PKI timers as I can see that on the router.

0 Helpful

pieterh
VIP
VIP
In response to cmaiolani

‎08-30-2018 04:14 AM

if the ntp server is unsynchronized with an external timesource, it wil not be authoritative.

 

Yes I'm aware the phone is not IOS, but when describing SCEP mechanics, the behavour should be the same. the parameters come from the SCEP server and you can perform the calculation as described in the link.

 

you use the router as RA, you can try debugging there to see if any scep packets are received.

0 Helpful

pieterh
VIP
VIP
In response to pieterh

‎08-30-2018 04:18 AM

Do the logfiles on the phone show any messages regarding SCEP?

Step 1

Obtain the IP address of the Cisco IP Phone by using one of these methods:

  1. Search for the phone in Cisco Unified Communications Manager Administration by choosing Device > Phone. Phones that register with Cisco Unified Communications Manager display the IP address on the Find and List Phones window and at the top of the Phone Configuration window.

  2. On the Cisco IP Phone, access the Settings app, select Phone information > Device information > Network > IPv4, and then scroll to the IP Address field.
Step 2

Open a web browser and enter the following URL, where IP_address is the IP address of the Cisco IP Phone:

http://<IP_address>
Step 3

Click Console logs.
Step 4

Open the listed log files and save the files that cover the time period that the user experienced the problem.

If the problem is not limited to a specific time, save all the log files.
0 Helpful

cmaiolani
Level 1
Level 1
In response to pieterh

‎08-31-2018 12:15 AM

I see only SCEP message at the beginning, when the phone download certs (user and CA) via SCEP the first time.
After it seems the phone doesn't try to renew the user cert, even if the cert is expiring or expired and in this long moment I can't see any kind of SCEP logs in the Phone and obvious also in the router.
NTP is ok, also with clock calendar-valid command.

I tried to SSH the phone in DBUG mode but I can't find some interesting command for SCEP or similar

Thank you so much
0 Helpful
Customers Also Viewed These Support Documents