Cisco ASA: VPN on Avaya IP Phone with Certificate Authentication and SCEP

I spent a few days working through different issues while trying to set up VPN on an Avaya IP Phone with certificate authentication using Cisco ASA and Microsoft Certificate Authority (CA) with SCEP. I found multiple (1,2,3) Avaya configuration guides with incomplete or missing information and a couple of support articles which did not get me far, so in this post I'll go over configuration specifics and some of my findings. I'm sure these findings can be applied to other 3rd-party devices configured for Cisco ASA Remote Access VPN with certificate-based authentication.

Components:
Cisco ASA: 9.7.x
Microsoft CA: Windows 2008R2
Avaya IP Phone: 9608

Since there are so many places where this setup can break, you need to have a solid working configuration at each step.

First, set up MS CA with NDES. This part is covered very well by Microsoft articles. I'd suggest disabling the SCEP Challenge Password as described here since it makes provisioning a lot easier, and there are other security mechanisms to restrict NDES enrollment.

This is the first error message I got after completing setup and attempting a VPN connection: "ExtendedKeyUsage OID …. NOT acceptable".


It turned out the default EKU setting of "IP security IKE intermediate" does not work and it needs to be "IP security tunnel termination". Fix it by changing the extension on the CA template under Certificate Authority > Certificate Templates > Manage (right click) > "Your NDES template" > Extensions > Application Policies > Edit > delete the existing policy and add "IP security tunnel termination". No other extensions are needed.

Next, configure the Cisco ASA. As an alternative to the CLI version in the Avaya Configuration Guide I've used ASDM and found it quicker and more intuitive for setup. First, add an Identity Certificate under Configuration > Device Management > Certificate Management > Identity Certificates > Add. Create a new key for it.

Select Advanced > Enrollment Mode and configure the SCEP enrollment URL. For Windows 2008R2 it is http://SCEP-IP-ADDRESS/certsrv/mscep/mscep.dll.

Since I've disabled the enrollment password, leave the SCEP Challenge Password tab blank.

Hit OK and deploy the configuration to the ASA. Enrollment will take place automatically, and you may have to hit refresh in ASDM to get the updated status. You will know it is successful when all the Identity Certificate fields populate and the CA Certificates tab displays the signing certificate. Edit the CA Certificate configuration to tweak the CRL Retrieval Method settings to disable LDAP and HTTP.

Now run through the ASDM VPN Wizard > Remote Access VPN Wizard to set up the VPN connection policies. Some of it is covered very well in the Avaya Configuration Guide. Here is my config. I used a RADIUS server for XAUTH for visibility and logging purposes.

aaa-server Radius protocol radius
aaa-server Radius (inside) host IP-ADDRESS
 key KEY
aaa-server Radius (inside) host IP-ADDRESS
 key KEY

ip local pool vpnphone-ip-pool POOL-SUBNET mask 255.255.255.0
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400

group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group Radius
tunnel-group DefaultRAGroup ipsec-attributes
 peer-id-validate nocheck
 ! Add the line below in case the Certificate to Connection Profile Map is not used
 ikev1 trust-point MS-CA

group-policy VPNPHONE internal
group-policy VPNPHONE attributes
 vpn-tunnel-protocol ikev1
tunnel-group VPNPHONE type remote-access
tunnel-group VPNPHONE general-attributes
 address-pool vpnphone-ip-pool
 authentication-server-group Radius
 default-group-policy VPNPHONE
tunnel-group VPNPHONE ipsec-attributes
 peer-id-validate nocheck
 ikev1 trust-point MS-CA

In order to have the IP Phone use a specific connection profile you will need to set up a Certificate to Connection Profile Map. On the Policy tab check "Use the configured rules…".

Under Rules create a mapping rule. Use fields from the IP Phone certificate to match a specific Connection Profile. In the example below I've selected the Issuer field to match the CA name.
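The CLI equivalent of the Certificate to Connection Profile Map configured above in ASDM, as an added example that is not part of the original post. It assumes the map name VPNPHONE-CERT-MAP and the placeholder MS-CA-NAME (the CN of the issuing CA as it appears in the phone certificate's Issuer field); the VPNPHONE and DefaultRAGroup tunnel groups are the ones from the config above.

```cisco
! Added example, not from the original post. VPNPHONE-CERT-MAP and MS-CA-NAME are placeholders.
! Rule 10: match any certificate whose Issuer CN equals the CA name
crypto ca certificate map VPNPHONE-CERT-MAP 10
 issuer-name attr cn eq MS-CA-NAME
!
! Enable rule-based matching (ASDM: "Use the configured rules to match a certificate to a group")
tunnel-group-map enable rules
! Send certificates matching rule 10 of VPNPHONE-CERT-MAP to the VPNPHONE connection profile
tunnel-group-map VPNPHONE-CERT-MAP 10 VPNPHONE
! Certificates matching no rule land in DefaultRAGroup, the profile the config above
! also gives an ikev1 trust-point for the case where the map is not used
tunnel-group-map default-group DefaultRAGroup
```

Verify the result with show running-config crypto ca certificate map. Note that matching on the issuer alone sends every certificate signed by that CA, not just the phones, to the VPNPHONE profile; if the same CA issues certificates to other device classes, add a subject-name attr rule to the same map sequence so only the phone certificates match.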

And finally, the Avaya IP Phone configuration.

VPN settings are loaded to the Avaya phone from a configuration file over HTTP, so your first check is to monitor the IP Phone display for an HTTP 200 code. If you get any other response it means the file/setting was not loaded correctly. By default, the Avaya Utility server is used by the IP Phones to load the configuration file, but it has limited access to logs and it is really hard to troubleshoot and upload additional files. The MS CA server has a website to request certificates for various needs, so I used that for temporary file placement. In this case, the files need to be on the Intermediate CA in c:\Inetpub\wwwroot\.

  • 96x1Hupgrade.txt – just calls 46xxsettings.txt. Probably not needed; it was imported from the default setup.

********************************************
* Get the settings file
********************************************
# GETSET
GET 46xxsettings.txt

  • 46xxsettings.txt – contains all the configuration settings necessary for the IP Phone to initiate the VPN tunnel. The settings are very well covered in the Avaya Configuration Guide. Just make sure not to make the file too large, as there is a cutoff point. I moved all the enabled settings to the beginning of the file.
  • root.crt and Intermediate.crt are the signing certificates, which can be extracted from the CA. The configuration guide does not mention it, but the root needs to be imported as well. The easy way to get these files is to download them from the CA website.

Double-click the file downloaded from the CA (certnew.p7b) and export the root and intermediate certificates from the chain.

Select Base-64 encoding.

Files will be exported with a .cer extension. Different guides list different extensions; I've tested both .cer and .crt successfully.

In the IP Phone configuration file, list them on the same line separated by a comma.

SET TRUSTCERTS root.crt,Intermediate.crt

With all the files in place you just need to point the IP Phone to look for the configuration file on the new HTTP server. This can be done with a DHCP option when the IP Phone boots up. In the example below the HTTP server is set to 10.1.1.11. You will also need the CallManager IP to complete setup and assign an extension to the IP Phone.

dhcpd option 242 ascii mcipadd=10.10.10.10,mcport=1719,httpsrvr=10.1.1.11

As the files load, you should see them on the IP Phone screen.

Successful upload will be confirmed with HTTP 200.

With all files loaded successfully you will be presented with the IP Phone extension screen, which needs to be provisioned by the CallManager admin. Once an extension is successfully assigned, the phone needs to be rebooted one more time to enable VPN (unless it was enabled in the configuration file). During reboot press "*" to program it. The default passcode is "27238".

Scroll down to VPN and press Start

VPN will be disabled. Set it to Enabled.

Use the Right Arrow button to click through the settings to the end and exit out to save the changes. The IP Phone will reboot and establish the VPN tunnel. If it does not, you can try the following troubleshooting steps.

For issues with certificates on the Cisco ASA, the following commands will be helpful:

debug crypto ipsec 128
debug crypto ikev1 128
debug crypto ca 128

On the Microsoft CA look at Issued Certificates and confirm the ASA and IP Phone certificates were issued.

Error:

CRYPTO_PKI: Found a suitable authenticated trustpoint ALG-Inter.
CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2
CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2, NOT acceptable
CRYPTO_PKI:check_key_usage: No acceptable ExtendedKeyUsage OIDs found

Fix:

  1. Go into the certificate properties and confirm the EKU settings. The OID needs to be IP Security Tunnel Endpoint (1.3.6.1.5.5.7.3.6).
  2. Check the EKU settings on the CA template.

Error: %ASA-5-713068: …………. Received non-routine Notify message: Invalid certificate (20)

On the Avaya IP Phone: "Gateway certificate invalid" error.

Fix:

  1. Check the Certification Path to make sure you are not missing trusted certs.
  2. Check the IP Phone config file for "SET TRUSTCERTS ….".
  3. Make sure the trusted certificates are in PEM format. Check with a text editor: if the contents are garbled, the file is not PEM.
  4. Rerun the phone setup, but do not reset from the error screen by selecting Program, as it may not clear the previous settings. Do reboot > "*" and passcode > reset > reboot > "*" again and verify all previous settings were cleared. Only then redo provisioning.

Error: Settings are not loading to Avaya IP Phone.

Fix:

  1. Make sure to move all the enabled options to the beginning of the file.
  2. Check the phone screen as the settings are loaded. Each file uploaded should end with HTTP 200.
  3. Clear the phone settings from the program menu and try loading again.
  4. Use a dedicated HTTP server to upload the files, not the Avaya Utility server.

Error: VPN establishes and the IP Phone immediately reboots.

Fix:

  1. An extension was not assigned during provisioning. Make sure to complete this step before enabling the VPN setting.
