TECHNICAL COMMUNICATION No. TC1436 Ed. 01
OmniPCX Enterprise Nb of pages : 5 Date : 14 February 2011

SUBJECT: IP TOUCH PHONE DOESN'T START WHEN 802.1X EAP-TLS AUTHENTICATION IS ACTIVATED DUE TO FAULTY FACTORY CERTIFICATE

CONTENTS

1. DESCRIPTION OF THE ISSUE
2. IP TOUCH PHONES AFFECTED
2.1 How to retrieve IP Touch’s Serial Number on a running system?
3. HOW TO CHECK THE VALIDITY OF THE CERTIFICATE?
4. HOW TO PROCEED?

OmniPCX Enterprise
IP TOUCH PHONE DOESN'T START WHEN
802.1X EAP-TLS AUTHENTICATION IS
ACTIVATED DUE TO FAULTY FACTORY
CERTIFICATE

1. DESCRIPTION OF THE ISSUE


The IP Touch phone does not start when 802.1x EAP-TLS authentication is activated to control access to
the Data Network, because of a faulty factory certificate.
When the 802.1x EAP-TLS authentication feature is activated on the Data Switch, an IP Touch
connected to that switch must first be authenticated before it is allowed to connect to the
Data Network.
Because of the faulty factory certificate, the authentication fails and the IP Touch does not start,
so it has no access to the Data Network.
There are two situations in which the issue comes up:
• An IP Touch with a faulty certificate is installed on a Data Network that already implements
802.1x EAP-TLS.
• Or an IP Touch with the faulty certificate is first deployed on a Data Network where 802.1x
EAP-TLS is NOT implemented. The IP Touch will operate normally until the data switch is
configured to activate 802.1x EAP-TLS authentication. From that moment, the IP Touch will
reset and will not start.
In both situations, the error message 802.1x Authentication Failed will be displayed on the
screen.
This issue is NOT PRESENT when:
• 802.1x EAP-MD5 authentication is activated
• There is no 802.1x authentication on the Data Network
The issue is not related to the Call Server software.
Note
The TLS authentication protocol is available as of R9.0 on Alcatel-Lucent IP Touch 4028/4038/4068
with 16MB of RAM, Alcatel-Lucent IP Touch 4008/4018, and Alcatel-Lucent IP Touch 8 series phone
Extended Edition sets.

2. IP TOUCH PHONES AFFECTED


The problem affects the IP Touch phones series 4008 EE, 4018 EE, 4028 EE, 4038 EE and 4068
EE.
The Serial Number range of the IP Touch phones with the issue is FCN010105XXXXX to
FCN010231XXXXX.

The IP Touch phones series 4028 FE, 4038 FE and 4068 FE are NOT AFFECTED.


2.1 How to retrieve IP Touch’s Serial Number on a running system?


The OXE getnoeversion system command returns information on all IP Touch sets declared on
the Communication Server Node. It can be used to list the Serial Number of every set
on a running system.

(1203)caimans> getnoeversion
getnoeversion started 2011-02-11 at 14:12:16
Begin the inventory of all Alcatel 8&9 Series phones registered on that node ?
Choose between 2 output file types (x for xml, c for csv, q to quit) (x/c/q) c
.. 72% achieved .. 81% achieved .. 90% achieved .. 100% achieved ..
getnoeversion ended 2011-02-11 at 14:12:21
getnoeversion ... 22 extensions retrieved out of 22 configured in management.
getnoeversion ... inventory file path is /DHS3dyn/mao/getnoeversion.csv.Z
(1203)caimans>

Example of getnoeversion.csv file content

Dir numb  in  Typ term     Dom  Serial Number   Hardware version    Software version
3010      OK  IPT 4038GEE  0    FCN00734500687  3GV23021JCCA030749  4.20.80
3044      OK  IPT 4038     0    H0400408606094  3GV23014ACCA030415  4.20.80
3020      OK  IPT 4038     0    H0400414208453  3GV23014ACCA040419  4.20.80
3003      OK  IPT 4068     0    H0500614417190  3GV23014JDFA080620  4.20.80
3017      OK  IPT 4038     0    H0500520809982  3GV23014BCFA020529  4.20.80
3016      OK  IPT 4038     5    H0400408606128  3GV23014ACCA030415  4.20.80
3004      OK  IPT 4038     0    H0400414208235  3GV23014ACCA040418  4.20.80

3. HOW TO CHECK THE VALIDITY OF THE CERTIFICATE?


The validity of the factory certificate can be checked with the IP Touch embedded command:
certificate
The example below uses extension number 3003.
• Get IP address
ippstat d 3003

...
|00003|00:80:9f:5d:8b:20 |V|01227|3003 |Williams Fr|172.025.033.008| Ipt|
...

• Allow telnet
ippstat
...
Timeout for telnet session of IP Touch set : 15
....
Enter your choice : 15
Enter a directory number you want to manage : 3003
Enter a timeout value expressed in minutes (between 0 to 1440) : 1400

• Check certificate
Result for an IP Touch with a good certificate
(1203)caimans> telnet 172.25.33.8
Trying 172.25.33.8...
Connected to 172.25.33.8.
Escape character is '^]'.
NoePhone > certificate
certificate
#certificate#
0: /CN=00809F5D8B20/C=FR/O=ALCATEL/OU=PKI ALCATEL
certificate OK
NoePhone >

Result for an IP Touch with a Faulty Certificate


(1203)caimans> telnet 172.25.33.8
Trying 172.25.33.8...
Connected to 172.25.33.8.
Escape character is '^]'.
NoePhone > certificate
certificate
#certificate#
certificate OK
NoePhone >

In this case the PKI information is missing: the certificate subject line is absent, even though
"certificate OK" is still displayed.
Only in this case, go to Section 4.

4. HOW TO PROCEED?
In case you encounter the issue:
• Please check that your IP Touch is in the range of the affected sets (see paragraph §0, §3).
• Open a Technical Support Service Request.
Technical Support will confirm the issue and communicate the necessary actions to fix the issue.
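
The two checks above (serial number inside the affected range, subject line present in the certificate output), as an added Python example that is not part of the original communication. It assumes the six digits after "FCN" are compared numerically against the range in section 2; the function names and the sample rows 3050 and 3051 are constructed for illustration.

```python
import re

# Section 2 range: FCN010105XXXXX to FCN010231XXXXX. Assumption: the six
# digits after "FCN" are compared numerically; the five X's are free.
SERIAL_RE = re.compile(r"\bFCN(\d{6})\w{5}\b")
RANGE_LOW, RANGE_HIGH = 10105, 10231

# Subject line a good set prints, e.g. "0: /CN=.../OU=PKI ALCATEL".
SUBJECT_RE = re.compile(r"^\s*\d+:\s*/CN=\S+", re.MULTILINE)


def affected_serials(inventory_text):
    """Serial numbers in getnoeversion output that fall in the range."""
    return [m.group(0) for m in SERIAL_RE.finditer(inventory_text)
            if RANGE_LOW <= int(m.group(1)) <= RANGE_HIGH]


def classify_certificate(transcript):
    """Classify the output of the NoePhone 'certificate' command."""
    _, marker, body = transcript.partition("#certificate#")
    if not marker:
        return "no-output"
    if SUBJECT_RE.search(body):
        return "good"
    # "certificate OK" is printed in both cases, so it is not a pass signal;
    # only the missing subject line identifies the faulty certificate.
    return "faulty" if "certificate OK" in body else "unknown"


# Constructed sample data: rows 3010 and 3044 come from the page's example
# inventory; rows 3050 and 3051 are made up to exercise the range limits.
SAMPLE_INVENTORY = """\
3010 OK IPT 4038GEE 0 FCN00734500687 3GV23021JCCA030749 4.20.80
3050 OK IPT 4038GEE 0 FCN01010500001 3GV23021JCCA030749 4.20.80
3051 OK IPT 4038GEE 0 FCN01023200001 3GV23021JCCA030749 4.20.80
3044 OK IPT 4038 0 H0400408606094 3GV23014ACCA030415 4.20.80
"""
GOOD = ("#certificate#\n0: /CN=00809F5D8B20/C=FR/O=ALCATEL/OU=PKI ALCATEL\n"
        "certificate OK\nNoePhone >")
FAULTY = "#certificate#\ncertificate OK\nNoePhone >"

if __name__ == "__main__":
    print("in affected range:", affected_serials(SAMPLE_INVENTORY))
    for name, text in (("good", GOOD), ("faulty", FAULTY)):
        print(name, "->", classify_certificate(text))
```

The serial range alone does not confirm the fault; the set type (EE series) and the certificate output still have to be checked as described in sections 2 and 3.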
