+- Yealink Forums (http://forum.yealink.com/forum)
+-- Forum: IP Phone Series (/forumdisplay.php?fid=4)
+--- Forum: Configuration (/forumdisplay.php?fid=24)
+--- Thread: T46g & T48G RADIUS 802.1x and SHA256 (/showthread.php?tid=13199)
RE: T46g & T48G RADIUS 802.1x and SHA256 - Bigmac - 12-01-2016 09:34 AM
Hi Karl,
Any news from R&D?
Unfortunately, the 802.1x authentication still does not work with the new version T48-35.81.0.20.
The RADIUS Server Log displays the following message:
####
Reason Code: 23
Reason: An error occurred while the Network Policy Server was using the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
####
I believe the EAP-MSCHAP v2 does not work correctly on the T48.
As previously posted, the version T48-35.80.0.70 works with 802.1x.
The T46 has the same problem with the version T46-28.81.0.20.
The version T46-28.80.0.70 works very well.
The firmware T46-28.80.0.70 send the Authentication-Type 5 = EAP
The firmware T46-28.81.0.20 send the Authentication-Type 11 = Unknown
BR, Torsten
RE: T46g & T48G RADIUS 802.1x and SHA256 - dgcorp - 02-13-2017 10:00 PM
- Can Yealink acknowledge that there is a problem with 802.1x PEAP-MSCHAPv2 on the more recent ROMs and is anything being done to fix this?
I just found this forum thread and wanted to say that I'm seeing the same problems as Bigmac.
We are preparing to enable 802.1x across our wired network.
Planned 802.1x Auth Method = PEAP/MSCHAPv2
Switches are HP / Aruba
RADIUS is Win2012R2 Network Policy Server
CA Root is Win2012R2 Certificate Services.
Root Cert is Base64 PEM encoded (file ends in .cer) using SHA1 (not SHA256 I don't think)
Yealink T46 with ROM: 28.80.0.136 (provisioned by our supplier Teliqo)
I spent yesterday unable to get my test T46G phone to connect but it was just failing repeatedly, no matter what I adjusted in the RADIUS settings.
RADIUS logs error:
"Terminate Cause: Unexpected error. Possible error in server or client configuration." (most unhelpful I know)
Windows Security Log EventID 6273:
Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
Windows System Log EventID 36887: (around the same time)
"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 46."
-
I was starting to pull my hair out, until I thought to try an older ROM. Here are my results:
28.72.23.6 = PEAP works
28.80.0.95 = PEAP works
28.80.0.136 = does NOT work
28.81.0.25 = does NOT work
I saw a similar PCAP network trace as I think Bigmac posted, but I haven't analysed it in great detail.
Regards, Derek
-
RE: T46g & T48G RADIUS 802.1x and SHA256 - Karl_Yealink - 04-05-2017 02:21 AM
Please send the PCAP files to me for test.
RE: T46g & T48G RADIUS 802.1x and SHA256 - Bryan Nelson - 04-07-2017 09:48 PM
Hello all,
We were also having issues with 802.1x and newer firmware, and our issue was related to the Extended Key Usage extension on the certificate itself. If client authentication was an allowed purpose, the certificate is rejected by the phone with "certificate unknown" as the error.
Extended Key Usage
Allowed Purposes: Server Authentication
,Client Authentication
This may or may not be the problem you are running into, as we likely use a very different setup. If anyone has any questions, feel free to PM me.
Thanks to Karl for assisting in solving this problem for us!
RE: T46g & T48G RADIUS 802.1x and SHA256 - abeggled - 04-26-2017 10:51 AM
Hi
I ran also in the 802.1x PEAP-MSCHAP v2 problems. The only firmware that' works is 35.80.0.70 on T48G.
Is there any chance to get this corrected?
Nay news from R&D?
@Bigmac: How have you solved it?
Regards,
Daniel
RE: T46g & T48G RADIUS 802.1x and SHA256 - Bigmac - 04-26-2017 11:16 AM
Hi Daniel,
today I received a new firmware from Karl to test.
After installing, the T48G must be started twice, then 802.1x worked fine.
Unfortunately, the device is now slower when I use the display buttons.
Regards,
Torsten
RE: T46g & T48G RADIUS 802.1x and SHA256 - Bigmac - 05-16-2017 08:08 AM
Not Solved
The new firmware T48-35.81.0.90.rom & T46-28.81.0.90.rom
have the same Problem.
I got the Firmware T48-35.81.0.76.rom & T46-28.81.0.78.rom
from Yealink_Karl which has fix the problem and working fine.
Why is in the new firmware again the old bug?
BR,
Torsten
RE: T46g & T48G RADIUS 802.1x and SHA256 - thecyborg - 05-22-2017 01:45 PM
(05-16-2017 08:08 AM)Bigmac Wrote: Not SolvedI have the same issue; 802.1x fails in T48-35.81.0.90.rom and succeeds in T48-35.80.0.70.rom. Can we expect a bugfix firmware anytime soon?
The new firmware T48-35.81.0.90.rom & T46-28.81.0.90.rom
have the same Problem.
I got the Firmware T48-35.81.0.76.rom & T46-28.81.0.78.rom
from Yealink_Karl which has fix the problem and working fine.
Why is in the new firmware again the old bug?
BR,
Torsten
RE: T46g & T48G RADIUS 802.1x and SHA256 - Pico - 06-07-2017 07:35 AM
We are also seeing the same behaviour on different handsets - the T23G does exactly the same on firmwares > xx.80.0.70.
RE: T46g & T48G RADIUS 802.1x and SHA256 - KMTire - 07-12-2017 05:58 PM
Has there been any resolve to this? We are having what appears to be the same issue (except with Yealink T27G phones). I have tried FW versions 69.81.0.110 and, I believe, 69.81.0.25. Both of these version result in a response of error 23 from the radius server. This exact same configuration works fine with T28P w/ FW 2.73.0.40. There are not very many FW's available for the T27G phone and I am guessing all of the releases from 69.81.x.x will have this problem.
Any updates with this is welcomed.
Thanks,
Joe