[cisco-voip] MRA Onboarding via activation code... phone trust list?

Thu Nov 18 12:29:26 EST 2021

I will note that I am seeing EXTREMELY long registration and
re-registration times for the MRA phones... like 10 minutes+

It appears to cycle between downloading TFTP and VPN Not Configured and
then eventually registers...

No errors, just takes forever.

Jonathan

On Wed, Nov 17, 2021 at 5:00 PM Jonathan Charles <jonvoip at gmail.com> wrote:

> I asked TAC for it and they just sent me the CAPF doco...
>
> However, I found:
>
> https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-7/exwy_b_mra-deployment/exwy_m_provisioning-mra-devices.html
>
> [image: image.png]
>
> But it seems to suggest only your internal CA needs to be in there...
>
>
> Jonathan
>
> On Wed, Nov 17, 2021 at 4:49 PM Brian V <bvanbens at gmail.com> wrote:
>
>> @Jonathan Charles <jonvoip at gmail.com>  one very interesting thing you
>> mentioned
>> " *Phone-Edge-Trust uploads the certs to the Cisco Cloud, so when the
>> phone gets the activation code it downloads those certs into its trust
>> store.*"
>> Would you happen to know where that is documented, and if so share
>> the link ?  I was not aware of that.
>> So you did NOT need to bring the phone back inside the network to have it
>> learn about the new Root CA Trust Cert / Chain ?
>> thats cool !
>>
>> On Wed, Nov 17, 2021 at 8:45 AM Jonathan Charles <jonvoip at gmail.com>
>> wrote:
>>
>>> OK, TAC never responded to me, but I found the solution.... I did a
>>> packet capture from the phone and saw it come back with an invalid CA for
>>> the Let's Encrypt certs... I uploaded the cert chain for Let's Encrypt to
>>> Phone-Edge-Trust on the CCM Publisher and the phone registered.
>>>
>>> Phone-Edge-Trust uploads the certs to the Cisco Cloud, so when the phone
>>> gets the activation code it downloads those certs into its trust store.
>>>
>>> This cert store is designed for people using their own internal certs,
>>> but my phone was a CP-8845-K9=V03 I got in 2017 and probably predates the
>>> Lets Encrypt CA.... so, if you see TLS error or Invalid CA in the PCAP, it
>>> is worth a shot to upload the E's external cert chain to the Pub.
>>>
>>>
>>> Jonathan
>>>
>>> On Thu, Nov 11, 2021 at 4:57 PM Jonathan Charles <jonvoip at gmail.com>
>>> wrote:
>>>
>>>> Yes, they will, the Expressway E was designed around an ACME cert and
>>>> Let's Encrypt is super free.
>>>>
>>>> Anyway, I think the issue is between the Expressway and CUCM at this
>>>> point... escalating to TAc...
>>>>
>>>>
>>>> Jonathan
>>>>
>>>> On Thu, Nov 11, 2021 at 4:49 PM Brian V <bvanbens at gmail.com> wrote:
>>>>
>>>>> WIll the phones trust a LetsEncrypt cert ?
>>>>> Jabber works because the OS (Windows/MAC/iOS/Droid) gets updated root
>>>>> CA certs on a regular basis
>>>>> The trusted certs in the phone have to be placed there in the software
>>>>> by Cisco.
>>>>> This might be a situation where newer code on a phone is required if
>>>>> the trusted Root CA (or chain) for Lets Encrypt is missing on the phone.
>>>>>
>>>>> On Thu, Nov 11, 2021 at 11:27 AM Matthew Huff <mhuff at ox.com> wrote:
>>>>>
>>>>>> I wouldn’t put a lot of weight in the status on the phone with the
>>>>>> TLS error, I’ve seen that with working phones. Do you have the phone MRA
>>>>>> domain set? We have a separate device pool for MRA devices so it can set
>>>>>> the time from external ntp sources. If the time on the phone is off,
>>>>>> the crypto can fail as well.
>>>>>>
>>>>>>
>>>>>>
>>>>>> *Matthew Huff* | Director of Technical Operations | OTA Management
>>>>>> LLC
>>>>>>
>>>>>>
>>>>>>
>>>>>> *Office: 914-460-4039*
>>>>>>
>>>>>> *mhuff at ox.com <mhuff at ox.com> | **www.ox.com <http://www.ox.com>*
>>>>>>
>>>>>>
>>>>>> *...........................................................................................................................................*
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* Jonathan Charles <jonvoip at gmail.com>
>>>>>> *Sent:* Thursday, November 11, 2021 11:50 AM
>>>>>> *To:* Matthew Huff <mhuff at ox.com>
>>>>>> *Cc:* Brian Meade <bmeade90 at vt.edu>; cisco-voip voyp list <
>>>>>> cisco-voip at puck.nether.net>
>>>>>> *Subject:* Re: [cisco-voip] MRA Onboarding via activation code...
>>>>>> phone trust list?
>>>>>>
>>>>>>
>>>>>>
>>>>>> It is running 12.8... it has been locally reg'd before...
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, Nov 11, 2021 at 10:44 AM Matthew Huff <mhuff at ox.com> wrote:
>>>>>>
>>>>>> In the lab, have you tried setting up the phone without MRA and get
>>>>>> the firmware uploaded first? Depending on how old the firmware is, you may
>>>>>> have issues with onboarding. Our 8861 wouldn’t onboard until at least 12.5.
>>>>>>
>>>>>>
>>>>>>
>>>>>> *Matthew Huff* | Director of Technical Operations | OTA Management
>>>>>> LLC
>>>>>>
>>>>>>
>>>>>>
>>>>>> *Office: 914-460-4039*
>>>>>>
>>>>>> *mhuff at ox.com <mhuff at ox.com> | **www.ox.com <http://www.ox.com>*
>>>>>>
>>>>>>
>>>>>> *...........................................................................................................................................*
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> *On Behalf
>>>>>> Of *Jonathan Charles
>>>>>> *Sent:* Thursday, November 11, 2021 11:10 AM
>>>>>> *To:* Brian Meade <bmeade90 at vt.edu>
>>>>>> *Cc:* cisco-voip voyp list <cisco-voip at puck.nether.net>
>>>>>> *Subject:* Re: [cisco-voip] MRA Onboarding via activation code...
>>>>>> phone trust list?
>>>>>>
>>>>>>
>>>>>>
>>>>>> On the phone, we see TLS connection failed... the E's cert is signed
>>>>>> by Let's Encrypt...
>>>>>>
>>>>>>
>>>>>>
>>>>>> On the Expressway E we see some certificate exchange and then resets
>>>>>> in the connection...
>>>>>>
>>>>>>
>>>>>>
>>>>>> MRA works fine for Jabber.... just 8845 Activation Code onboarding is
>>>>>> failing...
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Jonathan
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Nov 9, 2021 at 5:57 PM Brian Meade <bmeade90 at vt.edu> wrote:
>>>>>>
>>>>>> What's the console logs show?
>>>>>>
>>>>>>
>>>>>>
>>>>>> The Expressway needs to be signed by one of the trusted CAs listed
>>>>>> that are part of the phone firmware.
>>>>>>
>>>>>>
>>>>>>
>>>>>> The Expressway cert authenticates the phone with the MIC.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Do you have activation code onboarding enabled under the MRA config
>>>>>> on the Expressway-C?
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Nov 5, 2021, 5:30 PM Jonathan Charles <jonvoip at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>> So, I set up activation code MRA for an 8845 (lab first)...
>>>>>>
>>>>>>
>>>>>>
>>>>>> Cloud onboarding worked, got an activation code, tried it out...
>>>>>>
>>>>>>
>>>>>>
>>>>>> Phone kicks back 'check internet connectivtity' and on the status on
>>>>>> the phone says:
>>>>>>
>>>>>>
>>>>>>
>>>>>> GDS Handshake Succeeded
>>>>>>
>>>>>> A TLS connection failed...
>>>>>>
>>>>>>
>>>>>>
>>>>>> GDS is Cisco's cloud onboarding thingy.... I am assuming it didn't
>>>>>> like the TLS connection the expressway, but I don't see anything in the
>>>>>> Expressway logs...
>>>>>>
>>>>>>
>>>>>>
>>>>>> There is a bug and it says we need to load a Hydrant cert back into
>>>>>> the trust store...
>>>>>>
>>>>>> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt67257?rfs=iqvred
>>>>>>
>>>>>>
>>>>>>
>>>>>> But where do we need to load it? Tomcat Trust? On the Expressways?
>>>>>> The bug doesn't say... it needs to be pushed to the phone's trust list, how
>>>>>> do you do that?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>>
>>>>>>
>>>>>> Jonathan
>>>>>>
>>>>>> _______________________________________________
>>>>>> cisco-voip mailing list
>>>>>> cisco-voip at puck.nether.net
>>>>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>>>>
>>>>>> _______________________________________________
>>>>>> cisco-voip mailing list
>>>>>> cisco-voip at puck.nether.net
>>>>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>>>>
>>>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20211118/acfe1cb9/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 45054 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20211118/acfe1cb9/attachment.png>