Avaya 1600 Series Administrator's Manual page 86

A Supplicant identity (ID) and password of no more than 12 numeric characters are stored in
reprogrammable non-volatile memory. The ID and password are not overwritten by deskphone
software downloads. The default ID is the MAC address of the deskphone, converted to ASCII format
without colon separators, and the default password is null. Both the ID and password are set to defaults
at manufacture. EAP-Response/Identity frames use the ID in the Type-Data field. EAP-Response/
MD5-Challenge frames use the password to compute the digest for the Value field, leaving the Name
field blank.
When a deskphone is installed for the first time and 802.1x is in effect, the dynamic address process
prompts the installer to enter the Supplicant identity and password. The IP deskphone does not accept
null value passwords. See "Dynamic Addressing Process" in the Avaya 1600 Series IP Deskphones
Installation and Maintenance Guide. The IP deskphone stores 802.1X credentials when successful
authentication is achieved. Post-installation authentication attempts occur using the stored 802.1X
credentials, without prompting the user for ID and password entry.
An IP deskphone can support several different 802.1X authentication scenarios, depending on the
capabilities of the Ethernet data switch to which it is connected. Some switches may authenticate only
a single device per switch port. This is known as single-supplicant or port-based operation. These
switches typically send multicast 802.1X packets to authenticating devices.
These switches support the following three scenarios:
Standalone deskphone (Deskphone Only Authenticates) - When the IP deskphone is
●
configured for Supplicant Mode (DOT1XSTAT=2), the deskphone can support authentication from
the switch.
Deskphone with attached PC (Deskphone Only Authenticates) - When the IP deskphone is
●
configured for Supplicant Mode (DOT1X=2 and DOT1XSTAT=2), the deskphone can support
authentication from the switch. The attached PC in this scenario gains access to the network
without being authenticated.
Deskphone with attached PC (PC Only Authenticates) - When the IP deskphone is configured
●
for Pass-Through Mode or Pass-Through Mode with Logoff (DOT1X=0 or 1 and DOT1XSTAT=0),
an attached PC running 802.1X supplicant software can be authenticated by the data switch. The
deskphone in this scenario gains access to the network without being authenticated.
Some switches support authentication of multiple devices connected through a single switch port. This
is known as multi-supplicant or MAC-based operation. These switches typically send unicast 802.1X
packets to authenticating devices. These switches support the following two scenarios:
Standalone deskphone (Deskphone Only Authenticates) - When the IP deskphone is
●
configured for Supplicant Mode (DOT1XSTAT=2), the deskphone can support authentication from
the switch. When DOT1X is "0" or "1", the deskphone is unable to authenticate with the switch.
Deskphone and PC Dual Authentication - Both the IP deskphone and the connected PC can
●
support 802.1X authentication from the switch. The IP deskphone may be configured for
Pass-Through Mode or Pass-Through Mode with Logoff (DOT1X=0 or 1 and DOT1XSTAT=1 or
2). The attached PC must be running 802.1X supplicant software.
IEEE 802.1X
Issue 6 August 2014 77