802.1X Supplicant Operation - Avaya 9608 Administrator's Manual

Administering Telephone Options
the attached PC to the Authenticator (multicast pass-through). Proxy Logoff is not
supported.
When DOT1X = 1, the deskphone supports the same multicast pass-through as when
●
DOT1X=0, but Proxy Logoff is also supported. When the secondary Ethernet interface
loses link integrity, the telephone sends an 802.1X EAPOL-Logoff message to the
Authenticator with a source MAC address from the previously attached device. This
message alerts the Authenticator that the device is no longer connected.
When DOT1X = 2, the deskphone forwards multicast packets from the Authenticator only
●
to the deskphone, ignoring multicast packets from the attached PC (no multicast
pass-through). Proxy Logoff is not supported.
Regardless of the DOT1X setting, the deskphone always properly directs unicast packets
●
from the Authenticator to the deskphone or its attached PC, as dictated by the destination
MAC address in the packet.

802.1X Supplicant Operation

9600 IP Deskphones that support Supplicant operation also support Extensible Authentication
Protocol (EAP), but only with the MD5-Challenge authentication method as specified in IETF
RFC 3748 or with TLS.
If an EAP method in the configuration parameter DOT1XEAPS requires the authentication of a
digital certificate, the standard authentication requirements apply, including matching the
TLSSRVRID with that on the certificate.
When a deskphone is installed for the first time and 802.1x is in effect, the dynamic address
process prompts the installer to enter the Supplicant identity and password. See "Dynamic
Addressing Process" in the Avaya one-X™ Deskphone SIP Installation and Maintenance Guide
for 9608, 9611G, 9621G, and 9641G Deskphones (Document Number 16-603604) for
information on this process. The deskphone does not accept null value passwords. The default
credentials consisting of the values of the DOT1XID and DOT1XPSWD parameters will be used
when a new telephone is first plugged in if the EAP method requires an identity and password.
In this case, authentication will fail because the password is null, thus the authentication attempt
will not actually contain a password (whether or not the default identity is correct). An
EAP-Failure message will be received in response, and an 802.1X User Input interrupt screen
prompting "Enter Credentials" is then displayed. For all EAP methods, if the Supplicant is
unauthenticated, an 802.1X Waiting interrupt screen is displayed when a response is
transmitted, unless an 802.1X User Input interrupt screen is already being displayed.
If an EAP-Failure frame is received after transmitting a response that contains an identity or a
password, an 802.1X User Input interrupt screen is displayed, unless an 802.1X User Input
interrupt screen is already being displayed. If an EAP-Failure frame is received after
transmitting a response that did not contain an identity or a password, an 802.1X Failure
interrupt screen is displayed.
The deskphone stores 802.1X credentials when successful authentication is achieved.
Post-installation authentication attempts occur using the stored 802.1X credentials, without
118 Deskphone SIP 9608, 9611G, 9621G, 9641G Administrator Guide Release 6.0.1