About Ieee 802.1X; 802.1X Supplicant Operation - Avaya 9608 Administration

Administering deskphone options

About IEEE 802.1X

9600 Series IP Deskphones support the IEEE 802.1X-2004 standard for Supplicant operation,
and support pass-through of 802.1X messages to an attached PC (except the 9601, which does
not have a secondary Ethernet interface). The system parameter DOT1X determines how the
deskphones handle pass-through of 802.1X multicast packets and proxy logoff, as follows:
When DOT1X = 0 (the default), the deskphone forwards 802.1X multicast packets from the
●
Authenticator to the PC attached to the deskphone and forwards multicast packets from
the attached PC to the Authenticator (multicast pass-through). Proxy Logoff feature is
inactive in this configuration.
When DOT1X = 1, the deskphone supports the same multicast pass-through as when
●
DOT1X=0, but Proxy Logoff is also supported. When the secondary Ethernet interface
loses link integrity, the deskphone sends an 802.1X EAPOL-Logoff message to the
Authenticator with a source MAC address from the previously attached device. This
message alerts the Authenticator that the device is no longer connected.
When DOT1X = 2, the deskphone forwards multicast packets from the Authenticator only
●
to the deskphone, ignoring multicast packets from the attached PC (no multicast
pass-through). Proxy Logoff is not supported.
Regardless of the DOT1X setting, the deskphone always properly directs unicast packets
●
from the Authenticator to the deskphone or its attached PC, as dictated by the destination
MAC address in the packet.

802.1X Supplicant Operation

9600 Series IP Deskphones that support Supplicant operation also support Extensible
Authentication Protocol (EAP), but only with the MD5-Challenge authentication method as
specified in IETF RFC 3748 or with TLS.
If an EAP method in the configuration parameter DOT1XEAPS requires the authentication of a
digital certificate, the standard authentication requirements apply, including matching the
TLSSRVRID with that on the certificate.
When a deskphone is installed for the first time and 802.1x is enabled with EAP-MD5 method,
the deskphone prompts the installer to enter the 802.1x supplicant credentials for EAP-MD5
authentication. The default 802.1x supplicant ID is the MAC address of the deskphone.
The deskphone does not accept null value passwords. The default credentials consisting of the
values of the DOT1XID and DOT1XPSWD parameters will be used when a new deskphone is
first plugged in if the EAP method requires an identity and password. In this case, authentication
will fail because the password is null, thus the authentication attempt will not actually contain a
password (whether or not the default identity is correct). An EAP-Failure message will be
received in response, and an 802.1X User Input interrupt screen prompting "Enter Credentials"
is then displayed. For all EAP methods, if the Supplicant is unauthenticated, an 802.1X Waiting
118 Administering Avaya 9601/9608/9608G/9611G/9621G/9641G IP Deskphones SIP
Comments? infodev@avaya.com