Nortel 2033 Installation And Operation Manual page 494

Page 494 of 600
Extensible Authentication Protocol
Authorization
553-3001-368 Standard 20.00
Appendix C: 802.1x Port-based network access control
Extensible Authentication Protocol (EAP) supports multiple authentication
methods, such as MD5, PEAP, TLS, and TTLS, and represents a technology
framework that facilitates the adoption of Authentication, Authorization, and
Accounting (AAA) schemes, such as Remote Authentication Dial In User
Service (RADIUS). RADIUS is defined in RFC 2865.
802.1x defines the following three roles:
• Supplicant—an IP Phone which requires access to the network to use
network services.
• Authenticator—the network entry point to which the supplicant
physically connects (typically a Layer 2/3 switch). The authenticator acts
as the proxy between the supplicant and the authentication server.
The authenticator controls access to the network based on the
authentication status of the supplicant.
• Authentication server—performs authentication of the supplicant.
If 802.1x is configured and the IP Phone is physically connected to the
network, the IP Phone (supplicant) initiates 802.1x authentication by
contacting the Layer 2/3 switch (authenticator). The IP Phone also initiates
802.1x authentication after the Ethernet connection (network interface only)
is restored following a network link failure.
However, if the phone resets, the IP Phone assumes the Layer 2 link has
remained in service and is authenticated.
The IP Phone fails to authorize if the DeviceID and the IP Phone passwords
do not match the DeviceID and IP Phone password provisioned on the
RADIUS Server. The Layer 2 switch (authenticator) locks out the IP Phone
and network access is denied. If this happens during reauthorization, all
phone services are lost. The connected PC operates as normal.
For information about configuring EAP, refer to the applicable IP Phone
section in this document.
December 2006