Enabling Certificate Support; Activating EAP-TLS for Authentication - Avaya 9608 Administrator's Manual

IP Deskphone H.323

Administering Deskphone Options

Enabling certificate support

You can use Simple Certificate Enrollment Protocol (SCEP) to provide an identity certificate for use
with certificate-based VPN authentication methods. The 802.1x EAP-TLS method also uses the
identity certificate for authentication. When you use TLS with HTTPS, you can use the identity
certificate to authenticate the phone and save the agent greetings or perform a backup or restore.
The phone stores the identity certificate and the phone uses the identity certificate during the TLS
handshake as required when the phone is acting as a server. When the phone is acting as a client,
the phone transmits the identity certificate on request. The 9600 Series IP Deskphones support
Media Encryption (SRTP) and use built-in Avaya certificates for trust management. Trust
management includes downloading certificates and managing policies for additional trusted
Certificate Authorities (CA). Simple Certificate Enrollment Protocol (SCEP) handles identity
management with phone certificates and private keys. You can apply SCEP to your VPN operation
or to standard enterprise network operation.

Before you begin

For SCEP servers that are outside the corporate firewall, configure the phones that use a VPN
connection to establish an SCEP connection through an HTTP proxy server to reach the SCEP
server. In this instance, use the WMLPROXY system parameter to configure the HTTP proxy server.
When the phone initiates SCEP, the phone attempts to contact an SCEP server through HTTP,
using the value of the configuration parameter MYCERTURL as the URI. SCEP supports an HTTP
proxy server. The phone creates a private/public key pair, where the length of each key is equal to
the value of the configuration parameter MYCERTKEYLEN. The certificate request uses the public
key and the values of the configuration parameters MYCERTCAID, MYCERTCN, MYCERTDN, and
SCEPPASSWORD.

About this task

You must configure the 46xxsettings.txt file on the file server with the specified parameters to use an
identity certificate to authenticate the phones.

Procedure

Configure the following parameters in the 46xxsettings.txt file:
• SET MYCERTURL <URL for enrolling with a SCEP-fronted Certificate Authority>, for example, http://149.49.44.53/certsrv/mscep/mscep.dll.
• SET MYCERTCN $MACADDR.
• SET MYCERTWAIT 1.
• SET TRUSTCERTS "root_certificate".

Activating EAP-TLS for authentication

Before you begin

To activate the 802.1x EAP-TLS mode, you must set "SET DOT1XEAPS TLS" in the 46xxsettings.txt file on the file server.
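
An added example, not part of the Avaya manual: a small Python check that reads a 46xxsettings.txt, collects the SET lines named in the two sections above, and reports when EAP-TLS is switched on without the SCEP enrollment parameters from the procedure. The sample files, the host name scep.example.test, and the rules that non-SET lines are ignored and a later SET overrides an earlier one are assumptions.

```python
import re

# Parameters the procedure above sets for SCEP enrollment.
REQUIRED = ("MYCERTURL", "MYCERTCN", "MYCERTWAIT", "TRUSTCERTS")
SET_LINE = re.compile(r'^\s*SET\s+([A-Z0-9_]+)\s*(.*?)\s*$')

# Constructed sample files; the host name is a placeholder.
GOOD = '''## constructed sample
SET MYCERTURL http://scep.example.test/certsrv/mscep/mscep.dll
SET MYCERTCN $MACADDR
SET MYCERTWAIT 1
SET TRUSTCERTS "root_certificate"
SET DOT1XEAPS TLS
'''
BAD = '''## constructed sample: EAP-TLS switched on, enrollment half configured
SET MYCERTURL http://scep.example.test/certsrv/mscep/mscep.dll
SET MYCERTCN phone1
SET TRUSTCERTS ""
SET DOT1XEAPS TLS
'''

def parse_settings(text):
    """Return {NAME: value} from 'SET NAME value' lines.
    Assumed: any other line is ignored and a later SET overrides an earlier one."""
    params = {}
    for line in text.splitlines():
        m = SET_LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2).strip('"')
    return params

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    p = parse_settings(text)
    missing = [n for n in REQUIRED if not p.get(n)]
    findings = [f"{n} is not set or is empty" for n in missing]
    url = p.get("MYCERTURL", "")
    if url and not re.match(r"https?://[^/\s]+", url):
        findings.append("MYCERTURL does not look like an HTTP(S) URL")
    if p.get("MYCERTCN") and p["MYCERTCN"] != "$MACADDR":
        findings.append("MYCERTCN differs from the $MACADDR value in the procedure")
    if p.get("DOT1XEAPS", "").upper() == "TLS" and missing:
        findings.append("DOT1XEAPS is TLS but SCEP enrollment is incomplete")
    return findings

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(text) or "ok")
```

Running it against the settings file before it is published to the file server catches a phone fleet being pointed at 802.1x EAP-TLS while the enrollment parameters are still missing.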
Administering 9608/9608G/9611G/9621G/9641G IP Deskphones H.323
June 2014
