Avaya G250 Configuring Manual
Avaya Solution & Interoperability Test Lab
Configuring 802.1X Protocol on Avaya G250 and G350 Media Gateways for an Avaya IP Telephone with an Attached PC – Issue 1.0

Abstract

The IEEE 802.1X standard defines a client-server based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports. 802.1X provides a means of authenticating and authorizing users attached to a LAN port and of preventing access to that port in cases where the authentication process fails. Avaya G250 and G350 Media Gateways support 802.1X as authenticators and Avaya IP telephones support 802.1X as supplicants. These Application Notes provide the steps necessary to configure 802.1X on the Avaya G350 Media Gateway and the Avaya IP telephone with an attached PC using a FreeRADIUS server. The same approach can be followed when using an Avaya G250 Media Gateway.

JZ; Reviewed: PV 6/21/06
Solution & Interoperability Test Lab Application Notes
©2006 Avaya Inc. All Rights Reserved.
1 of 31
DOT1X-IPT-GW.doc

Summary of Contents for Avaya G250

  • Page 2 EAPOL-Start frame, which prompts the switch to request the client's identity. Figure 1 shows typical flows for the Avaya IP telephone, the Avaya G250 or G350 Media Gateway and an authentication server using the EAP-MD5 authentication.
  • Page 3 Figure 1: 802.1X Message Exchanges The following describes the 802.1X flows for Figure 1: 1. The supplicant (the Avaya IP telephone) sends an “EAPOL Start” packet to the authenticator (Avaya G250 or G350 Media Gateway). 2. The authenticator responds with an “EAP-Request/Identity” packet to the supplicant.
  • Page 4 8. When the supplicant is logged off, the supplicant sends an EAPOL-Logoff message, and the authenticator blocks access to the LAN. The Avaya G250 and G350 Media Gateways support the following EAP types: MD5, PEAP, TTLS and TLS. The Avaya IP telephones support EAP-MD5 authentication. Figure 2 shows the network diagram used in these Application Notes.
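The challenge/response part of the Figure 1 flow, as an added example that is not part of the Avaya Application Notes: a minimal model of EAP-MD5 (MD5-Challenge, RFC 3748 section 5.4, which reuses the CHAP computation of RFC 1994) with the supplicant identity set to the telephone's MAC address, as the notes configure it in the FreeRADIUS users file. The identities, secrets and challenge bytes are constructed, and the `USERS` dictionary is a stand-in for the users file, not FreeRADIUS code. The last function shows why the caveat matters: EAP-MD5 offers no mutual authentication and no key derivation, so anyone who captures the EAPOL frames (for instance on the PC side of a phone in pass-thru mode) can run an offline dictionary attack against a weak password.

```python
"""EAP-MD5 (MD5-Challenge) exchange model with an offline dictionary attack.

Added example, not code from the Avaya Application Notes. All identities,
secrets and challenge values are constructed for illustration.
"""
import hashlib
import secrets
import struct
from typing import Iterable, Optional, Tuple

EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4  # RFC 3748 section 5.4

# Constructed stand-in for the FreeRADIUS users file (identity -> cleartext
# password). The notes use the telephone's MAC address as its username.
USERS = {
    "00040D508820": "8kQ!vR2#pLm9",  # constructed strong secret for the phone
    "pcuser": "Winter2006",          # constructed weak password for the attached PC
}


def md5_challenge_value(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 3748: Value = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def build_md5_challenge_request(identifier: int, challenge: bytes) -> bytes:
    """EAP-Request/MD5-Challenge: Code | Identifier | Length | Type | Value-Size | Value."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge
    return struct.pack("!BBH", EAP_CODE_REQUEST, identifier, 4 + len(body)) + body


def build_md5_challenge_response(identifier: int, value: bytes, name: str) -> bytes:
    """EAP-Response/MD5-Challenge; the optional Name field carries the identity."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name.encode()
    return struct.pack("!BBH", EAP_CODE_RESPONSE, identifier, 4 + len(body)) + body


def parse_eap(packet: bytes) -> Tuple[int, int, bytes, str]:
    """Return (code, identifier, value, name); reject malformed or non-MD5 packets."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    size = packet[5]
    return code, identifier, packet[6:6 + size], packet[6 + size:].decode()


def supplicant_respond(request: bytes, identity: str, secret: str) -> bytes:
    """The phone (or PC supplicant) answers the authenticator's challenge."""
    _, identifier, challenge, _ = parse_eap(request)
    value = md5_challenge_value(identifier, secret, challenge)
    return build_md5_challenge_response(identifier, value, identity)


def server_verify(response: bytes, challenge: bytes, identity: str, users: dict) -> bool:
    """The RADIUS server recomputes the value from its copy of the secret.

    `identity` is what arrived earlier in EAP-Response/Identity (RADIUS User-Name),
    which is why the notes key the users file on the phone's MAC address.
    """
    code, identifier, value, _ = parse_eap(response)
    if code != EAP_CODE_RESPONSE or identity not in users:
        return False
    expected = md5_challenge_value(identifier, users[identity], challenge)
    return secrets.compare_digest(value, expected)  # constant-time comparison


def run_exchange(identity: str, secret: str, users: dict = USERS) -> bool:
    """Full challenge/response round trip; True means Access-Accept."""
    identifier = secrets.randbelow(256)
    challenge = secrets.token_bytes(16)
    request = build_md5_challenge_request(identifier, challenge)
    response = supplicant_respond(request, identity, secret)
    return server_verify(response, challenge, identity, users)


def offline_dictionary_attack(request: bytes, response: bytes,
                              wordlist: Iterable[str]) -> Optional[str]:
    """Recover the password from a captured request/response pair.

    EAP-MD5 has no mutual authentication and no key derivation, so a passive
    capture of the EAPOL frames is enough to test candidates offline.
    """
    _, identifier, challenge, _ = parse_eap(request)
    _, _, value, _ = parse_eap(response)
    for candidate in wordlist:
        if md5_challenge_value(identifier, candidate, challenge) == value:
            return candidate
    return None


if __name__ == "__main__":
    print("phone accepted:", run_exchange("00040D508820", USERS["00040D508820"]))
    print("wrong secret accepted:", run_exchange("00040D508820", "guess"))
    req = build_md5_challenge_request(7, bytes(range(16)))
    resp = supplicant_respond(req, "pcuser", USERS["pcuser"])
    print("recovered PC password:",
          offline_dictionary_attack(req, resp, ["password", "Summer2006", "Winter2006"]))
```

The attack function is the practical reason to treat the users-file passwords (and MAC-address usernames, which an attacker can read off the wire) as low-assurance credentials on these gateways: the port-based mode in the notes lets an attached PC through on the strength of the phone's EAP-MD5 authentication alone, so the port's physical exposure, not the cryptography, is what bounds the risk.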
  • Page 5: Equipment And Software Validated ... However, it is expected that 802.1X support will be included in a forthcoming generally available version of the telephone firmware.
  • Page 6 3 Configurations The Avaya G250 and G350 Media Gateways can control the port authorization state. Three control modes can be configured on a port: • Force-authorized – Disables 802.1X port-based authentication and causes the port to transition to the authorized state without any authentication exchange required.
  • Page 7 PC into different VLANs, configure a port with an untagged VLAN for the attached PC and a static-VLAN for the Avaya IP telephone. The following screen shows how to configure port 6/1 with an untagged VLAN 89 for the attached PC and a static-VLAN 88 for an Avaya IP telephone.
  • Page 8 Gateway and IP Telephones without Requiring the Attached PCs to Authenticate This section describes how to configure the Avaya G350 Media Gateway and an IP telephone so that the IP telephone will be used to authenticate the port. Note that in this case a PC attached to the phone will be allowed access without requiring it to authenticate.
  • Page 9 If an IP telephone with the attached PC is connected to that port, the IP telephone and the PC have to be authenticated independently. When a port is configured to the MAC-based mode, the Avaya G350 Media Gateway uses unicast EAPOL messages with the supplicants. Since most 802.1X supplicants send their EAPOL messages to the EAPOL group multicast MAC address, the IP telephone must be configured to the pass-thru or p-t w/Logoff mode to pass these multicast messages through to the attached PC.
  • Page 10 Configure a username with a password in the users file under /usr/local/etc/raddb directory. For an IP telephone, configure the MAC address of the Avaya IP telephone as a username. For the mac-based mode, a username with a password should be configured for the attached PC.
  • Page 11 Client Manager. Figure 3 shows the Funk Odyssey Client Manager. Click Profiles and then click Add or highlight the existing profile and press Properties. Figure 3: The Funk Odyssey Client Manager
  • Page 12 Figure 4: User Information for the Funk Odyssey Client Profile
  • Page 13 (Figure 5). Ignore TTLS Settings and PEAP Settings, which are not related to EAP-MD5. Figure 5: Authentication Configuration for the Funk Odyssey Client Profile
  • Page 14 Click the Adapters icon in Figure 3, and add the wired Ethernet adapter (Figure 6). Figure 6: Adapters Configuration for the Funk Odyssey Client Manager
  • Page 15 Status for the Connection information should be open and authenticated. If not, check Section 4 for troubleshooting. Note that the 802.1X supplicant software for the attached PC is not needed if the Avaya G350 Media Gateway is configured with the port-based mode.
  • Page 16 Idle Auth Use the command show cam <port#> to verify that the Avaya G350 Media Gateway learns the MAC addresses of the IP telephone and the attached PC in different VLANs. Note that the MAC address of the IP telephone is associated with the untagged VLAN and the static-VLAN.
  • Page 17 Authed Idle Auth Use the command show cam <port#> to verify that the Avaya G350 Media Gateway learns the MAC addresses of the IP telephone and the attached PC in different VLANs. G350-003(super)# show cam 6/1 Total Matching CAM Entries Displayed = 4...
  • Page 18 4.3 Troubleshooting 802.1X on the Avaya G350 Media Gateway 802.1X debugging can be enabled on the Avaya G350 Media Gateway for troubleshooting. Enter the following commands from the console port to enable 802.1X debugging. G350-003(super)# set logging session condition dot1x debug...
  • Page 19 If the IP telephone or the attached PC cannot be authenticated by the FreeRADIUS server, use the command radiusd –X to run the server in the debugging mode. The following shows a correct debugging output for the authentications of the Avaya IP telephone and the attached PC for the MAC-based mode.
  • Page 20 Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms
  • Page 21 = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no
  • Page 22 Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no
  • Page 23 ! --- The RADIUS server listens on ports 1812 and 1813 Listening on authentication *:1812 Listening on accounting *:1813
  • Page 24 ! --- Identify the request type as EAP-MD5 auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0
  • Page 25 "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "00040D508820", looking up realm NULL rlm_realm: No such realm "NULL"
  • Page 26 Waking up in 6 seconds... ! --- Receive MD5 response for the attached PC rad_recv: Access-Request packet from host 192.168.88.4:1812, id=133, length=102
  • Page 27 Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/md5
  • Page 28 "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "00040D508820", looking up realm NULL rlm_realm: No such realm "NULL"
  • Page 29 Cleaning up request 2 ID 133 with timestamp 4443e8fe Cleaning up request 3 ID 134 with timestamp 4443e8fe Nothing to do. Sleeping until we see a request.
  • Page 30: Additional References ... 802.1X supplicants using EAP-MD5. When the IP telephone is configured in the p-t w/Logoff mode and the Media Gateway port connected to the Avaya IP telephone in the MAC-based mode, the Avaya IP telephone and the attached PC can be authenticated individually.
  • Page 31 Application Notes. Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya Solution & Interoperability Test Lab at interoplabnotes@list.avaya.com...
