
Summary of Contents for Yealink 802.1X

  • Page 2: Table Of Contents

    Sample Screenshots – Identity (p. 21)
    Sample Screenshots - Anonymous Identity (p. 24)
    Troubleshooting (p. 27)
    Why doesn’t the IP phone pass 802.1X authentication? (p. 27)
    Appendix A: Glossary (p. 28)
    Appendix B: 802.1X Authentication Process (p. 29)
    A Successful Authentication Using EAP-MD5 Protocol (p. 29)
    A Successful Authentication Using EAP-TLS Protocol ...
  • Page 3: About 802.1X

    Yealink IP Phones Compatible with 802.1X 802.1X is the most widely accepted form of port-based network access control in use and is available on Yealink IP phones. Yealink IP phones support 802.1X authentication based on EAP-MD5, EAP-TLS, EAP-PEAP/MSCHAPv2, EAP-TTLS/EAP-MSCHAPv2, EAP-PEAP/GTC, EAP-TTLS/EAP-GTC and EAP-FAST protocols.
  • Page 4 Yealink Technical White Paper 802.1X Authentication Authentication Protocol IP Phone Models Firmware Version T58V/A, T56A, T49G, T40P, T29G, T27P, Firmware version 80 or later T23P/G, T21(P) E2, T19(P) E2, W56P T54S, T52S, T48S, T46S, T42S, T41S, T40G, T27G, Firmware version 81 or later...
  • Page 5: Configuring 802.1X Settings

    Ethernet switch. This functionality, also known as proxy logoff, prevents another device from using the port without first authenticating via 802.1X. The Pass-thru Mode is available on Yealink IP phones running a specified firmware version. You can ask your system administrator or contact a Yealink Field Application Engineer (FAE) for more information.
  • Page 6: Configuring 802.1X Using Configuration Files

    EAP-TTLS/EAP-GTC or EAP-FAST protocol is preferred in your 802.1X environment, make sure that the firmware running on your new phone supports the protocol. The following provides system administrators with the procedures to successfully configure Yealink IP phones in a secure 802.1X environment.
  • Page 7 Description: Configures the user name for 802.1x authentication. Note: It works only if the value of the parameter “network.802_1x.mode” is set to 1, 2, 3, 4, 5, 6 or 7. If you change this parameter, the IP phone will reboot to make the change take effect.
  • Page 8 (EAP-TLS). The format of the certificate must be *.pem. Web User Interface: Network->Advanced->802.1x->Device Certificates. Phone User Interface: None. The following shows an example of the EAP-TLS protocol for 802.1X authentication in configuration files:

        network.802_1x.mode = 2
        network.802_1x.identity = yealink
        network.802_1x.root_cert_url = http://192.168.1.8:8080/ca.crt
        network.802_1x.client_cert_url = http://192.168.1.8:8080/client.pem
        ...
  • Page 9 3-EAP-PEAP/MSCHAPv2 4-EAP-TTLS/EAP-MSCHAPv2 5-EAP-PEAP/GTC 6-EAP-TTLS/EAP-GTC 7-EAP-FAST If it is set to 0 (EAP-None), 802.1x authentication is not required. Note: If you change this parameter, the IP phone will reboot to make the change take effect. Web User Interface: Network->Advanced->802.1x->802.1x Mode Phone User Interface: Menu->Settings->Advanced Settings (default password: admin)
  • Page 10 Description: Configures the anonymous identity (user name) for 802.1X authentication. It is used for constructing a secure tunnel for 802.1X authentication. Note: It works only if the value of the parameter “static.network.802_1x.mode” is set to 2, 3, 4, 5, 6 or 7. If you change this parameter, the IP phone will reboot to make the change take effect.
  • Page 11 (EAP-TLS). The format of the certificate must be *.pem. Web User Interface: Network->Advanced->802.1x->Device Certificates. Phone User Interface: None. The following shows an example of the EAP-TLS protocol for 802.1X authentication in configuration files:

        static.network.802_1x.mode = 2
        static.network.802_1x.anonymous_identity = Anonymous
        static.network.802_1x.identity = yealink
        static.network.802_1x.root_cert_url = http://192.168.1.8:8080/ca.crt
        ...
  • Page 12: Configuring 802.1X Via Web User Interface

    Log in to the web user interface of the phone. Click on Network->Advanced. In the 802.1x block, select the desired protocol from the pull-down list of 802.1x Mode. If you select EAP-MD5: Enter the user name for authentication in the Identity field.
  • Page 13 Enter the password for authentication in the MD5 Password field. If you select EAP-TLS: (Optional.) Enter the anonymous user name for authentication in the Anonymous Identity field. Enter the user name for authentication in the Identity field.
  • Page 14 Click Upload to upload the certificates. If you select EAP-PEAP/MSCHAPv2: (Optional.) Enter the anonymous user name for authentication in the Anonymous Identity field. Enter the user name for authentication in the Identity field. Enter the password for authentication in the MD5 Password field.
  • Page 15 In the CA Certificates field, click Browse to select the desired CA certificate (*.pem, *.crt, *.cer or *.der) from your local system. Click Upload to upload the certificate. If you select EAP-PEAP/GTC: (Optional.) Enter the anonymous user name for authentication in the Anonymous Identity field.
  • Page 16 Click Upload to upload the certificate. If you select EAP-TTLS/EAP-GTC: (Optional.) Enter the anonymous user name for authentication in the Anonymous Identity field. Enter the user name for authentication in the Identity field. Enter the password for authentication in the MD5 Password field.
  • Page 17: Configuring 802.1X Via Phone User Interface

    A dialog box pops up to prompt that settings will take effect after a reboot. Click OK to reboot the phone. Connect the phone to the 802.1X-enabled network after reboot. Note: If the Pass-thru mode is available on your new phone, you can select the Pass-thru mode from the pull-down list of DOT1XSTAT Options via web user interface.
  • Page 18 Press , or the Switch soft key to select the desired value from the 802.1x Mode field. If you select EAP-MD5: Enter the user name for authentication in the Identity field. Enter the password for authentication in the MD5 Password field.
  • Page 19: 802.1X Authentication Process

    The IP phone reboots automatically to make the settings effective after a period of time. 802.1X Authentication Process Reboot the phone to activate the 802.1X authentication on the phone. The 802.1X authentication process is divided into two basic stages: Pre-authentication The 802.1X pre-authentication process begins with the IP phone that contains a supplicant...
  • Page 20 IP phone and creates an 802.1X session. The IP phone provides its authentication information for the authenticator, and then the authenticator forwards the information to the authentication server. Authentication After the authentication server authenticates the IP phone, the authentication server initiates the authentication stage of the process.
  • Page 21: Sample Screenshots - Identity

    Sample Screenshots – Identity The following Wireshark screenshot shows a sample of a successful authentication process using the EAP-MD5 protocol: The following Wireshark screenshot shows a sample of a successful authentication...
  • Page 22 The following Wireshark screenshot shows a sample of a successful authentication process using the EAP-PEAP/MSCHAPv2 protocol: The following Wireshark screenshot shows a sample of a successful authentication process using the EAP-TTLS/EAP-MSCHAPv2 protocol:...
  • Page 23 The following Wireshark screenshot shows a sample of a successful authentication process using the EAP-PEAP/GTC protocol: The following Wireshark screenshot shows a sample of a successful authentication process using the EAP-TTLS/EAP-GTC protocol:...
  • Page 24: Sample Screenshots - Anonymous Identity

    The following Wireshark screenshot shows a sample of a successful authentication process using the EAP-FAST protocol: Sample Screenshots - Anonymous Identity The following Wireshark screenshot shows a sample of a successful authentication...
  • Page 25 The following Wireshark screenshot shows a sample of a successful authentication process with anonymous identity using the EAP-PEAP/MSCHAPv2 protocol: The following Wireshark screenshot shows a sample of a successful authentication process with anonymous identity using the EAP-TTLS/EAP-MSCHAPv2 protocol:...
  • Page 26 The following Wireshark screenshot shows a sample of a successful authentication process with anonymous identity using the EAP-PEAP/GTC protocol: The following Wireshark screenshot shows a sample of a successful authentication process with anonymous identity using the EAP-TTLS/EAP-GTC protocol:...
  • Page 27: Troubleshooting

    The following Wireshark screenshot shows a sample of a successful authentication process with anonymous identity using the EAP-FAST protocol: Troubleshooting Why doesn’t the IP phone pass 802.1X authentication? Do the following in sequence: Ensure that the 802.1X authentication environment is operational.
  • Page 28: Appendix A: Glossary

    network administrator. Contact Yealink FAE for support when the above steps cannot solve your problem. Capture the packet and export configurations of the phone, switch and authentication server. Provide the related information to Yealink FAE.
  • Page 29: Appendix B: 802.1X Authentication Process

    Appendix B: 802.1X Authentication Process A Successful Authentication Using EAP-MD5 Protocol The following figure illustrates the scenario of a successful 802.1X authentication process using the EAP-MD5 protocol. The supplicant sends an “EAPOL-Start” packet to the authenticator. The authenticator responds with an “EAP-Request/Identity” packet to the supplicant.
  • Page 30: A Successful Authentication Using Eap-Tls Protocol

    A Successful Authentication Using EAP-TLS Protocol The following figure illustrates the scenario of a successful 802.1X authentication process using the EAP-TLS protocol. The supplicant sends an “EAPOL-Start” packet to the authenticator. The authenticator responds with an “EAP-Request/Identity” packet to the supplicant.
  • Page 31 11. The supplicant responds with an “EAP-Response” packet to the authenticator. The packet includes a TLS change cipher spec message, a client certificate message, a client key exchange message and a certificate verify message 12.
  • Page 32: A Successful Authentication Using Eap-Peap/Mschapv2 Protocol

    A Successful Authentication Using EAP-PEAP/MSCHAPv2 Protocol The following figure illustrates the scenario of a successful 802.1X authentication process using the EAP-PEAP/MSCHAPv2 protocol. The supplicant sends an “EAPOL-Start” packet to the authenticator. The authenticator responds with an “EAP-Request/Identity” packet to the supplicant.
  • Page 33 The supplicant responds with an “EAP-Response” packet containing a TLS client hello handshake message to the authenticator. The TLS client hello message includes the TLS version supported by the supplicant, a session ID, a random number and a set of cipher suites.
  • Page 34: A Successful Authentication Using Eap-Ttls/Eap-Mschapv2 Protocol

    EAP-PEAP/MSCHAPv2 protocol. For more information, refer to the network resource. A Successful Authentication Using EAP-FAST Protocol The 802.1X authentication process using the EAP-FAST protocol is quite similar to that using the EAP-PEAP/MSCHAPv2 protocol. For more information, refer to the network resource.
  • Page 35 Customer Feedback We are striving to improve our documentation quality and we appreciate your feedback. Email your opinions and comments to DocsFeedback@yealink.com.
