Yealink IP Phones Compatible with 802.1X

802.1X is the most widely accepted form of port-based network access control in use and is available on Yealink IP phones. Yealink IP phones support 802.1X authentication based on EAP-MD5, EAP-TLS, EAP-PEAP/MSCHAPv2, EAP-TTLS/EAP-MSCHAPv2, EAP-PEAP/GTC, EAP-TTLS/EAP-GTC and EAP-FAST protocols.
Yealink Technical White Paper 802.1X Authentication

Table columns: Authentication Protocol, IP Phone Models, Firmware Version

T58V/A, T56A, T49G, T40P, T29G, T27P, T23P/G, T21(P) E2, T19(P) E2, W56P: Firmware version 80 or later
T54S, T52S, T48S, T46S, T42S, T41S, T40G, T27G, Firmware version 81 or later...
Ethernet switch. This functionality, also known as proxy logoff, prevents another device from using the port without first authenticating via 802.1X. The Pass-thru Mode is available on Yealink IP phones running specified firmware versions. You can ask your system administrator or contact a Yealink Field Application Engineer (FAE) for more information.
EAP-TTLS/EAP-GTC or EAP-FAST protocol is preferred in your 802.1X environment, make sure that the firmware running on your new phone supports the protocol. The following provides system administrators with the procedures to successfully configure Yealink IP phones in a secure 802.1X environment.
Description: Configures the user name for 802.1x authentication. Note: It works only if the value of the parameter “network.802_1x.mode” is set to 1, 2, 3, 4, 5, 6 or 7. If you change this parameter, the IP phone will reboot to make the change take effect.
(EAP-TLS). The format of the certificate must be *.pem.

Web User Interface: Network->Advanced->802.1x->Device Certificates
Phone User Interface: None

The following shows an example of the EAP-TLS protocol for 802.1X authentication in configuration files:

network.802_1x.mode = 2
network.802_1x.identity = yealink
network.802_1x.root_cert_url = http://192.168.1.8:8080/ca.crt
network.802_1x.client_cert_url = http://192.168.1.8:8080/client.pem...
3-EAP-PEAP/MSCHAPv2
4-EAP-TTLS/EAP-MSCHAPv2
5-EAP-PEAP/GTC
6-EAP-TTLS/EAP-GTC
7-EAP-FAST

If it is set to 0 (EAP-None), 802.1x authentication is not required.

Note: If you change this parameter, the IP phone will reboot to make the change take effect.

Web User Interface: Network->Advanced->802.1x->802.1x Mode
Phone User Interface: Menu->Settings->Advanced Settings (default password: admin)
Description: Configures the anonymous identity (user name) for 802.1X authentication. It is used for constructing a secure tunnel for 802.1X authentication. Note: It works only if the value of the parameter “static.network.802_1x.mode” is set to 2, 3, 4, 5, 6 or 7. If you change this parameter, the IP phone will reboot to make the change take effect.
(EAP-TLS). The format of the certificate must be *.pem.

Web User Interface: Network->Advanced->802.1x->Device Certificates
Phone User Interface: None

The following shows an example of the EAP-TLS protocol for 802.1X authentication in configuration files:

static.network.802_1x.mode = 2
static.network.802_1x.anonymous_identity = Anonymous
static.network.802_1x.identity = yealink
static.network.802_1x.root_cert_url = http://192.168.1.8:8080/ca.crt...
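A configuration check for the 802.1X parameters described above, as an added example that is not part of the white paper or of Yealink's tooling. The function names, severity labels and the rule set are this example's own assumptions; the parameter names and mode numbers are the ones shown on this page, and the sample input is constructed.

```python
import re
from urllib.parse import urlparse

# Matches network.802_1x.<key> = <value>, with or without the static. prefix.
LINE = re.compile(r"^\s*(?:static\.)?network\.802_1x\.(\w+)\s*=\s*(.*?)\s*$")

def parse_8021x(text):
    """Collect the 802.1X settings from a phone configuration file."""
    return {m.group(1): m.group(2)
            for m in map(LINE.match, text.splitlines()) if m}

def audit_8021x(text):
    """Return (severity, message) findings; severities are this example's own."""
    cfg = parse_8021x(text)
    raw = cfg.get("mode", "0")
    if not raw.isdigit() or int(raw) > 7:
        return [("high", f"invalid 802_1x.mode {raw!r}")]
    mode, findings = int(raw), []
    if mode == 0:
        findings.append(("high", "mode 0 (EAP-None): 802.1X is not used"))
    if mode == 1:
        findings.append(("high", "mode 1 (EAP-MD5): no TLS tunnel or server authentication"))
    if mode >= 1 and not cfg.get("identity"):
        findings.append(("high", "identity is empty"))
    if 2 <= mode <= 6 and not cfg.get("root_cert_url"):
        findings.append(("high", "no CA certificate URL to validate the server"))
    if mode == 2 and not cfg.get("client_cert_url"):
        findings.append(("high", "EAP-TLS without a device certificate URL"))
    if mode >= 2 and not cfg.get("anonymous_identity"):
        findings.append(("low", "no anonymous identity: user name visible outside the tunnel"))
    for key in ("root_cert_url", "client_cert_url"):
        if cfg.get(key) and urlparse(cfg[key]).scheme != "https":
            findings.append(("medium", f"{key} is fetched without HTTPS"))
    return findings

# Constructed sample, modelled on the EAP-TLS example in the white paper.
SAMPLE = """\
static.network.802_1x.mode = 2
static.network.802_1x.anonymous_identity = Anonymous
static.network.802_1x.identity = yealink
static.network.802_1x.root_cert_url = http://192.168.1.8:8080/ca.crt
static.network.802_1x.client_cert_url = http://192.168.1.8:8080/client.pem
"""

if __name__ == "__main__":
    for severity, message in audit_8021x(SAMPLE):
        print(f"[{severity}] {message}")
```

Run against the sample, the check reports only the two certificate URLs, because both are served over plain HTTP.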
Log in to the web user interface of the phone.
Click on Network->Advanced.
In the 802.1x block, select the desired protocol from the pull-down list of 802.1x Mode.
If you select EAP-MD5:
Enter the user name for authentication in the Identity field.
Enter the password for authentication in the MD5 Password field.
If you select EAP-TLS:
(Optional.) Enter the anonymous user name for authentication in the Anonymous Identity field.
Enter the user name for authentication in the Identity field.
Click Upload to upload the certificates.
If you select EAP-PEAP/MSCHAPv2:
(Optional.) Enter the anonymous user name for authentication in the Anonymous Identity field.
Enter the user name for authentication in the Identity field.
Enter the password for authentication in the MD5 Password field.
In the CA Certificates field, click Browse to select the desired CA certificate (*.pem, *.crt, *.cer or *.der) from your local system.
Click Upload to upload the certificate.
If you select EAP-PEAP/GTC:
(Optional.) Enter the anonymous user name for authentication in the Anonymous Identity field.
Click Upload to upload the certificate.
If you select EAP-TTLS/EAP-GTC:
(Optional.) Enter the anonymous user name for authentication in the Anonymous Identity field.
Enter the user name for authentication in the Identity field.
Enter the password for authentication in the MD5 Password field.
A dialog box pops up to prompt that settings will take effect after a reboot.
Click OK to reboot the phone.
Connect the phone to the 802.1X-enabled network after reboot.

Note: If the Pass-thru mode is available on your new phone, you can select the Pass-thru mode from the pull-down list of DOT1XSTAT Options via web user interface.
Press , or the Switch soft key to select the desired value from the 802.1x Mode field.
If you select EAP-MD5:
Enter the user name for authentication in the Identity field.
Enter the password for authentication in the MD5 Password field.
The IP phone reboots automatically to make the settings effective after a period of time.

802.1X Authentication Process

Reboot the phone to activate the 802.1X authentication on the phone. The 802.1X authentication process is divided into two basic stages:

Pre-authentication

The 802.1X pre-authentication process begins with the IP phone that contains a supplicant...
IP phone and creates an 802.1X session. The IP phone provides its authentication information for the authenticator, and then the authenticator forwards the information to the authentication server.

Authentication

After the authentication server authenticates the IP phone, the authentication server initiates the authentication stage of the process.
Sample Screenshots – Identity

The following Wireshark screenshot shows a sample of a successful authentication process using the EAP-MD5 protocol:

The following Wireshark screenshot shows a sample of a successful authentication...
The following Wireshark screenshot shows a sample of a successful authentication process using the EAP-PEAP/MSCHAPv2 protocol:

The following Wireshark screenshot shows a sample of a successful authentication process using the EAP-TTLS/EAP-MSCHAPv2 protocol:...
The following Wireshark screenshot shows a sample of a successful authentication process using the EAP-PEAP/GTC protocol:

The following Wireshark screenshot shows a sample of a successful authentication process using the EAP-TTLS/EAP-GTC protocol:...
The following Wireshark screenshot shows a sample of a successful authentication process using the EAP-FAST protocol:

Sample Screenshots - Anonymous Identity

The following Wireshark screenshot shows a sample of a successful authentication...
The following Wireshark screenshot shows a sample of a successful authentication process with anonymous identity using the EAP-PEAP/MSCHAPv2 protocol:

The following Wireshark screenshot shows a sample of a successful authentication process with anonymous identity using the EAP-TTLS/EAP-MSCHAPv2 protocol:...
The following Wireshark screenshot shows a sample of a successful authentication process with anonymous identity using the EAP-PEAP/GTC protocol:

The following Wireshark screenshot shows a sample of a successful authentication process with anonymous identity using the EAP-TTLS/EAP-GTC protocol:...
The following Wireshark screenshot shows a sample of a successful authentication process with anonymous identity using the EAP-FAST protocol:

Troubleshooting

Why doesn’t the IP phone pass 802.1X authentication?

Do the following in sequence:
Ensure that the 802.1X authentication environment is operational.
network administrator.
Contact Yealink FAE for support when the above steps cannot solve your problem.
Capture the packet and export configurations of the phone, switch and authentication server.
Provide the related information to Yealink FAE.
Appendix B: 802.1X Authentication Process

A Successful Authentication Using EAP-MD5 Protocol

The following figure illustrates the scenario of a successful 802.1X authentication process using the EAP-MD5 protocol.
The supplicant sends an “EAPOL-Start” packet to the authenticator.
The authenticator responds with an “EAP-Request/Identity” packet to the supplicant.
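To read the exchanges in this appendix and in the Wireshark samples directly from captured bytes, the following added example (not part of the white paper) decodes EAPOL frames into the packet names used here and shows what the cleartext outer identity exposes. The function names and the frames are constructed for illustration; the EAPOL packet types and EAP method numbers are the standard IEEE 802.1X and IANA values.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 6: "GTC",
               13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}

def decode_eapol(frame: bytes) -> str:
    """Summarize one EAPOL PDU (the bytes after EtherType 0x888E)."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]          # ignores Ethernet padding after the PDU
    if len(body) < length:
        raise ValueError("EAPOL body shorter than its length field")
    if ptype != 0:
        return EAPOL_TYPES.get(ptype, f"EAPOL-type-{ptype}")
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, _ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("bad EAP length")
    label = "EAP-" + EAP_CODES.get(code, f"code-{code}")
    if code in (1, 2) and eap_len >= 5:
        method = body[4]
        label += "/" + EAP_METHODS.get(method, f"type-{method}")
        if code == 2 and method == 1:
            # The outer identity is cleartext; an anonymous identity hides the user here.
            label += " identity=" + body[5:eap_len].decode("utf-8", "replace")
    return label

def summarize(frames):
    """Decode a sequence of EAPOL PDUs in capture order."""
    return [decode_eapol(f) for f in frames]

# Constructed frames from an EAP-MD5 exchange (challenge bytes are zeros).
SAMPLE_FRAMES = [
    bytes.fromhex("01010000"),                           # EAPOL-Start
    bytes.fromhex("010000050101000501"),                 # Request/Identity
    bytes.fromhex("0100000c0201000c01") + b"yealink",    # Response/Identity
    bytes.fromhex("01000016010200160410") + bytes(16),   # Request/MD5-Challenge
    bytes.fromhex("0100000403020004"),                   # Success
]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_FRAMES)))
```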
A Successful Authentication Using EAP-TLS Protocol

The following figure illustrates the scenario of a successful 802.1X authentication process using the EAP-TLS protocol.
The supplicant sends an “EAPOL-Start” packet to the authenticator.
The authenticator responds with an “EAP-Request/Identity” packet to the supplicant.
11. The supplicant responds with an “EAP-Response” packet to the authenticator. The packet includes a TLS change cipher spec message, a client certificate message, a client key exchange message and a certificate verify message.
12.
A Successful Authentication Using EAP-PEAP/MSCHAPv2 Protocol

The following figure illustrates the scenario of a successful 802.1X authentication process using the EAP-PEAP/MSCHAPv2 protocol.
The supplicant sends an “EAPOL-Start” packet to the authenticator.
The authenticator responds with an “EAP-Request/Identity” packet to the supplicant.
The supplicant responds with an “EAP-Response” packet containing a TLS client hello handshake message to the authenticator. The TLS client hello message includes the TLS version supported by the supplicant, a session ID, a random number and a set of cipher suites.
EAP-PEAP/MSCHAPv2 protocol. For more information, refer to the network resource.

A Successful Authentication Using EAP-FAST Protocol

The 802.1X authentication process using the EAP-FAST protocol is quite similar to that using the EAP-PEAP/MSCHAPv2 protocol. For more information, refer to the network resource.
Customer Feedback

We are striving to improve our documentation quality and we appreciate your feedback. Email your opinions and comments to DocsFeedback@yealink.com.