802.1X Supplicant Operation - Avaya 4600 Series Administrator's Manual

Server Administration

802.1X Supplicant Operation

As of Release 2.7, the 4602SW+ and 4625SW IP Telephones support Supplicant operation. As
of Release 2.6, the 4610SW, 4620SW, 4621SW, and 4622SW IP Telephones support
Supplicant operation. As of software Release 2.9, Supplicant operation can be disabled using
the system parameter DOT1X.

IP telephones that support Supplicant operation also support Extensible Authentication Protocol
(EAP), but only with the MD5-Challenge authentication method as specified in IETF RFC 3748
[8.5-33a].

A Supplicant identity (ID) and password of no more than 12 numeric characters are stored in
reprogrammable non-volatile memory. The ID and password are not overwritten by telephone
software downloads. The default ID is the MAC address of the telephone, converted to ASCII
format without colon separators, and the default password is null. Both the ID and password are
set to defaults at manufacture. EAP-Response/Identity frames use the ID in the Type-Data field.
EAP-Response/MD5-Challenge frames use the password to compute the digest for the Value
field, leaving the Name field blank.
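
The two responses described above, built and checked in Python as an added example (not code from the Avaya manual or the telephone firmware). The digest construction MD5(Identifier || password || challenge) is the CHAP one from RFC 1994, which RFC 3748 points to for MD5-Challenge; the function names, MAC address, password and challenge are constructed for illustration.

```python
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2          # EAP Code values (RFC 3748)
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4  # EAP Type values (RFC 3748)

def default_identity(mac: str) -> bytes:
    """Default Supplicant ID: the MAC address as ASCII with the colons removed."""
    return mac.replace(":", "").encode("ascii")

def eap_packet(code: int, identifier: int, eap_type: int, type_data: bytes) -> bytes:
    """Code, Identifier, Length (whole packet), Type, then Type-Data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(type_data), eap_type) + type_data

def identity_response(identifier: int, identity: bytes) -> bytes:
    """EAP-Response/Identity: the ID is carried as the Type-Data."""
    return eap_packet(EAP_RESPONSE, identifier, TYPE_IDENTITY, identity)

def md5_digest(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Digest as in CHAP (RFC 1994): MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def parse_md5_packet(packet: bytes, expected_code: int):
    """Return (identifier, value) from an MD5-Challenge request or response."""
    if len(packet) < 6:
        raise ValueError("packet too short for an MD5-Challenge")
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    value_size = packet[5]
    if code != expected_code or eap_type != TYPE_MD5_CHALLENGE:
        raise ValueError("not the expected MD5-Challenge packet")
    if length > len(packet) or 6 + value_size > length:
        raise ValueError("Length or Value-Size exceeds the packet")
    return identifier, packet[6:6 + value_size]  # anything after Value is Name

def md5_challenge_response(request: bytes, password: bytes) -> bytes:
    """Supplicant side: digest in the Value field, Name field left blank."""
    identifier, challenge = parse_md5_packet(request, EAP_REQUEST)
    digest = md5_digest(identifier, password, challenge)
    return eap_packet(EAP_RESPONSE, identifier, TYPE_MD5_CHALLENGE,
                      bytes([len(digest)]) + digest)

def verify_response(response: bytes, password: bytes, challenge: bytes) -> bool:
    """Authenticator side: recompute the digest and compare in constant time."""
    identifier, value = parse_md5_packet(response, EAP_RESPONSE)
    return hmac.compare_digest(value, md5_digest(identifier, password, challenge))

if __name__ == "__main__":  # constructed sample values, not from the manual
    req = eap_packet(EAP_REQUEST, 7, TYPE_MD5_CHALLENGE, b"\x10" + bytes(range(16)))
    print(verify_response(md5_challenge_response(req, b"123456"), b"123456", bytes(range(16))))
```

RFC 3748 lists MD5-Challenge as providing no mutual authentication, no key derivation and no dictionary-attack protection, which is worth weighing where it is the only EAP method a device supports.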

When a telephone is installed for the first time and 802.1X is in effect, the dynamic address
process prompts the installer to enter the Supplicant identity and password. The IP telephone
does not accept null value passwords. See "Dynamic Addressing" in the 4600 Series IP
Telephone Installation Guide. The IP telephone stores 802.1X credentials when successful
authentication is achieved. Post-installation authentication attempts occur using the stored
802.1X credentials, without prompting the user for ID and password entry.

An IP telephone can support several different 802.1X authentication scenarios, depending on
the capabilities of the Ethernet data switch to which it is connected. Some switches may
authenticate only a single device per switch port. This is known as single-supplicant or
port-based operation. These switches typically send multicast 802.1X packets to authenticating
devices.

These switches support the following three scenarios:

- Standalone telephone (Telephone Only Authenticates) - When the IP telephone is
  configured for Supplicant Mode (DOT1X=2), the telephone can support authentication
  from the switch.
- Telephone with attached PC (Telephone Only Authenticates) - When the IP telephone
  is configured for Supplicant Mode (DOT1X=2), the telephone can support authentication
  from the switch. The attached PC in this scenario gains access to the network without
  being authenticated.
- Telephone with attached PC (PC Only Authenticates) - When the IP telephone is
  configured for Pass-Through Mode or Pass-Through Mode with Logoff (DOT1X=0 or 1),
  an attached PC running 802.1X supplicant software can be authenticated by the data
  switch. The telephone in this scenario gains access to the network without being
  authenticated.

Some switches support authentication of multiple devices connected through a single switch
port. This is known as multi-supplicant or MAC-based operation. These switches typically send
96 4600 Series IP Telephone LAN Administrator Guide
