Avaya 4600 User Manual

IEEE 802.1X
Issue 4 August 2006
 
802.1X Pass-Through and Proxy Logoff
As of Release 2.2.3, IP telephones support pass-through of 802.1x packets to and from an 
attached PC. This enables an attached PC running 802.1x supplicant software to be 
authenticated by an Ethernet data switch.
As of Release 2.6, the IP telephones support two pass-through modes: pass-through and 
pass-through with proxy logoff. 
The DOT1X parameter setting controls the pass-through mode. In Proxy Logoff mode 
(DOT1X=1), when the secondary Ethernet interface loses link integrity, the telephone sends an 
802.1X EAPOL-Logoff message to the data switch on behalf of the attached PC. The message 
alerts the switch that the device is no longer present. For example, a message would be sent 
when the attached PC is physically disconnected from the IP telephone. When DOT1X = 0 or 2, 
the Proxy Logoff function is not supported.
802.1X Supplicant Operation
As of Release 2.6, the 4602SW+, 4610SW, 4620SW, 4621SW, and 4622SW IP Telephones 
support Supplicant operation. 
IP telephones that support Supplicant operation also support Extensible Authentication Protocol 
(EAP), but only with the MD5-Challenge authentication method as specified in IETF RFC 3748 
[8.5-33a]. 
A Supplicant identity (ID) and password of no more than 12 numeric characters are stored in 
reprogrammable non-volatile memory. The ID and password are not overwritten by telephone 
software downloads. The default ID is the MAC address of the telephone, converted to ASCII 
format without colon separators, and the default password is null. Both the ID and password are 
set to defaults at manufacture. EAP-Response/Identity frames use the ID in the Type-Data field. 
EAP-Response/MD5-Challenge frames use the password to compute the digest for the Value 
field, leaving the Name field blank.
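
The two Supplicant frames described above, built as an added Python example (not code from the manual or from Avaya telephone software). The function names are hypothetical, the digest formula is the CHAP-style one that RFC 3748 adopts for MD5-Challenge, and the MAC address, password, identifiers and challenge are constructed sample values.

```python
import hashlib
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2          # EAP Code values (RFC 3748)
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4  # EAP Type values (RFC 3748)


def default_identity(mac: str) -> bytes:
    """Default Supplicant ID: MAC address as ASCII, colon separators removed.
    Letter case is kept as given (assumption; the manual does not state it)."""
    return mac.replace(":", "").encode("ascii")


def eap_packet(code: int, identifier: int, eap_type: int, type_data: bytes) -> bytes:
    """Code(1) | Identifier(1) | Length(2) | Type(1) | Type-Data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(type_data), eap_type) + type_data


def identity_response(identifier: int, identity: bytes) -> bytes:
    """EAP-Response/Identity: the ID travels in the Type-Data field."""
    return eap_packet(EAP_RESPONSE, identifier, TYPE_IDENTITY, identity)


def md5_challenge_response(request: bytes, password: bytes) -> bytes:
    """Answer an EAP-Request/MD5-Challenge; the Name field is left blank."""
    if len(request) < 6:
        raise ValueError("request too short")
    code, identifier, length, eap_type = struct.unpack("!BBHB", request[:5])
    value_size = request[5]
    if code != EAP_REQUEST or eap_type != TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    if length > len(request) or 6 + value_size > length or value_size == 0:
        raise ValueError("malformed or truncated challenge")
    challenge = request[6:6 + value_size]
    # Digest as in CHAP (RFC 1994): MD5(Identifier || password || challenge)
    digest = hashlib.md5(bytes([identifier]) + password + challenge).digest()
    return eap_packet(EAP_RESPONSE, identifier, TYPE_MD5_CHALLENGE,
                      bytes([len(digest)]) + digest)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real telephone or switch.
    ident = default_identity("00:11:22:AA:BB:CC")
    challenge = bytes(range(16))
    request = eap_packet(EAP_REQUEST, 7, TYPE_MD5_CHALLENGE, bytes([16]) + challenge)
    print(identity_response(6, ident).hex())
    print(md5_challenge_response(request, b"123456").hex())
```
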
When a telephone is installed for the first time and 802.1x is in effect, the dynamic address 
process prompts the installer to enter the Supplicant identity and password. The IP telephone 
does not accept null value passwords. See “Dynamic Addressing” in the 4600 Series IP 
Telephone Installation Guide. The IP telephone stores 802.1X credentials when successful 
authentication is achieved. Post-installation authentication attempts occur using the stored 
802.1X credentials, without prompting the user for ID and password entry.
An IP telephone can support several different 802.1X authentication scenarios, depending on 
the capabilities of the Ethernet data switch to which it is connected. Some switches may 
authenticate only a single device per switch port. This is known as single-supplicant or 
port-based operation. These switches typically send multicast 802.1X packets to authenticating 
devices.