
Defaults

By default, the phone does not perform its own 802.1X authentication, does not pass EAPOL frames through from its PC port to its LAN port, and does not send an automatic logoff on behalf of PC-port-attached clients.  Each of these options must be turned on explicitly.

Recommended Firmware

For D6x phones, use firmware 2_2_0_4_5a54ff2 or later.  Earlier versions may fail to validate certificate start dates or may have problems with the TTLS methods.  For D40, D45, D50 and D70 model phones, firmware 2.2.0.8 or later is recommended.

Compatibility

On firmware prior to 2.2.0.8, the D40, D45, D50 and D70 models support only EAP pass-through, EAPOL auto-logoff and EAP-MD5 authentication.  All other 802.1X methods are supported on the D60, D62 and D65 models, and on the D40, D45, D50 and D70 models running firmware 2.2.0.8 or later.

Important Notes

Client certificates must contain both the private key and the certificate within the PEM or CER file.

Root Certificates have been tested in PEM, DER, CRT and CER format.
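The following pre-flight check is an added example and is not Digium's code; it enforces the two notes above before the certificate files are hosted for the phone to fetch. A client certificate file must carry both the certificate and its private key, and a root CA file may arrive as PEM or DER (the .crt and .cer extensions are used for either), so the checker normalises the root to PEM. The sample inputs in the test are constructed stand-ins with base64 filler, not real certificates, and only exercise the file-format logic.

```python
import re
import ssl

# One PEM block: "-----BEGIN <label>-----", base64 body, matching "-----END <label>-----".
PEM_BLOCK = re.compile(
    rb"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----"
)
# Labels that denote an unencrypted private key in the common PEM encodings.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_labels(data):
    """Return the labels of all PEM blocks in the file, in order."""
    return [m.group("label").decode() for m in PEM_BLOCK.finditer(data)]


def is_der(data):
    """DER-encoded X.509 starts with an ASN.1 SEQUENCE tag (0x30); PEM is ASCII armour."""
    return len(data) > 0 and data[0] == 0x30 and b"-----BEGIN" not in data


def check_client_bundle(data):
    """Return (ok, problems) for a client certificate file destined for the phone.

    The phone needs the certificate and its private key in the same PEM file,
    so both block types must be present.
    """
    problems = []
    labels = pem_labels(data)
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if not any(label in KEY_LABELS for label in labels):
        problems.append("no private key block")
    return (not problems, problems)


def normalise_root_ca(data):
    """Return the root CA as PEM text whether the input file was PEM or DER."""
    if is_der(data):
        # ssl.DER_cert_to_PEM_cert only re-armours the bytes; it does not parse them.
        return ssl.DER_cert_to_PEM_cert(data)
    labels = pem_labels(data)
    if labels != ["CERTIFICATE"]:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {labels}")
    return data.decode("ascii")


def pem_to_der(pem_text):
    """Inverse of normalise_root_ca for a PEM certificate (strips armour, base64-decodes)."""
    return ssl.PEM_cert_to_DER_cert(pem_text)
```

This only checks file structure. With real files, `ssl.create_default_context().load_cert_chain(path)` goes further: it raises `ssl.SSLError` if the private key is missing from the file or does not match the certificate, which is the check to run before pointing a phone at the bundle.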

For methods where validating the certificate of the authentication server (the RADIUS/EAP server behind the switch, not the switch itself) is optional, it is strongly recommended to enable it.  Without it, the phone will complete the TLS tunnel with any server that answers and hand it the inner credentials, which for MSCHAPv2 is a crackable challenge/response and for GTC is the plaintext password.

EAP-MD5

To configure EAP-MD5 for the phone, users should set the following:

With this method set, the user must supply a username, an anonymous identifier (which can be the special-case literal PHONE_MAC, which causes the phone to send its own MAC address as the anonymous identifier) and a password.  Some systems require the regular username to be transmitted as the anonymous identifier.  Note that EAP-MD5 provides no server authentication and no encryption of the exchange, and a captured challenge/response pair can be attacked offline, so prefer one of the TLS-tunnelled methods below on firmware that supports them.

802.1X Pass-through and EAPOL Auto-Logoff

To configure pass-through, users should set:

By default, both values are zero, meaning that pass-through is blocked and no auto-logoff occurs.  When pass-through is enabled, the phone forwards EAPOL frames through its internal switch from the PC-port-attached device to the ethernet switch attached to the LAN port, so that device can authenticate to the upstream authenticator in its own right.  When auto-logoff is enabled, the phone records the MAC address of every device it sees sending EAPOL frames from the PC port to the LAN port and, when the PC port loses link, sends an EAPOL-Logoff to the upstream authenticator on behalf of that device, using the device's MAC as the source address.  This matters because the switch port never sees the PC's link drop (the phone's own link stays up), so without the logoff the PC's authenticated session would remain open for whatever is plugged into the PC port next.
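The pass-through and auto-logoff behaviour described above, as an added example that models it in Python; this is not the phone firmware's code. It parses EAPOL frames seen on the PC port, remembers the source MAC of each supplicant that sent one, and on PC-port link-down builds the EAPOL-Logoff frame that goes to the 802.1X PAE group address with the departed device's MAC as source. Frame layout (EtherType 0x888E; EAPOL header of version, packet type and body length; Logoff is type 2 with an empty body) is per IEEE 802.1X. The `PcPortAutoLogoff` class and its method names are this example's own, and the frames in the test are constructed.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # 802.1X PAE multicast address
EAPOL_VERSION = 2  # 802.1X-2004 protocol version field

# EAPOL packet types from IEEE 802.1X.
EAPOL_EAP_PACKET = 0
EAPOL_START = 1
EAPOL_LOGOFF = 2
EAPOL_KEY = 3


def parse_ethernet(frame):
    """Return (dst, src, ethertype, payload), or None if the frame is too short."""
    if len(frame) < 14:
        return None
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return dst, src, ethertype, frame[14:]


def parse_eapol(payload):
    """Return (version, packet_type, body) from an EAPOL payload, or None if malformed."""
    if len(payload) < 4:
        return None
    version, ptype, length = struct.unpack("!BBH", payload[:4])
    if len(payload) - 4 < length:
        return None  # body length claims more bytes than the frame carries
    return version, ptype, payload[4:4 + length]


def build_eapol_logoff(src_mac, version=EAPOL_VERSION):
    """Build an Ethernet frame carrying EAPOL-Logoff, sourced from src_mac."""
    eapol = struct.pack("!BBH", version, EAPOL_LOGOFF, 0)  # Logoff has no body
    return PAE_GROUP_ADDRESS + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


class PcPortAutoLogoff:
    """Tracks supplicants behind the PC port and emits logoffs on their behalf."""

    def __init__(self):
        self.known = {}  # source MAC -> EAPOL version that device used

    def observe_pc_port_frame(self, frame):
        """Called for each frame arriving on the PC port.

        Returns True if the frame is EAPOL and should be passed through to the
        LAN port; non-EAPOL frames are not the concern of this logic.
        """
        eth = parse_ethernet(frame)
        if eth is None or eth[2] != ETHERTYPE_EAPOL:
            return False
        _, src, _, payload = eth
        eapol = parse_eapol(payload)
        if eapol is None:
            return False
        version, ptype, _ = eapol
        if ptype in (EAPOL_START, EAPOL_EAP_PACKET):
            self.known[src] = version  # device is (re)authenticating upstream
        elif ptype == EAPOL_LOGOFF:
            self.known.pop(src, None)  # device logged itself off; nothing to do later
        return True

    def pc_port_link_down(self):
        """Called when the PC port loses link: returns the logoff frames to send upstream."""
        frames = [build_eapol_logoff(mac, ver) for mac, ver in self.known.items()]
        self.known.clear()
        return frames
```

On a real system the frames would be read and written on raw sockets (for example `AF_PACKET` on Linux) bound to the PC-side and LAN-side interfaces; that plumbing is deliberately left out so the protocol logic stands alone.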

EAP-PEAPv0/MSCHAPv2

To configure EAP-PEAPv0/MSCHAPv2, users should set:

This sets the method to EAP-PEAPv0/MSCHAPv2 and passes in the supplied username and password.

It is also possible for the phone to validate the CA certificate of the server.  If this behavior is desired, the following option should also be set:

Here, the user should specify the URL from which the phone can retrieve the CA pem file as well as the name of the pem file in the value field.

EAP-TLS

To configure EAP-TLS, users should set:

EAP-TLS requires an identity, a CA certificate and a client certificate; as noted above, the client certificate file must contain the private key as well as the certificate.

EAP-PEAPv0/EAP-GTC

To configure EAP-PEAPv0/EAP-GTC, users should set:

This sets the method to EAP-PEAPv0/EAP-GTC and passes in the supplied username and password.

It is also possible for the phone to validate the CA certificate of the server.  If this behavior is desired, the following option should also be set:

Here, the user should specify the URL from which the phone can retrieve the CA pem file as well as the name of the pem file in the value field.

EAP-TTLS/EAP-MSCHAPv2

To configure EAP-TTLS/EAP-MSCHAPv2, users should set:

This sets the method to EAP-TTLS/EAP-MSCHAPv2 and passes in the supplied username and password.

It is also possible for the phone to validate the CA certificate of the server.  If this behavior is desired, the following option should also be set:

Here, the user should specify the URL from which the phone can retrieve the CA pem file as well as the name of the pem file in the value field.

EAP-TTLS/GTC

To configure EAP-TTLS/GTC, users should set:

This sets the method to EAP-TTLS/GTC and passes in the supplied username and password.

It is also possible for the phone to validate the CA certificate of the server.  If this behavior is desired, the following option should also be set:

Here, the user should specify the URL from which the phone can retrieve the CA pem file as well as the name of the pem file in the value field.

Debugging

To configure 802.1X debugging, users should set:

or:

for even more verbose logs.

If 802.1X logins fail, enable debugging, reboot the phone, let it attempt to authenticate and fail, then manually bring the switch port up (for example by temporarily authorizing it on the switch) so the phone can acquire an IP address, and capture a phone debug by pointing a web browser at:

http://[ip address of phone]/cgi-bin/ptsr

The resulting debug file should be provided to Digium's Support department.

Replacing Certificates

When a phone is factory defaulted, any stored certificates are deleted.

If a phone needs to switch to a different certificate, the value parameter of the certificate definition must be changed.  When the phone detects that the retrieved value differs from the stored value, it loads the new certificate.  An example:

Where a phone has previously been configured with a CA certificate such as:

and the administrator needs to provide an updated CA certificate, this is effected by changing the value name, e.g.:

This causes the phone to download the new certificate, from the same or from a newly specified URL, and store and reference it locally as "ca-new.pem".

Disabling 802.1X Authentication

By default, a phone performs no 802.1X authentication.  802.1X is disabled when the following parameter is configured as null, which is the default:

Any additional 8021x_method_xyz parameters are ignored when 8021x_method is null.
