Defaults

By default, the phone does not perform its own 802.1X authentication nor does the phone allow pass-through of EAPOL packets nor does it perform automatic logoff of PC-port attached clients.  All of these options must be turned on.

Recommended Firmware

For D6x phones, it is recommended to use firmware 2_2_0_4_5a54ff2 or greater.  Versions prior to this may experience problems when validating certificate start dates or TTLS methods.  For D40, D45, D50, and D70 model phones, firmware 2.2.0.8 or greater is recommended.

Compatibility

D40, D45, D50 and D70 models only support EAP pass-through, EAPOL auto-logoff, and EAP-MD5 authentication for firmware versions prior to 2.2.0.8.  All other methods of 802.1X authentication are supported on D60, D62 and D65 model phones only, or on D40, D45, D50 and D70 models with firmware 2.2.0.8 or greater.

Important Notes

Client certificates must contain both the private key and the certificate within the PEM or CER file.

...

For methods where it's optional to validate the CA certificate of the Authenticator, it's highly recommended to do so for security reasons.

EAP-MD5

To configure EAP-MD5 for the phone, users should set the following:

...

With this method set, a user must supply their username, an anonymous identifier (which can be the special-case literal PHONE_MAC, which causes the phone to send its own MAC address as the anonymous identifier), and their password.  Some systems may require the regular username to be transmitted as the anonymous identifier.

802.1X Pass-through and EAPOL Auto-Logoff

To configure pass-through, users should set:

...

By default, these values are zero, meaning that pass-through is blocked and no auto-logoff occurs.  When pass-through is enabled, the phone will allow EAPOL packets to traverse its internal switch (from the PC port-attached device to the upstream LAN port-attached ethernet switch).  When EAPOL disconnect is enabled, the phone will keep a record of the MAC addresses of all devices that it sees sending EAPOL events from the PC port to the LAN port and will, when the PC port-attached device drops link, send an EAPOL Logoff message to the upstream authenticator on behalf of the device, using that device's MAC address as the source.
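The pass-through and auto-logoff behaviour described above, modelled as an added Python example (this is not Digium firmware code). It parses untagged EAPOL frames seen on the PC port, keeps the MAC table the phone keeps, and on link loss reports the logoff records the phone would emit; the sample frames, the PC MAC and the use of the 802.1X PAE group address as destination are constructed assumptions for the demo.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address (assumed destination)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}


def parse_eapol(frame: bytes):
    """Return (src_mac, eapol_type) for a well-formed untagged EAPOL frame, else None."""
    if len(frame) < 18:                          # 14-byte Ethernet header + 4-byte EAPOL header
        return None
    src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    if version not in (1, 2, 3) or ptype not in EAPOL_TYPES:
        return None
    if len(frame) - 18 < body_len:               # truncated body: do not trust it
        return None
    return src.hex(":"), EAPOL_TYPES[ptype]


class AutoLogoffTracker:
    """Model of the phone's PC-port EAPOL handling with both options configurable."""

    def __init__(self, passthrough: bool = True, auto_logoff: bool = True):
        self.passthrough = passthrough
        self.auto_logoff = auto_logoff
        self.macs = {}                           # dict used as an insertion-ordered set

    def observe_pc_port(self, frame: bytes) -> bool:
        """Return True if the frame is forwarded from the PC port to the LAN port."""
        parsed = parse_eapol(frame)
        if parsed is None:
            return True                          # ordinary traffic is switched as usual (assumption)
        if not self.passthrough:
            return False                         # default setting: EAPOL is blocked
        self.macs[parsed[0]] = True              # remember every MAC that sent EAPOL
        return True

    def pc_link_down(self) -> list:
        """On PC-port link loss, return one EAPOL-Logoff record per tracked MAC."""
        if not self.auto_logoff:
            return []
        logoffs = [{"src": m, "dst": PAE_GROUP_ADDR.hex(":"), "type": "EAPOL-Logoff"} for m in self.macs]
        self.macs.clear()
        return logoffs


# Constructed sample frames for the demo: an EAPOL-Start from a PC and an ARP frame.
PC_MAC = bytes.fromhex("001122334455")
SAMPLE_START = PAE_GROUP_ADDR + PC_MAC + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, 1, 0)
SAMPLE_ARP = b"\xff" * 6 + PC_MAC + struct.pack("!H", 0x0806) + b"\x00" * 28
```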

EAP-PEAPv0/MSCHAPv2

To configure EAP-PEAPv0/MSCHAPv2, users should set:

...

Here, the user should specify the URL from which the phone can retrieve the CA pem file as well as the name of the pem file in the value field.

EAP-TLS

To configure EAP-TLS, users should set:

...

EAP-TLS requires an identity, a CA cert and a client certificate.  

EAP-PEAPv0/EAP-GTC

To configure EAP-PEAPv0/EAP-GTC, users should set:

...

Here, the user should specify the URL from which the phone can retrieve the CA pem file as well as the name of the pem file in the value field.

EAP-TTLS/EAP-MSCHAPv2

To configure EAP-TTLS/EAP-MSCHAPv2, users should set:

...

Here, the user should specify the URL from which the phone can retrieve the CA pem file as well as the name of the pem file in the value field.

EAP-TTLS/GTC

To configure EAP-TTLS/GTC, users should set:

...

Here, the user should specify the URL from which the phone can retrieve the CA pem file as well as the name of the pem file in the value field.

Debugging

To configure 802.1X debugging, users should set:

...

The resulting debug file should be provided to Digium's Support department.

Replacing Certificates

When a phone is factory defaulted, any stored certificates are deleted.

...

This will cause the phone to download the certificate again, from the same or from a newly specified URL; the new certificate will be stored and referenced locally on the phone as "ca-new.pem".

Disabling 802.1X Authentication

By default, a phone will not perform any 802.1X authentication.  The phone disables 802.1X authentication when the following parameter is configured as null, which is the default:

...