IEEE 802.1X
Issue 1 June 2007
71
802.1X Pass-Through and Proxy Logoff
1600 Series IP Telephones with a secondary Ethernet interface support pass-through of 802.1X
packets to and from an attached PC. This enables an attached PC running 802.1X supplicant
software to be authenticated by an Ethernet data switch.
The IP Telephones support two pass-through modes:
●
pass-through and
●
pass-through with proxy logoff.
The DOT1X parameter setting controls the pass-through mode. In Proxy Logoff mode
(DOT1X=1), when the secondary Ethernet interface loses link integrity, the telephone sends an
802.1X EAPOL-Logoff message to the data switch on behalf of the attached PC. The message
alerts the switch that the device is no longer present. For example, a message would be sent
when the attached PC is physically disconnected from the IP telephone. When DOT1X = 0 or 2,
the Proxy Logoff function is not supported.
802.1X Supplicant Operation
1600 IP Telephones that support Supplicant operation also support Extensible Authentication
Protocol (EAP), but only with the MD5-Challenge authentication method as specified in IETF
RFC 3748 [8.5-33a].
A Supplicant identity (ID) and password of no more than 12 numeric characters are stored in
reprogrammable non-volatile memory. The ID and password are not overwritten by telephone
software downloads. The default ID is the MAC address of the telephone, converted to ASCII
format without colon separators, and the default password is null. Both the ID and password are
set to defaults at manufacture. EAP-Response/Identity frames use the ID in the Type-Data field.
EAP-Response/MD5-Challenge frames use the password to compute the digest for the Value
field, leaving the Name field blank.
When a telephone is installed for the first time and 802.1x is in effect, the dynamic address
process prompts the installer to enter the Supplicant identity and password. The IP telephone
does not accept null value passwords. See “Dynamic Addressing Process” in the
Avaya
one-X™ Deskphone Value Edition for 1600 Series IP Telephones Installation and Maintenance
Guide
. The IP telephone stores 802.1X credentials when successful authentication is achieved.
Post-installation authentication attempts occur using the stored 802.1X credentials, without
prompting the user for ID and password entry.
An IP telephone can support several different 802.1X authentication scenarios, depending on
the capabilities of the Ethernet data switch to which it is connected. Some switches may
authenticate only a single device per switch port. This is known as single-supplicant or
port-based operation. These switches typically send multicast 802.1X packets to authenticating
devices.
These switches support the following three scenarios: