Single Authentication
A server certificate, user name, and password are required to establish TLS connection between the
IP Deskphone and the provisioning server. The server certificate must be signed by a certificate
authority. The IP Deskphone uses the server certificate to validate the identity of the provisioning
server that the IP Deskphone is connected to; the provisioning server uses the user name and
password to authenticate the IP Deskphone. The IP Deskphone must be preloaded with the root
certificate used in signing the server certificate. The root certificate is downloaded to the
IP Deskphone by connecting to a provisioning server through EAP-MD5, and using one of the
insecure protocols supported by the IP Deskphone, such as HTTP, TFTP or FTP. EAP-MD5
ensures that the connection between the IP Deskphone and the provisioning server is secure. The
user name and password are required to authenticate the IP Deskphone to the provisioning server
and must be loaded in a secure manner before the IP Deskphone establishes the HTTPS
connection with the provisioning server. There is no mechanism for getting a user name and
password on the IP Deskphone in a secure "no-touch" manner; the IP Deskphone must be deployed
to a secure network where the TFTP download of insecure files is not transmitted over an insecure
network.
Mutual Authentication
A device certificate and server certificate are required to establish TLS connection between the
IP Deskphone and the provisioning server. The server certificate must be signed by a certificate
authority. The IP Deskphone uses the server certificate to validate the identity of the provisioning
server that the IP Deskphone is connected to; the provisioning server uses the device certificate to
validate the identify of the IP Deskphone. The IP Deskphone must be preloaded with the root
certificate used in signing the server certificate. The root certificate is downloaded to the
IP Deskphone by connecting to a provisioning server through EAP-MD5, and using one of the
insecure protocols supported by the IP Deskphone, such as HTTP, TFTP or FTP. EAP-MD5
ensures that the connection between the IP Deskphone and the provisioning server is secure. The
administrator can use the existing device certificates, such as EAP-TLS or SIP-TLS device
certificate, instead of having a special device certificate for HTTPS, to establish mutual
authentication. For details about device certificate installation and certificate profiles, see
Device
certificate installation on page 247.
Security and error logs
You can access the Security Log and the Error Log to view errors and failures that may have
occurred during the operation of the IP Deskphone.
Before you can access the Security and Error Logs, you must configure the Security Policy file with
the following parameter:
Certificate-based authentication
270 SIP Software for Avaya 1200 Series IP Deskphones-Administration March 2015
Comments? infodev@avaya.com
To Next Page
Loading...
