EAP-TLS support for authentication
You can use EAP-TLS as the 802.1X authentication method. To activate this mode, add the
parameter DOT1XEAPS to the settings file; its valid values are MD5 and TLS, and the default value
is MD5. EAP-TLS, as specified in RFC 2716 (since obsoleted by RFC 5216), is used if and only if an
identity certificate is present on the deskphone and the value of DOT1XEAPS is TLS. Because the
new method may require a different credential (EAP-TLS authenticates with a digital certificate), if
you have enabled the Supplicant on the phone and the value of DOT1XEAPS changes, the Supplicant
transmits an EAPOL-Logoff message and returns to the CONNECTING state so that it reauthenticates
with the new method.
Related links
Enabling certificate support on page 105
Activating EAP-TLS for authentication on page 106
Scenarios for using EAP-TLS based authentication on page 107
Deploying EAP-TLS based authentication for phones using 802.1x and MD5 on page 107
Deploying EAP-TLS on phones running without any type of 802.1x authentication on page 109
Enabling certificate support
You can use Simple Certificate Enrollment Protocol (SCEP) to provision an identity certificate for
use with certificate-based VPN authentication methods. The 802.1X EAP-TLS method also uses
the identity certificate for authentication. When you use TLS with HTTPS, the identity certificate
can authenticate the phone to the server for operations such as saving agent greetings or
performing a backup or restore. The phone stores the identity certificate and presents it during
the TLS handshake: when the phone is acting as a server, it presents the certificate as required;
when the phone is acting as a client, it transmits the certificate when the server requests a client
certificate. The 9600 Series IP Deskphones support Media Encryption (SRTP) and use built-in
Avaya certificates for trust management. Trust management includes downloading certificates and
managing policies for additional trusted Certificate Authorities (CAs). SCEP handles identity
management, that is, the phone certificates and their private keys. You can use SCEP for your
VPN operation or for standard enterprise network operation. Alternatively, you can download a
PKCS #12 file that contains an identity certificate and its private key; in that case you must enter
the password that protects the PKCS #12 file on the phone after it reboots.
Before you begin
For SCEP servers that are outside the corporate firewall, configure the phones that use a VPN
connection to reach the SCEP server through an HTTP proxy server. In this case, use the
WMLPROXY system parameter to specify the HTTP proxy server.
When the phone initiates SCEP, it attempts to contact the SCEP server over HTTP, using the value
of the configuration parameter MYCERTURL as the URI; SCEP supports an HTTP proxy server. The
phone generates a private/public key pair, where the length of each key is the value of the
configuration parameter MYCERTKEYLEN. The certificate request is built from the public key and
the values of the configuration parameters MYCERTCAID, MYCERTCN, MYCERTDN, and
SCEPPASSWORD. Note that SCEPPASSWORD is the SCEP challenge password: anyone who can
read the settings file can read it, so restrict access to the settings file and prefer a one-time or
time-limited challenge password on the CA.
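The following script is an added example, not Avaya's code, covering both the DOT1XEAPS rules above and the SCEP parameters in this section. It parses a settings file in the SET NAME VALUE form of 46xxsettings.txt, derives the EAP method that is actually in effect (TLS only when DOT1XEAPS is TLS and an identity certificate is present), collects the values the phone's SCEP request uses and flags review findings, and models the Supplicant's EAPOL-Logoff / CONNECTING reaction to a DOT1XEAPS change. The hostnames, CA name, CN, DN and password in the sample file are constructed; the minimum key length and the non-CONNECTING state names are the example's own choices, not Avaya requirements.

```python
"""Settings-file checks for EAP-TLS and SCEP enrollment (added example,
not Avaya's code).  Parameter names are those on this page; the
SET NAME VALUE line form is that of 46xxsettings.txt; all values are
constructed."""
import re

# Constructed sample settings file (not a real deployment).
SAMPLE_SETTINGS = """\
## EAP-TLS via SCEP - constructed example
SET DOT1XEAPS TLS
SET MYCERTURL http://scep.example.com/certsrv/mscep/mscep.dll
SET MYCERTKEYLEN 2048
SET MYCERTCAID ExampleCA
SET MYCERTCN phone-9611g-lab01
SET MYCERTDN /O=Example/OU=Phones
SET SCEPPASSWORD s3cret-challenge
SET WMLPROXY proxy.example.com:8080
"""

SET_LINE = re.compile(r"^\s*SET\s+([A-Z0-9_]+)\s+(.*?)\s*$")


def parse_settings(text):
    """Return {NAME: value} from SET lines; '#' comment lines are skipped
    and a later SET of the same name overrides an earlier one."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SET_LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2).strip('"')
    return params


def effective_eap_method(params, identity_cert_present):
    """EAP-TLS is in effect only when DOT1XEAPS is TLS and an identity
    certificate is on the phone; otherwise MD5 (also the default)."""
    mode = params.get("DOT1XEAPS", "MD5").upper()
    if mode not in ("MD5", "TLS"):
        raise ValueError(f"DOT1XEAPS must be MD5 or TLS, got {mode!r}")
    return "TLS" if mode == "TLS" and identity_cert_present else "MD5"


def scep_request(params, via_vpn=False):
    """Assemble what the phone's SCEP enrollment uses, plus review findings."""
    findings = []
    try:
        key_len = int(params.get("MYCERTKEYLEN", "0"))
    except ValueError:
        key_len = 0
    if key_len < 2048:  # reviewer's recommendation, not an Avaya requirement
        findings.append(f"MYCERTKEYLEN={key_len}: use at least 2048-bit RSA")
    url = params.get("MYCERTURL", "")
    if not url.startswith(("http://", "https://")):
        findings.append("MYCERTURL missing or not an HTTP(S) URI")
    if not params.get("SCEPPASSWORD"):
        findings.append("SCEPPASSWORD empty: CA cannot tie the request to an "
                        "authorised enrollment")
    proxy = params.get("WMLPROXY") if via_vpn else None  # proxy only over VPN
    if via_vpn and not proxy:
        findings.append("SCEP reached over VPN but WMLPROXY is not set")
    request = {
        "url": url, "proxy": proxy, "key_len": key_len,
        "ca_id": params.get("MYCERTCAID", ""),
        "cn": params.get("MYCERTCN", ""),
        "dn": params.get("MYCERTDN", ""),
        "challenge": params.get("SCEPPASSWORD", ""),
    }
    return request, findings


class Supplicant:
    """If the Supplicant is enabled and DOT1XEAPS changes, it transmits
    EAPOL-Logoff and re-enters CONNECTING.  Other state names are
    illustrative choices of this example."""

    def __init__(self, enabled, dot1xeaps="MD5"):
        self.enabled = enabled
        self.dot1xeaps = dot1xeaps.upper()
        self.state = "AUTHENTICATED" if enabled else "DISABLED"
        self.sent = []  # EAPOL frames the model "transmits"

    def set_dot1xeaps(self, value):
        value = value.upper()
        if value not in ("MD5", "TLS"):
            raise ValueError(value)
        changed = value != self.dot1xeaps
        self.dot1xeaps = value
        if self.enabled and changed:
            self.sent.append("EAPOL-Logoff")
            self.state = "CONNECTING"
        return self.state


if __name__ == "__main__":
    p = parse_settings(SAMPLE_SETTINGS)
    print("EAP method:", effective_eap_method(p, identity_cert_present=True))
    print(*scep_request(p, via_vpn=True))
    s = Supplicant(enabled=True, dot1xeaps="MD5")
    print(s.set_dot1xeaps("TLS"), s.sent)
```

Run it against your own settings file by replacing SAMPLE_SETTINGS with the file's contents; a phone that has DOT1XEAPS set to TLS but no identity certificate yet is reported as MD5, which is the state you are in before SCEP enrollment or the PKCS #12 import completes.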
Administering Deskphone Options
March 2018 Administering Avaya 9608/9608G/9611G/9621G/9641G/9641GS IP Deskphones H.323 105
Comments on this document? infodev@avaya.com