Aastra Telecom 41-001343-02 IP Phone User Manual


 
Advanced Operational Features
6-20 41-001343-02 REV04 – 05.2014
802.1x Support
The IP phones support the IEEE 802.1x protocol. The 802.1x protocol is a standard for passing Extensible Authentication Protocol (EAP) over a wired or wireless Local Area Network (LAN).
The 802.1x protocol on the IP phone facilitates media-level access control, and offers the capability to permit or deny network connectivity, control LAN access, and apply traffic policy, based on user or endpoint identity. This feature supports both the EAP-MD5 and EAP-TLS protocols.
If 802.1x is enabled on the phone, an “802.1x Authenticating...” message displays during startup of the phone.
If 802.1x authentication with the server fails, the phone continues its normal startup process using DHCP. However, the network port on the phone may or may not be disabled, depending on the switch configuration.
Certificates and Private Key Information
If the certificates and private key are NOT stored in the phone, either:
- the phone connects to an open unauthenticated VLAN and the certificates are downloaded, or
- the phone connects using EAP-MD5 to a restricted VLAN and the certificates are downloaded.
If the certificates and private key ARE stored in the phone, the phone uses them during the authentication process.
If the phone authenticates successfully using EAP-TLS, it downloads the latest certificate and private key files after it reboots.
The private key file is encrypted using AES-128.
Switch Supplicant Mode - The switch supports the following two modes:
Single supplicant - This mode enables the port once any machine connected to this port is authenticated. For security reasons, the IP phone has the option to disable the pass-through port.
Multiple supplicants - In this mode, the switch can support multiple clients connected to the same port. The switch distinguishes between the clients based on their MAC address.
Factory default and recovery mode delete all certificates and private keys, and set the EAP type to disabled.
You can configure the 802.1x feature on the IP phone using the configuration files, the IP Phone UI, or the Aastra Web UI.
5. Enter the certificate file names and the private key file name in the appropriate fields.
The Root and Intermediate Certificate files contain one root certificate and zero or more intermediate certificates, which must be placed in order of certificate signing with the root certificate first in the file. If the local certificate is signed by a well-known certificate authority, that authority provides the user with the Root and Intermediate Certificate files (most likely just the CA root certificate).
The Trusted Certificate files define a list of trusted certificates. The phone’s trusted list must contain the CA root certificates for all the servers it is connecting to. For example, if the phone is connecting to server A, which has a certificate signed by CA1, and server B, which has a certificate signed by CA2, the phone must have the CA1 root certificate and the CA2 root certificate in its Trusted Certificate file.
Notes:
If configuring TLS, you must specify the files for Root and Intermediate Certificates, the Local Certificate, the Private Key, and the Trusted Certificates in order for the phone to receive calls.
If configuring Persistent TLS, you must specify the Trusted Certificates file (which contains the trusted certificate list). All other certificates and the Private Key are optional.
The certificate files and Private Key file names must use the format “.pem”.
To create custom certificate files and private key files to use on your IP phone, contact Aastra Technical Support.
6. Click Save Settings to save your changes.
Note:
If configuring 802.1x using the IP Phone UI, the certificates and private keys must already be configured and stored on
the phone. Use the configuration files or the Aastra Web UI to load certificates and private keys.
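As an added example that is not part of this manual or of Aastra's software, the following Python script checks the ordering rule given for the Root and Intermediate Certificate file in step 5 above: the first certificate must be the self-signed root and each later certificate must be issued by the one before it. It links the chain by comparing the DER-encoded issuer and subject names byte for byte, using only the standard library; the fake_cert_pem helper exists solely to build constructed, unsigned certificate skeletons as sample input, and real CA-issued .pem files are parsed the same way.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(buf):
    """Read one DER tag-length-value; return (tag, value, remaining bytes)."""
    tag, n, hdr = buf[0], buf[1], 2
    if n & 0x80:                        # long-form length: next (n & 0x7F) bytes
        k = n & 0x7F
        n, hdr = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    return tag, buf[hdr:hdr + n], buf[hdr + n:]

def names(der_cert):
    """Return (issuer, subject) as raw DER Name bytes, walking tbsCertificate."""
    _, cert, _ = der_tlv(der_cert)             # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert)                  # tbsCertificate ::= SEQUENCE
    tag, _, rest = der_tlv(tbs)                # version [0] EXPLICIT is optional
    if tag == 0xA0:
        _, _, rest = der_tlv(rest)             # serialNumber INTEGER
    _, _, rest = der_tlv(rest)                 # signature AlgorithmIdentifier
    _, issuer, rest = der_tlv(rest)            # issuer Name
    _, _, rest = der_tlv(rest)                 # validity SEQUENCE
    _, subject, _ = der_tlv(rest)              # subject Name
    return issuer, subject

def check_chain_order(pem_bytes):
    """Phone rule for the Root and Intermediate Certificate file: entry 1 is the
    self-signed root, entry i is issued by entry i-1. Returns a list of problems."""
    ders = [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem_bytes)]
    certs = [names(d) for d in ders]           # (issuer, subject) pairs in file order
    if not certs:
        return ["file contains no PEM certificates"]
    problems = []
    if certs[0][0] != certs[0][1]:
        problems.append("certificate 1 is not self-signed: the root must come first")
    for i in range(1, len(certs)):
        if certs[i][0] != certs[i - 1][1]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i}")
    return problems

def fake_cert_pem(subject, issuer):
    """Constructed sample input only: an unsigned DER skeleton with the real
    tbsCertificate field order, PEM-wrapped. Real CA-issued files parse the same."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths suffice
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name(issuer) + tlv(0x30, b"") + name(subject))
    der = tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

Run check_chain_order on the bytes of your Root and Intermediate Certificate file before loading it; an empty result means the root is first and every intermediate follows its signer.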
Aastra Web UI