Avaya 9600 Telephone User Manual

IEEE 802.1X
Issue 2 December 2007
802.1X Pass-Through and Proxy Logoff
9600 Series SIP IP Telephones with a secondary Ethernet interface support pass-through of
802.1X packets to and from an attached PC. This enables an attached PC running 802.1X
supplicant software to be authenticated by an Ethernet data switch.
The SIP IP Telephones support two pass-through modes:
- pass-through, and
- pass-through with proxy logoff.
The DOT1X parameter setting controls the pass-through mode. In Proxy Logoff mode
(DOT1X=1), when the secondary Ethernet interface loses link integrity, the telephone sends an
802.1X EAPOL-Logoff message on the Ethernet line interface to the data switch on behalf of
the attached PC. The message alerts the switch that the device is no longer present. Proxy
logoff occurs only after at least one EAPOL frame with the Port Access Entity (PAE) group
multicast address as the destination MAC address was received on the secondary Ethernet
interface. The destination MAC address of the proxy EAPOL-Logoff frame is the PAE group
multicast address. The source MAC address of the proxy EAPOL-Logoff frame is the same as
the source MAC address of the last frame received on the secondary Ethernet interface that
had the PAE group multicast address as the destination MAC address.
Note: When DOT1X = 0 or 2, the Proxy Logoff function is not supported.
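The proxy-logoff rule described above, modelled as added example code (this is not Avaya firmware). The PAE group address and the EAPOL header layout come from IEEE 802.1X; the PC MAC address is a constructed sample value.

```python
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group multicast MAC
EAPOL_VERSION = 1
EAPOL_START, EAPOL_LOGOFF = 1, 2  # EAPOL packet types (0 is EAP-Packet)

def parse_ethernet(frame: bytes):
    """Split an Ethernet II frame into (dst, src, ethertype, payload); None if too short."""
    if len(frame) < 14:
        return None
    return frame[0:6], frame[6:12], int.from_bytes(frame[12:14], "big"), frame[14:]

def eapol_frame(dst: bytes, src: bytes, pkt_type: int, body: bytes = b"") -> bytes:
    """Build an Ethernet II frame carrying an EAPOL packet (version, type, body length)."""
    header = bytes([EAPOL_VERSION, pkt_type]) + len(body).to_bytes(2, "big")
    return dst + src + ETHERTYPE_EAPOL.to_bytes(2, "big") + header + body

@dataclass
class ProxyLogoff:
    """State the phone keeps to log off on behalf of the attached PC."""
    dot1x: int  # DOT1X parameter; only DOT1X=1 enables proxy logoff
    last_supplicant_mac: Optional[bytes] = None

    def observe_secondary_frame(self, frame: bytes) -> None:
        """Remember the source MAC of EAPOL frames addressed to the PAE group address."""
        parsed = parse_ethernet(frame)
        if parsed is None:
            return
        dst, src, ethertype, _ = parsed
        if ethertype == ETHERTYPE_EAPOL and dst == PAE_GROUP_ADDR:
            self.last_supplicant_mac = src

    def on_secondary_link_down(self) -> Optional[bytes]:
        """Frame to send on the line interface when the PC link drops, or None."""
        if self.dot1x != 1 or self.last_supplicant_mac is None:
            return None  # DOT1X=0/2, or no EAPOL frame from the PC seen yet
        return eapol_frame(PAE_GROUP_ADDR, self.last_supplicant_mac, EAPOL_LOGOFF)

if __name__ == "__main__":
    pc_mac = bytes.fromhex("020000000001")  # constructed PC address
    phone = ProxyLogoff(dot1x=1)
    phone.observe_secondary_frame(eapol_frame(PAE_GROUP_ADDR, pc_mac, EAPOL_START))
    print(phone.on_secondary_link_down().hex())
```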
802.1X Supplicant Operation
9600 SIP IP Telephones that support Supplicant operation also support Extensible
Authentication Protocol (EAP), but only with the MD5-Challenge authentication method as
specified in IETF RFC 3748 [8.5-33a] or with TLS.
If an EAP method in the configuration parameter DOT1XEAPS requires the authentication of a
digital certificate, the standard authentication requirements apply, including matching the
TLSSRVRID with that on the certificate.
If an EAP response requires an identity or a password, the values of the DOT1XID and
DOT1XPSWD parameters are used, unless the user has entered a new identity or password on
an 802.1X User Input interrupt screen, in which case the user-entered values are used instead.
The ID and password are not overwritten by telephone software downloads. For all EAP
methods, if the Supplicant is unauthenticated, an 802.1X Waiting interrupt screen is displayed
when a response is transmitted, unless an 802.1X User Input interrupt screen is already being
displayed.
If an EAP-Failure frame is received after transmitting a response that contains an identity or a
password, an 802.1X User Input interrupt screen is displayed, unless an 802.1X User Input
interrupt screen is already being displayed. If an EAP-Failure frame is received after