request. If the certificate enrollment process is automatic, it takes less time than
manual enrollment.
3. Administer the RADIUS server to accept the identity certificates provided by the phones.
4. To turn on 802.1x authentication, change the 46xxsettings.txt file by setting DOT1XSTAT to
a value of 1 or 2.
5. Restart the phones to apply the new settings. The phones start their supplicants with the
EAP-TLS authentication method. Configure the Layer 2 switches to which you attach these
phones. The switches can then support EAP-TLS on those ports to which you attach the
phones.
If you do not require the phone to connect to a network that does not support DOT1X,
reset the phones manually or using the CM, and only then change the switch configuration
to support EAP-TLS.
Result
The switches then prompt the phones to authenticate using EAP-TLS and the phones must
authenticate themselves using the enrolled certificates. After you set up the phones, the phones
must maintain their configurations across restarts and upgrades. Depending on the value of
MYCERTRENEW, the phones periodically try to renew their certificate enrollment. The
administrator must monitor pending enrollments.
Related links
EAP-TLS support for authentication on page 134
Deploying EAP-TLS on phones running without any type of 802.1x authentication
Before you begin
Configure the Layer 2 switches to which you attach the phones running without any type of 802.1x
authentication, so that the switches do not support EAP-TLS on the ports to which the phones are
attached.
Procedure
1. Clear the phones and then in the 46xxsettings.txt file, turn off the supplicant operation by
making the following entry:
SET DOT1XSTAT 0
2. Modify the upgrade.txt file to point to the location of the H.323 Release 6.2 Service Pack 1
files.
3. Modify the settings file to incorporate the following SCEP parameters appropriately:
MYCERTURL, MYCERTWAIT, MYCERTRENEW and MYCERTDN if needed.
4. Reboot the phone, and ensure that the phone upgrades to H.323 Release 6.2 Service
Pack 1. The phone starts the process of certificate enrollment automatically, by sending a
SCEP request to MYCERTURL.
5. Monitor the CA to check whether all the phones that the system has upgraded have
enrolled their certificates with the CA.
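
A pre-flight check for the settings file used in this procedure, as an added example that is not part of the Avaya documentation: it parses SET lines and reports when DOT1XSTAT is not 0 or the SCEP parameters from step 3 are missing. The "##" comment convention, the function names and the sample host and values are assumptions.

```python
import re

# SET syntax follows the page's "SET DOT1XSTAT 0" entry. Treating lines that
# start with "##" as comments is an assumption about the file format.
REQUIRED_SCEP = ("MYCERTWAIT", "MYCERTRENEW")  # MYCERTDN is "if needed" on the page
SET_LINE = re.compile(r'^\s*SET\s+(\w+)\s*(.*?)\s*$')


def parse_settings(text):
    """Return {parameter: value}; a later SET overrides an earlier one."""
    values = {}
    for line in text.splitlines():
        if line.lstrip().startswith("##"):
            continue
        m = SET_LINE.match(line)
        if m:
            values[m.group(1).upper()] = m.group(2).strip('"')
    return values


def check_enrollment_stage(text):
    """Findings for the stage before EAP-TLS: supplicant off, SCEP configured."""
    cfg = parse_settings(text)
    findings = []
    dot1x = cfg.get("DOT1XSTAT")
    if dot1x is None:
        findings.append("DOT1XSTAT is not set explicitly; step 1 sets it to 0")
    elif dot1x != "0":
        findings.append(f"DOT1XSTAT is {dot1x}: supplicant is on before enrollment is done")
    if not cfg.get("MYCERTURL"):
        findings.append("MYCERTURL is empty: phones have no SCEP URL to enroll against")
    for name in REQUIRED_SCEP:
        if name not in cfg:
            findings.append(f"{name} is not set; confirm the default is intended")
    return findings


# Constructed sample file; the host name and values are placeholders.
SAMPLE = '''\
## staged rollout, enrollment phase
SET DOT1XSTAT 1
SET MYCERTURL "http://scep.example.test/scep"
SET MYCERTWAIT 1
SET MYCERTRENEW 90
'''

if __name__ == "__main__":
    for finding in check_enrollment_stage(SAMPLE):
        print("FINDING:", finding)
```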
Administering your phone
May 2018
Installing and Administering Avaya J169/J179 IP Phone H.323
138