Activating EAP-TLS for authentication
Before you begin
To activate the 802.1x EAP-TLS mode, you must set “SET DOT1XEAPS TLS” in the 46xxsettings.txt
file on the file server.
About this task
You can use the EAP-TLS method to authenticate the phones with the call server. For
implementing this type of authentication, you must configure the EAP-TLS parameters in the
46xxsettings file and on the call server.
Procedure
1. SET MYCERTURL < URL for enrolling with a SCEP fronted Certificate Authority >.
URL Example: http://149.49.44.53/certsrv/mscep/mscep.dll.
2. SET MYCERTWAIT 1
3. SET MYCERTCN $MACADDR
4. SET DOT1XEAPS TLS
5. SET TRUSTCERTS & <Root CA Filename>
6. Connect the phone to a port that does not have 802.1x enabled. The phone receives the
settings from the 46xxsettings.txt file.
The phone contacts the call server to activate the SCEP process.
7. Unplug the phone and connect the phone to a port that you have configured for EAP-TLS
and enable the supplicant on the phone through the CRAFT procedure. You can also
enable the supplicant by configuring the 46xxsettings.txt with SET DOT1XSTAT 2.
Note:
The MAC option SET MYCERTCN $MACADDR supports the MYCERTCN parameter in H.323 Release 6.2
Service Pack 1.
For H.323 Release 6.2 Service Pack 1, after the phone starts with EAP-TLS mode, the
user does not need to enter device Id or password as in MD5.
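Added example, not part of the Avaya documentation: a small Python check that a 46xxsettings.txt file carries the values the procedure above requires before phones are moved to an EAP-TLS port. The parsing rules (lines starting with # are comments, a later SET overrides an earlier one), the function names and the sample file are assumptions made for illustration.

```python
import re

# Values the procedure above requires; None means "any non-empty value".
REQUIRED = {
    "MYCERTURL": None,
    "MYCERTWAIT": "1",
    "MYCERTCN": "$MACADDR",
    "DOT1XEAPS": "TLS",
    "TRUSTCERTS": None,
}

SET_LINE = re.compile(r"^\s*SET\s+(\S+)\s*(.*?)\s*$")

def parse_settings(text):
    """Return {parameter: value}; a later SET overrides an earlier one (assumed)."""
    values = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):  # assumed comment marker
            continue
        m = SET_LINE.match(line)
        if m:
            values[m.group(1).upper()] = m.group(2).strip('"')
    return values

def check_eap_tls(text):
    """List the findings that would keep a phone from completing the procedure."""
    values = parse_settings(text)
    findings = []
    for name, expected in REQUIRED.items():
        actual = values.get(name, "")
        if not actual:
            findings.append(f"{name} is not set")
        elif expected is not None and actual != expected:
            findings.append(f"{name} is {actual!r}, expected {expected!r}")
    # Step 7: the supplicant is enabled by DOT1XSTAT 2 or by hand through CRAFT.
    if values.get("DOT1XSTAT") != "2":
        findings.append("DOT1XSTAT is not 2: enable the supplicant through CRAFT")
    return findings

# Constructed sample file, not taken from a real deployment.
SAMPLE = """\
## 802.1x settings
SET MYCERTURL http://ca.example.test/certsrv/mscep/mscep.dll
SET MYCERTWAIT 1
SET MYCERTCN $MACADDR
SET DOT1XEAPS MD5
SET TRUSTCERTS rootca.pem
"""

if __name__ == "__main__":
    for finding in check_eap_tls(SAMPLE):
        print(finding)
```

The constructed sample is reported because DOT1XEAPS is still MD5 and DOT1XSTAT is absent; a file that follows steps 1 to 5 and sets DOT1XSTAT 2 produces no findings.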
Related links
EAP-TLS support for authentication on page 134
Scenarios for using EAP-TLS based authentication
You can deploy the EAP-TLS method for authentication that requires an identity certificate that is
stored in the phone.
The following sections describe the authentication scenarios where you might need to deploy
EAP-TLS. Before deploying EAP-TLS, you must set the phones to a default state that can be one
of the following:
• Phones not running any type of 802.1x authentication
Administering your phone
May 2018
Installing and Administering Avaya J169/J179 IP Phone H.323
136