manualshive.com logo in svg

Yealink 802.1X, Technical White Paper

Share
Download
Yealink 802.1X Technical White Paper Download Page 28

Yealink Technical White Paper                                                                                                802.1X Authentication 

28 

network administrator. 

 

Contact Yealink FAE for support when the above steps cannot solve your problem. 

a)

 

Capture the packet and export configurations of the phone, switch and 
authentication server. 

b)

 

Provide the related information to Yealink FAE. 

Appendix A: Glossary 

IEEE 

(Institute of Electrical and Electronics Engineers) 

A professional association headquartered 

in New York City that is dedicated to advancing technological innovation and excellence. 

802.1X –

A port-based network access control, meaning it only provides an authentication 

mechanism for devices wishing to attach to a LAN.

 

EAP 

(Extensible Authentication Protocol)

 –

An authentication framework which supports multiple 

authentication methods. 

TLS 

(Transport Layer Security)

 –

Provides for mutual authentication, integrity-protected cipher 

suite negotiation between two endpoints. 

MD5 

(Message-Digest Algorithm)

 –

Only provides authentication of the EAP peer for the EAP 

server but not mutual authentication. 

PEAP

 (Protected Extensible Authentication Protocol)

 –

A protocol that encapsulates the EAP 

within an encrypted and authenticated TLS tunnel.

 

MSCHAPv2

 (Microsoft Challenge Handshake Authentication Protocol version 2)

 –

Provides for 

mutual authentication, but does not require a supplicant-side certificate. 

TTLS 

(Tunneled Transport Layer Security) –Extends TLS to improve some weak points, but it 

does not require a supplicant-side certificate. 

EAPOL

 (Extensible Authentication Protocol over Local Area Network)

 –

A delivery mechanism 

and doesn’t provide the actual authentication mechanisms. 

 

 

Summary of Contents for 802.1X

Page 1: ......

Page 2: ...s Anonymous Identity 24 Troubleshooting 27 Why doesn t the IP phone pass 802 1X authentication 27 Appendix A Glossary 28 Appendix B 802 1X Authentication Process 29 A Successful Authentication Using EAP MD5 Protocol 29 A Successful Authentication Using EAP TLS Protocol 30 A Successful Authentication Using EAP PEAP MSCHAPv2 Protocol 32 A Successful Authentication Using EAP TTLS EAP MSCHAPv2 Protoco...

Page 3: ...alidated and authorized An analogy to this is like providing a valid visa at the airport s arrival immigration before being allowed to enter the country With 802 1X port based authentication the supplicant provides credentials such as user name password or digital certificate for the authenticator and the authenticator forwards the credentials to the authentication server for verification If the a...

Page 4: ...9 P E2 W56P Firmware version 80 or later T54S T52 T48S T46S T42S T41S T40G T27G W52P Firmware version 81 or later EAP TTLS EAP MSCHAPv2 T46G T42G T41P CP860 Firmware version 71 or later T48G Firmware version 72 or later T58V A T56A T49G T40P T29G T27P T23P G T21 P E2 T19 P E2 W56P Firmware version 80 or later T54S T52S T48S T46S T42S T41S T40G T27G W52P Firmware version 81 or later EAP PEAP GTC T4...

Page 5: ...off prevents another device from using the port without first authenticating via 802 1X The Pass thru Mode is available on Yealink IP phones running specified firmware version You can ask your system administrator or contact Yealink Field Application Engineer FAE for more information Configuring 802 1X Settings The 802 1X authentication on Yealink IP phones is disabled by default You can configure...

Page 6: ...and W56P IP phones running firmware version 81 or later Other IP phones or the IP phones listed above running old firmware version use the old auto provisioning mechanism For Old Auto Provisioning Mechanism 1 Add Edit 802 1X authentication parameters in the configuration file The following table shows the information of parameters Parameters Permitted Values Default network 802_1x mode 0 1 2 3 4 5...

Page 7: ...escription Configures the password for 802 1x authentication Note It works only if the value of the parameter network 802_1x mode is set to 1 3 4 5 6 or 7 If you change this parameter the IP phone will reboot to make the change take effect Web User Interface Network Advanced 802 1x MD5 Password Phone User Interface Menu Settings Advanced Settings default password admin Network 802 1x Settings MD5 ...

Page 8: ...oning server Applying the Configuration Files to Your Phone Once you have edited and configuration file e g y0000000000xx cfg using the parameters introduced above you need to do the following to apply the files to your phone 1 Connect your phone to a network that is not 802 1X enabled 2 Perform the auto provisioning process to apply the configuration files to the phone Then the IP phone will rebo...

Page 9: ..._1x eap_fast_provision_mode 0 or 1 0 Description Configures the EAP In Band provisioning method for EAP FAST 0 Unauthenticated Provisioning 1 Authenticated Provisioning If it is set to 0 Unauthenticated Provisioning EAP In Band provisioning is enabled by server unauthenticated PAC Protected Access Credential provisioning using anonymous Diffie Hellman key exchange If it is set to 1 Authenticated P...

Page 10: ...x identity String within 32 characters Blank Description Configures the user name for 802 1x authentication Note It works only if the value of the parameter static network 802_1x mode is set to 1 2 3 4 5 6 or 7 If you change this parameter the IP phone will reboot to make the change take effect Web User Interface Network Advanced 802 1x Identity Phone User Interface Menu Settings Advanced Settings...

Page 11: ...1x CA Certificates Phone User Interface None static network 802_1x client_cert_url URL within 511 characters Blank Description Configures the access URL of the device certificate Note It works only if the value of the parameter static network 802_1x mode is set to 2 EAP TLS The format of the certificate must be pem Web User Interface Network Advanced 802 1x Device Certificates Phone User Interface...

Page 12: ...P phone will reboot to make the settings effective For more information on auto provisioning refer to Yealink_SIP T2_Series_T19 P E2_T4_Series_T5_Series_W5_Series_CP860_IP_Phones_Auto_Provisioning_Guide_V81 3 Connect the phone to the 802 1X enabled network and reboot the phone You can make a phone call to verify whether the phone is authenticated Configuring 802 1X via Web User Interface The follo...

Page 13: ...authentication in the Anonymous Identity field 2 Enter the user name for authentication in the Identity field 3 Leave the MD5 Password field blank 4 In the CA Certificates field click Browse to select the desired CA certificate pem crt cer or der from your local system 5 In the Device Certificates field click Browse to select the desired client pem or cer certificate from your local system ...

Page 14: ...3 Enter the password for authentication in the MD5 Password field 4 In the CA Certificates field click Browse to select the desired CA certificate pem crt cer or der from your local system 5 Click Upload to upload the certificate d If you select EAP TTLS EAP MSCHAPv2 1 Optional Enter the anonymous user name for authentication in the Anonymous Identity field 2 Enter the user name for authentication...

Page 15: ... upload the certificate e If you select EAP PEAP GTC 1 Optional Enter the anonymous user name for authentication in the Anonymous Identity field 2 Enter the user name for authentication in the Identity field 3 Enter the password for authentication in the MD5 Password field 4 In the CA Certificates field click Browse to select the desired CA certificate pem crt cer or der from your local system ...

Page 16: ...ield click Browse to select the desired CA certificate pem crt cer or der from your local system 5 Click Upload to upload the certificate g If you select EAP FAST 1 Optional Enter the anonymous user name for authentication in the Anonymous Identity field 2 Enter the user name for authentication in the Identity field 3 Enter the password for authentication in the MD5 Password field 4 Select the des...

Page 17: ...you should upload CA certificate in advance using configuration files or via web user interface For SIP IP phones running firmware version 81 or later the CA certificate needs to be uploaded only when Authenticated Provisioning mode is selected from the Provisioning Mode field If you select EAP TLS mode you should upload CA certificate and device certificate in advance using configuration files or...

Page 18: ...the MD5 Password field b If you select EAP TLS 1 Enter the user name for authentication in the Identity field 2 Leave the MD5 Password field blank c If you select EAP PEAP MSCHAPv2 1 Enter the user name for authentication in the Identity field 2 Enter the password for authentication in the MD5 Password field d If you select EAP TTLS EAP MSCHAPv2 1 Enter the user name for authentication in the Iden...

Page 19: ...tion in the MD5 Password field 3 Press Save to accept the change The IP phone reboots automatically to make the settings effective after a period of time 802 1X Authentication Process Reboot the phone to activate the 802 1X authentication on the phone The 802 1X authentication process is divided into two basic stages Pre authentication The 802 1X pre authentication process begins with the IP phone...

Page 20: ...ion server After these keys are established the authenticator grants the IP phone access to the protected network on an authorized port The following figure summarizes an implementation of the 802 1X authentication process using a RADIUS server as the authentication server For more details about the 802 1X authentication process using EAP MD5 EAP TLS EAP PEAP MSCHAPv2 EAP TTLS EAP MSCHAPv2 EAP PEA...

Page 21: ...creenshots Identity The following screenshot of the Wireshark shows a sample of a successful authentication process using the EAP MD5 protocol The following screenshot of the Wireshark shows a sample of a successful authentication process using the EAP TLS protocol ...

Page 22: ...llowing screenshot of the Wireshark shows a sample of a successful authentication process using the EAP PEAP MSCHAPv2 protocol The following screenshot of the Wireshark shows a sample of a successful authentication process using the EAP TTLS EAP MSCHAPv2 protocol ...

Page 23: ...he following screenshot of the Wireshark shows a sample of a successful authentication process using the EAP PEAP GTC protocol The following screenshot of the Wireshark shows a sample of a successful authentication process using the EAP TTLS EAP GTC protocol ...

Page 24: ... of the Wireshark shows a sample of a successful authentication process using the EAP FAST protocol Sample Screenshots Anonymous Identity The following screenshot of the Wireshark shows a sample of a successful authentication process with anonymous identity using EAP TLS protocol ...

Page 25: ...f the Wireshark shows a sample of a successful authentication process with anonymous identity using EAP PEAP MSCHAPv2 protocol The following screenshot of the Wireshark shows a sample of a successful authentication process with anonymous identity using EAP TTLS EAP MSCHAPv2 protocol ...

Page 26: ...hot of the Wireshark shows a sample of a successful authentication process with anonymous identity using EAP PEAP GTC protocol The following screenshot of the Wireshark shows a sample of a successful authentication process with anonymous identity using EAP TTLS EAP GTC protocol ...

Page 27: ...e correct If EAP TLS EAP PEAP MSCHAPv2 EAP TTLS EAP MSCHAPv2 EAP PEAP GTC EAP TTLS EAP GTC and EAP FAST protocols are used ensure that the certificate uploaded to the phone is valid a Double click the certificate to check the validity time b Check if the time and date on the phone is within the validity time of the uploaded certificate If not re generate a certificate and upload it the phone Ensur...

Page 28: ...cation framework which supports multiple authentication methods TLS Transport Layer Security Provides for mutual authentication integrity protected cipher suite negotiation between two endpoints MD5 Message Digest Algorithm Only provides authentication of the EAP peer for the EAP server but not mutual authentication PEAP Protected Extensible Authentication Protocol A protocol that encapsulates the...

Page 29: ...o the authenticator 6 The authenticator strips the authentication server s frame header encapsulates the remaining EAP frame into the EAPOL format and sends it to the supplicant 7 The supplicant responds to the Challenge message 8 The authenticator passes the response to the authentication server 9 The authentication server validates the authentication information and sends an authentication succe...

Page 30: ...as an EAP TLS type and sends an EAP Request packet with a TLS start message to the authenticator 6 The authenticator strips the authentication server s frame header encapsulates the remaining EAP frame in the EAPOL format and then sends it to the supplicant 7 The supplicant responds with an EAP Response packet containing a TLS client hello handshake message to the authenticator The client hello me...

Page 31: ...passes the request to the supplicant 15 The supplicant responds with an EAP Response packet to the authenticator 16 The authenticator passes the response to the authentication server 17 The authentication server responds with a success message indicating the supplicant and the authentication server have successfully authenticated each other 18 The authenticator passes the message to the supplicant...

Page 32: ... packet to the supplicant 3 The supplicant responds with an EAP Response Identity packet to the authenticator 4 The authenticator strips the Ethernet header and encapsulates the remaining EAP frame in the RADIUS format and then sends it to the authentication server 5 The authentication server recognizes the packet as a PEAP type and sends an EAP Request packet with a PEAP start message to the auth...

Page 33: ...the authenticator 16 The authenticator passes the response to the authentication server The TLS tunnel is established 17 The authentication server sends an EAP Request Identity packet to the authenticator 18 The authenticator passes the request to the supplicant 19 The supplicant responds with an EAP Response Identity packet to the authenticator 20 The authenticator passes the response to the auth...

Page 34: ...ul Authentication Using EAP PEAP GTC Protocol The 802 1X authentication process using the EAP PEAP GTC protocol is quite similar to that using the EAP PEAP MSCHAPv2 protocol For more information refer to the network resource A Successful Authentication Using EAP TTLS EAP GTC Protocol The 802 1X authentication process using the EAP TTLS EAP GTC protocol is quite similar to that using the EAP PEAP M...

Page 35: ...Technical White Paper 802 1X Authentication 35 Customer Feedback We are striving to improve our documentation quality and we appreciate your feedback Email your opinions and comments to DocsFeedback yealink com ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands