• Phones using 802.1x with MD5 as the authentication method
Related links
EAP-TLS support for authentication on page 134
Deploying EAP-TLS based authentication for phones using 802.1x and MD5
Before you begin
Administering EAP-TLS requires an identity certificate to be installed on the phone. The initial
network for phone installation can therefore consist of a phone, an Ethernet switch, and a computer
in the IT department. The computer must be connected to the internet if you use an external CA to
sign the certificates. You can use the settings file on that network to set DOT1XSTAT to 1 or 2.
This change takes effect the next time that the phone resets. The phone must stay connected to
that network without resetting until a certificate is successfully installed. Alternatively, you can
enable 802.1x manually by using the 802.1x craft procedure after you install a certificate.
Procedure
1. Clear the phones and ensure that the phones authenticate using MD5.
2. Connect the phones on a network that does not support 802.1X access control (switch and
phone), modify the 46xxsettings.txt file, and incorporate the following SCEP parameters:
a. SET TRUSTCERTS <RootCert>
b. SET MYCERTURL http://<IP of CA server>/certsrv/mscep/mscep.dll
c. SET MYCERTWAIT 0
d. SET SCEPPASSWORD <password> #### optional
e. SET DOT1XEAPS TLS
f. SET DOT1XSTAT 2 #### optional
g. Clear the phone and then restart the phone, and ensure that the phone upgrades to
the latest firmware available.
h. Connect the phone to a network that supports DOT1x.
The phone starts the process of certificate enrollment automatically, by sending a
SCEP request to MYCERTURL. After the boot process completes, the phone obtains
the root certificate and the device certificate successfully and changes to the
EAP-TLS mode.
Note:
When you install the identity certificate using SCEP, you can download the
PKCS12 file.
i. Monitor the CA to check that all phones that you have upgraded have enrolled their
certificates with the CA. If you administer the CA to require manual approval of
certificate enrollment requests, then the phone will take a minimum of two minutes to
download the enrolled certificate after the CA approves the request. Therefore, do not
restart the phones until at least 2 minutes after approving the certificate enrollment
Administering Deskphone Options
May 2018
Installing and Administering Avaya J169/J179 IP Phone H.323
137
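The parameters from step 2 can be checked before the settings file is published to the phones. The following Python check is an added example, not part of the Avaya guide: it reads only plain SET lines, and the sample fragment, the `rootca.pem` file name and the 192.0.2.10 address are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample fragment: step 2 values filled in, DOT1XEAPS left at MD5.
SAMPLE = """\
## constructed example, not a real deployment file
SET TRUSTCERTS rootca.pem
SET MYCERTURL http://192.0.2.10/certsrv/mscep/mscep.dll
SET MYCERTWAIT 0
SET DOT1XEAPS MD5
SET DOT1XSTAT 2 #### optional
"""

SET_LINE = re.compile(r"^\s*SET\s+(\w+)\s*(.*)$")


def parse_settings(text):
    """Return {NAME: value} from plain SET lines (assumption: the last SET wins)."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # whole-line comment
        match = SET_LINE.match(line)
        if match:
            # Assumption: a trailing "#### ..." is an annotation, as printed in step 2.
            value = match.group(2).split("####")[0].strip().strip('"')
            params[match.group(1).upper()] = value
    return params


def check_eap_tls(params):
    """List the settings that differ from what step 2 prescribes."""
    problems = []
    if not params.get("TRUSTCERTS") or "<" in params["TRUSTCERTS"]:
        problems.append("TRUSTCERTS is missing or still a placeholder")
    cert_url = params.get("MYCERTURL", "")
    url = urlparse(cert_url)
    if "<" in cert_url or url.scheme not in ("http", "https") or not url.hostname:
        problems.append("MYCERTURL is not a usable SCEP URL")
    if params.get("MYCERTWAIT") != "0":
        problems.append("MYCERTWAIT is not 0")
    if params.get("DOT1XEAPS") != "TLS":
        problems.append(f"DOT1XEAPS is {params.get('DOT1XEAPS')!r}, expected 'TLS'")
    # DOT1XSTAT is optional in step 2; if present it must be 1 or 2.
    if "DOT1XSTAT" in params and params["DOT1XSTAT"] not in ("1", "2"):
        problems.append("DOT1XSTAT is set but not 1 or 2")
    return problems


if __name__ == "__main__":
    for problem in check_eap_tls(parse_settings(SAMPLE)):
        print("FAIL:", problem)
```

An empty result means the fragment matches step 2; the constructed sample reports the DOT1XEAPS line because it still selects MD5.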