manualshive.com logo in svg

Yealink 802.1X, Технический белый лист

Поделиться
Скачать
Yealink 802.1X Скачать руководство пользователя страница 30

Yealink Technical White Paper                                                                                                802.1X Authentication 

30 

A Successful Authentication Using EAP-TLS Protocol 

The following figure illustrates the scenario of a successful 802.1X authentication process using 
the EAP-TLS protocol. 

 

1.

 

The supplicant sends an “EAPOL-Start” packet to the authenticator. 

2.

 

The authenticator responds with an “EAP-Request/Identity” packet to the supplicant. 

3.

 

The supplicant responds with an "EAP-Response/Identity" packet to the authenticator. 

4.

 

The authenticator strips the Ethernet header and encapsulates the remaining EAP frame in 
the RADIUS format, and then sends it to the authentication server. 

5.

 

The authentication server recognizes the packet as an EAP-TLS type and sends an 
“EAP-Request” packet with a TLS start message to the authenticator. 

6.

 

The authenticator strips the authentication server’s frame header, encapsulates the 
remaining EAP frame in the EAPOL format, and then sends it to the supplicant. 

7.

 

The supplicant responds with an “EAP-Response” packet containing a TLS client hello 
handshake message to the authenticator. The client hello message includes the TLS version 
supported by the supplicant, a session ID, a random number and a set of cipher suites. 

8.

 

The authenticator passes the response to the authentication server.

 

9.

 

The authentication server sends an “EAP-Request” packet to the authenticator. The packet 
includes a TLS server hello handshake message, a server certificate message, a certificate 
request message and a server hello done message.

 

10.

 

The authenticator passes the request to the supplicant.

 

Содержание 802.1X

Страница 1: ......

Страница 2: ...s Anonymous Identity 24 Troubleshooting 27 Why doesn t the IP phone pass 802 1X authentication 27 Appendix A Glossary 28 Appendix B 802 1X Authentication Process 29 A Successful Authentication Using EAP MD5 Protocol 29 A Successful Authentication Using EAP TLS Protocol 30 A Successful Authentication Using EAP PEAP MSCHAPv2 Protocol 32 A Successful Authentication Using EAP TTLS EAP MSCHAPv2 Protoco...

Страница 3: ...alidated and authorized An analogy to this is like providing a valid visa at the airport s arrival immigration before being allowed to enter the country With 802 1X port based authentication the supplicant provides credentials such as user name password or digital certificate for the authenticator and the authenticator forwards the credentials to the authentication server for verification If the a...

Страница 4: ...9 P E2 W56P Firmware version 80 or later T54S T52 T48S T46S T42S T41S T40G T27G W52P Firmware version 81 or later EAP TTLS EAP MSCHAPv2 T46G T42G T41P CP860 Firmware version 71 or later T48G Firmware version 72 or later T58V A T56A T49G T40P T29G T27P T23P G T21 P E2 T19 P E2 W56P Firmware version 80 or later T54S T52S T48S T46S T42S T41S T40G T27G W52P Firmware version 81 or later EAP PEAP GTC T4...

Страница 5: ...off prevents another device from using the port without first authenticating via 802 1X The Pass thru Mode is available on Yealink IP phones running specified firmware version You can ask your system administrator or contact Yealink Field Application Engineer FAE for more information Configuring 802 1X Settings The 802 1X authentication on Yealink IP phones is disabled by default You can configure...

Страница 6: ...and W56P IP phones running firmware version 81 or later Other IP phones or the IP phones listed above running old firmware version use the old auto provisioning mechanism For Old Auto Provisioning Mechanism 1 Add Edit 802 1X authentication parameters in the configuration file The following table shows the information of parameters Parameters Permitted Values Default network 802_1x mode 0 1 2 3 4 5...

Страница 7: ...escription Configures the password for 802 1x authentication Note It works only if the value of the parameter network 802_1x mode is set to 1 3 4 5 6 or 7 If you change this parameter the IP phone will reboot to make the change take effect Web User Interface Network Advanced 802 1x MD5 Password Phone User Interface Menu Settings Advanced Settings default password admin Network 802 1x Settings MD5 ...

Страница 8: ...oning server Applying the Configuration Files to Your Phone Once you have edited and configuration file e g y0000000000xx cfg using the parameters introduced above you need to do the following to apply the files to your phone 1 Connect your phone to a network that is not 802 1X enabled 2 Perform the auto provisioning process to apply the configuration files to the phone Then the IP phone will rebo...

Страница 9: ..._1x eap_fast_provision_mode 0 or 1 0 Description Configures the EAP In Band provisioning method for EAP FAST 0 Unauthenticated Provisioning 1 Authenticated Provisioning If it is set to 0 Unauthenticated Provisioning EAP In Band provisioning is enabled by server unauthenticated PAC Protected Access Credential provisioning using anonymous Diffie Hellman key exchange If it is set to 1 Authenticated P...

Страница 10: ...x identity String within 32 characters Blank Description Configures the user name for 802 1x authentication Note It works only if the value of the parameter static network 802_1x mode is set to 1 2 3 4 5 6 or 7 If you change this parameter the IP phone will reboot to make the change take effect Web User Interface Network Advanced 802 1x Identity Phone User Interface Menu Settings Advanced Settings...

Страница 11: ...1x CA Certificates Phone User Interface None static network 802_1x client_cert_url URL within 511 characters Blank Description Configures the access URL of the device certificate Note It works only if the value of the parameter static network 802_1x mode is set to 2 EAP TLS The format of the certificate must be pem Web User Interface Network Advanced 802 1x Device Certificates Phone User Interface...

Страница 12: ...P phone will reboot to make the settings effective For more information on auto provisioning refer to Yealink_SIP T2_Series_T19 P E2_T4_Series_T5_Series_W5_Series_CP860_IP_Phones_Auto_Provisioning_Guide_V81 3 Connect the phone to the 802 1X enabled network and reboot the phone You can make a phone call to verify whether the phone is authenticated Configuring 802 1X via Web User Interface The follo...

Страница 13: ...authentication in the Anonymous Identity field 2 Enter the user name for authentication in the Identity field 3 Leave the MD5 Password field blank 4 In the CA Certificates field click Browse to select the desired CA certificate pem crt cer or der from your local system 5 In the Device Certificates field click Browse to select the desired client pem or cer certificate from your local system ...

Страница 14: ...3 Enter the password for authentication in the MD5 Password field 4 In the CA Certificates field click Browse to select the desired CA certificate pem crt cer or der from your local system 5 Click Upload to upload the certificate d If you select EAP TTLS EAP MSCHAPv2 1 Optional Enter the anonymous user name for authentication in the Anonymous Identity field 2 Enter the user name for authentication...

Страница 15: ... upload the certificate e If you select EAP PEAP GTC 1 Optional Enter the anonymous user name for authentication in the Anonymous Identity field 2 Enter the user name for authentication in the Identity field 3 Enter the password for authentication in the MD5 Password field 4 In the CA Certificates field click Browse to select the desired CA certificate pem crt cer or der from your local system ...

Страница 16: ...ield click Browse to select the desired CA certificate pem crt cer or der from your local system 5 Click Upload to upload the certificate g If you select EAP FAST 1 Optional Enter the anonymous user name for authentication in the Anonymous Identity field 2 Enter the user name for authentication in the Identity field 3 Enter the password for authentication in the MD5 Password field 4 Select the des...

Страница 17: ...you should upload CA certificate in advance using configuration files or via web user interface For SIP IP phones running firmware version 81 or later the CA certificate needs to be uploaded only when Authenticated Provisioning mode is selected from the Provisioning Mode field If you select EAP TLS mode you should upload CA certificate and device certificate in advance using configuration files or...

Страница 18: ...the MD5 Password field b If you select EAP TLS 1 Enter the user name for authentication in the Identity field 2 Leave the MD5 Password field blank c If you select EAP PEAP MSCHAPv2 1 Enter the user name for authentication in the Identity field 2 Enter the password for authentication in the MD5 Password field d If you select EAP TTLS EAP MSCHAPv2 1 Enter the user name for authentication in the Iden...

Страница 19: ...tion in the MD5 Password field 3 Press Save to accept the change The IP phone reboots automatically to make the settings effective after a period of time 802 1X Authentication Process Reboot the phone to activate the 802 1X authentication on the phone The 802 1X authentication process is divided into two basic stages Pre authentication The 802 1X pre authentication process begins with the IP phone...

Страница 20: ...ion server After these keys are established the authenticator grants the IP phone access to the protected network on an authorized port The following figure summarizes an implementation of the 802 1X authentication process using a RADIUS server as the authentication server For more details about the 802 1X authentication process using EAP MD5 EAP TLS EAP PEAP MSCHAPv2 EAP TTLS EAP MSCHAPv2 EAP PEA...

Страница 21: ...creenshots Identity The following screenshot of the Wireshark shows a sample of a successful authentication process using the EAP MD5 protocol The following screenshot of the Wireshark shows a sample of a successful authentication process using the EAP TLS protocol ...

Страница 22: ...llowing screenshot of the Wireshark shows a sample of a successful authentication process using the EAP PEAP MSCHAPv2 protocol The following screenshot of the Wireshark shows a sample of a successful authentication process using the EAP TTLS EAP MSCHAPv2 protocol ...

Страница 23: ...he following screenshot of the Wireshark shows a sample of a successful authentication process using the EAP PEAP GTC protocol The following screenshot of the Wireshark shows a sample of a successful authentication process using the EAP TTLS EAP GTC protocol ...

Страница 24: ... of the Wireshark shows a sample of a successful authentication process using the EAP FAST protocol Sample Screenshots Anonymous Identity The following screenshot of the Wireshark shows a sample of a successful authentication process with anonymous identity using EAP TLS protocol ...

Страница 25: ...f the Wireshark shows a sample of a successful authentication process with anonymous identity using EAP PEAP MSCHAPv2 protocol The following screenshot of the Wireshark shows a sample of a successful authentication process with anonymous identity using EAP TTLS EAP MSCHAPv2 protocol ...

Страница 26: ...hot of the Wireshark shows a sample of a successful authentication process with anonymous identity using EAP PEAP GTC protocol The following screenshot of the Wireshark shows a sample of a successful authentication process with anonymous identity using EAP TTLS EAP GTC protocol ...

Страница 27: ...e correct If EAP TLS EAP PEAP MSCHAPv2 EAP TTLS EAP MSCHAPv2 EAP PEAP GTC EAP TTLS EAP GTC and EAP FAST protocols are used ensure that the certificate uploaded to the phone is valid a Double click the certificate to check the validity time b Check if the time and date on the phone is within the validity time of the uploaded certificate If not re generate a certificate and upload it the phone Ensur...

Страница 28: ...cation framework which supports multiple authentication methods TLS Transport Layer Security Provides for mutual authentication integrity protected cipher suite negotiation between two endpoints MD5 Message Digest Algorithm Only provides authentication of the EAP peer for the EAP server but not mutual authentication PEAP Protected Extensible Authentication Protocol A protocol that encapsulates the...

Страница 29: ...o the authenticator 6 The authenticator strips the authentication server s frame header encapsulates the remaining EAP frame into the EAPOL format and sends it to the supplicant 7 The supplicant responds to the Challenge message 8 The authenticator passes the response to the authentication server 9 The authentication server validates the authentication information and sends an authentication succe...

Страница 30: ...as an EAP TLS type and sends an EAP Request packet with a TLS start message to the authenticator 6 The authenticator strips the authentication server s frame header encapsulates the remaining EAP frame in the EAPOL format and then sends it to the supplicant 7 The supplicant responds with an EAP Response packet containing a TLS client hello handshake message to the authenticator The client hello me...

Страница 31: ...passes the request to the supplicant 15 The supplicant responds with an EAP Response packet to the authenticator 16 The authenticator passes the response to the authentication server 17 The authentication server responds with a success message indicating the supplicant and the authentication server have successfully authenticated each other 18 The authenticator passes the message to the supplicant...

Страница 32: ... packet to the supplicant 3 The supplicant responds with an EAP Response Identity packet to the authenticator 4 The authenticator strips the Ethernet header and encapsulates the remaining EAP frame in the RADIUS format and then sends it to the authentication server 5 The authentication server recognizes the packet as a PEAP type and sends an EAP Request packet with a PEAP start message to the auth...

Страница 33: ...the authenticator 16 The authenticator passes the response to the authentication server The TLS tunnel is established 17 The authentication server sends an EAP Request Identity packet to the authenticator 18 The authenticator passes the request to the supplicant 19 The supplicant responds with an EAP Response Identity packet to the authenticator 20 The authenticator passes the response to the auth...

Страница 34: ...ul Authentication Using EAP PEAP GTC Protocol The 802 1X authentication process using the EAP PEAP GTC protocol is quite similar to that using the EAP PEAP MSCHAPv2 protocol For more information refer to the network resource A Successful Authentication Using EAP TTLS EAP GTC Protocol The 802 1X authentication process using the EAP TTLS EAP GTC protocol is quite similar to that using the EAP PEAP M...

Страница 35: ...Technical White Paper 802 1X Authentication 35 Customer Feedback We are striving to improve our documentation quality and we appreciate your feedback Email your opinions and comments to DocsFeedback yealink com ...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды