eSpace 8950 IP Phone V200R003C00 Administrator Guide

Provides information about deploying, operating, and maintaining the Video Phone.
802.1x

This topic describes the two 802.1x authentication methods supported by the IP phone: EAP-MD5 and EAP-TLS.

802.1x is a port-based network access control protocol defined by IEEE. This protocol implements access authentication and control for devices attempting to connect to an enterprise's internal network. Devices (for example, IP phones) are granted access to internal network resources only after being authenticated.

The IP phone currently supports two 802.1x authentication methods: Extensible Authentication Protocol-Message Digest Algorithm 5 (EAP-MD5) and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). If one method was originally configured, the IP phone will be forced to request the same method.

NOTE:
To ensure network access security, it is recommended that you enable the 802.1x function. If EAP-MD5 is used, obtain the 802.1x user name and password from the network administrator beforehand.

EAP-MD5 Authentication Process

Figure 3-1 illustrates the EAP-MD5 authentication process.
Figure 3-1  EAP-MD5 Authentication Process
The authentication steps are as follows:
  1. The IP phone initiates an 802.1x authentication request to the switch.
  2. The switch asks the IP phone to provide its user name.
  3. The IP phone sends its user name to the switch.
  4. The switch forwards the user name to the RADIUS server.
  5. After identity authentication, the RADIUS server sends an EAP-MD5 authentication request to the switch.
  6. The switch forwards the EAP-MD5 authentication request to the IP phone.
  7. The IP phone sends the MD5 digest to the switch, which forwards it to the RADIUS server.
  8. If authentication is successful, the switch opens all ports and the IP phone can then access network resources.
  9. If authentication fails, an authentication failure message is displayed on the IP phone, and the IP phone cannot access network resources.
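
The challenge and digest exchanged in steps 5 to 7 can be reproduced as follows. This is an added example, not code from the phone or from Huawei: the packet layout follows RFC 3748 section 5.4, the digest follows CHAP (RFC 1994), and the function names, user name and password are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4  # RFC 3748, section 5.4

def build_md5_packet(code, identifier, value, name=b""):
    """Encode Code, Identifier, Length, Type, Value-Size, Value, Name."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_md5_packet(packet):
    """Decode an EAP MD5-Challenge packet, rejecting malformed lengths."""
    if len(packet) < 6:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("bad length or EAP type")
    size = packet[5]
    if 6 + size > length:
        raise ValueError("Value-Size exceeds packet")
    return code, identifier, packet[6:6 + size], packet[6 + size:]

def md5_digest(identifier, password, challenge):
    """Step 7: MD5(Identifier || password || challenge), as in CHAP."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def new_challenge(identifier):
    """Step 5: the RADIUS server issues a fresh 16-byte random challenge."""
    return build_md5_packet(EAP_REQUEST, identifier, os.urandom(16))

def phone_respond(request, user, password):
    """Steps 6-7: the phone answers the challenge relayed by the switch."""
    code, identifier, challenge, _ = parse_md5_packet(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    digest = md5_digest(identifier, password, challenge)
    return build_md5_packet(EAP_RESPONSE, identifier, digest, user)

def radius_verify(request, response, password):
    """Server side: recompute the digest from the stored password."""
    _, req_id, challenge, _ = parse_md5_packet(request)
    code, resp_id, digest, _ = parse_md5_packet(response)
    expected = md5_digest(req_id, password, challenge)
    return (code == EAP_RESPONSE and resp_id == req_id
            and hmac.compare_digest(digest, expected))
```

The server can only recompute the digest if it holds the password in recoverable form, and nothing in the exchange authenticates the server to the phone. EAP-TLS, described next, replaces the shared password with certificates and a TLS handshake.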

EAP-TLS Authentication Process

Before EAP-TLS authentication, make sure that the following prerequisites have been met:
  • The switch supports MAC-address and certificate-based authentication.
  • The IP phone supports EAP-TLS authentication.
Figure 3-2 illustrates the EAP-TLS authentication process.
Figure 3-2  EAP-TLS Authentication Process
The authentication steps are as follows:
  1. The IP phone initiates an 802.1x authentication request to the switch.
  2. The switch asks the IP phone to provide its user name.
  3. The IP phone sends its user name to the switch.
  4. The switch forwards the user name to the RADIUS server.
  5. After identity authentication, the RADIUS server sends an EAP-TLS authentication request to the switch.
  6. The switch forwards the EAP-TLS authentication request to the IP phone.
  7. The IP phone and the RADIUS server implement TLS handshake negotiations.
  8. If authentication is successful, the switch opens all ports and the IP phone can then access network resources.
  9. Optional: If authentication fails, the IP phone obtains the eSight server IP address from the DHCP server and then connects to the eSight server to download a new certificate.
  10. Optional: After the new certificate is downloaded, the IP phone automatically restarts and initiates authentication again (starting from Step 1).

EAP-TLS Certificate Update Process

The EAP-TLS certificate is stored on the eSight server. The IP phone can connect to the eSight server to download the EAP-TLS certificate. Figure 3-3 illustrates the EAP-TLS certificate update process.
Figure 3-3  EAP-TLS Certificate Update Process
The certificate update steps are as follows:
  1. The eSight server applies for a certificate based on the IP phone's serial number (SN) that has been imported.
  2. The IP phone initiates an EAP-TLS authentication request to the RADIUS server.
  3. The RADIUS server returns an authentication failure message to the switch and then to the IP phone.
  4. The switch adds the IP phone to the Guest VLAN.
  5. The IP phone obtains its IP address and the eSight server IP address from the DHCP server.
  6. The IP phone time-synchronizes with the NTP server.
  7. The IP phone obtains its certificate from the eSight server.
  8. The IP phone automatically restarts.
  9. The IP phone initiates an EAP-TLS authentication request to the RADIUS server using the new certificate. Authentication is successful.
Updated: 2018-09-12

Document ID: EDOC1000067158
