Avaya 16-601443, 1600 Series 802.1X Pass-Through and Proxy Logoff, 802.1X Supplicant Operation

Administering Telephone Options

78 Avaya 1600 Series IP Deskphones Administrator Guide

Note:

Note: If the Ethernet line interface link fails, the 802.1X Supplicant, if enabled, enters

the Disconnected state. The 802.1X Supplicant variable userLogoff normally has

a value of FALSE. This variable will be set to TRUE before the telephone drops

the link on the Ethernet line interface (and back to FALSE after the link has been

restored). The userLogoff variable may also be briefly set to TRUE to force the

Supplicant into the LOGOFF state when new credentials are entered.

802.1X Pass-Through and Proxy Logoff

1600 Series IP Telephones with a secondary Ethernet interface support pass-through of 802.1X

packets to and from an attached PC. This enables an attached PC running 802.1X supplicant

software to be authenticated by an Ethernet data switch.

The IP Telephones support two pass-through modes:

●pass-through and

●pass-through with proxy logoff.

The DOT1X parameter setting controls the pass-through mode. In Proxy Logoff mode

(DOT1X=1), when the secondary Ethernet interface loses link integrity, the telephone sends an

802.1X EAPOL-Logoff message to the data switch on behalf of the attached PC. The message

alerts the switch that the device is no longer present. For example, a message would be sent

when the attached PC is physically disconnected from the IP telephone. When DOT1X = 0 or 2,

the Proxy Logoff function is not supported

802.1X Supplicant Operation

1600 IP Telephones that support Supplicant operation also support Extensible Authentication

Protocol (EAP), but only with the MD5-Challenge authentication method as specified in IETF

RFC 3748 [8.5-33a].

A Supplicant identity (ID) and password of no more than 12 numeric characters are stored in

reprogrammable non-volatile memory. The ID and password are not overwritten by telephone

software downloads. The default ID is the MAC address of the telephone, converted to ASCII

format without colon separators, and the default password is null. Both the ID and password are

set to defaults at manufacture. EAP-Response/Identity frames use the ID in the Type-Data field.

EAP-Response/MD5-Challenge frames use the password to compute the digest for the Value

field, leaving the Name field blank.

When a telephone is installed for the first time and 802.1x is in effect, the dynamic address

process prompts the installer to enter the Supplicant identity and password. The IP telephone

does not accept null value passwords. See “Dynamic Addressing Process” in the Avaya 1600

Series IP Deskphones Installation and Maintenance Guide. The IP telephone stores 802.1X

credentials when successful authentication is achieved. Post-installation authentication