User's Manual
Appendix
802.1x Port-based network access control
Extensible Authentication Protocol
Extensible Authentication Protocol (EAP) supports multiple authentication
methods, such as EAP-PEAP, EAP-MD5, and EAP-TLS, and represents
a technology framework that facilitates the adoption of Authentication,
Authorization, and Accounting (AAA) schemes, such as Remote
Authentication Dial In User Service (RADIUS). RADIUS is defined in RFC
2865.
802.1x defines the following three roles:
• Supplicant—an IP Phone which requires access to the network to use
network services.
• Authenticator—the network entry point to which the supplicant
physically connects (typically a Layer 2/3 switch). The authenticator
acts as the proxy between the supplicant and the authentication
server. The authenticator controls access to the network based on the
authentication status of the supplicant.
• Authentication server—performs authentication of the supplicant.
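As an added illustration (not part of the Nortel manual), the following Python code decodes the EAPOL frames that pass between the supplicant and the authenticator and names the EAP method in use. The numeric codes come from IEEE 802.1X and RFC 3748; the function name, field names, and sample frames are constructed for this example.

```python
import struct

# EAPOL packet types (IEEE 802.1X) and EAP codes/types (RFC 3748, IANA), using the manual's method names.
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 3: "Nak", 4: "EAP-MD5", 13: "EAP-TLS", 25: "EAP-PEAP"}
# RFC 3748 lists MD5-Challenge as providing no mutual authentication or key derivation.
NO_MUTUAL_AUTH = {"EAP-MD5"}
# On the phone-to-switch link, everything except a Response is sent by the authenticator.
SENDER = {1: "authenticator", 2: "supplicant", 3: "authenticator", 4: "authenticator"}


def decode_eapol(payload: bytes) -> dict:
    """Decode the EAPOL payload of an Ethernet frame (EtherType 0x888E)."""
    if len(payload) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", payload[:4])
    body = payload[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body shorter than declared length")
    info = {"eapol_version": version, "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 1:  # EAPOL-Start: the supplicant opens the exchange
        info["sender"] = "supplicant"
    if ptype != 0:
        return info
    if body_len < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > body_len:
        raise ValueError("EAP length field inconsistent with EAPOL body")
    info.update(code=EAP_CODES.get(code, f"unknown({code})"), identifier=ident, sender=SENDER.get(code, "unknown"))
    if code in (1, 2):  # only Request and Response carry a Type (method) field
        if eap_len < 5:
            raise ValueError("Request/Response without a Type field")
        method = EAP_METHODS.get(body[4], f"type {body[4]}")
        info.update(method=method, data=body[5:eap_len], lacks_mutual_auth=method in NO_MUTUAL_AUTH)
    return info


# Constructed sample frames (not captured from a real phone or switch).
START = bytes.fromhex("01010000")
IDENTITY_REQ = bytes.fromhex("01000005" "0101000501")
IDENTITY_RESP = bytes.fromhex("0100000a" "0201000a01") + b"phone"
MD5_CHALLENGE = bytes.fromhex("01000016" "0102001604" "10") + bytes(16)
```

Each EAP type carries different data after the Type byte, which is why the credentials the phone must present depend on the method the authentication server selects.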
Authorization
If 802.1x is configured and the IP Phone is physically connected to the
network, the IP Phone (supplicant) initiates 802.1x authentication by
contacting the Layer 2/3 switch (authenticator). The IP Phone also initiates
802.1x authentication after the Ethernet connection (network interface
only) is restored following a network link failure. However, if the phone
resets, it reinitiates authentication once the reset completes. The IP
Phone fails to authorize if the credentials that the IP Phone presents do
not authenticate. Each EAP type requires different credentials. The Layer
Nortel Communication Server 1000
IP Phones Fundamentals
NN43001-368 02.07
5 February 2009
Copyright © 2003-2009 Nortel Networks