Avaya Media Gateway G250 User manual
JZ; Reviewed:
PV 6/21/06 Solution & Interoperability Test Lab Application Notes
©2006 Avaya Inc. All Rights Reserved. 1 of 31
DOT1X-IPT-GW.doc
Avaya Solution & Interoperability Test Lab
Configuring 802.1X Protocol on Avaya G250 and G350
Media Gateways for an Avaya IP Telephone with an
Attached PC – Issue 1.0
Abstract
The IEEE 802.1X standard defines a client-server based access control and authentication
protocol that restricts unauthorized clients from connecting to a LAN through publicly
accessible ports. 802.1X provides a means of authenticating and authorizing users attached to a
LAN port and of preventing access to that port in cases where the authentication process fails.
Avaya G250 and G350 Media Gateways support 802.1X as authenticators and Avaya IP
telephones support 802.1X as supplicants. These Application Notes provide the steps
necessary to configure 802.1X on the Avaya G350 Media Gateway and the Avaya IP
telephone with an attached PC using a FreeRADIUS server. The same approach can be
followed when using an Avaya G250 Media Gateway.
JZ; Reviewed:
PV 6/21/06 Solution & Interoperability Test Lab Application Notes
©2006 Avaya Inc. All Rights Reserved. 2 of 31
DOT1X-IPT-GW.doc
1 Introduction
The 802.1X protocol is an IEEE standard for media-level access control, offering the capability
to permit or deny network connectivity, control LAN access, and apply traffic policy, based on
user or machine identity. The 802.1X consists of three components (or entities):
•Supplicant – a port access entity (PAE) that requests access to the network. For
example, an Avaya IP Telephone and the attached PC can be 802.1X supplicants.
•Authenticator – a PAE that facilities the authentication of the supplicant. The Avaya
G250 and G350 Media Gateways function as authenticator PAEs that control the
physical access to the network based on the authentication status of a supplicant.
•Authentication server – a PAE, typically a Remote Authentication Dial-In User Service
(RADIUS) server that actually provides authentication service.
The 802.1X protocol makes use of Extensible Authentication Protocol (EAP) messages. The
protocol in 802.1X is called EAP encapsulation over LANs (EAPOL). It is currently defined for
Ethernet-like LANs including 802.11 wireless. The Authenticator becomes the middleman for
relaying EAP received in 802.1X packets to an authentication server by using the RADIUS
format to carry the EAP information.
The following shows typical EAP-MD5 message exchanges for the 802.1X protocol. The
authenticator or the supplicant can initiate authentication. When the switch detects the port link
state transitions from down to up, the switch will send an EAP-request/identity frame to the
client to request its identity. When the client receives the frame, it responds with an EAP-
response/identity frame. If the client does not receive an EAP-request/identity frame from the
switch during its booting process, the client can initiate authentication by sending an EAPOL-
start frame, which prompts the switch to request the client's identity. Figure 1 shows typical
flows for the Avaya IP telephone, the Avaya G250 or G350 Media Gateway and an
authentication server using the EAP-MD5 authentication.
JZ; Reviewed:
PV 6/21/06 Solution & Interoperability Test Lab Application Notes
©2006 Avaya Inc. All Rights Reserved. 3 of 31
DOT1X-IPT-GW.doc
Supplicant PAE
(Avaya IP Telephone) Authenticator PAE
(Avaya G250/G350) Authentication Server
Port or MAC unauthorized
EAPOL-Start
EAP-Request/Identity
EAP-Response/Identity
EAP-Request/MD5 Challenge
EAP-Response/MD5, Response
EAP Success
Port or MAC authorized
EAP Re ject
Port or MAC unauthorized
EAPOL-Logoff
Port or MAC unauthorized
Figure 1: 802.1X Message Exchanges
The following describes the 802.1X flows for Figure 1:
1. The supplicant (the Avaya IP telephone) sends an “EAPOL Start” packet to the
authenticator (Avaya G250 or G350 Media Gateway).
2. The authenticator responds with an “EAP-Request/Identity” packet to the supplicant.
3. The supplicant responds with an "EAP-Response/Identity" packet to the authenticator.
The authenticator strips the Ethernet header and encapsulates the remaining EAP frame
in the RADIUS format, and then sends it to the authentication server.
4. The authentication server recognizes the packet as an EAP-MD5 type and sends back a
challenge message to the authenticator. The authenticator removes the authentication
server’s frame header and encapsulates the remaining EAP frame into the Ethernet
format (EAPOL) and then sends it to the supplicant.
JZ; Reviewed:
PV 6/21/06 Solution & Interoperability Test Lab Application Notes
©2006 Avaya Inc. All Rights Reserved. 4 of 31
DOT1X-IPT-GW.doc
5. The supplicant responds to the challenge and the authenticator passes the response onto
the authentication server.
6. If the supplicant provides proper credentials, the authentication server responds with a
success message. The authenticator passes the message onto the supplicant and allows
access to the LAN.
7. If the supplicant does not provide proper credentials, the authentication server responds
with a reject message. The authenticator passes the message onto the supplicant and
blocks access to the LAN.
8. When the supplicant is logged off, the supplicant sends an EAPOL-Logoff message, and
the authenticator blocks access to the LAN.
The Avaya G250 and G350 Media Gateways support the following EAP types: MD5, PEAP,
TTLS and TLS. The Avaya IP telephones support EAP-MD5 authentication. Figure 2 shows
the network diagram used in these Application Notes. The PCs attached to the Avaya IP
telephones are installed with the Funk Odyssey client software (802.1X supplicants).
Avaya G650
Media Gateway
Avaya S8500
Media Server
Avaya 6210Analog
Telephone
123
456
789
*0#
ABC DEF
GHIJKLMNO
PQRS TUV WXYZ
PHONE/EXI T PAGE
LEFT PAGE
RIGHT OPTIONS
HOLD
TRANSFER
CONFERENCE
DROP
REDIAL
MUTE
HEADSET
SPEAKER
123
645
978
#
*0
ABC DEF
JKL MNOGHI
TUVQRSPXYZW
COMPACT
PHONE/EXIT PAGE
LEFT PAGE
RIGHT OPTIONS
HOLD
TRANSFER
CONFERENCE
DROP
REDIAL
MUTE
HEADSET
SPEAKER
0SWIP 123
645
978
#
*0
ABC DEF
JKL MNOGHI
TUVQRSPXYZW
Avaya G250 Media
Gateway
PMI: 192.168.88.3
Avaya G350
Media Gateway
PMI: 192.168.88.4
Avaya 4610SW IP
Telephone
PHONE/EX IT PAGE
LEFT PAGE
RIGHT OPTIONS
HOLD
TRANSFER
CONFE REN C E
DROP
REDIAL
MUTE
HEADSE T
SPEAKER
123
645
978
#
*0
ABC DEF
JKL MNOGHI
TUVQRSPXYZW
PHONE/EXI T PAGE
LEFT PAGE
RIGHT OPTIONS
HOLD
TRANSFER
CONFERENCE
DROP
REDIAL
MUTE
HEADSET
SPEAKER
0SWIP 123
645
978
#
*0
ABC DE F
JKL MNOGHI
TUVQRSPXYZW
Avaya 4610SW IP
Telephone
FreeRADIUS Ser ver
Red Hat linux
192.168.88.61 Odyssey Clients
Odyssey Clients
1
ALM
23456 789101112
13 1415161718 192021222324
LNKCOL Rx FDX FC LAG
SI
Tx
SI
123456 789101112
13 14 15 16 17 18 19 20 21 22 23 24
Hspd PoE
ALM
TST
ACT
AVAYA
MM722
BRI
V1
1 2
ALM
TST
ACT
1 2 3 4 5 6 7 8
AVAYA
ANALOG
MODULE
LINE TRUNK
ALM
TST
ACT
1 2 3 4 5 6 7 8
AVAYA
MM712
DCP
VH3
ALM
TST
ACT
OKTO
REMOVESERVICES USB1 USB2
SHUTDOWN
AVAYA
ICC
MODULE
ALM
TST
ACT
AVAYA
E1/T1
MODULE
SIG
SO EISMEMSIEO
ETR
ALM
TST
ACT
TRUNK LINE L INE CCA ETH WAN ETHLAN
123
MDM
ALM
CPU
PWR
SYSTEM
CONSOLE
USB
RST ASB
Removebe fore removin g or inser ting S 8300 mod ule
V6
V2
V1
V5
V4
V3
G350
V7
Microsoft DHCPServer
Avaya TFTP Server
192.168.88.31
Cisco Catalyst 6509
Switch IP: 192.168.88.2
Router IP: 192.168.88.1
192.168.89.1
auto Avaya 4620SW, 4621SW,
4622SW IP Telephones
Avaya 4620SW, 4621SW,
4622SW IP Telephones
auto
auto
auto
force-authorize
force-authorize
Figure 2 – 802.1X Configuration with Avaya IP Telephones
JZ; Reviewed:
PV 6/21/06 Solution & Interoperability Test Lab Application Notes
©2006 Avaya Inc. All Rights Reserved. 5 of 31
DOT1X-IPT-GW.doc
2 Equipment and Software Validated
Table 1 below shows the versions verified in these Application Notes.
Equipment Software
Avaya Communication Manager
Avaya S8500 Media Server
3.1.1 (load 628.7)
Avaya G650 Media Gateway
IPSI (TN2312BP)
C-LAN (TN799DP)
MEDPRO (TN2302AP)
HW12 FW030
HW01 FW017
HW11 FW108
Avaya G250-DS1 Media Gateway 25.23.0
Avaya G350 Media Gateway
MM316 PoE Module 25.23.0
Avaya 4610SW IP Telephone 2.32.3e*
Avaya 4620SW IP Telephone 2.32.3e*
Avaya 4621SW IP Telephone 2.32.3e*
Avaya 4622 SW IP Telephone 2.32.3e*
Avaya 6210 Analog Telephone N/A
Cisco Catalyst 6509 Cat 8.5(3)
Red Hat Enterprise ES
FreeRADIUS Server
OpenSSL
R4
1.1.1
0.9.8a
Funk Odyssey Client 4.30
Table 1: Equipment and Software Validated
* Testing was performed using this beta release. At time of publication, 802.1X support was
not included in a generally available version of the telephone firmware. However, it is
expected that 802.1X support will be included in a forthcoming generally available version of
the telephone firmware.
JZ; Reviewed:
PV 6/21/06 Solution & Interoperability Test Lab Application Notes
©2006 Avaya Inc. All Rights Reserved. 6 of 31
DOT1X-IPT-GW.doc
3 Configurations
The Avaya G250 and G350 Media Gateways can control the port authorization state. Three
control modes can be configured on a port:
•Force-authorized – Disables 802.1X port-based authentication and causes the port to
transition to the authorized state without any authentication exchange required.
•Force-unauthorized – Causes the port to remain in the unauthorized state, ignoring all
attempts by the client to authenticate.
•Auto – Enables 802.1X port-based authentication. Whether the port is in the authorized
state or the unauthorized state depends on the authentication result. This is the default
mode once 802.1X is enabled.
Avaya G250 and G350 Media Gateways support two authentication modes:
•Port-based – the authentication mode defined by the 802.1X standard and the default
mode for the port. This mode requires that each 10/100 802.1X-enabled port be
connected to a single 802.1X supplicant, so security will be maintained. If more clients
are connected to that port, the first authenticated client opens the port and all other
clients are able to enter the network without the need for authentication. For the port-
based mode, the G250 and G350 Media Gateways always use a Multicast address for
all EAPOL messages exchanged with the 802.1X supplicants.
•MAC-based – an extension to the 802.1X standard. In this mode, multiple supplicants
are connected to an 802.1X-enabled port. Authentication is performed per MAC
address. The main application for the MAC-based mode is to authenticate an Avaya IP
telephone and an attached PC individually. When the Avaya G250 and G350 Media
Gateways receive a new EAPOL Start message, the Media Gateways will use the
Unicast address for all EAPOL messages with this supplicant.
Avaya IP telephones support three 802.1X operational modes. The operational mode can be
changed by pressing “mute80219#”.
•Pass-thru Mode – Unicast supplicant operation for the IP telephone itself, with PAE
multicast pass-through for the attached PC, but without proxy Logoff (default).
•Pass-thru with logoff Mode (p –t w/Logoff) – Unicast supplicant operation for the IP
telephone itself, with PAE multicast pass-through and proxy Logoff for the attached PC.
When the attached PC is physically disconnected from the IP telephone, the phone will
send an EAPOL-Logoff for the attached PC.
•Supplicant Mode – Unicast or multicast supplicant operation for the IP telephone itself,
without PAE multicast pass-through or proxy Logoff for the attached PC.
JZ; Reviewed:
PV 6/21/06 Solution & Interoperability Test Lab Application Notes
©2006 Avaya Inc. All Rights Reserved. 7 of 31
DOT1X-IPT-GW.doc
3.1 Configuring 802.1X on the Avaya G350 Media Gateway
The following shows the annotated global RADIUS and 802.1X configuration. The RADIUS
authentication secret must match the configuration on the FreeRADIUS server. When 802.1X is
globally enabled, the RADIUS server will be used for the 802.1X authentication.
! --- Configure radius server
G350-003(super)# set radius authentication server 192.168.88.61 primary
Done!
! --- Configure radius authentication secret
G350-003(super)# set radius authentication secret 1234567890123
Done!
! --- Globally enable the radius authentication
G350-003(super)# set radius authentication enable
Done!
! --- Globally enable the 802.1X system control
G350-003(super)# set dot1x system-auth-control enable
dot1x system-auth-control enabled
By default, all ports are configured in the auto mode. The command set port dot1x port-
control can be used to configure a port in the force-unauthorize, auto or force-authorize
mode. It is recommended to configure all ports connected to the IP Telephones or the PCs in the
auto mode for high security. The port on the Avaya G350 Media Gateway connected to the
Cisco Catalyst 6509 in Figure 1 is configured to the force-authorize mode.
G350-003(super)# set port dot1x port-control ?
Set port dot1x port-control commands:
---------------------------------------------------------------------------
Syntax : set port dot1x port-control <module/port> <mode>
<module/port> - the module and the port number (or range of ports)
<mode> - force-unauthorize - the port is always in blocking state
auto - forwarding/blocking depends on authorization outcome
force-authorize - the port is always in forwarding state
Example: set port dot1x port-control 6/5 auto
Refer to Section 3.4 for the FreeRADIUS server configuration. By default, the Avaya IP
telephone will use its MAC addresses as a username. To put an IP telephone and the attached
PC into different VLANs, configure a port with an untagged VLAN for the attached PC and a
static-VLAN for the Avaya IP telephone. The following screen shows how to configure port 6/1
with an untagged VLAN 89 for the attached PC and a static-VLAN 88 for an Avaya IP
telephone.
JZ; Reviewed:
PV 6/21/06 Solution & Interoperability Test Lab Application Notes
©2006 Avaya Inc. All Rights Reserved. 8 of 31
DOT1X-IPT-GW.doc
! --- Configure (untagged) VLAN 89 on port 6/1
G350-003(super)# set port vlan 89 6/1
Port 6/1 added to VLAN 89
! --- Configure (tagged) VLAN 88 on port 6/1
G350-003(super)# set port static-vlan 6/1 88
VLAN 88 is bound to port 6/1
! --- Verify the configuration
G350-003(super)# show trunk 6/1
Port Mode Binding mode Native vlan Vlans allowed on trunk
------ ----- ------------------------- ----------- ----------------------
6/1 off statically bound 89 88-89
By default, re-authentication is not enabled. It is recommended to enable re-authentication for
higher security. The default re-authentication period is 1 hour.
G350-003(super)# set port dot1x re-authentication 6/1-40 enable
port 6/1 re-authenticate was set to enable
port 6/2 re-authenticate was set to enable
port 6/3 re-authenticate was set to enable
…
3.2 Configuring Port-based Authentication on the Avaya G350 Media
Gateway and IP Telephones without Requiring the Attached PCs
to Authenticate
This section describes how to configure the Avaya G350 Media Gateway and an IP telephone
so that the IP telephone will be used to authenticate the port. Note that in this case a PC
attached to the phone will be allowed access without requiring it to authenticate.
By default, all ports are configured in the port-based authentication. When a port is configured
in the port-based mode, additional clients can get access to the network once one client is
authenticated successfully on that port. Compared to the MAC-based mode in Section 3.3, the
port-based mode is less secure. It is recommended to configure all ports connected to the
Avaya IP telephones in the MAC-based mode.
If the attached PC does not support the 802.1X supplicant, the authentication mode can be set to
port-based so that the IP telephone can be used to authenticate the port.
When a port uses the port-based authentication, the Avaya G350 Media Gateway will use a
well-known Multicast MAC address 01:80:C2:00:00:03 for all EAPOL messages. The Avaya
IP telephones must be configured to the supplicant mode to respond to these Multicast EAPOL
messages. Note that the Avaya IP telephone does not respond to the Multicast EAPOL
messages when the phone is configured in the pass-thru and p –t w/Logoff modes. Change the
JZ; Reviewed:
PV 6/21/06 Solution & Interoperability Test Lab Application Notes
©2006 Avaya Inc. All Rights Reserved. 9 of 31
DOT1X-IPT-GW.doc
operational mode to the supplicant mode by pressing “mute80219#” on the phone and select
“supplicant mode”.
3.3 Configuring MAC-based Authentication on the Avaya G350 Media
Gateway and IP Telephones Requiring the Attached PCs to
Authenticate
This section describes how to configure the Avaya G350 Media Gateway and an IP telephone
so that the IP telephone will be used to authenticate itself and a PC attached to the phone will
also be required to authenticate.
It is recommended to configure the MAC-based authentication for high security. When the
MAC-based authentication is configured on a port, each supplicant must be authenticated
individually. If an IP telephone with the attached PC is connected to that port, the IP telephone
and the PC have to be authenticated independently.
When a port is configured to the MAC-based mode, the Avaya G350 Media Gateway will use
the Unicast EAPOL messages with the supplicants. Since most 802.1X supplicants use the
Multicast MAC address for the EAPOL messages, the IP telephone must be configured to the
pass-thru or p-t w/Logoff mode to pass-through these Multicast messages. It is recommended
to use the p-t w/Logoff mode. When the phone is in the p-t w/Logoff mode, the phone will do
proxy logoff for the attached PC when the PC is physically disconnected. When the Avaya
G350 Media Gateway receives the logoff message, the PC will be removed from the authorized
MAC list. Change the operational mode to the p-t w/Logoff mode by pressing “mute80219#”
on the phone and select “p-t w/Logoff” mode.
Use the command set port dot1x port-mode mac-based-authentication <port #> to configure
a port or ports to the MAC-based authentication mode.
G350-003(super)# set port dot1x port-mode mac-based-authentication 6/1-40
port 6/1 was set to mac-based-authentication mode
port 6/2 was set to mac-based-authentication mode
port 6/3 was set to mac-based-authentication mode
…
JZ; Reviewed:
PV 6/21/06 Solution & Interoperability Test Lab Application Notes
©2006 Avaya Inc. All Rights Reserved. 10 of 31
DOT1X-IPT-GW.doc
3.4 Configuring the FreeRADIUS Server
Refer to [1] and [2] for detailed information on how to install and configure the FreeRADIUS
server and the OpenSSL software on the Red Hat Linux Operating System. Refer to [3] for
detailed information on how to configure Microsoft Authentication Service as a RADIUS
server for the Avaya G250 and G350 Media Gateways.
To support the Avaya G350 Media Gateway as an authenticator, the Avaya G350 Media
Gateway must be configured in the clients.conf. For the sample configuration, this file is under
/usr/local/etc/raddb directory. The Avaya G350 is added as an authenticator at the end of the
clients.conf file. The secret must match the secret configuration on the Avaya G350 Media
Gateway as shown in Section 3.1. The NAS-IP-Address must be the primary management
interface (PMI) IP address of the Avaya Media Gateway.
client 192.168.88.3/32 {
secret = 1234567890123
shortname = G250
NAS-IP-Address = 192.168.88.3
client 192.168.88.4/32 {
secret = 1234567890123
shortname = G350
NAS-IP-Address = 192.168.88.4
Configure a username with a password in the users file under /usr/local/etc/raddb directory. For
an IP telephone, configure the MAC address of the Avaya IP telephone as a username. For the
mac-based mode, a username with a password should be configured for the attached PC.
00040D508820 User-Password == "123456"
steve User-Password == "123456"
JZ; Reviewed:
PV 6/21/06 Solution & Interoperability Test Lab Application Notes
©2006 Avaya Inc. All Rights Reserved. 11 of 31
DOT1X-IPT-GW.doc
3.5 Configuring the Odyssey Client
After the Funk Odyssey Client Software is installed on a client PC, start the Funk Odyssey
Client Manager through Start -> Programs -> Funk Software -> Odyssey Client -> Odyssey
Client Manager. Figure 3 shows the Funk Odyssey Client Manager. Click Profiles and then
click Add or highlight the existing profile and press Properties.
Figure 3: The Funk Odyssey Client Manager
JZ; Reviewed:
PV 6/21/06 Solution & Interoperability Test Lab Application Notes
©2006 Avaya Inc. All Rights Reserved. 12 of 31
DOT1X-IPT-GW.doc
Click the User Info tab in Figure 4 and type Login name as configured on the FreeRADIUS
server. Check Permit login using password. Select prompt for password or use the
following password. When prompt for password is selected, a window will pop up on the
client to request a password when a new connection is made or the current password fails the
authentication.
Figure 4: Use Information for the Funk Odyssey Client Profile
JZ; Reviewed:
PV 6/21/06 Solution & Interoperability Test Lab Application Notes
©2006 Avaya Inc. All Rights Reserved. 13 of 31
DOT1X-IPT-GW.doc
Click the Authentication tab in Figure 4 and add EAP-MD5-Challenge as an authentication
protocol (Figure 5). Ignore TTLS Settings and PEAP Settings, which are not related to EAP-
MD5.
Figure 5: Authentication Configuration for the Funk Odyssey Client Profile
JZ; Reviewed:
PV 6/21/06 Solution & Interoperability Test Lab Application Notes
©2006 Avaya Inc. All Rights Reserved. 14 of 31
DOT1X-IPT-GW.doc
Click the Adapters icon in Figure 3, and add the wired Ethernet adapter (Figure 6).
Figure 6: Adapters Configuration for the Funk Odyssey Client Manager
JZ; Reviewed:
PV 6/21/06 Solution & Interoperability Test Lab Application Notes
©2006 Avaya Inc. All Rights Reserved. 15 of 31
DOT1X-IPT-GW.doc
Click the Connection icon in Figure 3. In Figure 7, select the Ethernet adapter in the Adapter
field, check Connect using profile box and select the profile for the MD5. If the client is
authenticated, the Status for the Connection information should be open and authenticated.
If not, check Section 4 for troubleshooting. Note that the 802.1X supplicant software for the
attached PC is not needed if the Avaya G350 Media Gateway is configured with the port-based
mode.
Figure 7: Connection Configuration for the Funk Odyssey Client Manager
JZ; Reviewed:
PV 6/21/06 Solution & Interoperability Test Lab Application Notes
©2006 Avaya Inc. All Rights Reserved. 16 of 31
DOT1X-IPT-GW.doc
4 Verification
4.1 Verify 802.1X With Port-based Authentication
Use the command show port dot1x to display the 802.1X configuration. Verify that the port-
control is configured to auto and the port-based authentication is enabled.
G350-003(super)# show port dot1x
Port PortAuth Port Re Quiet ReAuth Server Supp Tx Max
Number Mode Control Auth Period Period Timeout Timeout Period Req
------ --------- -------- ---- ------ ------ ------- ------- ------ ---
6/1 PortBased Auto Enab 60 3600 30 30 30 2
6/2 PortBased Auto Enab 60 3600 30 30 30 2
6/3 PortBased Auto Enab 60 3600 30 30 30 2
…
Verify that the Avaya IP telephone is configured to the supplicant mode by pressing “mute
80219#”. You will be prompted to enter the credentials if the authentication fails.
Use the command show port dot1x supp-mac <port #> to verify that the port is authenticated
using the MAC address of the IP telephone.
G350-003(super)# show port dot1x supp-mac 6/1
Port Supplicant Port Auth Auth BEnd Supplicant
Number MAC Mode State State Status
------ ----------------- ---------- -------- ----- ----------
6/1 00-04-0d-50-88-20 PortBased Authed Idle Auth
Use the command show cam <port#> to verify that the Avaya G350 Media Gateway learns the
MAC addresses of the IP telephone and the attached PC in different VLANs. Note that the
MAC address of the IP telephone is associated with the untagged VLAN and the static-VLAN.
G350-003(super)# show cam 6/1
Total Matching CAM Entries Displayed = 3
Dest MAC/Route Dest vlan Destination Ports
------------------- ---- -----------------
00:04:0d:50:88:20 88 6/1
00:04:0d:50:88:20 89 6/1
00:b0:d0:3e:a7:61 89 6/1
JZ; Reviewed:
PV 6/21/06 Solution & Interoperability Test Lab Application Notes
©2006 Avaya Inc. All Rights Reserved. 17 of 31
DOT1X-IPT-GW.doc
4.2 Verify 802.1X With MAC-based Authentication
Use the command show port dot1x to display the dot1x configuration. Verify that the port-
control is configured to auto and the MAC-based authentication is enabled.
G350-003(super)# show port dot1x
Port PortAuth Port Re Quiet ReAuth Server Supp Tx Max
Number Mode Control Auth Period Period Timeout Timeout Period Req
------ --------- -------- ---- ------ ------ ------- ------- ------ ---
6/1 MAC-Based Auto Enab 60 3600 30 30 30 2
6/2 MAC-Based Auto Enab 60 3600 30 30 30 2
6/3 MAC-Based Auto Enab 60 3600 30 30 30 2
Verify that the Avaya IP telephone is configured to the p-t w/Logoff by pressing “mute
80219#”. You will be prompted to enter the credentials if the authentication fails.
Use the command show port dot1x supp-mac <port #> to verify that the telephone and the
attached PC are authenticated individually.
G350-003(super)# show port dot1x supp-mac 6/1
Port Supplicant Port Auth Auth BEnd Supplicant
Number MAC Mode State State Status
------ ----------------- ---------- -------- ----- ----------
6/1 00-04-0d-50-88-20 MAC-Based Authed Idle Auth
6/1 00-b0-d0-3e-a7-61 MAC-Based Authed Idle Auth
Use the command show cam <port#> to verify that the Avaya G350 Media Gateway learns the
MAC addresses of the IP telephone and the attached PC in different VLANs.
G350-003(super)# show cam 6/1
Total Matching CAM Entries Displayed = 4
Dest MAC/Route Dest vlan Destination Ports
------------------- ---- -----------------
00:04:0d:50:88:20 88 6/1
00:b0:d0:3e:a7:61 88 6/1
00:04:0d:50:88:20 89 6/1
00:b0:d0:3e:a7:61 89 6/1
JZ; Reviewed:
PV 6/21/06 Solution & Interoperability Test Lab Application Notes
©2006 Avaya Inc. All Rights Reserved. 18 of 31
DOT1X-IPT-GW.doc
4.3 Troubleshooting 802.1X on the Avaya G350 Media Gateway
802.1X debugging can be enabled on the Avaya G350 Media Gateway for troubleshooting.
Enter the following commands from the console port to enable 802.1X debugging.
G350-003(super)# set logging session condition dot1x debug
Done!
G350-003(super)# set logging session enable
Done!
The following shows annotated syslog debug messages from the Avaya G350 Media Gateway
for the MAC-based authentication when the IP telephone with the attached PC is reset and the
attached PC is physically disconnected. The IP telephone is configured in the p-t w/Logoff
mode.
04/26/2006,07:06:23:SWITCHFABRIC-Notification: Agent Interface Up (linkUp
Trap)on Module 6 port 1 (interface 234882561)
04/26/2006,07:06:23:STP-Notification: Spanning Tree State on Module 10 Port
1281 was changed to learning
04/26/2006,07:06:23:STP-Notification: Spanning Tree State on Module 10 Port
1281 was changed to forwarding
! --- The attached PC is authenticated (the PC’s MAC address is shown)
04/26/2006,07:06:37:DOT1X-Informational: Device with MAC address
00:b0:d0:3e:a7:61 succeeded to authenticate module/port 6/1
! --- The attached PC is authenticated (the PC’s MAC address is shown)
04/26/2006,07:06:47:DOT1X-Informational: Device with MAC address
00:04:0d:50:88:20 succeeded to authenticate module/port 6/1
04/26/2006,07:06:49:DHCP-RELAY-Informational:
DHCP packet received from 0.0.0.0 00:04:0d:50:88:20 to 255.255.255.255
on interface Vlan 88 but global relay is off
and DHCP server is disabled
! ---The phone does proxy Logoff for the attached PC when the attached PC is
! – disconnected from the phone.
04/26/2006,07:09:16:DOT1X-Informational: Device with MAC address
00:b0:d0:3e:a7:61 logoff module/port 6/1
JZ; Reviewed:
PV 6/21/06 Solution & Interoperability Test Lab Application Notes
©2006 Avaya Inc. All Rights Reserved. 19 of 31
DOT1X-IPT-GW.doc
4.4 Troubleshooting 802.1X on the FreeRADIUS server
If the IP telephone or the attached PC cannot be authenticated by the FreeRADIUS server, use
the command radiusd –X to run the server in the debugging mode. The following shows a
correct debugging output for the authentications of the Avaya IP telephone and the attached PC
for the MAC-based mode.
[root@freeradius radacct]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
JZ; Reviewed:
PV 6/21/06 Solution & Interoperability Test Lab Application Notes
©2006 Avaya Inc. All Rights Reserved. 20 of 31
DOT1X-IPT-GW.doc
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
Other manuals for Media Gateway G250
13
This manual suits for next models
1
Table of contents
Other Avaya Gateway manuals
Avaya
Avaya G250 Series User manual
Avaya
Avaya Media Gateway G350 User manual
Avaya
Avaya Media Gateway G250 Instruction Manual
Avaya
Avaya Aura Quick reference guide
Avaya
Avaya G700 Quick start guide
Avaya
Avaya G450 Manager User manual
Avaya
Avaya W310 Operating manual
Avaya
Avaya S8500 Series User manual
Avaya
Avaya G450 Manager User manual
Avaya
Avaya W310 User manual
Avaya
Avaya Media Gateway G250 Installation guide
Avaya
Avaya INDeX Media Gateway User manual
Avaya
Avaya Media Gateway G350 User manual
Avaya
Avaya G450 Manager Instruction Manual
Avaya
Avaya QuesCom 400 Supplement
Avaya
Avaya G450 Manager Instruction sheet
Avaya
Avaya G700 Instruction Manual
Avaya
Avaya Media Gateway G250 User manual
Avaya
Avaya G650 Instruction Manual
Avaya
Avaya G700 Quick start guide
Popular Gateway manuals by other brands
AudioCodes
AudioCodes MP-5 Series Configuration guide
Fortress Power
Fortress Power Guardian Quick setup guide
hilscher
hilscher netBRICK NB 100 user manual
B+B SmartWorx
B+B SmartWorx SmartSwarm 342 Quick start guides
Pirelli
Pirelli Discus DRG A226M Specification sheet
ZyXEL Communications
ZyXEL Communications P-660HU-T1 Brochure & specs
