User's Manual

Server authentication
A server certificate, user name, and password are required to establish a TLS connection
between the IP Deskphone and the provisioning server. The server certificate must be signed
by a certificate authority.
The IP Deskphone uses the server certificate to validate the identity of the provisioning server
that the IP Deskphone is connected to; the provisioning server uses the user name and
password to authenticate the IP Deskphone. The IP Deskphone must be preloaded with the
root certificate used in signing the server certificate. The root certificate is downloaded to the
IP Deskphone using a USB flash drive or by connecting to a provisioning server through EAP-
MD5, and using one of the insecure protocols supported by the IP Deskphone, such as HTTP,
TFTP, or FTP.
EAP-MD5 ensures that the connection between the IP Deskphone and the provisioning server
is secure. The user name and password are required to authenticate the IP Deskphone to the
provisioning server and must be loaded in a secure manner before the IP Deskphone
establishes the HTTPS connection with the provisioning server. There is no mechanism for
getting a user name and password onto the IP Deskphone in a secure "no-touch" manner; the
IP Deskphone must therefore be deployed on a secure network, so that the TFTP download of
insecure files is not transmitted over an insecure network.
Mutual Authentication
A device certificate and server certificate are required to establish a TLS connection between
the IP Deskphone and the provisioning server.
The server certificate must be signed by a certificate authority. The IP Deskphone uses the
server certificate to validate the identity of the provisioning server that the IP Deskphone is
connected to; the provisioning server uses the device certificate to validate the identity of the
IP Deskphone. The IP Deskphone must be preloaded with the root certificate used in signing
the server certificate.
The root certificate is downloaded to the IP Deskphone by a USB flash drive or by connecting
to a provisioning server through EAP-MD5, and using one of the insecure protocols supported
by the IP Deskphone, such as HTTP, TFTP, or FTP.
EAP-MD5 ensures that the connection between the IP Deskphone and the provisioning server
is secure. The administrator must use the existing device certificate (this certificate is used for
EAP-TLS, SIP-TLS, and HTTPS) to establish mutual authentication.
For information about device certificate installation and certificate profiles, see Device
certificate installation process on page 254.
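The two modes described above, seen from the provisioning server's side, as an added example that is not taken from the manual or from Avaya software. It assumes a Python-based HTTPS provisioning server and that the user name and password arrive as HTTP Basic credentials; the function names, the account table, and the use of the certificate common name as the phone identity are all hypothetical.

```python
import base64
import hmac
import ssl

SERVER_AUTH = "server-auth"  # phone verifies the server; server checks user name/password
MUTUAL_AUTH = "mutual"       # phone verifies the server; server verifies the device certificate


def provisioning_tls_context(mode, server_cert=None, server_key=None, device_ca=None):
    """Build the provisioning server's TLS context for one of the two modes."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    if server_cert:  # CA-signed server certificate presented to the phone
        ctx.load_cert_chain(server_cert, server_key)
    if mode == MUTUAL_AUTH:
        ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a device certificate
        if device_ca:  # root that signed the device certificates
            ctx.load_verify_locations(cafile=device_ca)
    else:
        ctx.verify_mode = ssl.CERT_NONE  # phone identity comes from the credentials instead
    return ctx


def authenticate_phone(mode, peer_cert, authorization, accounts):
    """Return the authenticated phone identity, or None to reject the request.

    peer_cert is the dict from SSLSocket.getpeercert(); authorization is the
    HTTP Authorization header value (assumed Basic); accounts maps user name
    to password.
    """
    if mode == MUTUAL_AUTH:
        # TLS has already validated the chain; take the identity from the subject.
        for rdn in (peer_cert or {}).get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    return value
        return None
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(authorization[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    expected = accounts.get(user)
    if expected is None:
        return None
    # Constant-time comparison of the supplied and stored passwords.
    return user if hmac.compare_digest(password.encode(), expected.encode()) else None
```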
Certificate-based authentication
276 SIP Software for Avaya 1100 Series IP Deskphones-Administration November 2012