A-Series 802.1X

Defaults

Sangoma A-Series phones do not perform 802.1X authentication by default.  A-Series phones are also not capable of performing automatic logoff of PC-port attached clients.

Recommended Firmware

All released A-Series firmwares provide some form of 802.1X capability.

Compatibility

A20, A22 and A25 models only support EAP-MD5 authentication.  A30 models also support EAP-TLS and PEAP-MSCHAPv2.

Important Notes

Client certificates must contain both the private key and the certificate within the PEM or CER file.

Root Certificates have been tested in PEM, DER, CRT and CER format.

For methods where it's optional to validate the CA certificate of the Authenticator, it's highly recommended to do so for security reasons.

EAP-MD5

To configure EAP-MD5 for the phone, users should set the following:

A2x 802.1X EAP-MD5 configuration

A30 802.1X EAP-MD5 configuration

With this method set, a user must supply their username and their password.

EAP-PEAPv0/MSCHAPv2

To configure EAP-PEAPv0/MSCHAPv2, users should set:

A23 802.1X EAP-PEAPv0/MSCHAPv2 configuration

This sets the method to EAP-PEAPv0/MSCHAPv2 and passes in the supplied username and password.

It is also possible for the phone to validate the CA certificate of the server.  If this behavior is desired, the following options should be set:

A23 802.1X EAP-PEAPv0/MSCHAPv2 configuration with certificate validation

EAP-TLS

To configure EAP-TLS, users should set:

A23 802.1X EAP-TLS configuration

EAP-TLS requires an identity (username and password), a CA cert and a client certificate.  The certificates should be uploaded to the phone using the phone's web UI.