802.1X authentication of Yealink terminals in the SwyxWare environment

help | 12 Devices | Certified SIP phones | 802.1X authentication of Yealink terminals in the SwyxWare environment

If you use certified SIP devices from Yealink, you have the option of further protecting access to your network.

The connected end devices can authenticate themselves via 802.1x protocol. Authentication against the authentication server is performed on Layer 2 (OSI).

Configuration on devices

The Yealink devices must be configured to use the IEEE 802.1X protocol.

Refer to the manufacturer's documentation at http://support.yealink.com/documentFront/forwardToDocumentFrontDisplayPage for details of the appropriate configuration.

Select <Terminal Model> | User & Administrator | Yealink 802.1X Authentication_VX_X.pdf.

Provisional provisioning network

If you are using a certificate-based authentication protocol such as EAP-TLS, you should set up an Initial Provision Network to upload certificates and configuration files to the endpoints. Further information can be found in the manufacturer documentation mentioned above.

The required configuration files are provided via HTTP server for downloading by the mobile devices. Make sure that the corresponding server URL is made known to the end devices via DHCP option 43.

The URL for root and client certificate is noted in the configuration file, see also Changing the certificate URL.

Company network with 802.1X authentication

After the configuration files have been downloaded to the end devices and the certificates installed, the end devices are ready for authentication in the 802.1X-protected network. After 802.1X network authentication, endpoints are automatically configured via DCF provisioning service to SwyxWare.

Changing the certificate URL

In some cases, e.g. in case of changes in the network infrastructure, it may be necessary to change the certificate URL afterwards.

While the configuration is being updated, the telephony function on the corresponding Desk Phones is not available for some time.

To change the certificate URL via Swyx PowerShell module

The connection to SwyxServer must be established.

1 Start the Swyx PowerShell module.

2 Extract the existing configuration from the SwyxWare database in a local folder with the following command:

Export-IpPbxYealinkConfigFile -Path <your local path>

for example

Export-IpPbxYealinkConfigFile -Path C:\

3 Open the configuration file "common.cfg" in a text editor.

4 Add the following lines to the end of the file:

static.network.802_1x.root_cert_url = <URL for the server certificate>

static.network.802_1x.client_cert_url = <URL for the client certificate>

for example

static.network.802_1x.root_cert_url = http://192.168.2.51/ca_cert.pem

static.network.802_1x.client_cert_url = http://192.168.2.51/client_cert.pem

5 Save the file.

6 Import the file via Swyx PowerShell module with the following command:

Import-IpPbxYealinkConfigFile -FilePath <full path of the modified configuration file>

for example

Import-IpPbxYealinkConfigFile -FilePath C:\common.cfg

7 Confirm the execution of the command.

According to the autoprovisioning schedule, the new configuration file is uploaded to the end devices.

After the certificates have been downloaded, the end devices are restarted and re-registered.

Last modified date: 02/04/2022