• 802.3af, standard for Power-over-Ethernet (PoE) enables the switch to allocate up to 15.4 watts of power per port.
• Quality-of-Service (QoS) mechanisms enable the network to give voice flow—which is sensitive to delay, jitter and packet loss—priority over the data traffic, to guarantee that the communications will continue in case of congestion.
• 802.1X is the most recommended authentication method for access control on the network. It is recognized as a standard, and is implemented by most IP telephony constructors. Multiple 802.1X authentication enables authentication both of a phone plugged into a switch and of a user plugged into the dual port of the phone, while assigning them different profiles (VLAN, QoS, bandwidth).

» Return to top

The platform contains:

• One or more servers with the following services: Active Directory, DHCP, DNS, Certificate Authority, IAS.
• Latest versions of ProCurve Manager Plus (PCM+) and Identity-Driven Manager (IDM).
• Siemens optiPoint 420 advance IP phone.
• Siemens Deployment Service (DLS) software from Siemens for certificate management.
• A ProVision Switch 3500yl or 2610-PWR with the latest firmware version. A similar configuration can also be used with a ProCurve 5400zl series switch or a 8212zl series switch. The configuration commands are identical for these products and the 3500yl.
• A client laptop that can be plugged into the phone dual port for multiple authentication tests or used as a network analyzer (e.g., Wireshark).

Figure 1. Setup for ProCurve-Siemens interoperability

» Return to top

3.1 Log on to the Siemens phone
To log on and configure a Siemens optiPoint phone:

1. Go to the phone’s web interface, available at: https://<phone_ip_address>
   
2. To log on as administrator, use the password 123456.
3. To reset a phone to factory settings use the password 124816.
4. Then, to download 802.1X certificates to the phones, use the DLS (Deployment Service) software from Siemens. (See “5. Configuring 802.1X support” later in this document.)

» Return to top

3.2 Check PoE compatibility on ProCurve Switch 3500yl
ProVision switches support standard PoE (802.3af), and so do Siemens optiPoint phones. When the phone is plugged into a port on the ProCurve Switch 3500yl, the phone boots up.

To view the power consumption of the phone on , issue the following command on the switch:

Where X is the port into which the phone is plugged.

» Return to top

3.3 Check PoE compatibility on ProCurve Switch 2610
On a 2610 switch, the command to view power consumption is:

Where X is the port into which the phone is plugged.

For a Siemens optiPoint 420 IP phone, power consumption is around 2.7 watts:

» Return to top

This section explains how to configure Quality of Service parameters.

4.1 Configure QoS on the phone
QoS layer 2 or layer 3 settings can be configured from the phone web interface, from the Administrator menu:

You can set the 802.1p (Layer 2) and DSCP (Layer 3) values for Voice and Signaling. By default the values are:

• Priority 7 and DSCP EF for Voice
• Priority 3 and DSCP AF31 for Signaling
  

» Return to top

4.2 Configure QoS on the switches
The recommended method is to have a dedicated VLAN for voice and configure the QoS parameters for the VLAN. The L2 and DSCP policy advertised are based on the actual QoS configuration for the voice VLAN. By default these values are:

• L2 priority 6
• DSCP 46, which corresponds to the Expedited Forwarding (EF) class

To modify the 802.1p or DSCP values:

To view which DSCP and QoS values are configured:

For more information on QoS settings on ProCurve switches, please refer to the following documents:

• For switch 3500yl: http://cdn.procurve.com/training/Manuals/3500-5400-6200-8200-ATG-Jan08-6-Qos.pdf
• For switch 2610-POE: http://h40060.www4.hp.com/procurve/includes/manuals/index.php?cc=uk&lc=en&content=2610

» Return to top

This section explains how to configure 802.1X support.

5.1 Configure 802.1X EAP-TLS on the phone
This procedure explains how to load certificates into a Siemens phone for 802.1X authentication.

To import certificates into the phone:

1. Install the DLS software, that you can obtain from a Siemens reseller. For DLS installation and administration you can use the Administration manual that you can find at: http://wiki.siemens-enterprise.com/images/6/6e/Deployment-Service_V2_en.pdf
2. Launch the DLS software and log in as admin, with the password you have set during installation.
   
3. On your Certification Authority, generate three certificates:
• rootCA.cer: The root authority certificate (.cer format)
• radius.cer: Certificate for the RADIUS server (.cer format)
• phone.pfx: Certificate for the phone, in .pfx format
4. Install the three certificates on the RADIUS server.
5. Then install the root CA and client certificates (radius.cer and phone.pfx) on the phone using the DLS software. To do so, connect the phone to an open port on the switch and note the IP address it obtains.
6. From the server desktop, open the Siemens Deployment Service (DLS), and go to the menu Workpoints | OptiPoint Configuration | IEEE 802.1X.
7. In the IP Address field, enter the IP address of your phone, and click Read to retrieve information from the phone.

» Return to top

5.1.1 Import the client certificate
To import the client certificate:

1. From the Phone tab, click on Import, browse for the user.pfx certificate, and import it.
2. After importing the certificate, click Activate. This causes the phone to reboot (after a few seconds), import its certificate and activate it.
3. Once the phone has rebooted, click Read again. You should see the certificate appear in Active Certificate and in Imported Certificate, and the Status Active/Import should be set to equal.

» Return to top

5.1.2 Import the root CA certificate
To import the root CA certificate:

1. From the Radius Server CA tab, click on Import and browse for the radiusCA.cer certificate.
2. Once imported, click Activate. This causes the phone to reboot (after a few seconds), import its certificate and activate it.
3. Once the phone has rebooted, click Read again. You should see the certificate appear in Active Certificate and in Imported Certificate, and the Status Active/Import should be set to equal. If the status is not equal, click Activate again.
4. Now plug the phone into a port-authenticator. You see its authentication in the RADIUS log (here IAS).

» Return to top

5.2 Configure 802.1 X on the switch
To configure 802.1X on the switch:

1. Enable 802.1X on the phone ports:

2. Enter the RADIUS information in the switch configuration:

» Return to top

5.3 Configure multiple 802.1X sessions
To configure multiple 802.1X sessions:

1. Modify the switch configuration for the port connected to the phone. Configure it so the voice VLAN is tagged and the data VLAN is untagged.
2. Set the client-limit parameter on the switch to 3 to enable both the PC and the phone to authenticate. For example:

The data VLAN can also be dynamically assigned using Identity Driven Manager:

» Return to top

To get the same results as in this application note, ensure you have at least the following firmware versions.

6.1 Switch firmware versions
Switch firmware versions used for this application note are as follows:

• K.13.09 for ProVision switches (5406zl, 3500yl, 8212zl)
• R.11.07 for 2610-PWR

» Return to top

6.2 Phone firmware version
Firmware version for the Siemens optiPoint 420 advance IP phone used for this application note is as follows:

• v6.0.54

» Return to top

6.3 Upgrade the phone firmware
The firmware is only provided by Siemens technicians or by official Siemens Partners. Customers with self-care contracts will have access to software within the SEBA Web portal (login required). The firmware of the optiPoint SIP phones comprises two software components:

• NetBoot Software: This component provides low level features (such as boot process, LAN connectivity) and is not changed once a phone has left the factory or is in operation. However, new features may be provided during the ongoing development and factory production process.
• Application Software: This component contains all features for Call Handling, Call Signaling , Audio Control, User Interface, Language Support.

» Return to top

For further information about how to configure ProCurve switches to support convergence, please refer to the following links:

• For PCM+ and IDM manuals:
  http://h40060.www4.hp.com/procurve/includes/manuals/index.php?cc=uk&lc=en&content=ProCurve-Manager
  http://h40060.www4.hp.com/procurve/includes/manuals/index.php?cc=uk&lc=en&content=IDM
• For user manuals for ProCurve 3500yl-5400zl-8212zl switches:
  http://h40060.www4.hp.com/procurve/includes/manuals/index.php?cc=uk&lc=en&content=3500-6200-5400-ChapterFiles
• For ProCurve Switch 2610 series manuals:
  http://h40060.www4.hp.com/procurve/includes/manuals/index.php?cc=uk&lc=en&content=2610
• For information on Siemens phones, please refer to the following site:
  http://www.enterprisecommunications. siemens.com/global/Products/Phones%20Clients/Desktop%20Phones/optiPoint%20410- 420%20SIP%20Families.aspx
• For information about 802.1X, look at the following file:
  http://wiki.siemens-enterprise.com/images/2/23/IEEE_802.1X_Configuration_Management.pdf

» Return to top