Cisco Systems Comprehensive Guide to 802.1X Authentication for Cisco IP Phones

Understanding Security Features for Cisco Unified IP Phones

Supporting 802.1X Authentication on Cisco Unified IP Phones

These sections provide information about 802.1X support on the Cisco Unified IP Phones:

Overview

Required Network Components

Best Practices—Requirements and Recommendations

Overview

Cisco Unified IP Phones and Cisco Catalyst switches have traditionally used Cisco Discovery Protocol (CDP) to identify each other and determine parameters such as VLAN allocation and inline power requirements. However, CDP is not used to identify any locally attached PCs; therefore, Cisco Unified IP Phones provide an EAPOL pass-through mechanism, whereby a PC locally attached to the IP phone may pass EAPOL messages through to the 802.1X authenticator in the LAN switch. This prevents the IP phone from having to act as the authenticator, yet allows the LAN switch to authenticate a data endpoint before it accesses the network.

In conjunction with the EAPOL pass-through mechanism, Cisco Unified IP Phones provide a proxy EAPOL-Logoff mechanism. In the event that the locally attached PC is disconnected from the IP phone, the LAN switch would not see the physical link fail, because the link between the LAN switch and the IP phone is maintained. To avoid compromising network integrity, the IP phone sends an EAPOL-Logoff message to the switch, on behalf of the downstream PC, which triggers the LAN switch to clear the authentication entry for the downstream PC.
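The following added example (not from the Cisco guide) builds and parses the EAPOL frame involved and models why the proxy EAPOL-Logoff matters when the switch-to-phone link stays up. The SwitchPort class, the pc_unplugged helper and the MAC addresses are hypothetical, and the example assumes the phone sends the Logoff with the PC's MAC address as the frame source.

```python
import struct

PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
ETH_EAPOL = 0x888E                          # EAPOL EtherType
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

def build_eapol(src_mac: bytes, ptype: int, body: bytes = b"", version: int = 1) -> bytes:
    """Ethernet II header + EAPOL header (version, type, body length) + body."""
    return PAE_GROUP + src_mac + struct.pack("!HBBH", ETH_EAPOL, version, ptype, len(body)) + body

def parse_eapol(frame: bytes):
    """Return (src_mac, type_name, body), or None if the frame is not well-formed EAPOL."""
    if len(frame) < 18:
        return None
    ethertype, _version, ptype, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETH_EAPOL or ptype not in EAPOL_TYPES or len(frame) < 18 + length:
        return None
    return frame[6:12], EAPOL_TYPES[ptype], frame[18:18 + length]

class SwitchPort:
    """Hypothetical authenticator state for one port: authorized data-endpoint MACs."""
    def __init__(self):
        self.link_up = True      # link to the phone, not to the PC behind it
        self.sessions = set()

    def authorize(self, mac: bytes):
        # Stands in for a completed EAP exchange with the authentication server.
        self.sessions.add(mac)

    def receive(self, frame: bytes) -> str:
        parsed = parse_eapol(frame)
        if parsed is None:
            return "ignored"
        src, kind, _ = parsed
        if kind == "EAPOL-Logoff" and src in self.sessions:
            self.sessions.discard(src)   # clear the authentication entry
            return "session-cleared"
        return kind

def pc_unplugged(port: SwitchPort, pc_mac: bytes, phone_proxies_logoff: bool) -> bool:
    """Model the PC leaving the phone's PC port; True means a stale session remains."""
    # The switch-to-phone link stays up, so the switch sees no link-down event.
    if phone_proxies_logoff:
        # Assumption: the phone uses the PC's MAC as the source of the Logoff.
        port.receive(build_eapol(pc_mac, 2))
    return pc_mac in port.sessions
```

Without the proxy Logoff the PC's entry stays authorized on a port whose link never dropped, which is the stale state the phone's mechanism is there to remove.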

The Cisco Unified IP phones also contain an 802.1X supplicant, in addition to the EAPOL pass-through mechanism. This supplicant allows network administrators to control the connectivity of IP phones to the LAN switch ports. The current release of the phone 802.1X supplicant uses the EAP-FAST, EAP-TLS, and EAP-MD5 options for network authentication.

Required Network Components

Support for 802.1X authentication on Cisco Unified IP Phones requires several components, including:

Cisco Unified IP Phone—The phone acts as the 802.1X supplicant, which initiates the request to access the network.

Cisco Secure Access Control Server (ACS) (or other third-party authentication server)—The authentication server and the phone must both be configured with a shared secret that is used to authenticate the phone.

Cisco Catalyst Switch (or other third-party switch)—The switch must support 802.1X, so it can act as the authenticator and pass the messages between the phone and the authentication server. When the exchange is completed, the switch then grants or denies the phone access to the network.

Best Practices—Requirements and Recommendations

Enable 802.1X Authentication—If you want to use the 802.1X standard to authenticate Cisco Unified IP Phones, be sure that you have properly configured the other components before enabling it on the phone. See the “802.1X Authentication and Status” section on page 4-8 for more information.

 

Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)

OL-20851-01
