1-16
Cisco Unified IP Phone 7970G/7971G-GE Administration Guide for Cisco Unified Communications Manager 7.0
OL-15299-01
Chapter 1 An Overview of the Cisco Unified IP Phone
Understanding Security Features for Cisco Unified IP Phones
Supporting 802.1X Authentication on Cisco Unified IP PhonesThese sections provide information about 802.1X support on the Cisco Unified IP Phones:
• Overview, page 1-16
• Required Network Components, page 1-16
• Best Practices—Requirements and Recommendations, page 1-17
Overview
Cisco Unified IP phones and Cisco Catalyst switches have traditionally used Cisco Discovery Protocol
(CDP) to identify each other and to determine parameters such as VLAN allocation and inline power
requirements. However, CDP is not used to identify any locally attached PCs. Therefore, Cisco Unified
IP Phones provide an EAPOL pass-through mechanism, whereby a PC locally attached to the IP phone
may pass through EAPOL messages to the 802.1X authenticator in the LAN switch. This capability
prevents the IP phone from having to act as the authenticator, yet allows the LAN switch to authenticate
a data end point prior to accessing the network.
In conjunction with the EAPOL pass-through mechanism, Cisco Unified IP Phones provide a proxy
EAPOL-Logoff mechanism. If the locally attached PC is disconnected from the IP phone, the LAN
switch would not see the physical link fail, because the link between the LAN switch and the IP phone
is maintained. To avoid compromising network integrity, the IP phone sends an EAPOL-Logoff message
to the switch on behalf of the downstream PC, which triggers the LAN switch to clear the authentication
entry for the downstream PC.
The Cisco Unified IP phones contain an 802.1X supplicant in addition to the EAPOL pass-through
mechanism. This supplicant allows network administrators to control the connectivity of IP phones to
the LAN switch ports. The IP phone 802.1X supplicant implements the EAP-MD5 option for 802.1X
authentication.
Required Network Components
Support for 802.1X authentication on Cisco Unified IP Phones requires several components, including:
Non-secure cBarge All participants are encrypted Secure conference bridge
Conference changes to non-secure
Non-secure MeetMe Minimum security level is
encrypted
Initiator receives message “Does not meet
Security Level”, call rejected.
Secure (encrypted) MeetMe Minimum security level is
authenticated
Secure conference bridge
Conference accepts encrypted and
authenticated calls
Secure (encrypted) MeetMe Minimum security level is
non-secure
Only secure conference bridge available and
used
Conference accepts all calls
Table 1-5 Security Restrictions with Conference Calls (continued)
Initiator’s Phone
Security Level Feature Used Security Level of Participants Results of Action