Cisco Systems 7970G

Chapter1 An Overview of the Cisco Unified IP Phone

Understanding Security Features for Cisco Unified IP Phones

1-20

Cisco Unified IP Phone Administration Guide for Cisco Unified CallManager 5.1 (SIP), Cisco Unified IP Phones

OL-11524-01

•Configure PC Port—The 802.1X standard does not take into account the use

of VLANs and thus recommends that only a single device should be

authenticated to a specific switch port. However, some switches (including

Cisco Catalyst switches) support multi-domain authentication. The switch

configuration determines whether you can connect a PC to the phone’s PC

port.

–

Enabled—If you are using a switch that supports multi-domain

authentication, you can enable the PC port and connect a PC to it. In this

case, Cisco Unified IP Phones support proxy EAPOL-Logoff to monitor

the authentication exchanges between the switch and the attached PC.

For more information about IEEE 802.1X support on the Cisco Catalyst

switches, refer to the Cisco Catalyst switch configuration guides at:

http://www.cisco.com/en/US/products/hw/switches/tsd_products_suppo

rt_category_home.html

–

Disabled—If the switch does not support multiple 802.1X-compliant

devices on the same port, you should disable the PC Port when 802.1X

authentication is enabled. See the “Security Configuration Menu”

section on page4-33 for more information. If you do not disable this port

and subsequently attempt to attach a PC to it, the switch will deny

network access to both the phone and the PC.

•Configure Voice VLAN—Because the 802.1X standard does not account for

VLANs, you should configure this setting based on the switch support:

–

Enabled—If you are using a switch that supports multi-domain

authentication, you can continue to use the voice VLAN.

–

Disabled—If the switch does not support multi-domain authentication,

disable the Voice VLAN and consider assigning the port to the native

VLAN. See the “Security Configuration Menu” section on page4-33 for

more information.

•Enter MD5 Shared Secret—If you disable 802.1X authentication or perform

a factory reset on the phone, the previously configured MD5 shared secret is

deleted. See the “802.1X Authentication and Status” section on page 4-42 for

more information.