Chapter 1 An Overview of the Cisco Unified IP Phones

Understanding Security Features for Cisco Unified IP Phones

Table 1-6

Security Restrictions with Conference Calls (continued)

 

 

 

 

 

Initiator’s Phone

 

 

 

 

Security Level

 

Feature Used

Security Level of Participants

Results of Action

 

 

 

 

Secure (encrypted)

MeetMe

Minimum security level is

Secure conference bridge

 

 

 

authenticated

Conference accepts encrypted and authenticated

 

 

 

 

 

 

 

 

calls

 

 

 

 

Secure (encrypted)

MeetMe

Minimum security level is

Only secure conference bridge available and used

 

 

 

non-secure

Conference accepts all calls

 

 

 

 

 

 

 

 

 

Supporting 802.1X Authentication on Cisco Unified IP Phones

These sections provide information about 802.1X support on the Cisco Unified IP Phones:

Overview, page 1-19

Required Network Components, page 1-19

Best Practices—Requirements and Recommendations, page 1-20

Overview

Cisco Unified IP Phones and Cisco Catalyst switches have traditionally used Cisco Discovery Protocol (CDP) to identify each other and determine parameters such as VLAN allocation and inline power requirements. However, CDP is not used to identify any locally attached PCs. Therefore, Cisco Unified IP Phones provide an EAPOL pass-through mechanism. With this mechanism, a PC locally attached to the Cisco Unified IP Phone may pass EAPOL messages to the 802.1X authenticator in the LAN switch. This prevents the Cisco Unified IP Phone from having to act as the authenticator, yet allows the LAN switch to authenticate a data end point prior to accessing the network.

In conjunction with the EAPOL pass-through mechanism, Cisco Unified IP Phones provide a proxy EAPOL-Logoff mechanism. In the event that the locally attached PC disconnects from the Cisco Unified IP Phone, the LAN switch does see the physical link fail, because the link between the LAN switch and the Cisco Unified IP Phone is maintained. To avoid compromising network integrity, the IP Phone sends an EAPOL-Logoff message to the switch on behalf of the downstream PC, which triggers the LAN switch to clear the authentication entry for the downstream PC.

The Cisco Unified IP Phones also contain an 802.1X supplicant, in addition to the EAPOL pass-through mechanism. This supplicant allows network administrators to control the connectivity of Cisco Unified IP Phones to the LAN switch ports. The phone 802.1X supplicant uses the EAP-FAST, EAP-TLS, and EAP-MD5 options for network authentication.

Required Network Components

Support for 802.1X authentication on Cisco Unified IP Phones requires several components, including:

Cisco Unified IP Phones—The phone acts as the 802.1X supplicant, which initiates the request to access the network.

Cisco Secure Access Control Server (ACS) (or other third-party authentication server)—The authentication server and the phone must both be configured with a shared secret that is used to authenticate the phone.

 

 

Cisco Unified IP Phone Administration Guide for Cisco Unified Communications Manager 8.6 (SCCP and SIP)

 

 

 

 

 

 

OL-23091-01

 

 

1-19

 

 

 

 

 

Page 32 Page 34
Page 33
Image 33
Cisco Systems 8.6 manual Supporting 802.1X Authentication on Cisco Unified IP Phones, Overview, Required Network Components
Page 32 Page 34
Top Page Image Contents