Cisco Systems 8.6 Supporting 802.1X Authentication on Cisco Unified IP Phones

1-19

Cisco Unified IP Phone Administration Guide for Cisco Unified Communications Manager 8.6 (SCCP and SIP)

OL-23091-01

Chapter 1 An Overview of the Cisco Unified IP Phones

Understanding Security Features for Cisco Unified IP Phones

Supporting 802.1X Authentication on Cisco Unified IP Phones

These sections provide information about 802.1X support on the Cisco Unified IP Phones:

• Overview, page 1-19

• Required Network Components, page 1-19

• Best Practices—Requirements and Recommendations, page 1-20

Cisco Unified IP Phones and Cisco Catalyst switches have traditionally used Cisco Discovery Protocol

(CDP) to identify each other and determine parameters such as VLAN allocation and inline power

requirements. However, CDP is not used to identify any locally attached PCs. Therefore, Cisco Unified

IP Phones provide an EAPOL pass-through mechanism. With this mechanism, a PC locally attached to

the Cisco Unified IP Phone may pass EAPOL messages to the 802.1X authenticator in the LAN switch.

This prevents the Cisco Unified IP Phone from having to act as the authenticator, yet allows the LAN

switch to authenticate a data end point prior to accessing the network.

In conjunction with the EAPOL pass-through mechanism, Cisco Unified IP Phones provide a proxy

EAPOL-Logoff mechanism. In the event that the locally attached PC disconnects from the Cisco Unified

IP Phone, the LAN switch does see the physical link fail, because the link between the LAN switch and

the Cisco Unified IP Phone is maintained. To avoid compromising network integrity, the IP Phone sends

an EAPOL-Logoff message to the switch on behalf of the downstream PC, which triggers the LAN

switch to clear the authentication entry for the downstream PC.

The Cisco Unified IP Phones also contain an 802.1X supplicant, in addition to the EAPOL pass-through

mechanism. This supplicant allows network administrators to control the connectivity of Cisco Unified

IP Phones to the LAN switch ports. The phone 802.1X supplicant uses the EAP-FAST, EAP-TLS, and

EAP-MD5 options for network authentication.

Support for 802.1X authentication on Cisco Unified IP Phones requires several components, including:

• Cisco Unified IP Phones—The phone acts as the 802.1X supplicant, which initiates the request to

access the network.

• Cisco Secure Access Control Server (ACS) (or other third-party authentication server)—The

authentication server and the phone must both be configured with a shared secret that is used to

authenticate the phone.

Secure (encrypted) MeetMe Minimum security level is

authenticated

Secure conference bridge

Conference accepts encrypted and authenticated

calls

Secure (encrypted) MeetMe Minimum security level is

non-secure

Only secure conference bridge available and used

Conference accepts all calls

Table 1-6 Security Restrictions with Conference Calls (continued)

Initiator’s Phone

Security Level Feature Used Security Level of Participants Results of Action