Cisco Systems 8.6 Best PracticesRequirements and Recommendations

1-20

Cisco Unified IP Phone Administration Guide for Cisco Unified Communications Manager 8.6 (SCCP and SIP)

OL-23091-01

Chapter 1 An Overview of the Cisco Unified IP Phones

Understanding Security Features for Cisco Unified IP Phones

• Cisco Catalyst Switch (or other third-party switch)—The switch must support 802.1X, so it can act

as the authenticator and pass the messages between the phone and the authentication server. When

the exchange completes, the switch grants or denies the phone access to the network.

Best Practices—Requirements and Recommendations

• Enable 802.1X Authentication—If you want to use the 802.1X standard to authenticate Cisco

Unified IP Phones, be sure that you have properly configured the other components before enabling

it on the phone. See 802.1X Authentication and Status, page 4-44 for more information.

• Configure PC Port—The 802.1X standard does not take into account the use of VLANs and thus

recommends that only a single device should authenticate to a specific switch port. However, some

switches (including Cisco Catalyst switches) support multi-domain authentication. The switch

configuration determines whether you can connect a PC to the phone’s PC port.

–

Enabled—If you are using a switch that supports multi-domain authentication, you can enable

the PC port and connect a PC to it. In this case, Cisco Unified IP Phones support proxy

EAPOL-Logoff to monitor the authentication exchanges between the switch and the attached

PC. For more information about IEEE 802.1X support on the Cisco Catalyst switches, see the

Cisco Catalyst switch configuration guides at:

http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.

html

–

Disabled—If the switch does not support multiple 802.1X-compliant devices on the same port,

you should disable the PC Port when 802.1X authentication is enabled. See Security

Configuration Menu, page 4-32 for more information. If you do not disable this port and

subsequently attempt to attach a PC to it, the switch will deny network access to both the phone

and the PC.

• Configure Voice VLAN—Because the 802.1X standard does not account for VLANs, you should

configure this setting based on the switch support.

–

Enabled—If you are using a switch that supports multi-domain authentication, you can continue

to use the voice VLAN.

–

Disabled—If the switch does not support multi-domain authentication, disable the Voice VLAN

and consider assigning the port to the native VLAN. See Security Configuration Menu,

page 4-32 for more information.

• Enter MD5 Shared Secret—If you disable 802.1X authentication or perform a factory reset on the

phone, the previously configured MD5 shared secret is deleted. See 802.1X Authentication and

Status, page 4-44 for more information.