Supporting 802.1X Authentication On Cisco Unified Ip Phones; Overview; Required Network Components - Cisco 6921 Administration Manual
Administration guide for cisco unified communications manager 8.0 (sccp)
Hide thumbs
Also See for 6921:
- Administration manual (210 pages) ,
- User manual (124 pages) ,
- Features (29 pages)
Table of Contents
Advertisement
Understanding Security Features for Cisco Unified IP Phones
Table 1-8
Initiator's Phone
Security Level
Non-secure
Secure
Supporting 802.1X Authentication on Cisco Unified IP Phones
These sections provide information about 802.1X support on the Cisco Unified IP Phones:
•
•
•
Overview
Cisco Unified IP phones and Cisco Catalyst switches have traditionally used Cisco Discovery Protocol
(CDP) to identify each other and determine parameters such as VLAN allocation and inline power
requirements. However, CDP is not used to identify any locally attached PCs; therefore, Cisco Unified
IP Phones provide an EAPOL pass-through mechanism, whereby a PC locally attached to the IP phone,
may pass through EAPOL messages to the 802.1X authenticator in the LAN switch. This prevents the
IP phone from having to act as the authenticator, yet allows the LAN switch to authenticate a data end
point prior to accessing the network.
In conjunction with the EAPOL pass-through mechanism, Cisco Unified IP Phones provide a proxy
EAPOL-Logoff mechanism. In the event that the locally attached PC is disconnected from the IP phone,
the LAN switch would not see the physical link fail, because the link between the LAN switch and the
IP phone is maintained. To avoid compromising network integrity, the IP phone sends an EAPOL-Logoff
message to the switch, on behalf of the downstream PC, which triggers the LAN switch to clear the
authentication entry for the downstream PC.
The Cisco Unified IP phones also contain an 802.1X supplicant, in addition to the EAPOL pass-through
mechanism. This supplicant allows network administrators to control the connectivity of IP phones to
the LAN switch ports. The current release of the phone 802.1X supplicant uses the EAP-FAST,
EAP-TLS, and EAP-MD5 options for network authentication.
Required Network Components
Support for 802.1X authentication on Cisco Unified IP Phones requires several components, including:
•
•
Cisco Unified IP Phone 6921, 6941, and 6961 Administration Guide for Cisco Unified Communications Manager 8.0 (SCCP)
1-20
Security Restrictions with Conference Calls (continued)
Feature Used
MeetMe
MeetMe
Overview, page 1-20
Required Network Components, page 1-20
Best Practices—Requirements and Recommendations, page 1-21
Cisco Unified IP Phone—The phone acts as the 802.1X supplicant, which initiates the request to
access the network.
Cisco Secure Access Control Server (ACS) (or other third-party authentication server)—The
authentication server and the phone must both be configured with a shared secret that is used to
authenticate the phone.
Chapter 1
Security Level of Participants
Minimum security level is
encrypted
Minimum security level is
nonsecure
An Overview of the Cisco Unified IP Phone
Results of Action
Initiator receives message "Does
not meet Security Level, call
rejected."
Only secure conference bridge
available and used
Conference accepts all calls
OL-20851-01
Advertisement
Table of Contents
Troubleshooting
