Cisco 802.1X Authentication
This section provides
information about 802.1X support on the Cisco Unified IP Phones.
Overview
Cisco Unified IP Phones and
Cisco Catalyst switches traditionally use Cisco Discovery Protocol (CDP) to identify each other and determine parameters
such as VLAN allocation and inline power requirements. CDP does not identify locally attached
workstations. Cisco Unified IP Phones provide an EAPOL pass-through mechanism. This mechanism allows a
workstation attached to the Cisco Unified IP Phone to pass EAPOL messages to the 802.1X authenticator at the
LAN switch. The pass-through mechanism ensures that the IP phone does not act as the LAN switch to
authenticate a data endpoint before accessing the network.
Cisco Unified IP Phones also
provide a proxy EAPOL Logoff mechanism. In the event that the locally attached PC disconnects from the IP phone, the LAN
switch does not see the physical link fail, because the link between the LAN switch and the IP phone is
maintained. To avoid compromising network integrity, the IP phone sends an EAPOL-Logoff message to the switch on
behalf of the downstream PC, which triggers the LAN switch to clear the authentication entry for the
downstream PC.
Cisco Unified IP Phones
also contain an 802.1X supplicant. This supplicant allows network
administrators to control the
connectivity of IP phones to the LAN switch ports. The current release of the
phone 802.1X supplicant uses the
EAP-FAST, EAP-TLS, and EAP-MD5 options for network authentication.
Required Network
Components
Support for 802.1X
authentication on Cisco Unified IP Phones requires several components,
including:
-
Cisco Unified IP Phone: The
phone acts as the 802.1X supplicant, which
initiates the request to access the
network.
-
Cisco Secure Access Control Server (ACS) (or
other third-party authentication server): The authentication server and the phone must both be configured
with a shared secret that authenticates the phone.
-
Cisco Catalyst Switch (or
other third-party switch): The switch must support 802.1X, so it can act as the authenticator and pass
the messages between the phone and the authentication server. After the exchange completes, the switch grants or
denies the phone access to the network.
Best
Practices-Requirements and Recommendations
-
Enable 802.1X
Authentication—If you want to use the
802.1X standard to authenticate Cisco Unified
IP Phones, be sure that you have properly configured the other
components before enabling it on the phone.
-
Configure PC Port—The 802.1X standard does not take into account
the use of VLANs and thus recommends
that only a single device should authenticate to a specific switch port.
However, some switches (including Cisco
Catalyst switches) support multi-domain authentication. The switch configuration determines if you can connect a
PC to the phone’s PC port.
-
Enabled—If you use a switch that supports multidomain
authentication, you can enable the PC port
and connect a PC to it. In this case, Cisco Unified IP Phones support proxy
EAPOL-Logoff to monitor the
authentication exchanges between the switch and the attached PC. For more information about IEEE 802.1X support on the
Cisco Catalyst switches, see the Cisco Catalyst
switch configuration guides at: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
-
Disabled—If the switch does not support multiple
802.1X-compliant devices on the same port,
you should disable the PC Port when 802.1X authentication is enabled. If
you do not disable this port and
subsequently attempt to attach a PC to it, the switch will deny network access
to both the phone and the PC.
-
Configure Voice VLAN—Because the 802.1X standard does not account for
VLANs, you should configure this setting
based on the switch support.
-
Enabled—If you use a switch that supports multidomain
authentication, you can continue to use the
voice VLAN.
-
Disabled—If the switch does not support multidomain
authentication, disable the Voice VLAN and
consider assigning the port to the native VLAN.
-
Enter MD5 Shared Secret—If you disable 802.1X authentication or perform
a factory reset on the phone, the
previously configured MD5 shared secret is deleted.
Related Topics
Security Configuration Menu
802.1X Authentication and Status
Related Articles
Cisco Unified IP Phone
Cisco Unified IP Phone Phone Overview Cisco Unified IP Phone 77941G, 7941G-GE, 7942G, 7961G, 7961G-GE and 7962G Components Network Protocols Cisco Unified IP Phone Supported Features Cisco Unified IP Phone Security Features Phone Power ...
Cisco Unified IP Phone Supported Features
Cisco Unified IP Phone Supported Features Cisco Unified IP Phones function much like a digital business phone, allowing you to place and receive phone calls. In addition to traditional telephony features, the Cisco Unified IP Phones include features ...
Cisco Unified IP Phone Security Features
Cisco Unified IP Phone Security Features Implementing security in the Cisco Unified Communications Manager system prevents identity theft of the phone and Cisco Unified Communications Manager server, prevents data tampering, and prevents call ...
Cisco Unified IP Phone Security
Cisco Unified IP Phone Security The security features protect against several threats, including threats to the identity of the phone and to data. These features establish and maintain authenticated communication streams between the phone and the ...
What Network Protocols are supported by Cisco Unified IP Phones?
Cisco Network Protocols Cisco Unified IP Phones support several industry-standard and Cisco network protocols required for voice communication. The following table provides an overview of the network protocols that the Cisco Unified IP Phones ...