topic thank you to everyone for in Network Access Control

Cisco ISE authenticating Ip Phone 7942

RSundstrom — Mon, 11 Mar 2019 04:39:20 GMT

Hello,

I am installing Cisco ISE soon and have a question. Why can't I authenticate Cisco IP phone model 7942 using 802.1x? I see that the phone has this option (it is not enabled). I am told that Cisco IP Phones must be authenticated on ISE by using profiling or MAB. This uses a costly advanced license to accomplish this.

Has anybody had any luck in this area?

Thank you,

Bob

Profiling use advanced

Venkatesh Attuluri — Tue, 22 Apr 2014 04:07:51 GMT

Profiling use advanced license but MAB uses base license. Administration > Identity Management > Identities and select Endpoints. Select Create and assign your IP phone’s MAC address to the Identity Group Cisco-IP-Phone:

Hi, Is your model 7942g? In

Philip Vilhelmsson — Tue, 22 Apr 2014 12:48:48 GMT

Hi,

Is your model 7942g? In that case those phones sould have a built in certificate from Cisco (Manufacturer Installed Certificate) that can be used for EAP-TLS. The common name begin ether with SEP och CP.

Regards,

Philip

You are correct. I did not

RSundstrom — Tue, 22 Apr 2014 12:49:44 GMT

You are correct. I did not add all the info I should have in my first post. My apologies. I can't use MAB to authenticate IP Phones because we have over 1,200. The initial programming and ongoing maintenance would be huge.

What I am looking for is the ability to authenticate Cisco IP phones using 802.1x authentication. The model we have most of is the Cisco IP Phone 7942.

Thank you.

Hello Philip,The phone on my

RSundstrom — Tue, 22 Apr 2014 12:57:25 GMT

Hello Philip,

The phone on my desk is a 7942G model. We have a variety of Cisco IP phones. Is there a way for me to find out which models have a built-in certificate?

Thank you for the reply,

Bob

Check Tabe 2 here: http://www

Philip Vilhelmsson — Tue, 22 Apr 2014 13:34:37 GMT

Check Tabe 2 here: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html

Hello Philip,Thank you for

RSundstrom — Tue, 22 Apr 2014 15:53:15 GMT

Hello Philip,

Thank you for the link. It is very useful.

Bob

Philip,Thank you for your

RSundstrom — Thu, 24 Apr 2014 15:25:03 GMT

Philip,

Thank you for your help. I have what I need to know.

Bob

I have successfully deployed

Stephen McBride — Sun, 27 Apr 2014 22:29:31 GMT

I have successfully deployed 802.1x for wireless IP phones using MIC. The only real problem I have with this approach is the inability of ISE to authenticate the username from certificate against anything but an external database. As a result I have been forced to use a static endpoint group for the MAC addresses of the allowed phones to meet the organisation's security stance. Just wish EAP-TLS could go against an internal database.

thank you to everyone for

RSundstrom — Wed, 14 May 2014 19:48:11 GMT

thank you to everyone for helping out on this post! Wonderful!

Re: You are correct. I did not

ucanduc — Fri, 15 Sep 2017 10:22:48 GMT

I faced the same issue to bulk add IP phones MAC addresses to ISE.

As, rather, a voice guy I would like to add that the number of IP phones in the deployment is not really a problem.

In fact, if the IP phones have been already added to CUCM, the voice administrator can bulk export IP phone MAC addresses in CSV format. Afterwards, the ISE administrator can import them as identities to ISE in bulk in CSV format. Just some CSV formatting is needed.