2913 Views | 10 Helpful | 2 Replies

7937 EAP-TLS 802.1x?

petermitchell
Level 1

Hi All,

Does anyone know if the 7937 phone supports EAP-TLS 802.1x with MIC or LSC certs?

I've found in CUCM there are no dot1x configuration options.

On the phone it seems to support EAP-MD5 only?

This doco talks about firmware 8.5, 9 etc.: http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/IP_Tele/IP_Telephony_DIG.html

However, the CCO download page lists only 1.x versions.

Thanks

1 Accepted Solution

Sadly, it seems that the 7937 doesn't support EAP-TLS; see the datasheet:

http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/phones/ps379/ps8759/product_data_sheet0900aecd806e021a.html

This is really, really bad because Microsoft has removed (for a good reason) EAP-MD5 support since Server 2008 R2.

You can add the support back into the product, but you have to edit the registry!

But EAP-MD5 is really old and has nothing to do with state-of-the-art security.

But I think this doesn't change anything. I suggest the hardware does not have sufficient power to deal with EAP-TLS.

But on the other hand I found this:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.pdf

Page 16:

2.3.1.1.1 Certificates

The following Cisco IP Phones support authentication via X.509 Certificates using the EAP-TLS or EAP-FAST methods of authentication:


<...>

7931, 7937 8.5(2)  9.0(2)

<...>

So I don't know what is correct...

Kind Regards

René

2 Replies

Dave Lewis
Level 1

I'd also like to know the answer to this. There is no 802.1x configuration option in CUCM for the 7937 phones. Through the settings menu you can enable 802.1x and not set an MD5 password (similar to 7971 etc) but it doesn't seem to supply a certificate and we're currently authenticating the 7937s via MAB.

Firmware versions in the TrustSec guide are clearly wrong for 7937 phones. We're running 1.4(2).

Interestingly I can't browse to https://phoneipaddress and the CUCM page for 7937 phones shows them as 'untrusted'. This all points to them not supporting TLS to me but it'd be good to get some official comment.

Dave
