02-18-2013 03:23 PM - edited 03-16-2019 03:47 PM
Hi All,
Does anyone know if the 7937 phone supports EAP-TLS 802.1x with MIC or LSC certs?
I've found that in CUCM there are no dot1x configuration options.
On the phone it seems to support EAP-MD5 only?
This doco talks about firmware 8.5, 9 etc. http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/IP_Tele/IP_Telephony_DIG.html
However CCO download page lists only 1.x versions.
Thanks
04-26-2013 09:56 AM
Sadly, it seems that the 7937 doesn't support EAP-TLS; see the datasheet:
This is really, really bad because Microsoft removed (for a good reason) the EAP-MD5 support since Server 2008 R2.
You can add the support back into the product but you have to edit the registry!
But EAP-MD5 is really old and has nothing to do with state of the art security.
But I think this doesn't change anything. I suggest the hardware does not have sufficient power to deal with EAP-TLS.
But on the other hand I found this:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.pdf
Page 16:
2.3.1.1.1 Certificates
The following Cisco IP Phones support authentication via X.509 Certificates using the EAP-TLS or EAP-FAST methods of authentication:
<...>7931, 7937 8.5(2) 9.0(2)
<...>
So I don't know what is correct...
Kind Regards
René
04-23-2013 04:39 AM
I'd also like to know the answer to this. There is no 802.1x configuration option in CUCM for the 7937 phones. Through the settings menu you can enable 802.1x and not set an MD5 password (similar to 7971 etc) but it doesn't seem to supply a certificate and we're currently authenticating the 7937s via MAB.
Firmware versions in the TrustSec guide are clearly wrong for 7937 phones. We're running 1.4(2).
Interestingly I can't browse to https://phoneipaddress and the CUCM page for 7937 phones shows them as 'untrusted'. This all points to them not supporting TLS to me but it'd be good to get some official comment.
Dave