06-14-2011 12:11 PM - edited 03-16-2019 05:27 AM
Labels: Other IP Telephony
Accepted Solutions
06-15-2011 01:45 PM
There is a model-specific configuration parameter that allows you to enable/disable 802.1x support on the Device Configuration page.
What do you want the phone to use to authenticate itself? Unless you want users to be authenticating the phone with their user credentials, the document I referenced is your place to start. You'll need to get certificates deployed to the phones so they can provide that to the switch for authentication.
06-15-2011 06:28 AM
Yes. You can place the cluster in mixed mode, have CAPF generate LSC certificates to the phones as a subordinate CA to your internal root CA, and then have the phones perform 802.1x authentication. This is not a trivial task though. Here's the document to get you started: Cisco Unified Communications Manager Security Guide, Release 7.1(2)
Note that you can also use the MIC (that term will make sense after reading the security guide) to provide limited network access for a phone without an LSC. The intention here is to provide the phone enough access to enroll in an LSC through CUCM CAPF and then re-authenticate to the switch for full network access with its LSC.
06-15-2011 01:36 PM
Hi Jonathan,
In my case I need the phones to authenticate via 802.1x with ACS. Where can I do this in the CCM?
Thanks
06-17-2011 09:01 AM
OK, and how do I get certificates deployed to the phones so they can provide that to the switch for authentication?
+5, thanks a lot, keep in contact.
06-29-2011 10:02 AM
Getting certificates on the phone is no small task. The security guide is your best reference. Here are the high-level steps from memory:
- Order a pair of hardware tokens (part KEY-CCM-ADMIN-K9=). You must have at least two! These are the private keys that you will use for signing the Certificate Trust List (CTL).
- Activate the server-side services (CAPF and CTL).
- Configure the CTL Client.
- Instruct phones to install an LSC.
Table 7-2 outlines the steps/order for you in far greater detail. Again, I recommend doing this in a lab and reading the entire security guide first. This is easy to mess up.