03-03-2021 11:29 AM
Customer is using 802.1x authentication for IP phones on the current CUCM cluster (version 9.x). We will migrate the phones to a new CUCM cluster (version 12.x).
What is the best approach to deal with 802.1x authentication?
03-03-2021 12:11 PM - edited 03-03-2021 01:12 PM
So I think it would depend on how 802.1X was deployed. Are you using LSCs signed by CAPF, or Manufacturing certs, which are signed by the Manufacturing CA? CAPF is typically self-signed in CUCM.
I would first start by truly understanding how 802.1X was deployed: look at the certs used for trust and see if you can't just add the additional trust from the new cluster and then do a test migration via 802.1X.
I think another method would be to set up a temp policy to fail over to MAB in the event 802.1X fails, but that is more of an ISE topic.
Here are some docs on related items.
CAPF/Manufacturing CA certs are uploaded to authentication servers like Cisco Secure Access Control Server (ACS) or Identity Services Engine (ISE). The authentication server uses the uploaded certificates to authenticate the phone when it presents its certificate (LSC or MIC).
This might help you for the migration as well.
03-03-2021 01:04 PM
03-03-2021 01:13 PM
Yes, you will force a restart of phones doing that. Be careful, of course.
03-03-2021 05:29 PM
The documents below explain how to move a phone from one cluster to another.
Since it's an ISE topic, it is better to open a discussion in the ISE community.