
Migrate IP Phones to new cluster. Using 802.1x on current cluster

ajber
Level 1

Customer is using 802.1x authentication for IP phones on the current CUCM cluster (version 9.x). We will migrate the phones to a new CUCM cluster (version 12.x).

What is the best approach to deal with 802.1x authentication?


Gregory Brunn
Spotlight

So I think it would depend on how 802.1X was deployed. Are you using LSC signed by CAPF or Manufacturing certs which are signed by the Manufacturing CA? CAPF is typically self-signed in CUCM.

I would first start by truly understanding how 802.1X was deployed: look at the certs used for trust and see if you can't just add the new additional trust from the new cluster and then do a test migration via 802.1X.

I think another method would be to set up a temp policy to fail over to MAB in the event 802.1X fails, but that is more an ISE topic.

Here are some docs on related items.

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200860-Q-A-for-CUCM-PHONE-CERTIFICATES-LSC-MIC.html#anc4

Between Phone and Authentication server for 802.1x Authentication

CAPF/Manufacturing CA certs are uploaded to Authentication servers like Cisco Secure Access Control Server (ACS) or Identity Services Engine (ISE). Authentication server uses the uploaded certificates to authenticate the Phone when it presents its certificate (LSC or MIC).

This might help you for the migration as well.

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/213407-migrate-phones-between-secure-clusters.html
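The trust relationship described in the reply above, as an added lab example that is not part of the original posts: an LSC signed by the new cluster's CAPF is rejected until that CAPF certificate sits in the trust bundle next to the old one. Assumptions: `openssl verify` stands in for the authentication server's chain check, and the two self-signed CAs, the device names and the file names are all constructed for the test.

```shell
#!/bin/sh
# Constructed lab: two self-signed "CAPF" CAs stand in for the old and new
# clusters. No real CUCM or ISE certificates are used.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_capf() {  # $1 = file prefix, $2 = subject CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue_lsc() {  # $1 = signing CAPF prefix, $2 = phone device name
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 30 \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# Prints "trusted" or "rejected" for a phone's LSC against a trust bundle.
lsc_status() {  # $1 = trust bundle, $2 = phone device name
    if openssl verify -CAfile "$1" "$WORK/$2.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

make_capf capf_old "CAPF-old-cluster"
make_capf capf_new "CAPF-new-cluster"
issue_lsc capf_old SEP000000000001   # phone still on the 9.x cluster
issue_lsc capf_new SEP000000000002   # phone re-enrolled on the 12.x cluster

# Trust bundle before the change: only the old CAPF is present.
cp "$WORK/capf_old.pem" "$WORK/trust_before.pem"
# Trust bundle after adding the new cluster's CAPF alongside the old one.
cat "$WORK/capf_old.pem" "$WORK/capf_new.pem" > "$WORK/trust_after.pem"

for phone in SEP000000000001 SEP000000000002; do
    echo "$phone before: $(lsc_status "$WORK/trust_before.pem" "$phone")" \
         "after: $(lsc_status "$WORK/trust_after.pem" "$phone")"
done
```

Keeping the old CAPF in the bundle is what lets phones that have not yet moved keep authenticating during the migration window.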

Thank you, Gregory.

The current cluster is using LSC signed by CAPF. I will take a look at your documentation URL. The new cluster is not in use yet so I can make some tests, but importing any new cluster certs in the current cluster may be difficult during business hours. Thanks for your reply.

Yes, you will force a restart of phones doing that. Be careful, of course.
