ajber
Beginner

Migrate IP Phones to new cluster. Using 802.1x on current cluster

Customer is using 802.1x authentication for IP phones on the current CUCM cluster (version 9.x). We will migrate the phones to a new CUCM cluster (version 12.x).

What is the best approach to deal with 802.1x authentication?

4 REPLIES
Gregory Brunn
Collaborator

So I think it would depend on how 802.1X was deployed. Are you using LSC signed by CAPF or Manufacturing certs, which are signed by the Manufacturing CA? CAPF is typically self-signed in CUCM.

I would first start by truly understanding how 802.1X was deployed: look at the certs used for trust and see if you can't just add the new additional trust from the new cluster and then do a test migration via 802.1X.

I think another method would be to set up a temp policy to fail over to MAB in the event 802.1X fails, but that is more an ISE topic.

Here are some docs on related items.

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200860-Q-A-for-CUCM-PHONE-CERTIFICATES-LSC-MIC.html#anc4

Between Phone and Authentication server for 802.1x Authentication

CAPF/Manufacturing CA certs are uploaded to Authentication servers like Cisco Secure Access Control Server (ACS) or Identity Services Engine (ISE). Authentication server uses the uploaded certificates to authenticate the Phone when it presents its certificate (LSC or MIC).

This might help you for the migration as well.

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/213407-migrate-phones-between-secure-clusters.html
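
The trust check described above, reproduced as an added lab example (not part of the original reply or of Cisco's documentation): two throwaway openssl CAs stand in for the CAPF certificates of the old and new clusters, and `openssl verify` stands in for the authentication server's trust list. All names, including the phone CN, are constructed.

```shell
#!/usr/bin/env bash
# Added lab example: throwaway CAs stand in for the CAPF certificates of the
# old and new clusters; all names are constructed, nothing comes from CUCM/ISE.
set -u
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_capf <name>: self-signed CA playing the role of one cluster's CAPF cert
make_capf() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=CAPF-$1" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# issue_lsc <ca-name>: phone certificate (LSC) signed by that cluster's CAPF
issue_lsc() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=CP-8845-SEP001122334455" \
    -keyout "$work/phone.key" -out "$work/phone.csr" 2>/dev/null
  openssl x509 -req -in "$work/phone.csr" -CA "$work/$1.pem" \
    -CAkey "$work/$1.key" -set_serial 1 -days 30 -out "$work/phone.pem" 2>/dev/null
}

# lsc_accepted <ca.pem>...: succeeds if the LSC chains to any CA in the given
# trust list, the same decision the authentication server makes for the phone
lsc_accepted() {
  cat "$@" > "$work/trust.pem"
  openssl verify -CAfile "$work/trust.pem" "$work/phone.pem" >/dev/null 2>&1
}

make_capf old-cluster
make_capf new-cluster
issue_lsc new-cluster   # phone after migration: LSC issued by the new CAPF

if lsc_accepted "$work/old-cluster.pem"; then
  echo "trust list = old CAPF only : accepted"
else
  echo "trust list = old CAPF only : rejected (new CAPF not trusted yet)"
fi
if lsc_accepted "$work/old-cluster.pem" "$work/new-cluster.pem"; then
  echo "trust list = old + new CAPF: accepted"
else
  echo "trust list = old + new CAPF: rejected"
fi
```

Keeping both CAPF certificates in the trust list during the migration window lets phones that still carry an LSC from the old cluster and phones already re-enrolled on the new one authenticate at the same time.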

Thank you Gregory.

The current cluster is using LSC signed by CAPF. I will take a look at your documentation URL. The new cluster is not in use yet so I can make some tests, but importing any new cluster certs in the current cluster may be difficult during business hours. Thanks for your reply.

Yes, you will force a restart of phones doing that. Be careful, of course.

Nithin Eluvathingal
VIP Advocate

The documents below explain how to move phones from one cluster to another.

https://community.cisco.com/t5/collaboration-voice-and-video/migrating-ip-phones-between-clusters-with-cucm-8-and-itl-files/ta-p/3108501

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/213407-migrate-phones-between-secure-clusters.html

Since it's an ISE topic, it's better to open a discussion in the ISE community.