09-06-2018 11:53 AM
I have a few Cisco 7937G conference phones that I want to authenticate against ISE. The only option they support is EAP MD5, and I have configured the secret on the phone.
My question is: where do I configure the secret for comparison? Do I configure it in ISE or on the call manager?
Or is my understanding incorrect?
09-06-2018 09:15 PM
Tejas, one way is to create a user account for each of the phones in the ISE internal user database by going to Administration > Identity Management > Identities > Users. You need to run the phone through authentication to see the actual username that gets logged, but if the 7937G phone follows the typical naming scheme, it should be something like 'CP-7937G-GE-SEP0000AABBCCDD', where the '0000AABBCCDD' part is the MAC address of the phone. For each phone, also populate the password you have configured locally on the phone (I believe the default is 'cisco'). If ISE doesn't allow the password due to password complexity requirements, go to Administration > Identity Management > Identities > Settings > User Authentication Settings and adjust the requirements to match your needs.
Also, if you are running 2.4 and, while testing authentication, the Live Log shows the username as 'INVALID' or 'UNKNOWN', then go to Administration > System > Settings > Protocols > RADIUS, check the 'Disclose invalid usernames' checkbox and click Save. This will show the real phone name in the Live Log for the next 30 minutes during testing even if the authentication fails. It will be useful for capturing the phone names.
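Why the same secret has to be entered both on the phone and in the ISE user entry, shown as an added example that is not part of the original post and not Cisco's code: in EAP-MD5 the authentication server recomputes MD5(Identifier || secret || challenge) from its own stored copy of the secret and compares it with what the phone sent. The user store, the identifier value and the function names are assumptions for illustration; the username follows the naming scheme suggested in the answer above.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the ISE internal user database (username -> password).
# The username mirrors the naming scheme from the answer; the MAC is a sample value.
INTERNAL_USERS = {"CP-7937G-GE-SEP0000AABBCCDD": "cisco"}


def md5_challenge_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """EAP-MD5 (RFC 3748, type 4) value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def server_verify(username: str, identifier: int, challenge: bytes,
                  response: bytes) -> bool:
    """Server side: look up the stored secret by the EAP identity and recompute.

    The server needs the secret itself (not a one-way hash of it), which is why
    it is stored in the user entry on the authentication server.
    """
    stored = INTERNAL_USERS.get(username)
    if stored is None:
        return False  # unknown identity: nothing to compare against
    expected = md5_challenge_response(identifier, stored, challenge)
    return hmac.compare_digest(expected, response)


def simulate(username: str, secret_on_phone: str) -> bool:
    """One exchange: server issues a challenge, phone answers, server checks."""
    identifier = 7                 # EAP packet Identifier (assumed sample value)
    challenge = os.urandom(16)     # fresh random challenge from the server
    # Phone side: only the single locally configured secret is used here;
    # the username travels separately in the EAP-Identity response.
    response = md5_challenge_response(identifier, secret_on_phone, challenge)
    return server_verify(username, identifier, challenge, response)


if __name__ == "__main__":
    print(simulate("CP-7937G-GE-SEP0000AABBCCDD", "cisco"))   # matching secret
    print(simulate("CP-7937G-GE-SEP0000AABBCCDD", "other"))   # mismatched secret
```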
09-06-2018 12:19 PM
09-06-2018 12:21 PM
On the phone there is no option to enter a username and password.
It just allows 1 entry for the secret.
09-06-2018 02:16 PM