7937G EAP MD5 ISE

Tejas Kunte
Level 1

I have a few Cisco 7937G conference phones that I want to authenticate against ISE. The only option they support is EAP MD5 and I have configured the secret on the phone.

My question is: where do I configure the secret for comparison? Do I configure it in ISE or on the call manager?

Or is my understanding incorrect?

Accepted Solutions

howon
Cisco Employee

Tejas, one way is to create a user account for each of the phones in the ISE internal user database by going to Administration > Identity Management > Identities > Users. You need to run the phone through authentication to see the actual username that gets logged, but if the 7937G phone follows the typical naming scheme, it should be something like 'CP-7937G-GE-SEP0000AABBCCDD', where the '0000AABBCCDD' part is the MAC address of the phone. For each phone, also populate the password you have configured locally on the phone (I believe the default is 'cisco'). If ISE doesn't allow the password due to the password complexity requirement, go to Administration > Identity Management > Identities > Settings > User Authentication Settings and adjust the requirement to match your needs.

Also, if you are running 2.4 and, while testing authentication, the Live Log shows the username as 'INVALID' or 'UNKNOWN', then go to Administration > System > Settings > Protocols > RADIUS, check the 'Disclose invalid usernames' checkbox and click Save. This will show the real phone name in the Live Log for the next 30 minutes during testing even if the authentication fails. It will be useful for capturing the phone names.

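Why the secret has to live in the authentication server's user store, as an added example (not code from the thread or from Cisco): in EAP-MD5 the server recomputes MD5(identifier || password || challenge) from its own stored copy of the password and compares it with the phone's response. The username scheme is the "typical" one quoted in the answer above and should be confirmed in the Live Log; the MAC addresses, password and the `INTERNAL_USERS` dictionary are constructed stand-ins.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the ISE internal user store: username -> password.
# The username follows the naming scheme quoted in the answer; the MAC and
# password are made-up sample values.
INTERNAL_USERS = {"CP-7937G-GE-SEP0000AABBCCDD": "S3cret-for-phone-1"}


def phone_username(mac: str) -> str:
    """Build the expected identity from a MAC in any common notation."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"CP-7937G-GE-SEP{digits}"


def md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """EAP-MD5 / CHAP response: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def server_verify(username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the hash with the stored password and compare."""
    password = INTERNAL_USERS.get(username)
    if password is None:
        return False  # unknown identity, nothing to compare against
    expected = md5_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)


def simulate(mac: str, phone_secret: str) -> bool:
    """One exchange: server issues a challenge, phone answers with its secret."""
    identifier, challenge = 1, os.urandom(16)
    response = md5_response(identifier, phone_secret, challenge)  # phone side
    return server_verify(phone_username(mac), identifier, challenge, response)


if __name__ == "__main__":
    print(simulate("00:00:AA:BB:CC:DD", "S3cret-for-phone-1"))  # secrets match
    print(simulate("00:00:AA:BB:CC:DD", "cisco"))               # secrets differ
    print(simulate("00:00:AA:BB:CC:EE", "S3cret-for-phone-1"))  # no user account
```

Because the server must recompute the hash, it needs the password itself rather than a one-way hash of it, which is why the per-phone secret is entered on the internal user account.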

4 Replies

Hi,
You can configure a username and password in the ISE local database, then define a rule to authenticate

HTH

On the phone there is no option to enter a username and password.

It just allows 1 entry for the secret.

I think I previously encountered the same issue with this model of phone before. Does it send a unique username for each phone to the RADIUS server? If I remember correctly, we didn't want to create 100s of unique local user accounts and just relied on MAB for those phones.