cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

585
Views
3
Helpful
3
Replies
Highlighted

802.1x Phone Deployment

Good afternoon!

We are wanting to deploy 802.1x throughout all of our phones company wide rather than using MAB authentication. Is there any information in regards to ISE deployments that utilize 802.1x authentication?   All documentation I have found points towards ACS and while that helps I much rather have documentation that pertains to ISE. 

Thanks,

-Robert

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

Re: 802.1x Phone Deployment

You can look at Phone & Collaboration Authentication Capabilities for what devices do what.

Other than that, you will need to provision the phones for 802.1X with Username & Passwords or Certificates.

You typically do this via the Call Manager.

Just be sure that the phones will trust the ISE certificate (dont use self-signed certs!!!) and that ISE will trust the certificate used to sign the phone certificates.

Other than that, follow How To: Universal IOS Switch Config for ISE for switchport configuration.

View solution in original post

3 REPLIES 3
Highlighted
Cisco Employee

Re: 802.1x Phone Deployment

You can look at Phone & Collaboration Authentication Capabilities for what devices do what.

Other than that, you will need to provision the phones for 802.1X with Username & Passwords or Certificates.

You typically do this via the Call Manager.

Just be sure that the phones will trust the ISE certificate (dont use self-signed certs!!!) and that ISE will trust the certificate used to sign the phone certificates.

Other than that, follow How To: Universal IOS Switch Config for ISE for switchport configuration.

View solution in original post

Highlighted

Re: 802.1x Phone Deployment

Thank you Thomas!

I'm beginning to realize a lot of this is on the call manger side so I think I'm good with ISE.

Man, I really wish I had the Universal ISE Switch Config Document 5 months ago...would have saved me soooooooo much time. 

Nevertheless, thanks for replying in a timely manner. 

-Robert

Re: 802.1x Phone Deployment

 

Thanks Guys. 

 

 

So we are really starting to ramp this project up and I'm having some issues.

 

 

Before we start I want to say we are going with LSC's rather than MIC's  so what that being said here we go...

 

 

So in regards to the CM Cert.  We were able to export a Root CA CAPF from Call Manage with no issues. I have since uploaded the PEM as a trusted ISE cert.  My problem starts with Authentication.  As of this moment we are utilizing machine certs on our desktops but use an Identify Source Sequence that points to AD for further authentication.

 

 

In my test environment it seems I can only get one of them to work at the same time.  I'm sure I’m missing something from the equation but for the life of me can't think what it is.  I have even attempted to change the Authentication policy but i'm having no luck. 

 

 

Does anyone have any suggestions? 

 

 

You would deff be a life saver!

 

 

Thanks in advance,

 

-Robert