11-13-2017 03:54 AM
Hi All,
I would think that this question has been asked many times and I have had a quick search and cannot find the answer. I have a customer that has an estate of 3750V2 and 2960X switches that they would like to use in conjunction with ISE 2.3 using 802.1x device/user based authentication with vlan swapping. They do not want or have the need to authenticate Cisco IP Phones and as 50% of the corporate end-user devices are connected via IP phones I was wondering if there is anything that can be done to exempt them from authentication and also using up a license?
Cheers
Stuart
11-13-2017 04:08 AM
I think the answer is no, a connected device with port config for MAB or DOT1X will always count a license and always attempt to authenticate.
11-13-2017 05:17 AM
If you are in Open mode on the switchport you may be able to write a rule to deny access for Cisco IP Phones; because the port is in Open mode the deny message is ignored by the switch. The deny shouldn't count against licensing, but I have never tested it, as you are using profiling to identify the phones.
The real question is why would the customer want to put in a security solution then leave a hole in the network for anything that can present itself as a phone? Normally, we apply DACLs to all wired authorization profiles with the goal of locking down the access to the network required by the specific device class.
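To make the Open mode point above concrete, here is an added example of a Catalyst access-port configuration in the multi-domain (data + voice) style discussed in this thread. It is not from any post in the thread; the interface name, VLAN numbers and the `authentication open` choice are assumptions for illustration, and the ISE-side authorization profiles and dACLs are not shown.

```cisco
! Added example: one access port with 802.1X/MAB for a PC behind an IP phone.
! Interface and VLAN ids are assumed values, not from the original thread.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10          ! assumed data VLAN
 switchport voice vlan 20           ! assumed voice VLAN
 ! One device in the data domain and one in the voice domain (PC + phone).
 authentication host-mode multi-domain
 ! Open mode: traffic is forwarded before/without a successful authentication,
 ! so an Access-Reject from ISE does not block the endpoint. This is the
 ! behaviour Paul describes; it is a monitoring posture, not enforcement.
 authentication open
 ! Try MAB first (phones and printers), then 802.1X for supplicants.
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

Two points worth checking before relying on this: with `authentication open` the port still sends a RADIUS request for every MAC it learns, so the phone still generates an authentication attempt on ISE regardless of whether the rule returns Accept or Reject; and once `authentication open` is removed to move to closed (enforcing) mode, any phone that is rejected rather than matched to an authorization profile with a voice-domain permission will lose its voice VLAN access. Verify the live state with `show authentication sessions interface GigabitEthernet1/0/1 details` and confirm the phone shows up in the VOICE domain before cutting over.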
11-13-2017 06:33 AM
For "CDP bypass", please seek support from Cisco switch and IOS platform teams.
11-13-2017 07:25 AM
Hi there, thank you for all of the answers and they really are a mixed bag so still confused if my customer could/should try and exempt Cisco IP phones from ISE? I have seen this on another post: -
11-13-2017 08:45 AM
I do not think it actually works that way. As long as an interface is configured for MAB/DOT1X enforcement, it will send authentication requests to ISE and consume licenses, unless CDP bypass or similar is used. Like Paul said, an Access-Reject will not create an active session in ISE so it would not consume licenses. However, it might trigger port bouncing periodically.
11-13-2017 08:46 AM
As Hsing-Tsu mentioned, CDP-Bypass is what you are looking for to exempt Cisco Phones from being authenticated. It means Cisco Phones will bypass authentication based on the fact that they are seen as IP phones via CDP and are allowed access to the voice VLAN. Best to confirm with the Catalyst switching team, but I don't believe the 2960X supports CDP bypass, and for the 3750, it was supported on 12.2X & 15.0X, but not with newer IOS. While it is understandable why the customer would want to bypass the IP phones for licensing and cost reasons, it would be more secure to authenticate every endpoint including the IP phones. Note that unless profiling is utilized, authenticating the phones via EAP-TLS or MAB would consume a base license.