
Bypass Cisco IP Phones 802.1x to ISE authentication

stuart.pannell
Level 1

Hi All,

I would think that this question has been asked many times and I have had a quick search and cannot find the answer. I have a customer that has an estate of 3750V2 and 2960X switches that they would like to use in conjunction with ISE 2.3 using 802.1x device/user based authentication with vlan swapping. They do not want or have the need to authenticate Cisco IP Phones and as 50% of the corporate end-user devices are connected via IP phones I was wondering if there is anything that can be done to exempt them from authentication and also using up a license?

Cheers

Stuart

1 Accepted Solution


As Hsing-Tsu mentioned, CDP-Bypass is what you are looking for to exempt Cisco Phones from being authenticated. It means Cisco Phones will bypass authentication based on the fact that they are seen as IP phones via CDP and allowed access to the voice VLAN. Best to confirm with the Catalyst switching team, but I don't believe the 2960X supports CDP bypass, and for the 3750, it was supported on 12.2X & 15.0X, but not with newer IOS. While it is understandable why the customer would want to bypass the IP phones for licensing and cost reasons, it would be more secure to authenticate every endpoint including the IP phones. Note that unless profiling is utilized, authenticating the phones via EAP-TLS or MAB would consume a base license.


6 Replies

ognyan.totev
Level 5

I think the answer is no; a connected device on a port configured for MAB or DOT1X will always count against a license and will always attempt to authenticate.

paul
Level 10

If you are in Open mode on the switchport you may be able to write a rule to deny access for Cisco IP Phones; because the port is in Open mode the deny message is ignored by the switch. The deny shouldn't count against licensing, but I have never tested it, as you are using profiling to identify the phones.

The real question is why would the customer want to put in a security solution and then leave a hole in the network for anything that can present itself as a phone? Normally, we apply DACLs to all wired authorization profiles with the goal of locking down the access to the network required by the specific device class.

hslai
Cisco Employee

For "CDP bypass", please seek support from Cisco switch and IOS platform teams.

stuart.pannell
Level 1

Hi there, thank you for all of the answers. They really are a mixed bag, so I am still confused whether my customer could/should try and exempt Cisco IP phones from ISE. I have seen this on another post:

If you are using Cisco IP phones you can get away with single-host mode on the port which in effect ignores the phone. If the phone is a third party device you will most likely need to use multi-domain authentication and actually use ISE to allow the phone on the network.
In summary - Cisco phone means potentially no license; if Avaya or other third party you will need to auth and use a license.
I presume that the Single-host mode will not check a device in the voice vlan?
A further bit of background information why they are wanting to do this is that they have 6,500 desktops and similar numbers in phones so adding phones to the number of devices would double the number of servers and licenses and therefore doubling the cost.

I do not think it actually works that way. As long as an interface is configured for MAB/DOT1X enforcement, it will send authentication requests to ISE and consume licenses, unless CDP bypass or similar is used. Like Paul said, an Access-Reject will not create an active session in ISE so it would not consume licenses. However, it might trigger port bouncing periodically.
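To make the port modes discussed in this thread concrete (single-host versus multi-domain, open mode, and MAB/DOT1X enforcement that sends every device to ISE), here is an added IOS configuration example. It is not from any post in this thread and not a Cisco reference configuration; the interface name, VLAN IDs, RADIUS server name and address, and the shared-secret placeholder are all constructed. It shows the enforcing multi-domain configuration that the accepted answer recommends, where the phone in the voice domain and the PC in the data domain are each authenticated, with comments marking where the single-host and open-mode variants mentioned above would differ.

```ios
! Added example, not from the original thread. Interface, VLANs, server name,
! address and secret are constructed placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-ME-SHARED-SECRET
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description Access port: Cisco IP phone with PC daisy-chained behind it
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Multi-domain: one host allowed in the voice domain and one in the data
 ! domain. Both must authenticate (EAP-TLS or MAB), so both create ISE
 ! sessions. The quoted post above refers to "single-host mode" instead:
 !   authentication host-mode single-host
 ! which only authenticates one data-domain host on the port.
 authentication host-mode multi-domain
 ! Enforce the authentication result. Paul's "Open mode" would add
 !   authentication open
 ! here, after which traffic is forwarded regardless of the RADIUS outcome,
 ! so an ISE deny is not enforced by the switch.
 authentication port-control auto
 ! Try 802.1X first, then fall back to MAB for endpoints without a supplicant
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

On an enforcing port like this, `show authentication sessions interface GigabitEthernet1/0/1` should list two sessions once the phone and PC are up, one with the VOICE domain and one with the DATA domain, which is exactly the second session that the thread identifies as consuming the extra ISE license. Pairing each authorization with a DACL, as Paul describes, is what limits a device that only presents itself as a phone to the voice VLAN resources it actually needs.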
