02-13-2017 05:40 AM - edited 03-11-2019 12:27 AM
I will be setting up ISE 2.1 on the network; however, I do not wish to add all the Cisco IP Phone MACs. What is the best practice to allow IP Phones and a PC through the data port of the phone into the network?
TIA
02-13-2017 10:50 AM
Hi
You don't have to manually add all the Cisco phone MACs when using ISE - ISE can automatically "profile" connected devices and identify them as Cisco phones, printers, etc. See the link below:
https://communities.cisco.com/docs/DOC-68156
Alternatively you can authenticate Cisco phones using 802.1x instead of MAB:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html
hth
Andy
02-13-2017 01:41 PM
I am with Andy here. I would 100% stay away from trying to manually manage MACs, as that becomes a huge administrative overhead and a nightmare to manage. It is also not secure, as anyone can walk up to a phone, look at the MAC address and then spoof it.
Profiling is the easiest way to do it, but it will be more expensive since Plus licenses will be consumed.
Using 802.1x with phones is cheaper and more secure but a bit more involved.
Thank you for rating helpful posts!