ISE - Allow IP Phones without MAB

jenny conlan
Level 1

I will be setting up ISE 2.1 on the network; however, I do not wish to add all the Cisco IP Phone MACs. What is the best practice to allow IP Phones and a PC through the data port of the phone into the network?

TIA

1 Accepted Solution


andrewswanson
Level 7

Hi
You don't have to manually add all the Cisco phone MACs when using ISE - ISE can automatically "profile" connected devices and identify them as Cisco phones, printers, etc. See the link below:

https://communities.cisco.com/docs/DOC-68156

Alternatively you can authenticate Cisco phones using 802.1x instead of MAB:

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html

hth
Andy


2 Replies

nspasov
Cisco Employee

I am with Andy here. I would 100% stay away from trying to manually manage MACs as that becomes a huge administrative overhead and a nightmare to manage. It is also not secure as anyone can walk up to a phone, look at the MAC address and then spoof it.

Profiling is the easiest way to do it but it will be more expensive since Plus licenses will be consumed. 

Using 802.1x with phones is cheaper and more secure but a bit more involved.

Thank you for rating helpful posts!