cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6367
Views
20
Helpful
4
Replies

ISE and 802.1x IP phone

kkvitovs
Cisco Employee
Cisco Employee

Hello everyone,

 

Could you give your comments regarding these questions:

 

1) have you successfully ran ISE with Avaya phones using 802.1x? Some Avaya IP phones support 802.1x (https://downloads.avaya.com/elmodocs2/one-X_Deskphone_Edition/R1.5/output/16_300698_4/admn0710.html)

2) have you tested ISE with other IP phones that support 802.1x?

3) how will Cisco ISE work with Cisco IP phones using 802.1x? Do we have any documents around this?

4) In general, we use MAB for IP phones, but have you seen customers running 802.1x on phones? 

Thank you in advance. 

3 Accepted Solutions

Accepted Solutions

Cristian Matei
VIP Alumni
VIP Alumni

Hi,

 

   1. never implemented

   2. yes, with Cisco phones.

   3. https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html

https://community.cisco.com/t5/collaboration-voice-and-video/cisco-ip-phone-supports-matrix-for-802-1x/ta-p/3207690

https://www.cisco.com/security/pki/

   4. Rarely, but yes. In the end, it secures the wired network better; MAB brings many security challenges.

 

Regards,

Cristian Matei.

View solution in original post

Colby LeMaire
VIP Alumni
VIP Alumni

It doesn't necessarily matter who the vendor is or what type of device it is.  If they support 802.1x, then they should be able to authenticate with 802.1x.  Just make sure that the device supports the proper EAP types that you are looking for with ISE.

When considering authenticating non-workstation devices using 802.1x, the first question is whether or not the device supports 802.1x and the appropriate EAP type you want to use.  If it does, then the next question/consideration is whether or not there is a centralized way to manage those devices.  Because you don't want to have to physically visit every device to configure 802.1x, issue certificates to the device, or configure a username/password if not using certificates.  While authenticating with 802.1x is more secure than MAB, you have to also balance the administrative overhead and usability of the network as well.

I have helped customers authenticate Cisco IP Phones using both the MIC certs and LSC certs.  MIC's are easier but would allow any Cisco IP Phone to authenticate.  LSC's are issued by your CUCM server.  CUCM can use a self-signed CAPF certificate to issue certificates to the phones or you can have your CUCM server's certificate signed by your CA with the permissions to issue certificates.  Your CUCM essentially becomes an issuing CA server.  Here is a document describing the configuration:  https://www.cisco.com/c/en/us/support/docs/content-networking/certificates/213295-how-to-install-an-lsc-on-a-cisco-ip-phon.html

View solution in original post

4 Replies 4

Cristian Matei
VIP Alumni
VIP Alumni

Hi,

 

   1. never implemented

   2. yes, with Cisco phones.

   3. https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html

https://community.cisco.com/t5/collaboration-voice-and-video/cisco-ip-phone-supports-matrix-for-802-1x/ta-p/3207690

https://www.cisco.com/security/pki/

   4. Rarely, but yes. In the end, it secures the wired network better; MAB brings many security challenges.

 

Regards,

Cristian Matei.

Colby LeMaire
VIP Alumni
VIP Alumni

It doesn't necessarily matter who the vendor is or what type of device it is.  If they support 802.1x, then they should be able to authenticate with 802.1x.  Just make sure that the device supports the proper EAP types that you are looking for with ISE.

When considering authenticating non-workstation devices using 802.1x, the first question is whether or not the device supports 802.1x and the appropriate EAP type you want to use.  If it does, then the next question/consideration is whether or not there is a centralized way to manage those devices.  Because you don't want to have to physically visit every device to configure 802.1x, issue certificates to the device, or configure a username/password if not using certificates.  While authenticating with 802.1x is more secure than MAB, you have to also balance the administrative overhead and usability of the network as well.

I have helped customers authenticate Cisco IP Phones using both the MIC certs and LSC certs.  MIC's are easier but would allow any Cisco IP Phone to authenticate.  LSC's are issued by your CUCM server.  CUCM can use a self-signed CAPF certificate to issue certificates to the phones or you can have your CUCM server's certificate signed by your CA with the permissions to issue certificates.  Your CUCM essentially becomes an issuing CA server.  Here is a document describing the configuration:  https://www.cisco.com/c/en/us/support/docs/content-networking/certificates/213295-how-to-install-an-lsc-on-a-cisco-ip-phon.html

kkvitovs
Cisco Employee
Cisco Employee

Thanks a lot, guys. 
Any other comments or advice are highly appreciated. Feel free to share your experience. Thank you in advance.

Hi,

Here is a recent doc that covers 802.1X authentication for Cisco IP Phones with ISE:

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId-1223259294

 

Regards,

Hari