03-03-2020 12:45 PM
Hello everyone,
Could you give your comments regarding these questions:
1) Have you successfully run ISE with Avaya phones using 802.1x? Some Avaya IP phones support 802.1x (https://downloads.avaya.com/elmodocs2/one-X_Deskphone_Edition/R1.5/output/16_300698_4/admn0710.html)
2) have you tested ISE with other IP phones that support 802.1x?
3) how will Cisco ISE work with Cisco IP phones using 802.1x? Do we have any documents around this?
4) In general, we use MAB for IP phones, but have you seen customers running 802.1x on phones?
Thank you in advance.
03-03-2020 02:51 PM
Hi,
1. never implemented
2. yes, with Cisco phones.
https://www.cisco.com/security/pki/
4. Rarely, but yes. In the end, it secures the wired network better; MAB brings many security challenges.
Regards,
Cristian Matei.
03-03-2020 05:54 PM
It doesn't necessarily matter who the vendor is or what type of device it is. If they support 802.1x, then they should be able to authenticate with 802.1x. Just make sure that the device supports the proper EAP types that you are looking for with ISE.
When considering authenticating non-workstation devices using 802.1x, the first question is whether or not the device supports 802.1x and the appropriate EAP type you want to use. If it does, then the next question/consideration is whether or not there is a centralized way to manage those devices, because you don't want to have to physically visit every device to configure 802.1x, issue certificates to the device, or configure a username/password if not using certificates. While authenticating with 802.1x is more secure than MAB, you also have to balance the administrative overhead and usability of the network.
I have helped customers authenticate Cisco IP Phones using both the MIC certs and LSC certs. MICs are easier but would allow any Cisco IP Phone to authenticate. LSCs are issued by your CUCM server. CUCM can use a self-signed CAPF certificate to issue certificates to the phones, or you can have your CUCM server's certificate signed by your CA with the permissions to issue certificates. Your CUCM essentially becomes an issuing CA server. Here is a document describing the configuration: https://www.cisco.com/c/en/us/support/docs/content-networking/certificates/213295-how-to-install-an-lsc-on-a-cisco-ip-phon.html
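The MIC versus LSC trade-off in the answer above comes down to which issuing CA the authentication server trusts for phone certificates. The following is an added example, not part of the original posts and not Cisco tooling: it assumes the `openssl` CLI is installed, and the CA and phone names are constructed stand-ins for the vendor manufacturing CA and the site CAPF CA.

```bash
#!/usr/bin/env bash
# Constructed lab, not real Cisco PKI: two throwaway CAs stand in for the
# vendor manufacturing CA (issues MICs) and the site CAPF CA (issues LSCs).
set -eu

make_ca() {      # make_ca <ca-name> <dir>: self-signed CA key and cert
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2/$1.key" -out "$2/$1.pem" 2>/dev/null
}

issue_cert() {   # issue_cert <ca-name> <device-cn> <dir>: device cert signed by that CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$3/$2.key" -out "$3/$2.csr" 2>/dev/null
  openssl x509 -req -in "$3/$2.csr" -CA "$3/$1.pem" -CAkey "$3/$1.key" \
    -CAcreateserial -days 1 -out "$3/$2.pem" 2>/dev/null
}

setup_lab() {    # setup_lab <dir>: both CAs plus three phone certificates
  make_ca vendor-mfg-ca "$1"
  make_ca site-capf-ca "$1"
  issue_cert vendor-mfg-ca our-phone-mic "$1"      # MIC on a phone we own
  issue_cert vendor-mfg-ca foreign-phone-mic "$1"  # MIC on someone else's phone
  issue_cert site-capf-ca our-phone-lsc "$1"       # LSC enrolled by our CAPF
}

accepts() {      # accepts <trusted-ca.pem> <device.pem>: prints accept or reject
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

lab=$(mktemp -d)
setup_lab "$lab"
for ca in vendor-mfg-ca site-capf-ca; do
  for phone in our-phone-mic foreign-phone-mic our-phone-lsc; do
    printf '%-14s trusted, %-18s presented: %s\n' \
      "$ca" "$phone" "$(accepts "$lab/$ca.pem" "$lab/$phone.pem")"
  done
done
rm -rf "$lab"
```

With the vendor CA as trust anchor, both MIC phones validate, including the one that is not yours; with only the site CA trusted, only the LSC validates.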
03-05-2020 01:35 AM
Thanks a lot, guys.
Any other comments or advice are highly appreciated. Feel free to share your experience. Thank you in advance.
03-07-2020 08:07 PM
Hi,
Here is a recent doc that covers 802.1X authentication for Cisco IP Phones with ISE:
Regards,
Hari