Cisco Employee

ISE and 802.1x IP phone

Hello everyone,

 

Could you give your comments regarding these questions:

1) Have you successfully run ISE with Avaya phones using 802.1x? Some Avaya IP phones support 802.1x (https://downloads.avaya.com/elmodocs2/one-X_Deskphone_Edition/R1.5/output/16_300698_4/admn0710.html)

2) Have you tested ISE with other IP phones that support 802.1x?

3) How will Cisco ISE work with Cisco IP phones using 802.1x? Do we have any documents around this?

4) In general, we use MAB for IP phones, but have you seen customers running 802.1x on phones?

Thank you in advance. 

3 ACCEPTED SOLUTIONS

VIP Collaborator

Hi,

 

1. Never implemented.

2. Yes, with Cisco phones.

3. https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html
   https://community.cisco.com/t5/collaboration-voice-and-video/cisco-ip-phone-supports-matrix-for-802-1x/ta-p/3207690
   https://www.cisco.com/security/pki/

4. Rarely, but yes. In the end, it secures the wired network better; MAB brings many security challenges.

 

Regards,

Cristian Matei.

VIP Collaborator

It doesn't necessarily matter who the vendor is or what type of device it is. If they support 802.1x, then they should be able to authenticate with 802.1x. Just make sure that the device supports the proper EAP types that you are looking for with ISE.

When considering authenticating non-workstation devices using 802.1x, the first question is whether or not the device supports 802.1x and the appropriate EAP type you want to use. If it does, then the next question/consideration is whether or not there is a centralized way to manage those devices, because you don't want to have to physically visit every device to configure 802.1x, issue certificates to the device, or configure a username/password if not using certificates. While authenticating with 802.1x is more secure than MAB, you also have to balance the administrative overhead and usability of the network.

I have helped customers authenticate Cisco IP Phones using both the MIC certs and LSC certs. MICs are easier but would allow any Cisco IP Phone to authenticate. LSCs are issued by your CUCM server. CUCM can use a self-signed CAPF certificate to issue certificates to the phones, or you can have your CUCM server's certificate signed by your CA with the permissions to issue certificates. Your CUCM essentially becomes an issuing CA server. Here is a document describing the configuration: https://www.cisco.com/c/en/us/support/docs/content-networking/certificates/213295-how-to-install-an-lsc-on-a-cisco-ip-phon.html
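
The MIC-versus-LSC trust difference described in this answer, as an added example that is not part of the original post: a constructed lab PKI built with `openssl`, showing which phone certificates chain to which trust anchor. The CA names, certificate names and file names are hypothetical stand-ins for the vendor manufacturing root and the site's CAPF issuer.

```bash
#!/usr/bin/env bash
# Constructed lab PKI (all names hypothetical): "Lab Manufacturing CA" stands in
# for a vendor root that signs every phone's MIC at the factory; "Lab CAPF CA"
# stands in for the site's own CUCM CAPF issuer that signs LSCs.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {   # make_ca <file-stem> <common-name>
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue() {     # issue <ca-stem> <cert-stem> <common-name>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 30 -CAcreateserial \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -out "$WORK/$2.pem" 2>/dev/null
}

# Would a RADIUS server that trusts only <ca-stem> for EAP-TLS accept <cert-stem>?
accepts() {   # accepts <ca-stem> <cert-stem>  -> prints "accept" or "reject"
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
  then echo accept; else echo reject; fi
}

make_ca mfg  "Lab Manufacturing CA"
make_ca capf "Lab CAPF CA"
issue mfg  mic_ours  "phone-ours"      # MIC on a phone we own
issue mfg  mic_other "phone-not-ours"  # MIC on a same-vendor phone we never enrolled
issue capf lsc_ours  "phone-ours"      # LSC issued after enrolling our phone

# Print the full trust matrix: each trust anchor against each phone certificate.
for trust in mfg capf; do
  for cert in mic_ours mic_other lsc_ours; do
    printf 'trust=%-4s cert=%-9s -> %s\n' "$trust" "$cert" "$(accepts "$trust" "$cert")"
  done
done
```

Trusting only the CAPF issuer is what limits certificate-based admission to phones the site itself enrolled; trusting the manufacturing root admits every phone that root ever signed.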

Cisco Employee

Thanks a lot, guys. 
Any other comments or advice are highly appreciated. Feel free to share your experience. Thank you in advance.
