ISE and Cisco IP phones.

Greetings,

Just wanted to see if people have ideas or best practices. We are moving from an Avaya system using 802.1x username to log onto the network. We just got a dev system up yesterday for Cisco and they only do cert based 802.1x.

Right now I have ISE checking a field in the cert and letting them on, but auth fails since the cert is not from our domain.

So, here are my questions.

1: What is the best secure way to handle the phones?

2: If 802.1x cert, what is the best way to issue/authz them?

     (I'm not sure if UCS can be a CA, or ISE can do it)

We are on ISE 2.3

Thanks,

Accepted Solution

paul (Level 10)

I have only played around with certs on the Cisco phones briefly, but you have two options:

  1. You can use the Manufacturer Installed Cert (MIC) that is installed on all Cisco phones.  The CA trust certs for the Cisco manufacturing CA come with ISE and all you need to do is enable them to trust for client authentication.  This will tell you the phone is a Cisco phone, but not necessarily that it is the customer's Cisco phone.  It is by far the easiest authentication to enable on the phones.
  2. You can install a Locally Significant Cert (LSC) onto the phones from the customer's CA environment and configure the phones to use that cert to identify the fact that this is the customer's phone.  Definitely more work and something I haven't played around with.

Check out the 802.1x IP Telephony Design guide for more information:

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html
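The distinction paul draws between the two trust anchors, shown as an added example that is not from this thread, from ISE, or from Cisco: a throwaway "manufacturing" CA stands in for the vendor CA behind the MIC, a "customer" CA stands in for the organisation's own CA behind the LSC, and a small policy function reports whether a presented phone certificate proves only that it is a genuine vendor phone, proves that it is this organisation's phone, or chains to neither. Every CA name, phone name and file name below is constructed, and the script assumes only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco). Assumes the openssl CLI;
# all CA names, phone names and file names are constructed for illustration.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed CA: $1 = file prefix, $2 = subject CN
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# Leaf certificate signed by a CA: $1 = CA prefix, $2 = leaf prefix, $3 = CN
issue_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$2.key" -out "$2.csr" -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -out "$2.crt" >/dev/null 2>&1
}

# Policy decision: which trust anchor does the presented phone cert chain to?
# Prints exactly one of: corporate, vendor-only, reject
classify_phone_cert() {
  if openssl verify -CAfile customer-ca.crt "$1" >/dev/null 2>&1; then
    echo corporate      # LSC from our own CA: this is one of *our* phones
  elif openssl verify -CAfile mfg-ca.crt "$1" >/dev/null 2>&1; then
    echo vendor-only    # MIC only: a genuine vendor phone, owner unknown
  else
    echo reject         # chains to neither anchor
  fi
}

# Three constructed CAs: the vendor's, ours, and an unrelated one
make_ca mfg-ca      "Constructed-Manufacturing-CA"
make_ca customer-ca "Constructed-Customer-CA"
make_ca other-ca    "Constructed-Unrelated-CA"

# Three constructed phone certificates, one from each CA
issue_cert mfg-ca      mic-phone   "SEP-constructed-MIC-0001"
issue_cert customer-ca lsc-phone   "SEP-constructed-LSC-0002"
issue_cert other-ca    other-phone "SEP-constructed-other-0003"

for c in mic-phone lsc-phone other-phone; do
  printf '%-12s -> %s\n' "$c" "$(classify_phone_cert "$c.crt")"
done
```

The order of the checks is the point: a certificate is tested against the organisation's own CA first, so an LSC earns the stronger "corporate" result, while a certificate that validates only against the vendor CA is reported as "vendor-only", which is all a MIC can establish. In ISE terms that maps to two different authorization outcomes rather than one, so a phone that merely carries a manufacturer certificate is not granted the same access as one the organisation enrolled itself.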

3 Replies

Thanks,

I didn't remember the cert being on ISE. I like the idea of a domain LSC.

This is also the fun of someone spending money and expecting you to implement after the fact with no prior info.

These are the certs in the trusted cert section I am talking about:

[attachment: Capture.JPG]