08-04-2021 05:55 PM
Good day all,
To get an IP phone connected to the network via MAC auth, is there any setting to be done on the IP phone itself?
There appears to be an authentication/802.1x option in it... what state does it need to be in for successful MAC auth?
Thanks in advance.
08-04-2021 06:07 PM
Most rely on MAC auth, aka MAB, to authorize phones to the network. Depending on the vendor, you certainly could leverage the phone supplicant to do 802.1x; I see a mix of companies that go that route vs. not.
Cisco phones are fairly easy to configure from Call Manager to use the built-in manufacturer-installed cert, but you could go further and issue your own certs to them.
More often we focus on authorizing phones to the voice VLAN. If your phones are showing in the show auth sessions CLI command as voice domain, then you already have that covered.
08-04-2021 06:29 PM
Thanks Damien.
If using MAB only, does the auth option inside the Cisco phone need to be enabled?
If using the manufacturer cert, that will be EAP-TLS, I believe? And in that case, auth on the phone should be turned on?
08-04-2021 06:47 PM
If you're OK with the phones doing MAB then that's fine. They will work without issue.
Yes, you would enable the phones to do 802.1x and EAP-TLS if you wanted to use the MIC cert.
08-04-2021 08:54 PM
So being MAB, will the MAC be learnt by ISE if the auth is turned off on the phone itself? Or does it need auth turned on for the MAC to be learnt by ISE, unless the MAC is manually entered into ISE?