04-21-2014 10:38 AM - edited 03-10-2019 09:39 PM
Hello,
I am installing Cisco ISE soon and have a question. Why can't I authenticate Cisco IP phone model 7942 using 802.1x? I see that the phone has this option (it is not enabled). I am told that Cisco IP Phones must be authenticated on ISE by using profiling or MAB. This uses a costly advanced license to accomplish this.
Has anybody had any luck in this area?
Thank you,
Bob
04-21-2014 09:07 PM
Profiling uses the advanced license, but MAB uses the base license. Administration > Identity Management > Identities and select Endpoints. Select Create and assign your IP phone’s MAC address to the Identity Group Cisco-IP-Phone:
04-22-2014 05:49 AM
You are correct. I did not add all the info I should have in my first post. My apologies. I can't use MAB to authenticate IP Phones because we have over 1,200. The initial programming and ongoing maintenance would be huge.
What I am looking for is the ability to authenticate Cisco IP phones using 802.1x authentication. The model we have most of is the Cisco IP Phone 7942.
Thank you.
04-27-2014 03:29 PM
I have successfully deployed 802.1x for wireless IP phones using MIC. The only real problem I have with this approach is the inability of ISE to authenticate the username from certificate against anything but an external database. As a result I have been forced to use a static endpoint group for the MAC addresses of the allowed phones to meet the organisation's security stance. Just wish EAP-TLS could go against an internal database.
05-14-2014 12:48 PM
Thank you to everyone for helping out on this post! Wonderful!
09-15-2017 03:22 AM
I faced the same issue of bulk-adding IP phone MAC addresses to ISE.
As more of a voice guy, I would like to add that the number of IP phones in the deployment is not really a problem.
In fact, if the IP phones have already been added to CUCM, the voice administrator can bulk export the IP phone MAC addresses in CSV format. Afterwards, the ISE administrator can import them as identities into ISE in bulk in CSV format. Just some CSV formatting is needed.
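The CSV reformatting step described in the post above, as an added example that is not part of the original thread or Cisco's tooling. It assumes the CUCM export has a `Device Name` column holding names of the form `SEP` plus the 12-hex-digit MAC, and the output header `MACAddress,IdentityGroup` is a placeholder to be matched against the import template of your ISE version.

```python
import csv
import io
import re

# Assumption: hardware phones appear in the export as "SEP" + 12 hex digits (the MAC).
SEP_NAME = re.compile(r"^SEP([0-9A-F]{12})$", re.IGNORECASE)

def cucm_to_ise_rows(cucm_csv, name_column="Device Name",
                     identity_group="Cisco-IP-Phone"):
    """Return (rows, rejected). rows are de-duplicated (MAC, group) pairs;
    rejected holds names that are not SEP<12 hex> and must be reviewed by hand
    instead of being guessed into a MAB allow-list."""
    rows, rejected, seen = [], [], set()
    for record in csv.DictReader(io.StringIO(cucm_csv)):
        name = (record.get(name_column) or "").strip()
        match = SEP_NAME.match(name)
        if not match:
            rejected.append(name)
            continue
        digits = match.group(1).upper()
        mac = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
        if mac not in seen:          # the same phone may be exported twice
            seen.add(mac)
            rows.append((mac, identity_group))
    return rows, rejected

def to_ise_csv(rows, header=("MACAddress", "IdentityGroup")):
    """Serialize rows under a placeholder header (adjust to the ISE template)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return out.getvalue()

# Constructed sample export: one duplicate, one softphone, one malformed name.
SAMPLE_EXPORT = """Device Name,Description,Device Pool
SEP001122AABBCC,Lobby phone,Default
sep001122aabbdd,Front desk,Default
SEP001122AABBCC,Lobby phone (duplicate row),Default
CSFJDOE,Softphone,Default
SEP00112233ZZ,Typo in export,Default
"""

if __name__ == "__main__":
    rows, rejected = cucm_to_ise_rows(SAMPLE_EXPORT)
    print(to_ise_csv(rows), end="")
    print("needs review:", rejected)
```

Entries in the rejected list are the ones to chase up with the voice team before the import, since every MAC that lands in the identity group is granted voice access by MAB.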
04-22-2014 05:48 AM
Hi,
Is your model 7942G? In that case those phones should have a built-in certificate from Cisco (Manufacturer Installed Certificate) that can be used for EAP-TLS. The common name begins with either SEP or CP.
Regards,
Philip
04-22-2014 05:57 AM
Hello Philip,
The phone on my desk is a 7942G model. We have a variety of Cisco IP phones. Is there a way for me to find out which models have a built-in certificate?
Thank you for the reply,
Bob
04-22-2014 06:34 AM
04-22-2014 08:53 AM
Hello Philip,
Thank you for the link. It is very useful.
Bob
04-24-2014 08:25 AM
Philip,
Thank you for your help. I have what I need to know.
Bob