
Cisco ISE authenticating IP Phone 7942

RSundstrom
Level 1

Hello,

I am installing Cisco ISE soon and have a question. Why can't I authenticate Cisco IP phone model 7942 using 802.1x? I see that the phone has this option (it is not enabled). I am told that Cisco IP Phones must be authenticated on ISE by using profiling or MAB. This uses a costly advanced license to accomplish this.

Has anybody had any luck in this area?

Thank you,

Bob

 


Venkatesh Attuluri
Cisco Employee

Profiling uses an advanced license, but MAB uses a base license. Go to Administration > Identity Management > Identities and select Endpoints. Select Create and assign your IP phone’s MAC address to the Identity Group Cisco-IP-Phone:

You are correct. I did not add all the info I should have in my first post. My apologies. I can't use MAB to authenticate IP Phones because we have over 1,200. The initial programming and ongoing maintenance would be huge.

What I am looking for is the ability to authenticate Cisco IP phones using 802.1x authentication. The model we have most of is the Cisco IP Phone 7942.

Thank you.

I have successfully deployed 802.1x for wireless IP phones using MIC. The only real problem I have with this approach is the inability of ISE to authenticate the username from certificate against anything but an external database. As a result I have been forced to use a static endpoint group for the MAC addresses of the allowed phones to meet the organisation's security stance. Just wish EAP-TLS could go against an internal database.

Thank you to everyone for helping out on this post! Wonderful!

I faced the same issue bulk-adding IP phone MAC addresses to ISE.

As more of a voice guy, I would like to add that the number of IP phones in the deployment is not really a problem.

In fact, if the IP phones have already been added to CUCM, the voice administrator can bulk export the IP phone MAC addresses in CSV format. Afterwards, the ISE administrator can import them into ISE as identities in bulk, also in CSV format. Just some CSV formatting is needed.
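The CSV reformatting described in the post above, as an added example that is not part of the original thread or Cisco's own tooling: it turns CUCM phone device names (SEP followed by the 12-digit MAC) into rows for an ISE endpoint import, dropping duplicates and setting aside names that are not a valid MAC. The CUCM column name `Device Name` and the ISE header `MACAddress,EndPointPolicy,IdentityGroup` are assumptions; match them to your own export and to the import template downloaded from your ISE.

```python
import csv
import io
import re

# Assumed CUCM export column; phone device names are "SEP" + 12 hex digits.
CUCM_NAME_COLUMN = "Device Name"
# Assumed ISE import header; compare with the template from your own ISE.
ISE_HEADER = ["MACAddress", "EndPointPolicy", "IdentityGroup"]
IDENTITY_GROUP = "Cisco-IP-Phone"  # identity group named in the thread

_SEP_NAME = re.compile(r"^SEP([0-9A-F]{12})$", re.IGNORECASE)


def device_name_to_mac(name):
    """Return 'AA:BB:CC:DD:EE:FF' for 'SEPAABBCCDDEEFF', else None."""
    m = _SEP_NAME.match(name.strip())
    if not m:
        return None
    digits = m.group(1).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def cucm_to_ise(cucm_csv_text):
    """Convert CUCM export text to (ise_csv_text, rejected_names)."""
    seen, rejected = set(), []
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(ISE_HEADER)
    for row in csv.DictReader(io.StringIO(cucm_csv_text)):
        name = (row.get(CUCM_NAME_COLUMN) or "").strip()
        mac = device_name_to_mac(name)
        if mac is None:
            rejected.append(name)  # review by hand, do not import blindly
        elif mac not in seen:      # the same phone listed twice is added once
            seen.add(mac)
            writer.writerow([mac, "", IDENTITY_GROUP])
    return out.getvalue(), rejected


# Constructed sample export (not real devices).
SAMPLE = (
    "Device Name,Description,Device Pool\n"
    "SEP001122AABBCC,Lobby phone,Default\n"
    "sep001122aabbcc,Duplicate entry,Default\n"
    "SEP0011223344,Truncated name,Default\n"
    "CSFJSMITH,Softphone,Default\n"
    "SEPA0B1C2D3E4F5,Desk 14,Default\n"
)

if __name__ == "__main__":
    ise_csv, bad = cucm_to_ise(SAMPLE)
    print(ise_csv)
    print("rejected:", bad)
```

Because every imported MAC becomes an allowed endpoint under MAB, the rejected list is worth reviewing before the import rather than after.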

Hi,

 

Is your model 7942G? In that case those phones should have a built-in certificate from Cisco (Manufacturer Installed Certificate) that can be used for EAP-TLS. The common name begins with either SEP or CP.

 

Regards,

Philip

Hello Philip,

The phone on my desk is a 7942G model. We have a variety of Cisco IP phones. Is there a way for me to find out which models have a built-in certificate?

Thank you for the reply,

Bob

Hello Philip,

Thank you for the link. It is very useful.

Bob

Philip,

Thank you for your help. I have what I need to know.

Bob
