Security Restrictions; Overview Of Configuring And Installing Cisco Unified Ip Phones - Cisco 7931G Administration Manual

Chapter 1 An Overview of the Cisco Unified IP Phone
•
•
•

Security Restrictions

A user cannot barge into an encrypted call if the phone that is used to barge is not configured for
encryption. When barge fails in this case, a reorder tone (fast busy tone) plays on the phone on which
the user initiated the barge.
If the initiator phone is configured for encryption, the barge initiator can barge into an authenticated or
nonsecure call from the encrypted phone. After the barge occurs, Cisco Unified CM classifies the call
as nonsecure.
If the initiator phone is configured for encryption, the barge initiator can barge into an encrypted call,
and the phone indicates that the call is encrypted.
A user can barge into an authenticated call, even if the phone that is used to barge is nonsecure. The
authentication icon continues to appear on the authenticated devices in the call, even if the initiator
phone does not support security.

Overview of Configuring and Installing Cisco Unified IP Phones

When deploying a new IP telephony system, system administrators and network administrators must
complete several initial configuration tasks to prepare the network for IP telephony service. For
information and a checklist for setting up and configuring a complete Cisco IP telephony network, see
the Cisco Unified Communications Manager System Guide,
Cisco Unified IP Phone 7931G Administration Guide for Cisco Unified Communications Manager 8.0 (SCCP and SIP)
OL-20798-01
Configure PC Port—The 802.1X standard does not take into account the use of VLANs and thus
recommends that only a single device be authenticated to a specific switch port. However, some
switches (including Cisco Catalyst switches) support multi-domain authentication. The switch
configuration determines whether you can connect a PC to the phone PC port.
Enabled—If you are using a switch that supports multi-domain authentication, you can enable
–
the PC port and connect a PC to it. In this case, Cisco Unified IP Phones support proxy
EAPOL-Logoff to monitor the authentication exchanges between the switch and the attached
PC. For more information about IEEE 802.1X support on the Cisco Catalyst switches, refer to
the Cisco Catalyst switch configuration guides at:
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.
html
Disabled—If the switch does not support multiple 802.1X-compliant devices on the same port,
–
you should disable the PC Port when 802.1X authentication is enabled. For more information,
see Security Configuration Menu, page
attempt to attach a PC to it, the switch will deny network access to both the phone and the PC.
Configure Voice VLAN—Because the 802.1X standard does not account for VLANs, you should
configure this setting based on the switch support.
Enabled—If you are using a switch that supports multi-domain authentication, you can continue
–
to use the voice VLAN.
Disabled—If the switch does not support multi-domain authentication, disable the Voice VLAN
–
and consider assigning the port to the native VLAN. For more information, see
Configuration Menu, page
Enter MD5 Shared Secret—If you disable 802.1X authentication or perform a factory reset on the
phone, the previously configured MD5 shared secret is deleted. For more information, see
Authentication and Status, page
Overview of Configuring and Installing Cisco Unified IP Phones
4-30. If you do not disable this port and subsequently
4-30.
4-40.
System Configuration
Security
802.1X
Overview.
1-19