X Authentication - Cisco 9971 Administration Manual

Cisco AP Configuration
WPA2-PSK
For additional information about Cisco WLAN Security, see
wireless/ps430/prod_brochure09186a00801f7d0b.html.
For more information about configuring authentication and encryption schemes on APs, see the Cisco Aironet
Configuration Guide for your model and release under the following URL:
http://www.cisco.com/cisco/web/psa/configure.html?mode=prod&level0=278875243

802.1X Authentication

The Cisco IP Phones support 802.1X Authentication.
Cisco IP Phones and Cisco Catalyst switches traditionally use Cisco Discovery Protocol (CDP) to identify
each other and determine parameters such as VLAN allocation and inline power requirements. CDP does not
identify locally attached workstations. Cisco IP Phones provide an EAPOL pass-through mechanism. This
mechanism allows a workstation attached to the Cisco IP Phone to pass EAPOL messages to the 802.1X
authenticator at the LAN switch. The pass-through mechanism ensures that the IP phone does not act as the
LAN switch to authenticate a data endpoint before accessing the network.
Cisco IP Phones also provide a proxy EAPOL Logoff mechanism. In the event that the locally attached PC
disconnects from the IP phone, the LAN switch does not see the physical link fail, because the link between
the LAN switch and the IP phone is maintained. To avoid compromising network integrity, the IP phone sends
an EAPOL-Logoff message to the switch on behalf of the downstream PC, which triggers the LAN switch to
clear the authentication entry for the downstream PC.
Support for 802.1X authentication requires several components:
• Cisco IP Phone: The phone initiates the request to access the network. Cisco IP Phones contain an 802.1X
supplicant. This supplicant allows network administrators to control the connectivity of IP phones to
the LAN switch ports. The current release of the phone 802.1X supplicant uses the EAP-FAST and
EAP-TLS options for network authentication.
• Cisco Secure Access Control Server (ACS) (or other third-party authentication server): The authentication
server and the phone must both be configured with a shared secret that authenticates the phone.
• Cisco Catalyst Switch (or other third-party switch): The switch must support 802.1X, so it can act as
the authenticator and pass the messages between the phone and the authentication server. After the
exchange completes, the switch grants or denies the phone access to the network.
You must perform the following actions to configure 802.1X.
• Configure the other components before you enable 802.1X Authentication on the phone.
• Configure PC Port: The 802.1X standard does not consider VLANs and thus recommends that only a
single device should be authenticated to a specific switch port. However, some switches (including Cisco
Catalyst switches) support multidomain authentication. The switch configuration determines whether
you can connect a PC to the PC port of the phone.
◦ Enabled: If you are using a switch that supports multidomain authentication, you can enable the
Cisco Unified IP Phone 8961, 9951, and 9971 Administration Guide for Cisco Unified Communications Manager 10.0
WAP2-PSK
PC port and connect a PC to it. In this case, Cisco IP Phones support proxy EAPOL-Logoff to
Supported Security Features
Cisco Unified IP Phone
Configuration
AES Auto (AKM)
http://www.cisco.com/en/US/products/hw/
171