Best Practices; Security Restrictions - Cisco 8961 Administration Manual

Security Restrictions

• Cisco Secure Access Control Server (ACS) (or other third-party authentication server): The authentication
• Cisco Catalyst Switch (or other third-party switch): The switch must support 802.1X, so it can act as

Best Practices

The following list describes requirements and recommendations for 802.1X configuration.
• Enable 802.1X Authentication: If you want to use the 802.1X standard to authenticate Cisco Unified IP
• Configure PC Port: The 802.1X standard does not take into account the use of VLANs and thus
• Configure Voice VLAN: Because the 802.1X standard does not account for VLANs, you should configure
• Enter MD5 Shared Secret: If you disable 802.1X authentication or perform a factory reset on the phone,
Related Topics
Ethernet Setup menu, on page 104
802.1X Authentication and Transaction Status, on page 125
Security Restrictions
A user cannot barge into an encrypted call if the phone that is used to barge is not configured for encryption.
When barge fails in this case, a reorder (fast busy) tone plays on the phone that the barge was initiated.
Cisco Unified IP Phone 8961, 9951, and 9971 Administration Guide for Cisco Unified Communications Manager
10.0 (SIP)
34
REVIEW DRAFT - CISCO CONFIDENTIAL
server and the phone must both be configured with a shared secret that authenticates the phone.
the authenticator and pass the messages between the phone and the authentication server. After the
exchange completes, the switch grants or denies the phone access to the network.
Phones, be sure that you properly configure the other components before enabling it on the phone.
recommends that only a single device should be authenticated to a specific switch port. However, some
switches (including Cisco Catalyst switches) support multidomain authentication. The switch configuration
determines whether you can connect a PC to the PC port of the phone.
◦ Enabled: If you are using a switch that supports multidomain authentication, you can enable the
PC port and connect a PC to it. In this case, Cisco Unified IP Phones support proxy EAPOL-Logoff
to monitor the authentication exchanges between the switch and the attached PC. For more
information about IEEE 802.1X support on the Cisco Catalyst switches, see the Cisco Catalyst
switch configuration guides at:
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
◦ Disabled: If the switch does not support multiple 802.1X-compliant devices on the same port, you
should disable the PC Port when 802.1X authentication is enabled. If you do not disable this port
and subsequently attempt to attach a PC to it, the switch denies network access to both the phone
and the PC.
this setting based on the switch support.
◦ Enabled: If you are using a switch that supports multidomain authentication, you can continue to
use the voice VLAN.
◦ Disabled: If the switch does not support multidomain authentication, disable the Voice VLAN and
consider assigning the port to the native VLAN.
the previously configured MD5 shared secret is deleted.
Cisco Unified IP Phone