Provide Encryption For Barge; 802.1X Authentication - Cisco Unified IP Phone 8941 Administration Manual

Supported Security Features

Provide Encryption for Barge

Cisco Unified Communications Manager checks the phone security status when conferences are established
and changes the security indication for the conference or blocks the completion of the call to maintain integrity
and security in the system.
A user cannot barge into an encrypted call if the phone that is used to barge is not configured for encryption.
When barge fails in this case, a reorder (fast busy) tone plays on the phone that the barge was initiated.
If the initiator phone is configured for encryption, the barge initiator can barge into a nonsecure call from the
encrypted phone. After the barge occurs, Cisco Unified Communications Manager classifies the call as
nonsecure.
If the initiator phone is configured for encryption, the barge initiator can barge into an encrypted call, and the
phone indicates that the call is encrypted.

802.1X Authentication

The Cisco IP Phones support 802.1X Authentication.
Cisco IP Phones and Cisco Catalyst switches traditionally use Cisco Discovery Protocol (CDP) to identify
each other and determine parameters such as VLAN allocation and inline power requirements. CDP does not
identify locally attached workstations. Cisco IP Phones provide an EAPOL pass-through mechanism. This
mechanism allows a workstation attached to the Cisco IP Phone to pass EAPOL messages to the 802.1X
authenticator at the LAN switch. The pass-through mechanism ensures that the IP phone does not act as the
LAN switch to authenticate a data endpoint before accessing the network.
Cisco IP Phones also provide a proxy EAPOL Logoff mechanism. In the event that the locally attached PC
disconnects from the IP phone, the LAN switch does not see the physical link fail, because the link between
the LAN switch and the IP phone is maintained. To avoid compromising network integrity, the IP phone sends
an EAPOL-Logoff message to the switch on behalf of the downstream PC, which triggers the LAN switch to
clear the authentication entry for the downstream PC.
Support for 802.1X authentication requires several components:
• Cisco IP Phone: The phone initiates the request to access the network. Cisco IP Phones contain an 802.1X
supplicant. This supplicant allows network administrators to control the connectivity of IP phones to
the LAN switch ports. The current release of the phone 802.1X supplicant uses the EAP-FAST and
EAP-TLS options for network authentication.
• Cisco Secure Access Control Server (ACS) (or other third-party authentication server): The authentication
server and the phone must both be configured with a shared secret that authenticates the phone.
• Cisco Catalyst Switch (or other third-party switch): The switch must support 802.1X, so it can act as
the authenticator and pass the messages between the phone and the authentication server. After the
exchange completes, the switch grants or denies the phone access to the network.
You must perform the following actions to configure 802.1X.
• Configure the other components before you enable 802.1X Authentication on the phone.
• Configure PC Port: The 802.1X standard does not consider VLANs and thus recommends that only a
single device should be authenticated to a specific switch port. However, some switches (including Cisco
Catalyst switches) support multidomain authentication. The switch configuration determines whether
you can connect a PC to the PC port of the phone.
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 10.0
(SCCP and SIP)
76