Understanding Security Features for Cisco Unified IP Phones
Best Practices—Requirements and Recommendations
Cisco Unified IP Phone 7906G and 7911G for Cisco Unified Communications Manager 6.1
1-24
Cisco Unified IP Phone—The phone acts as the 802.1X supplicant, which
•
initiates the request to access the network.
Cisco Secure Access Control Server (ACS) (or other third-party
•
authentication server)—The authentication server and the phone must both be
configured with a shared secret that is used to authenticate the phone.
Cisco Catalyst Switch (or other third-party switch)—The switch must support
•
802.1X so it can act as the authenticator and pass the messages between the
phone and the authentication server. When the exchange is completed, the
switch grants or denies the phone access to the network.
Enable 802.1X Authentication—If you want to use the 802.1X standard to
•
authenticate Cisco Unified IP Phones, make sure that you have properly
configured the other components before enabling it on the phone. See the
"802.1X Authentication and Status" section on page 4-43
information.
Configure PC Port—The 802.1X standard does not take into account the use
•
of VLANs and thus recommends that only a single device be authenticated to
a specific switch port. However, some switches (including Cisco Catalyst
switches) support multi-domain authentication. The switch configuration
determines whether you can connect a PC to the phone PC port.
Enabled—If you are using a switch that supports multi-domain
–
authentication, you can enable the PC port and connect a PC to it. In this
case, Cisco Unified IP Phones support proxy EAPOL-Logoff to monitor
the authentication exchanges between the switch and the attached PC.
For more information about IEEE 802.1X support on the Cisco Catalyst
switches, refer to the Cisco Catalyst switch configuration guides at:
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products
_support_series_home.htmll
Disabled—If the switch does not support multiple 802.1X-compliant
–
devices on the same port, you should disable the PC Port when 802.1X
authentication is enabled. See the
on page 4-30
for more information. If you do not disable this port and
subsequently attempt to attach a PC to it, the switch will deny network
access to both the phone and the PC.
Chapter 1
An Overview of the Cisco Unified IP Phone
"Security Configuration Menu" section
for more
OL-14585-01