Required Network Components; Best Practices—Requirements And Recommendations - Cisco 8961 Administration Manual

Chapter 1 An Overview of the Cisco Unified IP Phone

Required Network Components

Support for 802.1X authentication on Cisco Unified IP Phones requires several components, including:
•
•
•
Best Practices—Requirements and Recommendations
•
•
•
•
Cisco Unified IP Phone 8961, 9951, and 9971 Administration Guide for Cisco Unified Communications Manager 8.6 (SIP)
Cisco Unified IP Phone—The phone acts as the 802.1X supplicant, which initiates the request to
access the network.
Cisco Secure Access Control Server (ACS) (or other third-party authentication server)—The
authentication server and the phone must both be configured with a shared secret that is used to
authenticate the phone.
Cisco Catalyst Switch (or other third-party switch)—The switch must support 802.1X, so it can act
as the authenticator and pass the messages between the phone and the authentication server. After
the exchange is completed, the switch grants or denies the phone access to the network.
Enable 802.1X Authentication—If you want to use the 802.1X standard to authenticate Cisco
Unified IP Phones, be sure that you properly configure the other components before enabling it on
the phone. See the "802.1X Authentication and Transaction Status" section on page 7-15
information.
Configure PC Port—The 802.1X standard does not take into account the use of VLANs and thus
recommends that only a single device should be authenticated to a specific switch port. However,
some switches (including Cisco Catalyst switches) support multi-domain authentication. The switch
configuration determines whether you can connect a PC to the PC port of the phone.
Enabled—If you are using a switch that supports multi-domain authentication, you can enable
–
the PC port and connect a PC to it. In this case, Cisco Unified IP Phones support proxy
EAPOL-Logoff to monitor the authentication exchanges between the switch and the attached
PC. For more information about IEEE 802.1X support on the Cisco Catalyst switches, see the
Cisco Catalyst switch configuration guides at:
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.
html
Disabled—If the switch does not support multiple 802.1X-compliant devices on the same port,
–
you should disable the PC Port when 802.1X authentication is enabled. See the
Menu" section on page 7-4
subsequently attempt to attach a PC to it, the switch denies network access to both the phone
and the PC.
Configure Voice VLAN—Because the 802.1X standard does not account for VLANs, you should
configure this setting based on the switch support.
Enabled—If you are using a switch that supports multi-domain authentication, you can continue
–
to use the voice VLAN.
Disabled—If the switch does not support multi-domain authentication, disable the Voice VLAN
–
and consider assigning the port to the native VLAN. See the
page 7-4 for more information.
Enter MD5 Shared Secret—If you disable 802.1X authentication or perform a factory reset on the
phone, the previously configured MD5 shared secret is deleted. See the
Transaction Status" section on page 7-15
Understanding Security Features for Cisco Unified IP Phones
for more information. If you do not disable this port and
for more information.
for more
"Ethernet Setup
"Ethernet Setup Menu" section on
"802.1X Authentication and
1-23