Home » Cisco Manuals » Telephony » Cisco 6941 » Manual Viewer

Cisco 6941 Administration Guide - Page 33

Supporting 802.1X Authentication on Cisco Unified IP Phones, Overview, Required Network Components

UPC - 882658277801

Add to My Manuals
Save this manual to your list of manuals

Page 33 highlights

Chapter Understanding Security Features for Cisco Unified IP Phones Supporting 802.1X Authentication on Cisco Unified IP Phones These sections provide information about 802.1X support on the Cisco Unified IP Phones: • Overview, page 1-21 • Required Network Components, page 1-21 • Best Practices-Requirements and Recommendations, page 1-21 Overview Cisco Unified IP phones and Cisco Catalyst switches have traditionally used Cisco Discovery Protocol (CDP) to identify each other and determine parameters such as VLAN allocation and inline power requirements. However, CDP is not used to identify any locally attached PCs; therefore, Cisco Unified IP Phones provide an EAPOL pass-through mechanism, whereby a PC locally attached to the IP phone, may pass through EAPOL messages to the 802.1X authenticator in the LAN switch. This prevents the IP phone from having to act as the authenticator, yet allows the LAN switch to authenticate a data end point prior to accessing the network. In conjunction with the EAPOL pass-through mechanism, Cisco Unified IP Phones provide a proxy EAPOL-Logoff mechanism. In the event that the locally attached PC is disconnected from the IP phone, the LAN switch would not see the physical link fail, because the link between the LAN switch and the IP phone is maintained. To avoid compromising network integrity, the IP phone sends an EAPOL-Logoff message to the switch, on behalf of the downstream PC, which triggers the LAN switch to clear the authentication entry for the downstream PC. The Cisco Unified IP phones also contain an 802.1X supplicant, in addition to the EAPOL pass-through mechanism. This supplicant allows network administrators to control the connectivity of IP phones to the LAN switch ports. The current release of the phone 802.1X supplicant uses the EAP-FAST, EAP-TLS, and EAP-MD5 options for network authentication. Required Network Components Support for 802.1X authentication on Cisco Unified IP Phones requires several components, including: • Cisco Unified IP Phone-The phone acts as the 802.1X supplicant, which initiates the request to access the network. • Cisco Secure Access Control Server (ACS) (or other third-party authentication server)-The authentication server and the phone must both be configured with a shared secret that is used to authenticate the phone. • Cisco Catalyst Switch (or other third-party switch)-The switch must support 802.1X, so it can act as the authenticator and pass the messages between the phone and the authentication server. When the exchange is completed, the switch then grants or denies the phone access to the network. Best Practices-Requirements and Recommendations • Enable 802.1X Authentication-If you want to use the 802.1X standard to authenticate Cisco Unified IP Phones, be sure that you have properly configured the other components before enabling it on the phone. See the "802.1X Authentication and Status" section on page 4-9 for more information. Cisco Unified IP Phone 6921, 6941, 6945, and 6961 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP) OL-23769-01 1-21

Section	Page
Cisco Unified IP Phone 6921, 6941, 6945, and 6961 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)	1
Contents	3
Preface	9
An Overview of the Cisco Unified IP Phone	13
Understanding the Cisco Unified IP Phones 6921, 6941, 6945, and 6961	14
What Networking Protocols are Used?	21
What Features are Supported on the Cisco Unified IP Phone 6921, 6941, and 6961?	24
Feature Overview	25
Configuring Telephony Features	25
Configuring Network Parameters Using the Cisco Unified IP Phone	26
Providing Users with Feature Information	26
Understanding Security Features for Cisco Unified IP Phones	26
Overview of Supported Security Features	28
Understanding Security Profiles	30
Identifying Encrypted Phone Calls	30
Establishing and Identifying Secure Conference Calls	31
Establishing and Identifying Protected Calls	31
Call Security Interactions and Restrictions	32
Supporting 802.1X Authentication on Cisco Unified IP Phones	33
Overview	33
Required Network Components	33
Best Practices-Requirements and Recommendations	33
Security Restrictions	34
Overview of Configuring and Installing Cisco Unified IP Phones	34
Configuring Cisco Unified IP Phones in Cisco Unified CM	35
Checklist for Configuring the Cisco Unified IP Phones 6921, 6941, 6945, and 6961 in Cisco Unified CM	36
Installing Cisco Unified IP Phones	39
Checklist for Installing the Cisco Unified IP Phone 6921, 6941, and 6961	39
Terminology Differences	41
Preparing to Install the Cisco Unified IP Phone on Your Network	43
Understanding Interactions with Other Cisco Unified IP Telephony Products	43
Understanding How the Cisco Unified IP Phone Interacts with Cisco Unified CM	44
Understanding How the Cisco Unified IP Phone Interacts with the VLAN	44
Providing Power to the Cisco Unified IP Phone	45
Power Guidelines	46
Power Outage	46
Obtaining Additional Information about Power	47
Understanding Phone Configuration Files	47
Understanding the Phone Startup Process	49
Adding Phones to the Cisco Unified CM Database	50
Adding Phones with Auto-Registration	51
Adding Phones with Auto-Registration and TAPS	52
Adding Phones with Cisco Unified CM Administration	52
Adding Phones with BAT	53
Using Cisco Unified IP Phones with Different Protocols	53
Converting a New Phone from SCCP to SIP	53
Converting an In-Use Phone from One Protocol to the Other Protocol	54
Deploying a Phone in an SCCP and SIP Environment	54
Determining the MAC Address for a Cisco Unified IP Phone	55
Setting Up the Cisco Unified IP Phone	57
Before You Begin	57
Network Requirements	57
Cisco Unified Communications Manager Configuration	58
Understanding the Cisco Unified IP Phones 6921, 6941, 6945, and 6961 Components	58
Network and Access Ports	58
Handset	59
Speakerphone	59
Headset	59
Audio Quality Subjective to the User	60
Connecting a Headset	60
Disabling a Headset	60
Using External Devices	60
Installing the Cisco Unified IP Phone	61
Reducing Power Consumption on the Phone	66
Footstand	66
Higher Viewing Angle	70
Lower Viewing Angle	71
Mounting the Phone to the Wall	71
Verifying the Phone Startup Process	71
Configuring Startup Network Settings	72
Configuring Security on the Cisco Unified IP Phone	72
Configuring Settings on the Cisco Unified IP Phone	75
Configuration Menus on the Cisco Unified IP Phone	75
Displaying a Configuration Menu	76
Unlocking and Locking Options	77
Editing Values	77
Network Setup Menu	78
IPv4 Setup Menu Options	80
Security Configuration Menu	83
Trust List Menu	83
802.1X Authentication and Status	83
Configuring Features, Templates, Services, and Users	85
Telephony Features Available for the Cisco Unified IP Phone	85
Join and Direct Transfer Policy	99
Configuring Corporate and Personal Directories	100
Configuring Corporate Directories	100
Configuring Personal Directory	100
Modifying Phone Button Templates	101
Modifying a Phone Button Template for Personal Address Book or Speed Dials	102
Configuring Softkey Templates	103
Setting Up Services	105
Adding Users to Cisco Unified Communications Manager	106
Managing the User Options Web Pages	106
Giving Users Access to the User Options Web Pages	106
Specifying Options that Appear on the User Options Web Pages	108
Configuring the Phone to Support Call Waiting	109
Customizing the Cisco Unified IP Phone	111
Customizing and Modifying Configuration Files	111
Creating Custom Phone Rings	112
DistinctiveRingList File Format Requirements	112
PCM File Requirements for Custom Ring Types	113
Configuring a Custom Phone Ring	113
Configuring the Idle Display	114
Automatically Disabling the Cisco Unified IP Phone Backlight	114
Viewing Model Information, Status, and Statistics on the Cisco Unified IP Phone	117
Model Information Screen	117
Status Menu	118
Status Messages Screen	118
Network Statistics Screen	122
Call Statistics Screen	124
Security Configuration	126
Monitoring the Cisco Unified IP Phone Remotely	129
Accessing the Web Page for a Phone	130
Disabling and Enabling Web Page Access	131
Device Information	131
Network Setup	132
Network Statistics	135
Device Logs	137
Streaming Statistics	137
Troubleshooting and Maintenance	141
Resolving Startup Problems	141
Symptom: The Cisco Unified IP Phone Does Not Go Through its Normal Startup Process	142
Symptom: The Cisco Unified IP Phone Does Not Register with Cisco Unified Communications Manager	142
Identifying Error Messages	143
Checking Network Connectivity	143
Verifying TFTP Server Settings	143
Verifying IP Addressing and Routing	143
Verifying DNS Settings	144
Cisco CallManager and TFTP Services Are Not Running	144
Creating a New Configuration File	144
Registering the Phone with Cisco Unified Communications Manager	145
Symptom: Cisco Unified IP Phone Unable to Obtain IP Address	145
Cisco Unified IP Phone Resets Unexpectedly	146
Verifying the Physical Connection	146
Identifying Intermittent Network Outages	146
Verifying DHCP Settings	146
Checking Static IP Address Settings	147
Verifying the Voice VLAN Configuration	147
Verifying that the Phones Have Not Been Intentionally Reset	147
Eliminating DNS or Other Connectivity Errors	147
Checking Power Connection	148
Troubleshooting Cisco Unified IP Phone Security	148
General Troubleshooting Tips	149
Resetting or Restoring the Cisco Unified IP Phone	152
Performing a Basic Reset	152
Performing a Factory Reset	152
Monitoring the Voice Quality of Calls	153
Troubleshooting Tips	154
Using Voice-Quality Metrics	154
Where to Go for More Troubleshooting Information	155
Cleaning the Cisco Unified IP Phone	155
Providing Information to Users Via a Website	157
How Users Obtain Support for the Cisco Unified IP Phone	157
Giving Users Access to the User Options Web Pages	157
How Users Subscribe to Services and Configure Phone Features	158
How Users Access a Voice Messaging System	158
How Users Configure Personal Directory Entries	159
Installing and Configuring the Cisco Unified IP Phone Address Book Synchronizer	159
Supporting International Users	161
Installing the Cisco Unified CM Locale Installer	161
Support for International Call Logging	161
Technical Specifications	163
Physical and Operating Environment Specifications	163
Cable Specifications	164
Network and Access Port Pinouts	164
Basic Phone Administration Steps	167
Example User Information for these Procedures	167
Adding a User to Cisco Unified CM	168
Adding a User From an External LDAP Directory	168
Adding a User Directly to Cisco Unified Communications Manager	168
Configuring the Phone	169
Performing Final End User Configuration Steps	172
Installing the Wall Mount Kit for the Cisco Unified IP Phones 6921, 6941, 6945, and 6961	173
Before You Begin	174
Installing the Bracket	174
Feature Support by Protocol for the Cisco Unified IP Phone 6921, 6941, 6945, and 6961	181

Match case Limit results 1 per page

1-21

Cisco Unified IP Phone 6921, 6941, 6945, and 6961 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)

OL-23769-01

Chapter

Understanding Security Features for Cisco Unified IP Phones

Supporting 802.1X Authentication on Cisco Unified IP Phones

These sections provide information about 802.1X support on the Cisco Unified IP Phones:

•

Overview, page 1-21

•

Required Network Components, page 1-21

•

Best Practices—Requirements and Recommendations, page 1-21

Overview

Cisco Unified IP phones and Cisco Catalyst switches have traditionally used Cisco Discovery Protocol

(CDP) to identify each other and determine parameters such as VLAN allocation and inline power

requirements. However, CDP is not used to identify any locally attached PCs; therefore, Cisco Unified

IP Phones provide an EAPOL pass-through mechanism, whereby a PC locally attached to the IP phone,

may pass through EAPOL messages to the 802.1X authenticator in the LAN switch. This prevents the

IP phone from having to act as the authenticator, yet allows the LAN switch to authenticate a data end

point prior to accessing the network.

In conjunction with the EAPOL pass-through mechanism, Cisco Unified IP Phones provide a proxy

EAPOL-Logoff mechanism. In the event that the locally attached PC is disconnected from the IP phone,

the LAN switch would not see the physical link fail, because the link between the LAN switch and the

IP phone is maintained. To avoid compromising network integrity, the IP phone sends an EAPOL-Logoff

message to the switch, on behalf of the downstream PC, which triggers the LAN switch to clear the

authentication entry for the downstream PC.

The Cisco Unified IP phones also contain an 802.1X supplicant, in addition to the EAPOL pass-through

mechanism. This supplicant allows network administrators to control the connectivity of IP phones to

the LAN switch ports. The current release of the phone 802.1X supplicant uses the EAP-FAST,

EAP-TLS, and EAP-MD5 options for network authentication.

Required Network Components

Support for 802.1X authentication on Cisco Unified IP Phones requires several components, including:

•

Cisco Unified IP Phone—The phone acts as the 802.1X

supplicant

, which initiates the request to

access the network.

•

Cisco Secure Access Control Server (ACS) (or other third-party authentication server)—The

authentication server and the phone must both be configured with a shared secret that is used to

authenticate the phone.

•

Cisco Catalyst Switch (or other third-party switch)—The switch must support 802.1X, so it can act

as the

authenticator

and pass the messages between the phone and the authentication server. When

the exchange is completed, the switch then grants or denies the phone access to the network.

Best Practices—Requirements and Recommendations

•

Enable 802.1X Authentication—If you want to use the 802.1X standard to authenticate Cisco

Unified IP Phones, be sure that you have properly configured the other components before enabling

it on the phone. See the

“802.1X Authentication and Status” section on page 4-9

for more

information.