Cisco CP-7961G-GE Administration Guide - Page 33

Chapter 1 An Overview of the Cisco Unified IP Phone Understanding Security Features for Cisco Unified IP Phones IP phone is maintained. To avoid compromising network integrity, the IP phone sends an EAPOL-Logoff message to the switch, on behalf of the downstream PC, which triggers the LAN switch to clear the authentication entry for the downstream PC. The Cisco Unified IP phones also contain an 802.1X supplicant, in addition to the EAPOL pass-through mechanism. This supplicant allows network administrators to control the connectivity of IP phones to the LAN switch ports. The current release of the phone 802.1X supplicant uses the EAP-FAST, EAP-TLS, and EAP-MD5 options for network authentication. Required Network Components Support for 802.1X authentication on Cisco Unified IP Phones requires several components, including: • Cisco Unified IP Phone-The phone acts as the 802.1X supplicant, which initiates the request to access the network. • Cisco Secure Access Control Server (ACS) (or other third-party authentication server)-The authentication server and the phone must both be configured with a shared secret that is used to authenticate the phone. • Cisco Catalyst Switch (or other third-party switch)-The switch must support 802.1X, so it can act as the authenticator and pass the messages between the phone and the authentication server. When the exchange is completed, the switch then grants or denies the phone access to the network. Best Practices-Requirements and Recommendations • Enable 802.1X Authentication-If you want to use the 802.1X standard to authenticate Cisco Unified IP Phones, be sure that you have properly configured the other components before enabling it on the phone. See 802.1X Authentication and Status, page 4-43 for more information. • Configure PC Port-The 802.1X standard does not take into account the use of VLANs and thus recommends that only a single device should be authenticated to a specific switch port. However, some switches (including Cisco Catalyst switches) support multi-domain authentication. The switch configuration determines whether you can connect a PC to the phone's PC port. - Enabled-If you are using a switch that supports multi-domain authentication, you can enable the PC port and connect a PC to it. In this case, Cisco Unified IP Phones support proxy EAPOL-Logoff to monitor the authentication exchanges between the switch and the attached PC. For more information about IEEE 802.1X support on the Cisco Catalyst switches, refer to the Cisco Catalyst switch configuration guides at: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home. html - Disabled-If the switch does not support multiple 802.1X-compliant devices on the same port, you should disable the PC Port when 802.1X authentication is enabled. See Security Configuration Menu, page 4-30 for more information. If you do not disable this port and subsequently attempt to attach a PC to it, the switch will deny network access to both the phone and the PC. • Configure Voice VLAN-Because the 802.1X standard does not account for VLANs, you should configure this setting based on the switch support. - Enabled-If you are using a switch that supports multi-domain authentication, you can continue to use the voice VLAN. OL-21011-01 Cisco Unified IP Phone Administration Guide for Cisco Unified Communications Manager 8.0 (SCCP and SIP) 1-19