Cisco CP-7962G Administration Guide - Page 32

Understanding Security Features for Cisco Unified IP Phones Chapter 1 An Overview of the Cisco Unified IP Phone Table 1-6 Security Restrictions with Conference Calls (continued) Initiator's Phone Security Level Feature Used Secure (encrypted Conference or authenticated) Secure (encrypted) Join Non-secure cBarge Non-secure MeetMe Secure (encrypted) MeetMe Secure (encrypted) MeetMe Security Level of Participants For Cisco Unified IP Phones 7962G and 7942G: Encrypted or secure For Cisco Unified IP Phones 7961G and 7941G: Member puts call on Hold with MOH Encrypted or authenticated All participants are encrypted Minimum security level is encrypted Minimum security level is authenticated Minimum security level is non-secure Results of Action For Cisco Unified IP Phones 7962G and 7942G: Conference remains secure. When one participant tries to hold the call with MOH, the MOH does not play. For Cisco Unified IP Phones 7961G and 7941G: No music on hold is played Conference remains secure. Secure conference bridge Conference remains secure (encrypted or authenticated) Secure conference bridge Conference changes to non-secure Initiator receives message "Does not meet Security Level", call rejected. Secure conference bridge Conference accepts encrypted and authenticated calls Only secure conference bridge available and used Conference accepts all calls Supporting 802.1X Authentication on Cisco Unified IP Phones These sections provide information about 802.1X support on the Cisco Unified IP Phones: • Overview, page 1-18 • Required Network Components, page 1-19 • Best Practices-Requirements and Recommendations, page 1-19 Overview Cisco Unified IP phones and Cisco Catalyst switches have traditionally used Cisco Discovery Protocol (CDP) to identify each other and determine parameters such as VLAN allocation and inline power requirements. However, CDP is not used to identify any locally attached PCs; therefore, Cisco Unified IP Phones provide an EAPOL pass-through mechanism, whereby a PC locally attached to the IP phone, may pass through EAPOL messages to the 802.1X authenticator in the LAN switch. This prevents the IP phone from having to act as the authenticator, yet allows the LAN switch to authenticate a data end point prior to accessing the network. In conjunction with the EAPOL pass-through mechanism, Cisco Unified IP Phones provide a proxy EAPOL-Logoff mechanism. In the event that the locally attached PC is disconnected from the IP phone, the LAN switch would not see the physical link fail, because the link between the LAN switch and the 1-18 Cisco Unified IP Phone Administration Guide for Cisco Unified Communications Manager 8.0 (SCCP and SIP) OL-21011-01