hit counter script

Overview; Required Network Components; Best Practices—Requirements And Recommendations - Cisco 7965G Administration Manual

Hide thumbs Also See for 7965G:
Table of Contents

Advertisement

Chapter 1
An Overview of the Cisco Unified IP Phone

Overview

Cisco Unified IP phones and Cisco Catalyst switches have traditionally used Cisco Discovery Protocol
(CDP) to identify each other and to determine parameters such as VLAN allocation and inline power
requirements. However, CDP is not used to identify any locally attached PCs. Therefore, Cisco Unified
IP Phones provide an EAPOL pass-through mechanism, whereby a PC locally attached to the IP phone
may pass through EAPOL messages to the 802.1X authenticator in the LAN switch. This capability
prevents the IP phone from having to act as the authenticator, yet allows the LAN switch to authenticate
a data end point prior to accessing the network.
In conjunction with the EAPOL pass-through mechanism, Cisco Unified IP Phones provide a proxy
EAPOL-Logoff mechanism. If the locally attached PC is disconnected from the IP phone, the LAN
switch would not see the physical link fail, because the link between the LAN switch and the IP phone
is maintained. To avoid compromising network integrity, the IP phone sends an EAPOL-Logoff message
to the switch on behalf of the downstream PC, which triggers the LAN switch to clear the authentication
entry for the downstream PC.
The Cisco Unified IP phones contain an 802.1X supplicant in addition to the EAPOL pass-through
mechanism. This supplicant allows network administrators to control the connectivity of IP phones to
the LAN switch ports. The initial release of the IP phone 802.1X supplicant implements the EAP-MD5
option for 802.1X authentication.

Required Network Components

Support for 802.1X authentication on Cisco Unified IP Phones requires several components, including:
Best Practices—Requirements and Recommendations
OL-12650-01
Cisco Unified IP Phone—The phone acts as the 802.1X supplicant, which initiates the request to
access the network.
Cisco Secure Access Control Server (ACS) (or other third-party authentication server)—The
authentication server and the phone must both be configured with a shared secret that is used to
authenticate the phone.
Cisco Catalyst Switch (or other third-party switch)—The switch must support 802.1X so it can act
as the authenticator and pass the messages between the phone and the authentication server. When
the exchange is completed, the switch grants or denies the phone access to the network.
Enable 802.1X Authentication—If you want to use the 802.1X standard to authenticate Cisco
Unified IP Phones, make sure that you have properly configured the other components before
enabling it on the phone. See the
information.
Configure PC Port—The 802.1X standard does not take into account the use of VLANs and thus
recommends that only a single device be authenticated to a specific switch port. However, some
switches (including Cisco Catalyst switches) support multi-domain authentication. The switch
configuration determines whether you can connect a PC to the phone PC port.
Enabled—If you are using a switch that supports multi-domain authentication, you can enable
the PC port and connect a PC to it. In this case, Cisco Unified IP Phones support proxy
EAPOL-Logoff to monitor the authentication exchanges between the switch and the attached
PC. For more information about IEEE 802.1X support on the Cisco Catalyst switches, refer to
the Cisco Catalyst switch configuration guides at:
Cisco Unified IP Phone 7965G and 7945G Administration Guide for Cisco Unified Communications Manager 6.0
Understanding Security Features for Cisco Unified IP Phones
"802.1X Authentication and Status" section on page
4-36for more
1-17

Advertisement

Table of Contents
loading

This manual is also suitable for:

Cp-7965g7945g

Table of Contents