ACS Accounts for EAP-TLS IP Phones

Unanswered Question
Apr 1st, 2009

I am going to implement Nortel IP Phones on Cisco 3560 switches configured with 802.1x port control. The switches utilise Cisco ACS to authenticate clients. I have set up a certificate server and will be installing certificates on the phones and the ACS Server. The phones will be configured to use EAP-TLS. My questions are:

1. Do I have to manually create an ACS account for each phone or can this be automated?

2. Can I configure a single account for all phones?

3. Can Active Directory be used in any way to perform the back end authorisation?

Many thanks for your help,


vmoopeung Tue, 04/07/2009 - 07:44

You may configure the MAB option in the switch. MAC Auth Bypass (MAB) for voice allows third-party IP phones without an 802.1x supplicant to get authenticated using their MAC address.

paul.l.kyte Thu, 04/09/2009 - 05:22

It doesn't look like you have read my question.


Do you know if I have to manually create accounts on the ACS Server etc. etc.

Please read the questions and reply to them.


jafrazie Thu, 04/09/2009 - 05:34

If you are using ACS4 and below, then you need to manually create an ACS account for each phone. Alternatively, if this "account" already exists somewhere else (like LDAP) then it could be referenced.

Not sure if a single account could be used for all phones, though it's possible. For example, if the cert you put on all your phones has an identical CN. Revoking this at a later date might be challenging though.

If you defined the phone as an actual user in Active Directory, probably no reason that shouldn't work either.


jafrazie Thu, 04/09/2009 - 05:45

ACS5 has a much richer policy model. You could use the cert itself as the identity source, for example, and make an authorization decision based on a unique attribute of the cert (on the phone) to differentiate it as a phone if you need to.
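
As an added illustration (not code from this thread, nor Cisco's), the ACS5-style decision described above, using the client certificate itself as the identity source and one of its attributes for the authorization choice, sketched in Go with only the standard library; the OU value "IP-Phones", the profile names and the self-signed test certificate are assumptions:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Authorize takes the identity from the client cert's Subject CN and picks the
// authorization profile from a cert attribute (Subject OU), as the ACS5-style
// policy above describes. Profile names are hypothetical; expired or CN-less certs fail.
func Authorize(cert *x509.Certificate, now time.Time) (identity, profile string, err error) {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", "", errors.New("certificate not within its validity period")
	}
	if cert.Subject.CommonName == "" {
		return "", "", errors.New("certificate has no Subject CN to use as identity")
	}
	profile = "data-default" // anything not tagged as a phone
	for _, ou := range cert.Subject.OrganizationalUnit {
		if ou == "IP-Phones" { // the unique attribute that marks a phone cert
			profile = "voice-vlan"
		}
	}
	return cert.Subject.CommonName, profile, nil
}

// NewTestCert builds a constructed self-signed cert (CN, OU) so the policy runs offline.
func NewTestCert(cn, ou string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A real deployment would also check the issuing CA and revocation status before trusting any attribute of the cert, which is the part of the single-shared-CN approach that gets hard later.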


paul.l.kyte Tue, 04/14/2009 - 03:12

Do you have an example of this feature on ACS5 or can you suggest any reference reading?

