695 Views | 0 Helpful | 6 Replies

ACS Accounts for EAP-TLS IP Phones

paul.l.kyte
Level 1

I am going to implement Nortel IP Phones on Cisco 3560 switches configured with 802.1x port control. The switches utilise Cisco ACS to authenticate clients. I have set up a certificate server and will be installing certificates on the phones and the ACS Server. The phones will be configured to use EAP-TLS. My questions are:

1. Do I have to manually create an ACS account for each phone or can this be automated?

2. Can I configure a single account for all phones?

3. Can Active Directory be used in any way to perform the back-end authorisation?

Many thanks for your help,

Paul

6 Replies

vmoopeung
Level 5

You may configure the MAB option in the switch. MAC Auth Bypass (MAB) for voice allows third-party IP phones without an 802.1x supplicant to get authenticated using their MAC address.

It doesn't look like you have read my question.

I WANT TO USE 802.1x AND CERTIFICATES.

Do you know if I have to manually create accounts on the ACS Server etc. etc.

Please read the questions and reply to them.

Thanks.

If you are using ACS4 and below, then you need to manually create an ACS account for each phone. Alternatively, if this "account" already exists somewhere else (like LDAP) then it could be referenced.

Not sure if a single account could be used for all phones, though it's possible. For example, if the cert you put on all your phones has an identical CN. Revoking this at a later date might be challenging though.

If you defined the phone as an actual user in Active Directory, probably no reason that shouldn't work either.

HTH,

Thanks for this reply.

Is the process any different in ACS5?

ACS5 has a much richer policy model. You could use the cert itself as the identity source, for example and make an authorization decision based on a unique attribute of the cert (on the phone) to differentiate it as a phone if you need to.

HTH,
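The two replies above describe an authorization decision keyed on the phone certificate itself (differentiate phones by a unique certificate attribute) and warn that giving every phone an identical CN makes later revocation awkward. The following is an added illustration of both points written against Go's standard `crypto/x509` library; it is not code from this thread, from Cisco ACS, or from Nortel. It assumes the certificate server stamps a fixed subject OU (the constructed value `IP Phones`) on every phone certificate, and uses self-signed test certificates generated in-process so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PhoneOU is the subject OU value this example assumes the certificate
// server places on every IP-phone certificate. It is a constructed value,
// not something taken from the thread or from Cisco ACS.
const PhoneOU = "IP Phones"

// newPhoneCert builds a self-signed test certificate with the given CN and OU.
// In a real deployment the phone certs would be issued by the enterprise CA;
// self-signing here only keeps the example offline and stand-alone.
func newPhoneCert(cn, ou string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{
			CommonName:         cn,
			OrganizationalUnit: []string{ou},
		},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// AuthorizeEndpoint mirrors the ACS5-style decision the reply describes:
// the certificate is the identity, and a distinguishing subject attribute
// (here the OU) decides which authorization profile applies. It returns the
// profile name, or an error when the certificate is not a phone certificate.
func AuthorizeEndpoint(cert *x509.Certificate) (string, error) {
	if cert.Subject.CommonName == "" {
		return "", errors.New("certificate has no CN; cannot build an identity")
	}
	for _, ou := range cert.Subject.OrganizationalUnit {
		if ou == PhoneOU {
			return "voice-vlan", nil
		}
	}
	return "", fmt.Errorf("CN %q is not in OU %q; not a phone", cert.Subject.CommonName, PhoneOU)
}

// SharedCNs returns every CN that appears on more than one certificate, with
// the serial numbers that carry it. This is the revocation problem raised
// earlier in the thread: when all phones share one CN, the CN cannot single
// out the one phone to revoke, and only the serial number distinguishes them.
func SharedCNs(certs []*x509.Certificate) map[string][]string {
	byCN := map[string][]string{}
	for _, c := range certs {
		byCN[c.Subject.CommonName] = append(byCN[c.Subject.CommonName], c.SerialNumber.Text(16))
	}
	shared := map[string][]string{}
	for cn, serials := range byCN {
		if len(serials) > 1 {
			shared[cn] = serials
		}
	}
	return shared
}

func main() {
	phoneA, _ := newPhoneCert("phone-0001", PhoneOU)
	phoneB, _ := newPhoneCert("phone-0002", PhoneOU)
	laptop, _ := newPhoneCert("user-laptop", "Workstations")
	for _, c := range []*x509.Certificate{phoneA, phoneB, laptop} {
		profile, err := AuthorizeEndpoint(c)
		fmt.Printf("%-12s -> profile=%q err=%v\n", c.Subject.CommonName, profile, err)
	}
	// Two phones issued with an identical CN: revocable only by serial number.
	sharedA, _ := newPhoneCert("ip-phone", PhoneOU)
	sharedB, _ := newPhoneCert("ip-phone", PhoneOU)
	fmt.Println("shared CNs:", SharedCNs([]*x509.Certificate{sharedA, sharedB}))
}
```

The per-phone CN plus a shared OU gives the policy engine one attribute to recognise "this is a phone" and a second, unique one to name the individual device, so a single compromised handset can be revoked by its own certificate without touching the rest of the fleet.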

Do you have an example of this feature on ACS5 or can you suggest any reference reading?

Thanks,

Paul