IP Phone and 802.1x

Unanswered Question
Oct 27th, 2009

We have implemented 802.1x in our company. There is a problem about inputting the 802.1x code.

Because we don't want end users to get the 802.1x code, so we have to input 802.1x for every phone. And inputting the 802.1x code is hard work.

Is there any way of inputting 802.1x code without operating on every phone?

Jonathan Schulenberg Tue, 10/27/2009 - 18:28

No; however, if you use certificates instead of manual credentials you can trust the MIC to get the phone bootstrapped (firmware downloaded, registered, CAPF enrolled) by having ACS put it in a limited access VLAN. Once it has generated its LSC you can then have ACS move it to the "normal" voice VLAN.

markjiang Tue, 10/27/2009 - 20:18

Hi j.schulenberg,

Thanks for your reply.

Do you mean that we cannot use BAT or any other method to configure the 802.1x code for phones?

Jonathan Schulenberg Wed, 10/28/2009 - 19:03

No for at least two reasons:

1) There is nowhere on the device configuration to enter 802.1x credentials, only to enable/disable it.

2) How would the phone get this information from the TFTP server if it can't get on the network in the first place?

jleon22 Thu, 05/13/2010 - 13:18

Hi Jason,

This is exactly what we are trying to do as well. Would you happen to know of any documents that go through the procedure you mentioned? Basically, we want to use ACS 5.x to authenticate phone certs to allow them onto the voice VLAN.



greg.fuller Wed, 07/21/2010 - 12:52

Anyone figure out how to do this? I'd like to use the MIC on each phone to validate against the CommonName field of the certificate (which should be CP-{model #}-{MAC address}) via EAP-TLS. I'm using a 3rd party RADIUS server (Radiator). I have it set up but keep getting certificate errors. Should RADIUS be sending back a certificate to the phone? I thought I could just validate the CommonName field of the MIC cert that the phone sends to RADIUS, but it looks like I have to have a server side certificate installed (I do have the Cisco crca2048.crt and cmca.crt CAs installed in Radiator).
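The CommonName check described in the post above, written out as an added Python example; it is not code from the thread or from Radiator. It assumes the CN form CP-{model}-{MAC} given in the post, an optional "SEP" prefix before the MAC (an assumption, not stated in the thread), a RADIUS Calling-Station-Id attribute carrying the supplicant MAC as reported by the switch, and a constructed phone inventory keyed by MAC.

```python
import re
from typing import Dict, Optional, Tuple

# CN form from the post: CP-{model #}-{MAC address}. Accepting an optional
# "SEP" prefix on the MAC part is an assumption made for this example.
PHONE_CN_RE = re.compile(r"^CP-(?P<model>[A-Z0-9]+)-(?:SEP)?(?P<mac>[0-9A-F]{12})$")

# Constructed inventory: MAC (12 upper-case hex digits) -> expected phone model.
INVENTORY: Dict[str, str] = {
    "001122334455": "7965G",
    "00AABBCCDD01": "7942G",
}


def normalize_mac(value: str) -> str:
    """Reduce aa:bb:cc..., aa-bb-cc... or aabb.ccdd.eeff to 12 upper-case hex digits.

    Returns an empty string when the input does not contain exactly 12 hex digits,
    so a malformed Calling-Station-Id can never accidentally match a certificate.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    return digits if len(digits) == 12 else ""


def parse_phone_cn(cn: str) -> Optional[Tuple[str, str]]:
    """Return (model, mac) from a MIC CommonName, or None if it is not a phone CN."""
    match = PHONE_CN_RE.match(cn.strip().upper())
    if match is None:
        return None
    return match.group("model"), match.group("mac")


def authorize_phone(cn: str, calling_station_id: str, inventory: Dict[str, str]) -> bool:
    """Post-EAP-TLS authorization decision for a phone presenting a MIC.

    The TLS handshake has already proven the client holds the key for a cert
    chaining to the Cisco CAs; this step decides whether that identity may
    join the voice VLAN: the CN must be well-formed, the MAC embedded in it
    must equal the MAC the switch saw on the port (Calling-Station-Id), and
    the MAC/model pair must be in the inventory.
    """
    parsed = parse_phone_cn(cn)
    if parsed is None:
        return False
    model, mac = parsed
    if mac != normalize_mac(calling_station_id):
        return False  # certificate identity does not match the port's MAC
    return inventory.get(mac) == model
```

Binding the CN to Calling-Station-Id means a MIC presented from a port whose MAC does not match the certificate is rejected even though the TLS handshake itself succeeded; the server certificate that EAP-TLS requires for the handshake is a separate matter from this authorization step.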


