Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1027
Views
9
Helpful
6
Replies

IP Phone and 802.1x

markjiang
Level 1
Level 1

‎10-27-2009 05:59 AM - edited ‎03-15-2019 08:15 PM

We have implemented 802.1x in our company.There is a problem about inputting the 802.1x code.

Because we don't want end users to get the 802.1x code,so we have to input 802.1x for every phone.And inputting 802.1x code is a hard work.

Is there any way of inputting 802.1x code without operating on every phone?

Labels:
0 Helpful
6 Replies 6

Jonathan Schulenberg
Hall of Fame
Hall of Fame

‎10-27-2009 06:28 PM

No; however, if you use certificates instead of manual credentials you can trust the MIC to get the phone bootstrapped (firmware downloaded, registered, CAPF enrolled) by having ACS put it in a limited access VLAN. Once it has generated it's LSC you can then have ACS move it to "normal" voice VLAN.

markjiang
Level 1
Level 1
In response to Jonathan Schulenberg

‎10-27-2009 08:18 PM

Hi,j.schulenberg ,

Thanks for your reply.

Do you mean that We can not use BAT or any other method to config the 802.1x code for phones

0 Helpful

Jonathan Schulenberg
Hall of Fame
Hall of Fame
In response to markjiang

‎10-28-2009 07:03 PM

No for at least two reasons:

1) There is no where on the device configuration to enter 802.1x credentials, only to enable/disable it.

2) How would the phone get this information from the TFTP server if it can't get on the network in the first place?

jleon22
Level 1
Level 1
In response to Jonathan Schulenberg

‎05-13-2010 01:18 PM

Hi Jason,

This is exactly what we are trying to do as well. Would you happen to know of any documents that goes through that procedure that you mentioned? Basically, we want to use ACS 5.x to authenticate phone certs to allow it onto the voice vlan.

regards,

johnny

0 Helpful

greg.fuller
Level 5
Level 5
In response to jleon22

‎07-21-2010 12:52 PM

Anyone figure out how to do this?  I'd like to use the MIC on each phone to validate agains the CommonName field of the certificate (which should be CP-{model #}-{MAC address}) via EAP-TLS.  I'm using a 3rd party RADIUS server (radiator).  I have it setup but keep getting certificate errors.  Should RADIUS be sending back a certificate to the phone?  I thought I could just validate the CommonName field of the MIC cert that the phone sends to RADIUS but it looks like I have to have a server side certificate installed (I do have the Cisco crca2048.crt and cmca.crt CA's installed in radiator).

--greg

0 Helpful

jleon22
Level 1
Level 1
In response to greg.fuller

‎07-21-2010 01:41 PM

Hi Greg,

In my research, I came across this document that explains in pretty good detail the requirements for enabling 802.1x for phones using ACS.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html

regards,

johnny

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents