Cisco Support Community
Community Member

ACS Accounts for EAP-TLS IP Phones

I am going to implement Nortel IP Phones on Cisco 3560 switches configured with 802.1x port control. The switches utilise Cisco ACS to authenticate clients. I have set up a certificate server and will be installing certificates on the phones and the ACS Server. The phones will be configured to use EAP-TLS. My questions are:

1. Do I have to manually create an ACS account for each phone or can this be automated?

2. Can I configure a single account for all phones?

3. Can Active Directory be used in any way to perform the back-end authorisation?

Many thanks for your help,

Paul

6 REPLIES
Bronze

Re: ACS Accounts for EAP-TLS IP Phones

You may configure the MAB option in the switch. MAC Auth Bypass (MAB) for voice allows third-party IP phones without an 802.1x supplicant to get authenticated using their MAC address.

Community Member

Re: ACS Accounts for EAP-TLS IP Phones

It doesn't look like you have read my question.

I WANT TO USE 802.1x AND CERTIFICATES.

Do you know if I have to manually create accounts on the ACS Server etc. etc.

Please read the questions and reply to them.

Thanks.

Cisco Employee

Re: ACS Accounts for EAP-TLS IP Phones

If you are using ACS4 and below, then you need to manually create an ACS account for each phone. Alternatively, if this "account" already exists somewhere else (like LDAP) then it could be referenced.

Not sure if a single account could be used for all phones, though it's possible. For example, if the cert you put on all your phones has an identical CN. Revoking this at a later date might be challenging though.

If you defined the phone as an actual user in Active Directory, probably no reason that shouldn't work either.

HTH,

Community Member

Re: ACS Accounts for EAP-TLS IP Phones

Thanks for this reply.

Is the process any different in ACS5?

Cisco Employee

Re: ACS Accounts for EAP-TLS IP Phones

ACS5 has a much richer policy model. You could use the cert itself as the identity source, for example and make an authorization decision based on a unique attribute of the cert (on the phone) to differentiate it as a phone if you need to.

HTH,
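As an added example (not code from the original thread, from Cisco, or from ACS itself), here is the policy logic the two Cisco Employee replies above describe, written in Go with only the standard-library x509 package. A throwaway self-signed CA stands in for the poster's certificate server, each phone receives a client-auth certificate, and the authorization check uses the certificate as the identity source: it must chain to the trusted CA and carry a distinguishing attribute (an assumed OU of "IP Phones") before the endpoint is treated as a phone. It also counts certificates that share a CN, to show why the "identical CN for all phones" approach in the earlier reply is hard to revoke piecemeal. Every name below (PhoneIdentity, AuthorizeAsPhone, the OU value, the phone CNs) is an assumption for illustration; the certificates are constructed in the program and are not real deployment data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PhoneIdentity is what a policy engine derives from an EAP-TLS client cert:
// the subject CN (the "account") and the OU used to tell phones from other hosts.
type PhoneIdentity struct {
	CN, OU, Serial string
}

// IdentityFromCert extracts the identity attributes; OU is empty if absent.
func IdentityFromCert(c *x509.Certificate) PhoneIdentity {
	id := PhoneIdentity{CN: c.Subject.CommonName, Serial: c.SerialNumber.Text(16)}
	if len(c.Subject.OrganizationalUnit) > 0 {
		id.OU = c.Subject.OrganizationalUnit[0]
	}
	return id
}

// AuthorizeAsPhone models the ACS5-style rule "the certificate is the identity
// source; authorize as a phone only if it chains to our CA and carries the
// phone OU". phoneOU is an assumed marker chosen for this example.
func AuthorizeAsPhone(ca, leaf *x509.Certificate, phoneOU string) (PhoneIdentity, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// Client certs are not server certs: request the ClientAuth EKU explicitly,
	// otherwise Verify defaults to ServerAuth and rejects every phone.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return PhoneIdentity{}, fmt.Errorf("chain validation failed: %w", err)
	}
	id := IdentityFromCert(leaf)
	if id.OU != phoneOU {
		return PhoneIdentity{}, fmt.Errorf("cert %q is not a phone (OU=%q)", id.CN, id.OU)
	}
	return id, nil
}

// DuplicateCNs counts certificates per CN. A count above 1 is the
// "one account for all phones" pattern: the identity is shared, so any
// per-account action (disabling it, restricting it) hits every phone at once.
func DuplicateCNs(certs ...*x509.Certificate) map[string]int {
	counts := map[string]int{}
	for _, c := range certs {
		counts[c.Subject.CommonName]++
	}
	return counts
}

var serial int64 // monotonic serial numbers for the constructed test PKI

func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

// NewCA builds a throwaway self-signed CA standing in for the certificate server.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(), Subject: pkix.Name{CommonName: "Example Phone CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssuePhoneCert issues a client-auth certificate with the given CN and OU.
func IssuePhoneCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn, ou string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(), Subject: pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	ca, caKey, _ := NewCA()
	phone, _ := IssuePhoneCert(ca, caKey, "phone-001122334455", "IP Phones")
	laptop, _ := IssuePhoneCert(ca, caKey, "laptop-42", "Workstations")
	for _, c := range []*x509.Certificate{phone, laptop} {
		id, err := AuthorizeAsPhone(ca, c, "IP Phones")
		fmt.Println(c.Subject.CommonName, "->", id, err)
	}
	a, _ := IssuePhoneCert(ca, caKey, "nortel-phone", "IP Phones")
	b, _ := IssuePhoneCert(ca, caKey, "nortel-phone", "IP Phones")
	fmt.Println("shared CN counts:", DuplicateCNs(a, b))
}
```

The per-phone CN (here derived from the phone's MAC) is what a per-device account in ACS4 would be keyed on; with ACS5 the same CN and OU are read straight from the presented certificate, so no per-phone account has to be pre-created as long as the CA is trusted and the policy rule selects on the OU. Note that chain validation alone does not say "this is a phone": a workstation certificate from the same CA passes Verify, and only the attribute check separates the two.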

Community Member

Re: ACS Accounts for EAP-TLS IP Phones

Do you have an example of this feature on ACS5 or can you suggest any reference reading?

Thanks,

Paul
