I am going to implement Nortel IP Phones on Cisco 3560 switches configured with 802.1x port control. The switches utilize Cisco ACS to authenticate clients. I have set up a certificate server and will be installing certificates on the phones and the ACS Server. The phones will be configured to use EAP-TLS. My questions are:
1. Do I have to manually create an ACS account for each phone or can this be automated?
2. Can I configure a single account for all phones?
3. Can Active Directory be used in any way to perform the back end authorisation?
If you are using ACS4 and below, then you need to manually create an ACS account for each phone. Alternatively, if this "account" already exists somewhere else (like LDAP) then it could be referenced.
Not sure if a single account could be used for all phones, though it's possible. For example, if the cert you put on all your phones has an identical CN. Revoking this at a later date might be challenging though.
If you defined the phone as an actual user in Active Directory, probably no reason that shouldn't work either.
ACS5 has a much richer policy model. You could use the cert itself as the identity source, for example, and make an authorization decision based on a unique attribute of the cert (on the phone) to differentiate it as a phone if you need to.
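The answer above warns that putting one certificate with an identical CN on every phone makes later revocation awkward. The following shell script is an added example (not from this thread, and not Cisco or Nortel material): it builds a throwaway lab CA with openssl, issues one EAP-TLS client certificate per phone with a unique CN, revokes a single phone's certificate, and checks that only that phone stops validating against the CA plus CRL. The CA name, the phone identifiers and all file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: per-phone EAP-TLS client certificates from a lab CA,
# showing that a unique CN per phone gives per-phone revocation.
set -e
WORK=$(mktemp -d)            # scratch directory; nothing touches the real PKI
cd "$WORK"

# Lab CA (placeholder name, not the poster's certificate server)
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -days 365 -subj "/CN=Lab Phone CA" 2>/dev/null

# Minimal 'openssl ca' database so we can sign, revoke and publish a CRL
mkdir -p newcerts
touch index.txt
echo 01 > serial
echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = lab
[ lab ]
database = ./index.txt
new_certs_dir = ./newcerts
certificate = ./ca.crt
private_key = ./ca.key
serial = ./serial
crlnumber = ./crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = lab_policy
x509_extensions = phone_ext
[ lab_policy ]
commonName = supplied
[ phone_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF

# Issue one client certificate per phone; $1 is the phone's unique identity
# (constructed "phone-<MAC>" labels here). The CN is what an ACS5-style policy
# could match on, and it is also the revocation handle.
issue_phone_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" 2>/dev/null
  openssl ca -batch -config ca.cnf -in "$1.csr" -out "$1.crt" -notext 2>/dev/null
}

issue_phone_cert phone-0011aabbcc01
issue_phone_cert phone-0011aabbcc02

# Revoke only the first phone and publish a fresh CRL
openssl ca -config ca.cnf -revoke phone-0011aabbcc01.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null

# Report whether a phone's certificate still validates (CA chain + CRL check)
phone_status() {
  if openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1.crt" >/dev/null 2>&1; then
    echo valid
  else
    echo revoked
  fi
}

echo "phone-0011aabbcc01: $(phone_status phone-0011aabbcc01)"
echo "phone-0011aabbcc02: $(phone_status phone-0011aabbcc02)"
```

With a single shared certificate there is only one serial number in the CA database, so the same `-revoke` step would take every phone off the network at once; issuing per-device certificates is what keeps that decision granular.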
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...