Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Cisco ISE authenticating Ip Phone 7942

Hello,

I am installing Cisco ISE soon and have a question. Why can't I authenticate Cisco IP phone model 7942 using 802.1x? I see that the phone has this option (it is not enabled). I am told that Cisco IP Phones must be authenticated on ISE by using profiling or MAB. This uses a costly advanced license to accomplish this.

Has anybody had any luck in this area?

Thank you,

Bob

 

2 ACCEPTED SOLUTIONS

Accepted Solutions

Hi, Is your model 7942g? In

Hi,

 

Is your model 7942g? In that case those phones sould have a built in certificate from Cisco (Manufacturer Installed Certificate) that can be used for EAP-TLS. The common name begin ether with SEP och CP.

 

Regards,

Philip

Check Tabe 2 here: http://www

10 REPLIES
Cisco Employee

Profiling use advanced

Profiling use advanced license but MAB uses base license. Administration > Identity Management > Identities and select Endpoints. Select Create and assign your IP phone’s MAC address to the Identity Group Cisco-IP-Phone:

New Member

You are correct. I did not

You are correct. I did not add all the info I should have in my first post. My apologies. I can't use MAB to authenticate IP Phones because we have over 1,200. The initial programming and ongoing maintenance would be huge.

What I am looking for is the ability to authenticate Cisco IP phones using 802.1x authentication. The model we have most of is the Cisco IP Phone 7942.

Thank you.

New Member

I have successfully deployed

I have successfully deployed 802.1x for wireless IP phones using MIC. The only real problem I have with this approach is the inability of ISE to authenticate the username from certificate against anything but an external database. As a result I have been forced to use a static endpoint group for the MAC addresses of the allowed phones to meet the organisation's security stance. Just wish EAP-TLS could go against an internal database.

New Member

thank you to everyone for

thank you to everyone for helping out on this post! Wonderful!

Re: You are correct. I did not

I faced the same issue to bulk add IP phones MAC addresses to ISE.

As, rather, a voice guy I would like to add that the number of IP phones in the deployment is not really a problem.

In fact, if the IP phones have been already added to CUCM, the voice administrator can bulk export IP phone MAC addresses in CSV format. Afterwards, the ISE administrator can import them as identities to ISE in bulk in CSV format. Just some CSV formatting is needed.

Hi, Is your model 7942g? In

Hi,

 

Is your model 7942g? In that case those phones sould have a built in certificate from Cisco (Manufacturer Installed Certificate) that can be used for EAP-TLS. The common name begin ether with SEP och CP.

 

Regards,

Philip

New Member

Hello Philip,The phone on my

Hello Philip,

The phone on my desk is a 7942G model. We have a variety of Cisco IP phones. Is there a way for me to find out which models have a built-in certificate?

Thank you for the reply,

Bob

Check Tabe 2 here: http://www

New Member

Hello Philip,Thank you for

Hello Philip,

Thank you for the link. It is very useful.

Bob

New Member

Philip,Thank you for your

Philip,

Thank you for your help. I have what I need to know.

Bob

2035
Views
10
Helpful
10
Replies
CreatePlease to create content