I am installing Cisco ISE soon and have a question. Why can't I authenticate Cisco IP phone model 7942 using 802.1x? I see that the phone has this option (it is not enabled). I am told that Cisco IP Phones must be authenticated on ISE by using profiling or MAB. This uses a costly advanced license to accomplish this.
Has anybody had any luck in this area?
Solved! Go to Solution.
Profiling use advanced license but MAB uses base license. Administration > Identity Management > Identities and select Endpoints. Select Create and assign your IP phone’s MAC address to the Identity Group Cisco-IP-Phone:
You are correct. I did not add all the info I should have in my first post. My apologies. I can't use MAB to authenticate IP Phones because we have over 1,200. The initial programming and ongoing maintenance would be huge.
What I am looking for is the ability to authenticate Cisco IP phones using 802.1x authentication. The model we have most of is the Cisco IP Phone 7942.
I have successfully deployed 802.1x for wireless IP phones using MIC. The only real problem I have with this approach is the inability of ISE to authenticate the username from certificate against anything but an external database. As a result I have been forced to use a static endpoint group for the MAC addresses of the allowed phones to meet the organisation's security stance. Just wish EAP-TLS could go against an internal database.
I faced the same issue to bulk add IP phones MAC addresses to ISE.
As, rather, a voice guy I would like to add that the number of IP phones in the deployment is not really a problem.
In fact, if the IP phones have been already added to CUCM, the voice administrator can bulk export IP phone MAC addresses in CSV format. Afterwards, the ISE administrator can import them as identities to ISE in bulk in CSV format. Just some CSV formatting is needed.
The phone on my desk is a 7942G model. We have a variety of Cisco IP phones. Is there a way for me to find out which models have a built-in certificate?
Thank you for the reply,