
VoIP VLANs & NAC

news2010a
Level 3

Let's say VoIP network is going to be deployed in my organization.

Given this is a FIPS-140-2 environment, we will have a separate MPLS network from data only dedicated for VoIP traffic.

If we also have NAC deployed, what is the best practice for NAC handling VoIP VLANs and IP phones?

From reading the documentation, I see that people exclude the VoIP VLAN from NAC. Is this right?

Question:

If it is true that people should exclude VoIP VLAN traffic from getting to the NAC system, what happens if someone uses a machine that fakes an IP phone, but in reality it is a malicious PC in the network? How is NAC going to protect against that?


Eduardo Aliaga
Level 4

IP Phones are excluded because NAC can't authenticate them. NAC uses "NAC agents" to authenticate and there are no "NAC agents" for IP phones.

I would recommend using ISE instead of NAC appliances. Cisco ISE uses 802.1x and the newer families of Cisco IP Phones do support 802.1x authentication.

Please rate if it helps.
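
An added example, not part of the thread or of either poster's reply: a small audit that reads a switch configuration and reports which voice-VLAN ports have no port authentication, which is the gap the question describes. It assumes classic Cisco IOS interface syntax; the sample configuration, interface names and VLAN IDs are constructed.

```python
import re

# Constructed sample running-config; interface names and VLAN IDs are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport voice vlan 110
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport voice vlan 110
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
 switchport voice vlan 110
 authentication port-control auto
 mab
!
interface GigabitEthernet1/0/4
 switchport access vlan 20
!
"""

def parse_interfaces(config):
    """Return {interface name: [stripped sub-command lines]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces

def audit_voice_ports(config):
    """Classify every port that carries a voice VLAN by its authentication."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if not any(re.fullmatch(r"switchport voice vlan \d+", c) for c in cmds):
            continue  # port has no voice VLAN, out of scope for this audit
        if "authentication port-control auto" not in cmds:
            findings[name] = "unauthenticated"  # voice VLAN open to any device
        elif "dot1x pae authenticator" in cmds:
            findings[name] = "802.1X"  # credential-based authentication enabled
        else:
            findings[name] = "MAB only" if "mab" in cmds else "no method"
    return findings
```

Ports reported as `unauthenticated` or `MAB only` are the ones to review when moving phones to 802.1X.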