
How to deploy shared secret through CUCM to IP-Phones

m.sidorchuk
Level 1

Hi,

I use 802.1x Authentication for IP-Phones, EAP-MD5 method.

Is there an opportunity to deploy a shared secret via CUCM to all IP-Phones?

Manual configuration is not the best way to do it because there are hundreds of IP-Phones in the company.

3 Replies

George Thomas
Level 10

Take a look at this, should be similar for other phones:

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cuipph/8941_8945/9_0/english/admin_guide/P415_BK_C1A45FBB_00_admin-guide-8941-8945/P415_BK_C1A45FBB_00_admin-guide-8941-8945_chapter_0100.html#P415_RF_8DB7CE9E_00

Please rate useful posts.

Thanks for your reply.

But this manual is about changing settings manually on every IP-Phone.

Could CUCM (version: 8.5.1.10000-26) deploy a shared secret to IP-Phones?

No, mostly because the shared secret would be available in the clear from the CUCM TFTP server, making it trivial to defeat the 802.1x authentication. The way this is done at scale is to put CUCM in mixed mode and have CAPF issue the phones X.509 certificates. The phone can then use this for 802.1x authentication. Optionally, you can issue CAPF a subordinate CA certificate from your existing root CA for trust chain continuity. The other way people do this is to use MAC Bypass Authentication, but spoofing a MAC address isn't that hard.

This topic is explained in the Security Guide; however, it should not be undertaken lightly. I strongly suggest you work with someone who has done this before or set up a lab to work through this without touching production first. If you do this wrong, you could cause a serious and prolonged outage!
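An added example, not part of the original thread and not Cisco code: the EAP-MD5 exchange (RFC 3748 type 4, CHAP-style hash from RFC 1994) with both the supplicant and the authenticator side, showing that the check proves only knowledge of the shared secret and nothing about which device holds it. The secret, names and identifier are constructed sample values.

```python
import hashlib, hmac, os, struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4

def build_md5_packet(code, identifier, value, name=b""):
    """EAP packet: Code, Identifier, Length, Type=4, Value-Size, Value, Name."""
    data = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data

def parse_md5_packet(packet):
    """Return (code, identifier, value, name) or raise on a malformed packet."""
    if len(packet) < 6:
        raise ValueError("packet too short for EAP-MD5")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5:
        raise ValueError("not a well-formed EAP-MD5 packet")
    size = packet[5]
    if 6 + size > length:
        raise ValueError("Value-Size exceeds packet length")
    return code, identifier, packet[6:6 + size], packet[6 + size:]

def supplicant_response(challenge_packet, secret, name):
    """Phone side: answer with MD5(Identifier || secret || challenge)."""
    code, identifier, challenge, _ = parse_md5_packet(challenge_packet)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    digest = hashlib.md5(bytes([identifier]) + secret + challenge).digest()
    return build_md5_packet(EAP_RESPONSE, identifier, digest, name)

def authenticator_accepts(challenge_packet, response_packet, secret):
    """Server side: recompute the hash; the secret is the only input checked."""
    _, req_id, challenge, _ = parse_md5_packet(challenge_packet)
    code, resp_id, digest, _ = parse_md5_packet(response_packet)
    expected = hashlib.md5(bytes([req_id]) + secret + challenge).digest()
    return (code == EAP_RESPONSE and resp_id == req_id
            and hmac.compare_digest(digest, expected))

def demo():
    secret = b"constructed-shared-secret"  # constructed sample value
    challenge = build_md5_packet(EAP_REQUEST, 7, os.urandom(16))
    phone = supplicant_response(challenge, secret, b"phone-a")
    other = supplicant_response(challenge, secret, b"other-device")
    wrong = supplicant_response(challenge, b"different-secret", b"phone-a")
    # Both holders of the secret pass; only the wrong secret is rejected.
    return tuple(authenticator_accepts(challenge, r, secret)
                 for r in (phone, other, wrong))

if __name__ == "__main__":
    print(demo())
```

With CAPF-issued certificates, each phone instead proves possession of its own private key, so one exposed configuration file does not yield a credential that every device shares.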
