Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

How to deploy shared secret through CUCM to IP-Phones


I use 802.1x Authentication for IP-Phones, EAP-MD5 method.

If there is an opportunity to deploy shared secret via CUCM to all IP-Phones?

Manually configuration is not the best way to do it because there are hundreds IP-Phones in the company

Everyone's tags (1)

Take a look at this, should

Take a look at this, should be similar for other phones:

Please rate useful posts.
New Member

Thanks for your reply.But

Thanks for your reply.

But this manual is about changing settings manually on every IP-Phone

Could CUCM (version: deploy shared secret to IP-Phones?

VIP Super Bronze

No, mostly because the shared

No, mostly because the shared secret would be available in the clear from the CUCM TFTP server making it trivial to defeat the 802.1x authentication. The way this is done at scale is to put CUCM in mixed mode and have CAPF issue the phones X.509 certificates. The phone can then use this for 802.1x authentication. Optionally, you can issue CAPF a subordinate CA certificate from your existing root CA for trust chain continuity. The other way people do this is to use MAC Bypass Authentication but spoofing a MAC address isn't that hard.

This topic is explained in the Security Guide; however, it should not be undertaken lightly. I strongly suggest you work with someone who has done this before or setup a lab to work through this without touching production first. If you do this wrong, you could cause a serious and prolonged outage!

CreatePlease login to create content