
CPPM & Cisco Call Manager Integration

Hi All,

 

Looking to do wired MAC authentication of Cisco IP phones. Customer has Call Manager with MAC addresses and wants to do a query to validate the MAC address exists. If it does, put it on Voice VLAN; if not, dead end VLAN.

 

Anybody have a working example, or instructions on how to set this up? I am unfamiliar with Call Manager, but customer is familiar.

 

Thanks.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com

Re: CPPM & Cisco Call Manager Integration

Michael,

 

Can you speak to the customer to find out if they can expose the data from a SQL DB?


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass


Re: CPPM & Cisco Call Manager Integration

We are using MAC auth for older Cisco wired phones. We exported the MAC addresses from Call Manager and imported them as Known Endpoints in ClearPass. This list is rather static since we no longer purchase these older models.

For more recent wired phones, we use 802.1X EAP-TLS with the certificate already installed on the phone.

For wireless phones, we use 802.1X MSCHAPv2 with a service account. If you want to use EAP-TLS with these phones, you must install the server certificate on the phone first.

 

Here is Cisco's 802.1X design guide for phones. 

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html

Bruce Osborne - Wireless Engineer
ACCP, ACMP

Re: CPPM & Cisco Call Manager Integration

Great! Thanks for the information! 

 

We did some testing and the customer isn't concerned about authenticating the phones, just if a laptop or desktop PC is plugged into the same jack. 

 

We are using CDP with a voice VLAN configured to identify phones and place them right on that VLAN, we then have 802.1X configured on the same port. After testing, everything seemed to work the way we planned it.

 

Thanks!


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com

Re: CPPM & Cisco Call Manager Integration

For wired phones, we have the switch port set for multi-domain authentication. We just use RADIUS to tell the switch the phone is a voice device and to disable RADIUS reauthentication for the phone.

 

Multi-domain authentication permits only 1 data device & 1 voice device on the port.

Bruce Osborne - Wireless Engineer
ACCP, ACMP