MVP
Posts: 371
Registered: ‎05-09-2013

CPPM & Cisco Call Manager Integration

Hi All,

Looking to do wired MAC authentication of Cisco IP phones. Customer has Call Manager with MAC addresses and wants to do a query to validate the MAC address exists. If it does, put it on Voice VLAN; if not, dead end VLAN.

Anybody have a working example, or instructions on how to set this up? I am unfamiliar with Call Manager, but customer is familiar.

Thanks.


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Moderator
Posts: 479
Registered: ‎11-09-2012

Re: CPPM & Cisco Call Manager Integration

Michael,

Can you speak to the customer to find out if they can expose the data from a SQL DB?


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

Contributor II
Posts: 141
Registered: ‎05-12-2010

Re: CPPM & Cisco Call Manager Integration

We are using MAC auth for older Cisco wired phones. We exported the MAC addresses from Call Manager and imported them as Known Endpoints in ClearPass. This list is rather static since we no longer purchase these older models.

For more recent wired phones, we use 802.1X EAP-TLS with the certificate already installed on the phone.

For wireless phones, we use 802.1X MSCHAPv2 with a service account. If you want to use EAP-TLS with these phones, you must install the server certificate on the phone first.

Here is Cisco's 802.1X design guide for phones.

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html

Bruce Osborne - Wireless Engineer
ACCP
MVP
Posts: 371
Registered: ‎05-09-2013

Re: CPPM & Cisco Call Manager Integration

Great! Thanks for the information!

We did some testing and the customer isn't concerned about authenticating the phones, just if a laptop or desktop PC is plugged into the same jack.

We are using CDP with a voice VLAN configured to identify phones and place them right on that VLAN; we then have 802.1X configured on the same port. After testing, everything seemed to work the way we planned it.

Thanks!


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Contributor II
Posts: 141
Registered: ‎05-12-2010

Re: CPPM & Cisco Call Manager Integration

For wired phones, we have the switch port set for multi-domain authentication. We just use RADIUS to tell the switch the phone is a voice device and to disable RADIUS reauthentication for the phone.

Multi-domain authentication permits only 1 data device & 1 voice device on the port.

Bruce Osborne - Wireless Engineer
ACCP
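
A sketch of the multi-domain authentication setup described in the last post, added here as an illustration and not taken from any poster's configuration. It assumes a Cisco IOS access switch using the legacy `authentication` command syntax; the interface name and VLAN IDs are constructed placeholders, and the reauthentication setting is left out because the thread does not say how it was done.

```cisco
! Constructed example: interface name and VLAN IDs are placeholders.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Multi-domain: one device in the data domain, one in the voice domain
 authentication host-mode multi-domain
 authentication port-control auto
 ! Try 802.1X first, then fall back to MAC authentication bypass
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! The RADIUS server's Access-Accept for the phone carries this Cisco AV-pair,
! which places the session in the voice domain:
!   cisco-av-pair = "device-traffic-class=voice"
! Without it, the phone is counted as the port's single data device.
!
! Check which domain each session landed in:
!   show authentication sessions interface GigabitEthernet1/0/10
```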