Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM & Cisco Call Manager Integration

  • 1.  CPPM & Cisco Call Manager Integration

    MVP
    Posted Aug 31, 2015 01:37 PM

    Hi All,

     

    Looking to do wired MAC authentication of Cisco IP phones. Customer has Call Manager with MAC addresses and wants to do a query to validate that the MAC address exists. If it does, put it on the Voice VLAN; if not, a dead-end VLAN.

     

    Does anybody have a working example, or instructions on how to set this up? I am unfamiliar with Call Manager, but the customer is familiar.

     

    Thanks.



  • 2.  RE: CPPM & Cisco Call Manager Integration

    Posted Aug 31, 2015 04:16 PM

    Michael,

     

    Can you speak to the customer to find out if they can expose the data from a SQL DB?



  • 3.  RE: CPPM & Cisco Call Manager Integration
    Best Answer

    MVP
    Posted Sep 02, 2015 05:18 AM

    We are using MAC auth for older Cisco wired phones. We exported the MAC addresses from Call Manager and imported them as Known Endpoints in ClearPass. This list is rather static since we no longer purchase these older models.

    For more recent wired phones, we use 802.1X EAP-TLS with the certificate already installed on the phone.

    For wireless phones, we use 802.1X MSCHAPv2 with a service account. If you want to use EAP-TLS with these phones, you must install the server certificate on the phone first.

     

    Here is Cisco's 802.1X design guide for phones. 

    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html



  • 4.  RE: CPPM & Cisco Call Manager Integration

    MVP
    Posted Sep 02, 2015 07:24 AM

    Great! Thanks for the information! 

     

    We did some testing and the customer isn't concerned about authenticating the phones, just if a laptop or desktop PC is plugged into the same jack. 

     

    We are using CDP with a voice VLAN configured to identify phones and place them right on that VLAN, we then have 802.1X configured on the same port. After testing, everything seemed to work the way we planned it.

     

    Thanks!



  • 5.  RE: CPPM & Cisco Call Manager Integration

    MVP
    Posted Sep 02, 2015 07:28 AM

    For wired phones, we have the switch port set for multi-domain authentication. We just use RADIUS to tell the switch the phone is a voice device and to disable RADIUS reauthentication for the phone.

     

    Multi-domain authentication permits only 1 data device & 1 voice device on the port.
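
The decision the thread describes (MAC exported from Call Manager is known: voice domain; unknown: dead-end VLAN), as an added example that is not from any poster and is not ClearPass or Call Manager code. It assumes the export is one device name per line with phones named `SEP` plus the MAC; the VLAN ID and the sample rows are constructed.

```python
import re

# Constructed sample of a Call Manager device export (assumed layout: one
# device name per line; Cisco phones are named "SEP" + 12 hex digits).
CUCM_EXPORT = """\
SEP001B2C3D4E5F
SEP00AABBCCDDEE
sep001b2c3d4e5f
ConferenceBridge01
SEP00112233
"""

VOICE_DOMAIN = "device-traffic-class=voice"  # Cisco-AVPair marking a voice device
DEAD_END_VLAN = "999"                        # hypothetical dead-end VLAN ID


def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC."""
    digits = re.sub(r"[-:.\s]", "", value.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def load_known_phones(export_text):
    """Build the known-endpoint set from SEP<MAC> names, skipping bad rows."""
    known = set()
    for line in export_text.splitlines():
        name = line.strip()
        if name.upper().startswith("SEP"):
            mac = normalize_mac(name[3:])
            if mac:  # truncated or non-hex names are dropped, not guessed
                known.add(mac)
    return known


def radius_reply(calling_station_id, known_phones):
    """Reply attributes for a MAC-auth request; unknown or malformed
    addresses fall through to the dead-end VLAN (fail closed)."""
    mac = normalize_mac(calling_station_id)
    if mac is not None and mac in known_phones:
        return {"Cisco-AVPair": VOICE_DOMAIN}
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": DEAD_END_VLAN,
    }


KNOWN_PHONES = load_known_phones(CUCM_EXPORT)
```

Normalizing both the export and the switch's Calling-Station-Id to one form matters because switches send the MAC in different delimiter and case styles, and a mismatch would silently push valid phones to the dead-end VLAN.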