1-23
Cisco Unified IP Phone 7970G/7971G-GE Administration Guide for Cisco Unified Communications Manager 6.1
OL-14626-01
Chapter 1 An Overview of the Cisco Unified IP Phone
Understanding Security Features for Cisco Unified IP Phones
•
Overview, page 1-23
•
Required Network Components, page 1-23
•
Best Practices—Requirements and Recommendations, page 1-24
Overview
Cisco Unified IP phones and Cisco Catalyst switches have traditionally used
Cisco Discovery Protocol (CDP) to identify each other and to determine
parameters such as VLAN allocation and inline power requirements. However,
CDP is not used to identify any locally attached PCs. Therefore, Cisco Unified IP
Phones provide an EAPOL pass-through mechanism, whereby a PC locally
attached to the IP phone may pass through EAPOL messages to the 802.1X
authenticator in the LAN switch. This capability prevents the IP phone from
having to act as the authenticator, yet allows the LAN switch to authenticate a
data end point prior to accessing the network.
In conjunction with the EAPOL pass-through mechanism, Cisco Unified IP
Phones provide a proxy EAPOL-Logoff mechanism. If the locally attached PC is
disconnected from the IP phone, the LAN switch would not see the physical link
fail, because the link between the LAN switch and the IP phone is maintained. To
avoid compromising network integrity, the IP phone sends an EAPOL-Logoff
message to the switch on behalf of the downstream PC, which triggers the LAN
switch to clear the authentication entry for the downstream PC.
The Cisco Unified IP phones contain an 802.1X supplicant in addition to the
EAPOL pass-through mechanism. This supplicant allows network administrators
to control the connectivity of IP phones to the LAN switch ports. The IP phone
802.1X supplicant implements the EAP-MD5 option for 802.1X authentication.
Required Network Components
Support for 802.1X authentication on Cisco Unified IP Phones requires several
components, including:
•
Cisco Unified IP Phone—The phone acts as the 802.1X supplicant, which
initiates the request to access the network.
•
Cisco Secure Access Control Server (ACS) (or other third-party
authentication server)—The authentication server and the phone must both be
configured with a shared secret that is used to authenticate the phone.
Summary of Contents for 7970G - IP Phone VoIP
Page 4: ......