Overview
Cisco Desktop Collaboration Experience devices and Cisco Catalyst switches traditionally use Cisco Discovery
Protocol (CDP) to identify each other and determine parameters such as VLAN allocation and inline power
requirements. CDP does not identify locally attached workstations. Cisco Desktop Collaboration Experience
devices provide an EAPOL pass-through mechanism. This mechanism allows a workstation attached to the
Cisco Desktop Collaboration Experience to pass EAPOL messages to the 802.1X authenticator at the LAN
switch. The pass-through mechanism ensures that the Cisco Desktop Collaboration Experience device does
not act as the LAN switch to authenticate a data endpoint before accessing the network.
Cisco Desktop Collaboration Experience devices also provide a proxy EAPOL Logoff mechanism. In the
event that the locally attached PC disconnects from the IP phone, the LAN switch does not see the physical
link fail, because the link between the LAN switch and the IP phone is maintained. To avoid compromising
network integrity, the device sends an EAPOL-Logoff message to the switch on behalf of the downstream
PC, which triggers the LAN switch to clear the authentication entry for the downstream PC.
Cisco Desktop Collaboration Experience devices also contain an 802.1X supplicant. This supplicant allows
network administrators to control the connectivity of IP phones to the LAN switch ports. The current release
of the phone 802.1X supplicant uses the EAP-FAST and EAP-TLS options for network authentication.
Required Network Components
Support for 802.1X authentication on Cisco Desktop Collaboration Experience devices requires several
components, including:
• Cisco Desktop Collaboration Experience device: The phone acts as the 802.1X supplicant, which initiates the request to access the network.
• Cisco Secure Access Control Server (ACS) (or other third-party authentication server): The authentication server and the phone must both be configured with a shared secret that authenticates the phone.
• Cisco Catalyst Switch (or other third-party switch): The switch must support 802.1X, so it can act as the authenticator and pass the messages between the phone and the authentication server. After the exchange completes, the switch grants or denies the phone access to the network.
Best Practices
The following list describes requirements and recommendations for 802.1X configuration.
• Enable 802.1X Authentication: If you want to use the 802.1X standard to authenticate Cisco Desktop Collaboration Experience DX600 Series phones, be sure that you properly configure the other components before you enable it on the phone.
• Configure PC Port: The 802.1X standard does not take into account the use of VLANs and thus recommends that only a single device should be authenticated to a specific switch port. However, some switches (including Cisco Catalyst switches) support multidomain authentication. The switch configuration determines whether you can connect a PC to the PC port of the phone.
  ◦ Enabled: If you are using a switch that supports multidomain authentication, you can enable the PC port and connect a PC to it. In this case, Cisco Desktop Collaboration Experience DX600 Series phones support proxy EAPOL-Logoff to monitor the authentication exchanges between the switch and the attached PC. For more information about IEEE 802.1X support on the Cisco Catalyst switches, see the Cisco Catalyst switch configuration guides at:
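The EAPOL pass-through, proxy EAPOL-Logoff and multidomain authentication behaviour described in the Overview and in the Configure PC Port item above, worked through as an added example; this is not code from this guide or from Cisco's software. It parses raw EAPOL frames (IEEE 802.1X header after the Ethernet header) and replays them through a small model of one switch port in multi-domain host mode. The `MultiDomainPort` class, the `voice_macs` set (standing in for the switch's CDP-based knowledge of which device is the phone), the `accepted_identities` set (standing in for the authentication server's decision), and all MAC addresses and identity strings are constructed assumptions for the illustration.

```python
"""Added example (not from the Cisco guide): EAPOL frame parser plus a model of
an 802.1X authenticator port in multi-domain host mode, used to replay the
phone/PC sequence.  All MACs, identities and frames are constructed sample data."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group MAC address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-ASF-Alert"}
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


@dataclass
class EapolFrame:
    src: bytes
    type_name: str
    identity: Optional[str] = None   # set only for an EAP-Response/Identity


def parse_eapol(frame: bytes) -> EapolFrame:
    """Parse Ethernet II + EAPOL header; raise ValueError on anything malformed."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL packet type {ptype}")
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL length field exceeds the payload")
    identity = None
    if ptype == 0:                      # EAP-Packet: code, id, length, [type, data...]
        if length < 4:
            raise ValueError("EAP packet shorter than its 4-byte header")
        code, _eap_id, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len > length:
            raise ValueError("EAP length exceeds EAPOL body")
        if code == EAP_RESPONSE and eap_len >= 5 and body[4] == EAP_TYPE_IDENTITY:
            identity = body[5:eap_len].decode("ascii", errors="replace")
    return EapolFrame(src, EAPOL_TYPES[ptype], identity)


def build_eapol(src: bytes, ptype: int, body: bytes = b"") -> bytes:
    """Construct a sample EAPOL frame (protocol version 2) for the replay below."""
    return PAE_GROUP_ADDR + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 2, ptype, len(body)) + body


def build_identity_response(src: bytes, identity: str, eap_id: int = 1) -> bytes:
    """Construct an EAP-Response/Identity carried in an EAPOL EAP-Packet."""
    data = identity.encode("ascii")
    eap = struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data
    return build_eapol(src, 0, eap)


@dataclass
class MultiDomainPort:
    """Hypothetical model of one switch port in multi-domain host mode: at most
    one authorized session in the voice domain and one in the data domain."""
    voice_macs: Set[bytes]            # stands in for CDP-based phone detection
    accepted_identities: Set[str]     # stands in for the authentication server
    sessions: Dict[bytes, str] = field(default_factory=dict)   # mac -> domain
    log: List[str] = field(default_factory=list)

    def _domain(self, mac: bytes) -> str:
        return "voice" if mac in self.voice_macs else "data"

    def handle(self, frame: bytes) -> None:
        f = parse_eapol(frame)
        mac, domain = f.src.hex(":"), self._domain(f.src)
        if f.type_name == "EAPOL-Start":
            self.log.append(f"{mac}: EAPOL-Start in {domain} domain, sending EAP-Request/Identity")
        elif f.type_name == "EAP-Packet" and f.identity is not None:
            if any(d == domain and m != f.src for m, d in self.sessions.items()):
                self.log.append(f"{mac}: second supplicant in {domain} domain, security violation")
            elif f.identity in self.accepted_identities:
                self.sessions[f.src] = domain
                self.log.append(f"{mac}: identity {f.identity!r} authorized in {domain} domain")
            else:
                self.log.append(f"{mac}: identity {f.identity!r} rejected")
        elif f.type_name == "EAPOL-Logoff":
            if self.sessions.pop(f.src, None):
                self.log.append(f"{mac}: EAPOL-Logoff, {domain} domain session cleared")
            else:
                self.log.append(f"{mac}: EAPOL-Logoff with no session (ignored)")
        else:
            self.log.append(f"{mac}: {f.type_name} ignored by this model")

    def authorized(self, domain: str) -> List[str]:
        return sorted(m.hex(":") for m, d in self.sessions.items() if d == domain)


def replay_phone_and_pc() -> MultiDomainPort:
    """Phone authenticates in the voice domain, the PC authenticates through the
    phone's EAPOL pass-through, then the phone proxies the PC's EAPOL-Logoff."""
    phone, pc = bytes.fromhex("0200aa000001"), bytes.fromhex("0200bb000002")  # constructed
    port = MultiDomainPort({phone}, {"phone-dx650", "pc-user"})
    for frame in (
        build_eapol(phone, 1), build_identity_response(phone, "phone-dx650"),
        build_eapol(pc, 1),    build_identity_response(pc, "pc-user"),
        # PC unplugged from the phone: the switch link stays up, so the phone sends
        # the Logoff with the PC's source MAC and the data-domain session is removed.
        build_eapol(pc, 2),
    ):
        port.handle(frame)
    return port


if __name__ == "__main__":
    for line in replay_phone_and_pc().log:
        print(line)
```

Running the block prints the port's event log for the five-frame sequence; the last line shows the data-domain entry being cleared by the proxied Logoff while the phone's voice-domain session stays authorized. The model also flags a second supplicant appearing in an already-occupied domain, which is the condition multi-domain mode exists to police.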
Cisco Desktop Collaboration Experience DX650 Administration Guide, Release 10.1(1)
25
Security Features