1-16
Cisco Unified IP Phone 6901 and 6911 Administration Guide for Cisco Unified Communications Manager 8.6 (SCCP and SIP)
OL-24582-01
Chapter 1 An Overview of the Cisco Unified IP Phone
Understanding Security Features for Cisco Unified IP Phones
Supporting 802.1X Authentication on Cisco Unified IP Phones
These sections provide information about 802.1X support on the Cisco Unified IP Phones:
•
Overview, page 1-16
•
Required Network Components, page 1-17
•
Best Practices—Requirements and Recommendations, page 1-17
Overview
Cisco Unified IP Phones and Cisco Catalyst switches have traditionally used Cisco Discovery Protocol
(CDP) to identify each other and determine parameters such as VLAN allocation and inline power
requirements. However, CDP is not used to identify any locally attached PCs; therefore, Cisco Unified
IP Phones provide an EAPOL pass-through mechanism, where a PC locally attached to the IP Phone,
may pass through EAPOL messages to the 802.1X authenticator in the LAN switch. This prevents the
IP Phone from having to act as the authenticator, yet allows the LAN switch to authenticate a data end
point prior to accessing the network.
In conjunction with the EAPOL pass-through mechanism, Cisco Unified IP Phones provide a proxy
EAPOL-Logoff mechanism. In the event that the locally attached PC disconnects from the IP Phone, the
LAN switch does not see the physical link fail, because the link between the LAN switch and the IP
Phone is maintained. To avoid compromising network integrity, the IP Phone sends an EAPOL-Logoff
message to the switch, on behalf of the downstream PC, which triggers the LAN switch to clear the
authentication entry for the downstream PC.
The Cisco Unified IP Phones also contain an 802.1X supplicant, in addition to the EAPOL pass-through
mechanism. This supplicant allows network administrators to control the connectivity of IP Phones to
the LAN switch ports. The current release of the phone 802.1X supplicant uses the EAP-FAST and
EAP-TLS options for network authentication.
Table 1-7
Security Restrictions with Conference Calls
Initiator’s Phone
Security Level
Feature Used
Security Level of Participants
Results of Action
Nonsecure
Conference
Encrypted or authenticated
Nonsecure conference bridge
Nonsecure conference
Secure (encrypted
or authenticated)
Conference
At least one member is
nonsecure
Nonsecure conference
Secure (encrypted) Conference
All participants are encrypted
Secure encrypted level conference
Secure
(authenticated)
Conference
All participants are encrypted or
authenticated
Secure authenticated level conference
Nonsecure
cBarge
All participants are encrypted
Conference changes to nonsecure
Nonsecure
Meet Me
Minimum security level is
encrypted
Initiator receives message “Does not meet Security
Level”, call rejected.
Secure (encrypted) Meet Me
Minimum security level is
authenticated
Conference accepts encrypted and authenticated
calls
Secure (encrypted) Meet Me
Minimum security level is
nonsecure
Only secure conference bridge available and used
Conference accepts all calls