1-20
Cisco Unified IP Phone Administration Guide for Cisco Unified Communications Manager 7.1
OL-18913-01
Chapter 1 An Overview of the Cisco Unified IP Phone
Understanding Security Features for Cisco Unified IP Phones
• Cisco Catalyst Switch (or other third-party switch)—The switch must support 802.1X, so it can act
as the authenticator and pass the messages between the phone and the authentication server. When
the exchange is completed, the switch then grants or denies the phone access to the network.
Best Practices—Requirements and Recommendations
• Enable 802.1X Authentication—If you want to use the 802.1X standard to authenticate Cisco
Unified IP Phones, be sure that you have properly configured the other components before enabling
it on the phone. See the “802.1X Authentication and Status” section on page 4-40 for more
information.
• Configure PC Port—The 802.1X standard does not take into account the use of VLANs and thus
recommends that only a single device should be authenticated to a specific switch port. However,
some switches (including Cisco Catalyst switches) support multi-domain authentication. The switch
configuration determines whether you can connect a PC to the phone’s PC port.
–
Enabled—If you are using a switch that supports multi-domain authentication, you can enable
the PC port and connect a PC to it. In this case, Cisco Unified IP Phones support proxy
EAPOL-Logoff to monitor the authentication exchanges between the switch and the attached
PC. For more information about IEEE 802.1X support on the Cisco Catalyst switches, refer to
the Cisco Catalyst switch configuration guides at:
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.
html
–
Disabled—If the switch does not support multiple 802.1X-compliant devices on the same port,
you should disable the PC Port when 802.1X authentication is enabled. See the “Security
Configuration Menu” section on page 4-29 for more information. If you do not disable this port
and subsequently attempt to attach a PC to it, the switch will deny network access to both the
phone and the PC.
• Configure Voice VLAN—Because the 802.1X standard does not account for VLANs, you should
configure this setting based on the switch support.
–
Enabled—If you are using a switch that supports multi-domain authentication, you can continue
to use the voice VLAN.
–
Disabled—If the switch does not support multi-domain authentication, disable the Voice VLAN
and consider assigning the port to the native VLAN. See the “Security Configuration Menu”
section on page 4-29 for more information.
• Enter MD5 Shared Secret—If you disable 802.1X authentication or perform a factory reset on the
phone, the previously configured MD5 shared secret is deleted. See the “802.1X Authentication and
Status” section on page 4-40 for more information.
Security Restrictions
A user cannot barge into an encrypted call if the phone that is used to barge is not configured for
encryption. When barge fails in this case, a reorder tone (fast busy tone) plays on the phone on which
the user initiated the barge.
If the initiator phone is configured for encryption, the barge initiator can barge into an authenticated or
nonsecure call from the encrypted phone. After the barge occurs, Cisco Unified Communications
Manager classifies the call as nonsecure.
If the initiator phone is configured for encryption, the barge initiator can barge into an encrypted call,
and the phone indicates that the call is encrypted.
To Next Page
Loading...
Need help?
General
Weight and Dimensions
