Cisco 802.1X Authentication 


This section provides information about 802.1X support on the Cisco Unified IP Phones. 


Overview 

Cisco Unified IP Phones and Cisco Catalyst switches traditionally use Cisco Discovery Protocol (CDP) to  identify each other and determine parameters such as VLAN allocation and inline power requirements. CDP  does not identify locally attached workstations. Cisco Unified IP Phones provide an EAPOL pass-through  mechanism. This mechanism allows a workstation attached to the Cisco Unified IP Phone to pass EAPOL  messages to the 802.1X authenticator at the LAN switch. The pass-through mechanism ensures that the IP  phone does not act as the LAN switch to authenticate a data endpoint before accessing the network. 


Cisco Unified IP Phones also provide a proxy EAPOL Logoff mechanism. In the event that the locally attached  PC disconnects from the IP phone, the LAN switch does not see the physical link fail, because the link between  the LAN switch and the IP phone is maintained. To avoid compromising network integrity, the IP phone sends  an EAPOL-Logoff message to the switch on behalf of the downstream PC, which triggers the LAN switch to  clear the authentication entry for the downstream PC. 


Cisco Unified IP Phones also contain an 802.1X supplicant. This supplicant allows network administrators  to control the connectivity of IP phones to the LAN switch ports. The current release of the phone 802.1X  supplicant uses the EAP-FAST, EAP-TLS, and EAP-MD5 options for network authentication. 


Required Network Components 

Support for 802.1X authentication on Cisco Unified IP Phones requires several components, including: 

  • Cisco Unified IP Phone: The phone acts as the 802.1X supplicant, which initiates the request to access the network.
  • Cisco Secure Access Control Server (ACS) (or other third-party authentication server): The authentication  server and the phone must both be configured with a shared secret that authenticates the phone. 
  • Cisco Catalyst Switch (or other third-party switch): The switch must support 802.1X, so it can act as the authenticator and pass the messages between the phone and the authentication server. After the  exchange completes, the switch grants or denies the phone access to the network. 


Best Practices-Requirements and Recommendations 

  • Enable 802.1X AuthenticationIf you want to use the 802.1X standard to authenticate Cisco Unified  IP Phones, be sure that you have properly configured the other components before enabling it on the  phone.
  • Configure PC PortThe 802.1X standard does not take into account the use of VLANs and thus  recommends that only a single device should authenticate to a specific switch port. However, some  switches (including Cisco Catalyst switches) support multi-domain authentication. The switch  configuration determines if you can connect a PC to the phones PC port. 
    • EnabledIf you use a switch that supports multidomain authentication, you can enable the PC  port and connect a PC to it. In this case, Cisco Unified IP Phones support proxy EAPOL-Logoff  to monitor the authentication exchanges between the switch and the attached PC. For more  information about IEEE 802.1X support on the Cisco Catalyst switches, see the Cisco Catalyst  switch configuration guides at:  http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html 
    • DisabledIf the switch does not support multiple 802.1X-compliant devices on the same port,  you should disable the PC Port when 802.1X authentication is enabled. If you do not disable this  port and subsequently attempt to attach a PC to it, the switch will deny network access to both the  phone and the PC. 


  • Configure Voice VLANBecause the 802.1X standard does not account for VLANs, you should  configure this setting based on the switch support. 
    • EnabledIf you use a switch that supports multidomain authentication, you can continue to use  the voice VLAN. 
    • DisabledIf the switch does not support multidomain authentication, disable the Voice VLAN and consider assigning the port to the native VLAN.


  • Enter MD5 Shared SecretIf you disable 802.1X authentication or perform a factory reset on the phone,  the previously configured MD5 shared secret is deleted. 

Related Topics 

Security Configuration Menu

802.1X Authentication and Status