Most Cisco IP Phones support 802.1X authentication. They typically use a pre-provisioned Manufacturer Installed Certificate (MIC) or a customer-deployed Locally Significant Certificate (LSC) for authentication. The MIC is preloaded onto each phone during manufacturing, whereas the LSC must be deployed by the customer from their internal CA. Using a MIC only requires mutual trust between ISE and the phone and is easier to implement.
However, the simplest method of authorising an IP Phone onto an 802.1X-enabled network is MAC Authentication Bypass (MAB), which relies solely on the phone's MAC address being permitted on the RADIUS server. MAB is inherently less secure than 802.1X, but simpler to deploy.
This post will cover deploying MAB and 802.1X using a MIC.
ISE Configuration
This section covers the steps to configure Cisco ISE to authenticate and authorise IP Phones.
Certificates
The root certificate that signs the phones' MICs is already installed in the ISE Trusted Certificates store.
- Navigate to Administration > Certificates > Certificates Management > Trusted Certificates
- Ensure the Cisco Manufacturing CA SHA2 certificate is enabled.
Some older Cisco IP Phones may use the Cisco Root CA 2048 certificate, which is disabled by default. Enable it if required.
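The effect of an enabled versus a disabled root on certificate validation, as an added example that is not from the original post. It builds a constructed lab PKI with openssl (the CA and phone names are placeholders, not Cisco's certificates) and validates each phone certificate against the enabled roots only.

```bash
#!/bin/sh
# Constructed lab PKI: two stand-in manufacturing roots, one phone certificate
# issued by each. All names are placeholders, not Cisco's real certificates.
WORK="$(mktemp -d)"

make_root() {   # $1 = file prefix, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Example Lab/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_phone_cert() {   # $1 = phone prefix, $2 = issuing root prefix
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Lab/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 30 \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -out "$WORK/$1.pem" 2>/dev/null
}

# Succeeds only when the phone certificate chains to a root in the bundle,
# which stands in for the enabled entries of the Trusted Certificates store.
mic_trusted() {   # $1 = bundle of enabled roots, $2 = phone certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {   # $1 = bundle, $2 = phone prefix
  if mic_trusted "$1" "$WORK/$2.pem"; then
    echo "$2: certificate chain accepted"
  else
    echo "$2: rejected, issuing root is not enabled"
  fi
}

make_root sha2_root "Constructed Manufacturing CA SHA2"
make_root legacy_root "Constructed Legacy Root CA"
make_phone_cert new_phone sha2_root
make_phone_cert old_phone legacy_root

# Default state described above: only the SHA2 root is enabled.
cp "$WORK/sha2_root.pem" "$WORK/enabled.pem"
report "$WORK/enabled.pem" new_phone
report "$WORK/enabled.pem" old_phone

# After enabling the legacy root, the older phone's certificate validates too.
cat "$WORK/sha2_root.pem" "$WORK/legacy_root.pem" > "$WORK/enabled_both.pem"
report "$WORK/enabled_both.pem" old_phone
```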