cucm and ip phones

Boris Lytochkin lytboris at yandex-team.ru
Mon Oct 2 16:51:06 CEST 2017


Add
  authentication port-control auto
  authentication violation protect

On 02.10.2017 17:01, Vacheslav wrote:
> Thanks for the reply, but I already figured it out. But I'm stuck with a problem in the switch. I opened a thread at the Cisco forums, but they haven't solved it; perhaps you can help?
> https://supportforums.cisco.com/t5/ip-telephony/802-1x-port-security-violation-with-authentication-host-mode/m-p/3190881/highlight/false#M351340
>
> -----Original Message-----
> From: Boris Lytochkin [mailto:lytboris at yandex-team.ru]
> Sent: Friday, September 29, 2017 9:23 PM
> To: Vacheslav <m_zouhairy at skno.by>; 'FreeRadius users mailing list' <freeradius-users at lists.freeradius.org>
> Subject: Re: cucm and ip phones
>
>> Hi.
>> In this case you need to configure the eap module to authenticate those phones using md5 and supply the password (that is configured on the phone) in the control:Cleartext-Password attribute in the authorize section of radiusd.conf before calling the eap module.
> On 28.09.2017 12:22, Vacheslav wrote:
>> Thanks for the valuable information,
>> and I have 3905, and it turns out they use eap-md5 authentication. From the documentation, I understood that the shared secret is the one configured on the Cisco NAS, but it didn't work. Is it some other secret password, and where is it configured?
>>
>> -----Original Message-----
>> From: Boris Lytochkin [mailto:lytboris at yandex-team.ru]
>> Sent: Monday, September 25, 2017 3:07 PM
>> To: FreeRadius users mailing list
>> <freeradius-users at lists.freeradius.org>; Vacheslav
>> <m_zouhairy at skno.by>
>> Subject: Re: cucm and ip phones
>>
>> Hi.
>>
>>> Cisco IP phones (all modern) have Manufacturer Installed Certificate (MIC) so you can authenticate them using EAP-TLS.
>> You need to import their crcam* cert chains into your FreeRADIUS
>> installation from https://www.cisco.com/security/pki/
>>
>> On 25.09.2017 14:52, Vacheslav wrote:
>>> Peace, I configured my IP phones to use MAB, but I read that with RADIUS it is possible to authenticate capable IP phones with TLS.
>>> I searched the internet on how to do it but found almost nothing.
>>> Should I import the created self-signed certificates from the FreeRADIUS server to the CUCM? Or is it that I have to export the CUCM certificates to the cert directory of the FreeRADIUS server?
>>> Does anyone have experience in configuring CUCM with dot1x?
>>>
>>>
>>>
> --
> Boris Lytochkin
> Yandex NOC
> +7 (495) 739 70 00 ext. 7671
>
>
>

-- 
Boris Lytochkin
Yandex NOC
+7 (495) 739 70 00 ext. 7671
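
An added example, not part of the thread or of FreeRADIUS: the EAP-MD5 check from RFC 3748 section 5.4, showing why the server must be given the password configured on the phone (the value placed in control:Cleartext-Password) and why the RADIUS shared secret of the NAS does not verify. The passwords, identifier and peer name are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4

def build_md5_packet(code, identifier, value, name=b""):
    """Encode an EAP MD5-Challenge request or response (RFC 3748, 5.4)."""
    data = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data

def parse_md5_packet(packet):
    """Return (code, identifier, value, name); reject malformed packets."""
    if len(packet) < 6:
        raise ValueError("short EAP packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5:
        raise ValueError("not a well-formed EAP-MD5 packet")
    vsize = packet[5]
    if 6 + vsize > length:
        raise ValueError("value-size exceeds packet length")
    return code, identifier, packet[6:6 + vsize], packet[6 + vsize:]

def md5_response(identifier, password, challenge):
    """CHAP-style digest: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def server_verify(request, response, cleartext_password):
    """Server-side check; it needs the peer's password in cleartext."""
    _, req_id, challenge, _ = parse_md5_packet(request)
    code, resp_id, digest, _ = parse_md5_packet(response)
    if code != EAP_RESPONSE or resp_id != req_id:
        return False
    expected = md5_response(req_id, cleartext_password, challenge)
    return hmac.compare_digest(digest, expected)

# Constructed sample values (not from the thread).
PHONE_PASSWORD = b"phone-dot1x-password"     # set on the phone
NAS_SHARED_SECRET = b"radius-client-secret"  # set on the switch (NAS)

def demo():
    request = build_md5_packet(EAP_REQUEST, 7, os.urandom(16), b"radius")
    _, ident, challenge, _ = parse_md5_packet(request)
    digest = md5_response(ident, PHONE_PASSWORD, challenge)
    response = build_md5_packet(EAP_RESPONSE, ident, digest, b"CP-3905")
    return (server_verify(request, response, PHONE_PASSWORD),
            server_verify(request, response, NAS_SHARED_SECRET))

if __name__ == "__main__":
    print(demo())
```

EAP-MD5 authenticates only the phone to the server and exposes the challenge and digest to offline guessing, which is the practical reason the thread also mentions EAP-TLS with the phone's MIC.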


