802.1x Authentication for Physical Phones

SilentDogood · ‎2024-01-10

Before I try to reinvent the wheel on our network; Curious if anyone has experience with doing 802.1x authentication for physical phones on their network.

We currently use ClearPass with device profiling, and are looking to implement 802.1x on the physical phones in the environment. Our legacy Cisco phone system utilizes CAPF certificates, which ClearPass keys-in on... However, Zoom does not offer any similar type of method.

Beyond that, the only 'certificate' based option would be to use the device MIC, but that's not particularly secure.

Anyone have a solution here? We would like to avoid doing manual entry of MAC addresses, and make this a seamless Plug-n-Play solution.

Thanks in advance.

Eliot · ‎2024-01-11

hi silentdogood,

many poly phones support 802.1x.

Enable and Configure 802.1X Security (poly.com)

thanks, eliot

SilentDogood · ‎2024-01-11

Hi Eliot -- Thanks for the reply. However this doesn't address the question.
(Yealink's offer the exact same support as listed in the Poly document)

We're looking for suggestions on how to easily "profile" these Yealink phones for Clearpass 802.1x auth. We want this to be plug-n-play, and not have to csv upload mac addresses.

Thanks!

sparrow · ‎2024-01-23

Hello, our security team created a firewall profile based on the first 6 digits of the manufacturers MAC address scheme. Poly has (3-4) I believe. When a Poly phone connects to our network, it see's the devices MAC address that matches the firewall profile/s, MAB's it for network access, then phone provisions with Zoom. In the phone template, we set the dot1x credentials which it does hand to the phone. Phone upgrades in most cases, then reboots, then authenticates dot1x. Pretty simple in terms of process and its worked so far for us over 2 years now.

SilentDogood · ‎2024-01-23

Great reply and possible solution here. I explored this as well, though we have different VLANs setup for different types of devices. For example, a data network for machines, phone network for phones, room network for rooms, etc... Each with their own access policies.

The concern with white listing the first 4 of a MAC address from the same vendor, runs the risk of devices being profiled incorrectly -- and dropped into the wrong VLAN / access policy.

Ideally, Zoom would implement their own certificate authority. Whereby we whitelist a phone onto the network for 5 minutes... Long enough for it to Zero-Touch-Provision up to Zoom. Grab the firmware and certificate (pushed from Zoom) -- then we dot1x authenticate based on that Zoom cert being a "known" and "trusted" certificate. Unfortunately, our reps have indicated that Zoom isn't interested in doing this.

sparrow · ‎2024-01-24

I went to Poly with that same idea and they came back with a common cert that is shipped with all Poly phones, but given our solution is working, I lost interest. We also migrated from Cisco VOIP with the same certificate authentication setup. It work out pretty easily given we have Cisco ISE and are a pure Cisco routing and switching infrastructure.

fnbo_amdin · ‎2024-02-08

sparrow, would you have any interest in sharing you configuration around Cisco ISE. We are attempting to use Poly phones and the manufacture installed certificate. Are phones are failing authentication as ISE is sending a cert back to the phone and it is being denied.

Communication

Productivity

Apps & Integration

Spaces

Employee Engagement