ISE integration with IP Phone over VPN

mronan
Cisco Employee

Is there any design documentation on how an IP Phone using VPN and connected to Communications Manager will interact (authentication, posture, profile) with ISE?

Accepted Solutions

kthiruve
Cisco Employee

An IP phone is usually configured for 802.1x multidomain or MAC filtering using Macauthbypass. This is specific to a wired connection using 802.1x. Some of the Cisco IP phones also act as supplicants, which facilitates that.

The idea is to provide access to voice independent of the data, and also to provide access from the IP phone to the Voice management software prior to getting authenticated, so that the phone connection does not go down during authentication.

Usually IP phones do not have VPN agents to connect to a VPN server such as ASA. So initiating a VPN connection is a problem here. For access, you need to provide connection from the IP phone to the Voice management software prior to authentication to provide seamless access to IP phones before and after authentication.

Posture needs the AnyConnect posture module, HostScan, that is supported for various OSes, not phones. ISE profiling uses different probes and typically gathers information from inside a corporate network.

Hope it helps.

Thanks

Krishnan


gbekmezi-DD
Level 5

I haven’t tried it, but I expect you should be able to do authorization with ISE just fine, which would allow you to push an appropriate policy for the phones.

George