KB13668 - [PPS/PCS] Integrating Cisco IP phone 7941 or 7911G for 802.1x authentication with the Pulse Policy Secure solution

This article discusses how to configure Cisco IP phone 7941 or 7911G for 802.1x authentication within the Pulse Policy Secure solution. We will focus on using the Infranet Controller System Local database to store user information, and which CISCO VSA VLAN attributes can work when using the phone in multi-domain scenario.

Cannot get a Cisco IP Phone to authenticate properly to the PPS.

Note: This article assumes familiarity with configuring the PPS Network Access section of the Pulse Policy Secure Solution. Review the PPS Administration Guide for more information on how to configure the Network Access section.

Once the user roles are configured, the next items to configuring are your Authentication server, Authentication realm, Sign in policy, Location Group, RADIUS client, and RADIUS Attribute policies.

1. When using the Infranet Controller's system local authentication server, keep in mind how the Infranet Controller stores the users' passwords. In this case the users will be the IP phones. Since these IP phones support only EAP-MD5-Challenge as their EAP protocol, make sure that "Password stored as clear text" option is enabled on the system local database.  Note: this option can only be enabled when a new system local authentication server is created.  You won't be able to enable this option on an existing local authentication server.
   
   
   Fig. 1 - Local authentication server instance

 

• Next, configure the User authentication realm that points to the local database to authenticate your users. For testing purposes, you could add role mapping rules based on usernames only. Then customize it accordingly.

 

• Configure the Sign-In policy. Make sure to assign the User authentication realm to the sign in policy and then assign the Authentication Protocol set to the sign in policy. Some system admins inadvertently miss adding the authentication protocol set, namely, default 802.1x IP phones.

 

• The next step has to do with the PPS Network Access configuration, where you would configure the Infranet Controller to work as a RADIUS server. Configure a Location Group where you would associate it with the sign in policy. Also configure a RADIUS client that will be the authenticator for those IP phones.

 

• Last, configure the RADIUS attribute policies needed.  For the RADIUS Attribute policy, configure the following return list attribute: Cisco-AVPAIR with value device-traffic-class=voice.
  
  
  Fig. 2 - Configuring RADIUS attribute policy with the CISCO VSA Return list attribute.

 

• Select the appropriate role and then click “save”.