
Integration with IP Phones

Copyright © 2010 Sophos Limited. All
rights reserved. No part of this publication
may be reproduced, stored in a retrieval
system, or transmitted, in any form or
by any means electronic, mechanical,
photocopying, recording or otherwise
unless you are either a valid licensee
where the documentation can be
reproduced in accordance with the licence
terms or you otherwise have the prior
permission in writing of the copyright
owner.
Sophos and Sophos Anti-Virus are
registered trademarks of Sophos Limited.
All other product and company names
are trademarks or registered trademarks
of their respective owners.
Document version 3.2
Published December 2010

Table of Contents
Sophos NAC Advanced Integration with IP Phones
Configuring the Network to Support IP Phones and Sophos NAC Advanced
Configuring Sophos NAC Advanced to Support IP Phones
Operating the Endpoints and IP Phones

Sophos NAC Advanced Integration with IP Phones
This document provides information on integrating Sophos NAC Advanced with a network where endpoints are
connected through switches embedded in IP phones. The IP phone models used for this test are the Cisco 7912 and
7940.
The key to the integration is to set up separate VLANs and use 802.1x authentication with RADIUS to grant access to the
separate VLANs based on compliance. While Cisco equipment was used for the purposes of this testing, other
equipment that supports 802.1x and RADIUS authentication is also supported with Sophos NAC Advanced.
The following diagram displays a simplified view of the configuration that is used:
(Diagram not reproduced in this extract: simplified view of the configuration.)
Important: This configuration ensures that the IP phones will work regardless of which VLAN the endpoint has
access to or whether the endpoint is turned off. More importantly, all voice traffic is shuttled to VLAN 100, which is
not used by Sophos NAC Advanced.
Configuring the Network to Support IP Phones and Sophos NAC Advanced
This configuration requires running Cisco Call Manager (v3.0 or above) on the 2811 router. Call Manager supports
configuration and administration of the IP phones that are connected to the network.
Three VLANs must be created: one dedicated to voice, one for Sophos permitted access, and one for Sophos
denied access. This test uses the following VLANs:
VLAN       Purpose
VLAN 100   Voice
VLAN 102   Permit access
VLAN 103   Deny access
The ports on the switch must be configured to carry traffic from a voice VLAN. To do this, type the following
command for each port while in privileged EXEC mode:
switchport voice vlan <vlan-id>
The specified VLAN then supports all voice traffic from the IP phone, while data traffic is carried on one of the other
two VLANs. This configuration ensures that voice traffic on the IP phone is always available, even if Sophos NAC
Advanced determines that the endpoint is not compliant with the defined security policy.
Configuring Sophos NAC Advanced to Support IP Phones
The Sophos Compliance Application Server must have a RADIUS compliance setting to support the other two
VLANs (102 and 103 in this case). For more information on configuring dynamic VLANs for 802.1x authentication,
see the 802.1x Dynamic VLAN Assignment document located on the Sophos web site:
http://www.sophos.com/sophos/docs/eng/manuals/nacadv8021x_32_tgeng.pdf
Using the Sophos Compliance Manager, create a new RADIUS setting with the IP address pointing to the switch.
For this test, the Cisco 2950 switch is used. The following Tunnel-Private-Group-ID attribute will send data traffic
from the endpoint to VLAN 102 when Sophos NAC Advanced permits access.
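The attribute value itself is not reproduced in this extract. As an added illustration (not Sophos's or Cisco's code), the following Python encodes and decodes the three RFC 2868 tunnel attributes that a RADIUS server returns in an Access-Accept to place an 802.1x port in a VLAN, using this page's VLAN numbers (102 permit, 103 deny) and rejecting any attempt to hand out the voice VLAN 100; the tag handling and the compliance-to-VLAN mapping are assumptions of this example, not Sophos configuration.

```python
"""Added example: RFC 2868 / RFC 3580 VLAN assignment attributes for 802.1x.
VLAN numbers follow this page's test setup: 102 permit, 103 deny, 100 voice."""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 type codes
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6                              # RFC 3580 values
VOICE_VLAN, PERMIT_VLAN, DENY_VLAN = 100, 102, 103                     # this page's VLANs


def vlan_for_compliance(compliant: bool) -> int:
    """Assumed mapping: NAC verdict -> data VLAN the switch should assign."""
    return PERMIT_VLAN if compliant else DENY_VLAN


def _avp(attr_type: int, value: bytes) -> bytes:
    # RADIUS attribute: Type (1 byte), Length (1 byte, header included), Value
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """The three attributes a switch needs; the RFC 2868 tag byte groups them."""
    if not 1 <= vlan_id <= 4094 or vlan_id == VOICE_VLAN:
        raise ValueError("data VLAN must be 1..4094 and must not be the voice VLAN")
    return (_avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))


def _strip_tag(value: bytes) -> bytes:
    # RFC 2868: a leading byte <= 0x1F is a tag; a larger first byte is data
    return value[1:] if value and value[0] <= 0x1F else value


def parse_vlan_assignment(attrs: bytes):
    """Walk the attribute list as a switch would. Returns the VLAN id, or None
    when the trio is missing, malformed or not an IEEE 802 VLAN. Tags are
    stripped but not matched across the three attributes (a simplification)."""
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 3 or i + attrs[i + 1] > len(attrs):
            return None                      # truncated packet or bad Length field
        attr_type, length = attrs[i], attrs[i + 1]
        found[attr_type] = _strip_tag(attrs[i + 2:i + length])
        i += length
    try:
        if (int.from_bytes(found[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN
                or int.from_bytes(found[TUNNEL_MEDIUM_TYPE], "big") != MEDIUM_IEEE_802):
            return None
        vlan = int(found[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
    except (KeyError, ValueError, UnicodeDecodeError):
        return None
    return vlan if 1 <= vlan <= 4094 else None
```

Because the voice VLAN is configured statically on the port with `switchport voice vlan`, a RADIUS reply that names VLAN 100 as the data VLAN is a misconfiguration, which is why the builder refuses it.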