Blog Home
Attend a Webinar

Thank you for subscribing.

Ensure legacy VoIP phones don’t poke security holes in your wired network

Cisco Meraki switches let VoIP phones freely access voice VLANs while requiring authentication from clients connecting behind them.

Locking down wired security often means preventing unauthorized users from plugging devices directly into wall jacks or VoIP phones to gain access to internal resources. To prevent this intrusion, network admins using Cisco Meraki MS switches can apply port access policies that prompt for authentication once traffic is detected on a switch port.

But what if you’re deploying legacy VoIP phones on your network, phones that can’t respond  to authentication requests? Leaving these phones connected through open ports poses a security risk since it’s possible that clients will plug directly into the network through the phone’s Ethernet jack. A typical setup would look like this:

Slide1

Meraki MS switches neatly solve this problem with the ability to allow voice VLAN clients (i.e. VoIP phones) to bypass authentication, while requiring any devices connected through the phone to authenticate.

To enable this feature, navigate to Configure > Access policies in the Meraki dashboard for your switches. This page is where you define authentication server credentials and the type of authentication required for connecting clients (i.e. 802.1x for username credentials or MAC-based RADIUS for authorized client devices).

Screen Shot 2014-11-03 at 2.05.54 PM

The relevant section here is the “Voice VLAN clients” section, where you can decide whether clients connecting to a voice VLAN (typically VoIP phones) can bypass authentication themselves, or whether they will need to authenticate like any other client.

Simply allow legacy VoIP phones to bypass authentication, but know that clients connected to the LAN through the phone will still be prompted for credentials. This prevents a malicious device from gaining unauthorized access to your LAN via a non-authenticating VoIP phone.