Cisco Systems 7920 IP Phone User Manual
Technical Assistance Center (TAC) (if problems arise) is limited for this situation.
Security for the Cisco 7920 and WLAN Networks
The Cisco 7920 is supported within the Cisco Wireless Security Suite architecture.
That architecture is discussed in detail in the Cisco Wireless LAN Security Solution documents.
The architecture fits into the overall Cisco SAFE security architecture. For more information, refer to Cisco
SAFE: Wireless LAN Security in Depth.
Note: The Cisco 7920 does not support Cisco Temporal Key Integrity Protocol (TKIP) or Cisco Message
Integrity Check (MIC) in the initial software release. Future versions of the Cisco 7920 software will add
support for TKIP and MIC as well as Wi−Fi Protected Access (WPA).
The Cisco 7920 supports both static Wired Equivalent Privacy (WEP) and 802.1X/Extensible
Authentication Protocol (EAP) with Cisco Lightweight Extensible Authentication Protocol (LEAP) for
authentication and data encryption. With either model, both the signaling (Skinny Client Control Protocol
(SCCP)) and the media (RTP) are encrypted on the wireless hop between the Cisco 7920 and the AP; beyond the
AP the traffic is carried in the clear unless it is protected by other means.
Static WEP requires that a 40-bit or 128-bit key be entered manually on every Cisco 7920 and on every AP.
Authentication is performed by the AP and consists only of the device (such as the Cisco 7920) holding a
matching key: there is no per-user identity, and the key changes only when it is re-entered on every device.
LEAP allows the Cisco 7920 and the AP to authenticate each other (Cisco 7920 > AP, AP > Cisco 7920) based
on a username and password. Upon successful authentication, a dynamic per-session key is derived and used
between the Cisco 7920 and the AP to encrypt traffic.
If LEAP is used, a LEAP-compliant RADIUS server, such as Cisco Secure ACS for Windows, is required to
provide access to the user database. The ACS server can either store the username and password database
locally or obtain that information from an external Microsoft Windows directory.
Note: While it is a valid configuration option, using an external (off-ACS) database to store the username and
password credentials for Cisco 7920 phones is not recommended. Because the ACS server must query that
database every time a Cisco 7920 roams between APs, the unpredictable lookup delay can cause excessive
delay and poor voice quality.
The placement of the ACS server should be considered when deploying LEAP, because LEAP authentication
is required every time a Cisco 7920 roams between APs, and RTP traffic (voice) does not flow until the LEAP
authentication has completed. Reducing the delay (such as router hops and WAN links) between the APs and
the ACS significantly improves overall voice quality when Cisco 7920 users are roaming.
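The delay that matters in the paragraph above is the AP-to-ACS round trip, and it is worth measuring from the APs' subnet before choosing an ACS location. The following is an added example, not part of the Cisco design guide: it hand-builds an RFC 2865 Access-Request (User-Name, hidden User-Password, NAS-IP-Address), sends it over UDP/1812, times the reply and validates the Response Authenticator so an unreachable, mis-keyed or spoofed server is not mistaken for a working one. The server address, NAS address, shared secret and credentials in the main block are placeholders. LEAP itself is carried inside EAP-Message attributes and is not implemented here; only the network delay the guide warns about is exercised.

```python
"""Added example: time one RADIUS Access-Request/response exchange (RFC 2865)."""
import hashlib
import hmac
import os
import socket
import struct
import time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-octet multiple, then XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    pad = (-len(password)) % 16 if password else 16
    padded = password + b"\x00" * pad
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (the server side); strips the NUL padding."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, username: str,
                         password: str, nas_ip: str) -> bytes:
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes."""
    authenticator = os.urandom(16)  # must be unpredictable per request
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_USER_PASSWORD,
                           hide_password(password.encode(), secret, authenticator))
             + encode_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes):
    """Return the response Code if its Response Authenticator verifies, else None."""
    if len(response) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if length < 20 or length > len(response):
        return None
    expected = hashlib.md5(response[:4] + request_authenticator
                           + response[20:length] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


def time_radius(server: str, secret: bytes, username: str, password: str,
                nas_ip: str, timeout: float = 2.0):
    """Send one Access-Request; return (rtt_ms, code). code is None on timeout,
    on an Identifier mismatch, or when the reply fails authenticator validation."""
    request = build_access_request(1, secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(request, (server, 1812))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None, None
        rtt_ms = (time.perf_counter() - start) * 1000.0
    if reply[1:2] != request[1:2]:
        return rtt_ms, None
    return rtt_ms, verify_response(reply, request[4:20], secret)


if __name__ == "__main__":
    # Placeholder ACS address, AP (NAS) address, secret and credentials; substitute your own.
    rtt, code = time_radius("192.0.2.10", b"shared-secret", "phone1", "phone1pass", "192.0.2.20")
    print("no valid reply" if code is None else f"{rtt:.1f} ms, code {code}")
```

Run it from a host on the same subnet as the APs, once per candidate ACS location, and compare the round-trip times; a reply that fails validation (code None) means a wrong shared secret or a server that is not the one you think it is, which is as much of a roaming problem as a slow link.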
The three options for deploying the ACS functionality are as follows:
• Centralized ACS server: All users access the ACS server in a central location within the network.
• Remote ACS server: For remote offices with slow or congested WAN links that might delay LEAP
processing, an ACS server can be deployed locally in the office.
• Local and Fallback RADIUS server functionality in a Cisco AP: In Cisco IOS® Software Release
12.2(11)JA, the Cisco AP can authenticate LEAP users without accessing an external ACS server. This
functionality supports up to 50 users and is supported for EAP−Cisco (LEAP) only. It does not interact with a
centralized or remote ACS server in terms of database synchronization, so the phone credentials it holds must
be maintained on the AP itself. This functionality is designed to be used as the primary
Cisco − Wireless IPT Design Guide for the Cisco 7920 IP Phone
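The third deployment option above, an Aironet AP acting as the LEAP authenticator with fallback from a central ACS, looks like the following in Aironet IOS. This is an added configuration example, not taken from the Cisco design guide; the IP addresses, shared secrets, usernames and SSID are placeholders, and the local-authenticator command syntax is the one introduced with Release 12.2(11)JA (the `ssid` block moved to a global `dot11 ssid` command in later releases, so check the command reference for the release you run).

```text
! --- On the AP that acts as local authenticator (for example the one AP at a remote site) ---
aaa new-model
radius-server local
 ! every AP permitted to query this local server, each with its shared secret
 nas 192.0.2.20 key 0 ap-local-secret
 nas 192.0.2.21 key 0 ap-local-secret
 ! phone credentials live here; the guide notes there is no synchronization with ACS,
 ! so each entry (up to the 50-user limit) is maintained by hand
 user phone1 password 0 phone1pass
 user phone2 password 0 phone2pass
!
! --- On every AP serving Cisco 7920 phones (including the local authenticator itself) ---
aaa new-model
! central ACS listed first; the local authenticator's address second, so LEAP
! falls back to the AP-held database only when the central server is unreachable
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key 0 acs-secret
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813 key 0 ap-local-secret
! fail over quickly: one retransmit at a one-second timeout, then skip the dead server
radius-server retransmit 1
radius-server timeout 1
radius-server deadtime 10
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
 server 192.0.2.20 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
interface Dot11Radio0
 ssid voice
  authentication network-eap eap_methods
```

The short `timeout`, `retransmit` and `deadtime` values are what make the fallback usable for voice: with the IOS defaults an unreachable central ACS would hold every roam for several seconds before the AP tried the local database, which is exactly the delay the guide says prevents RTP from flowing.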