Cisco Unified IP Phone 8961, 9951, and 9971 Administration Guide for Cisco Unified Communications Manager 8.5 (SIP)
OL-20861-01
Chapter 6 Understanding the VoIP Wireless Network
Security for Voice Communications in WLANs
Shared Key Authentication—The AP sends an unencrypted challenge text string to any device attempting to communicate with the AP. The device that is requesting authentication uses a pre-configured WEP key to encrypt the challenge text and sends it back to the AP. If the challenge text is encrypted correctly, the AP allows the requesting device to authenticate. A device can authenticate only if its WEP key matches the WEP key on the APs.

Shared key authentication can be less secure than open authentication with WEP because someone can monitor the challenges. An intruder can calculate the WEP key by comparing the unencrypted and encrypted challenge text strings.
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) Authentication—This client-server security architecture encrypts EAP transactions within a Transport Layer Security (TLS) tunnel between the AP and the RADIUS server, such as the Cisco Access Control Server (ACS).

The TLS tunnel uses Protected Access Credentials (PACs) for authentication between the client (phone) and the RADIUS server. The server sends an Authority ID (AID) to the client (phone), which in turn selects the appropriate PAC. The client (phone) returns a PAC-Opaque to the RADIUS server. The server decrypts the PAC with its master key. Both endpoints now have the PAC key, and a TLS tunnel is created. EAP-FAST supports automatic PAC provisioning, but you must enable it on the RADIUS server.
Note In the Cisco ACS, by default, the PAC expires in one week. If the phone has an expired PAC, authentication with the RADIUS server takes longer while the phone gets a new PAC. To avoid the PAC provisioning delays, set the PAC expiration period to 90 days or longer on the ACS or RADIUS server.
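The PAC exchange and the expiry behaviour described in the Note, modelled as an added example (this is not Cisco's code and not a real EAP-FAST implementation). The server keeps a master key, hands out a PAC (a PAC-Key plus a PAC-Opaque that only the server can open), and the phone stores PACs by AID. The PAC-Opaque "encryption" is a stand-in built from the standard library (HMAC-derived keystream plus an HMAC tag) for whatever cipher a real RADIUS server uses; the class and function names (RadiusServer, PhoneClient, authenticate, pac_lifetime_days) are invented for the example. The timing cost in the Note shows up as the reprovisioned flag: an expired PAC forces the provisioning path on the next authentication.

```python
"""Simplified EAP-FAST PAC lifecycle: provisioning, PAC-Opaque handling and expiry.

Added illustration only. The PAC-Opaque protection below (HMAC keystream +
HMAC tag, both from the standard library) stands in for the real server-side
cipher; the protocol details are reduced to the steps named in the guide.
"""
import hashlib
import hmac
import os

MASTER_KEY = os.urandom(32)          # server-side master key (constructed)
DAY = 86400                          # seconds per day


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream derived from the master key and a nonce."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class RadiusServer:
    """Stand-in for ACS / a RADIUS server that issues and opens PACs."""

    def __init__(self, master_key: bytes, authority_id: bytes, pac_lifetime_days: int):
        self.master_key = master_key
        self.aid = authority_id                     # Authority ID sent to the phone
        self.pac_lifetime = pac_lifetime_days * DAY
        self.provision_count = 0                    # how often the slow path ran

    def provision_pac(self, now: int) -> dict:
        """Issue a fresh PAC-Key and a PAC-Opaque that only this server can decrypt."""
        pac_key = os.urandom(32)
        expiry = int(now) + self.pac_lifetime
        body = pac_key + expiry.to_bytes(8, "big")
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(body, _keystream(self.master_key, nonce, len(body))))
        tag = hmac.new(self.master_key, nonce + ct, hashlib.sha256).digest()
        self.provision_count += 1
        return {"aid": self.aid, "pac_key": pac_key, "pac_opaque": nonce + ct + tag}

    def open_pac(self, opaque: bytes, now: int):
        """Decrypt a PAC-Opaque with the master key; None if tampered or expired."""
        nonce, ct, tag = opaque[:16], opaque[16:-32], opaque[-32:]
        expected = hmac.new(self.master_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        body = bytes(a ^ b for a, b in zip(ct, _keystream(self.master_key, nonce, len(ct))))
        pac_key, expiry = body[:32], int.from_bytes(body[32:], "big")
        if now >= expiry:
            return None
        return pac_key


class PhoneClient:
    """The phone keeps one PAC per Authority ID."""

    def __init__(self):
        self.pacs = {}

    def store(self, pac: dict) -> None:
        self.pacs[pac["aid"]] = pac


def tunnel_key(pac_key: bytes, server_random: bytes, client_random: bytes) -> bytes:
    """Both ends derive the tunnel key from the shared PAC-Key and the exchanged randoms."""
    return hmac.new(pac_key, server_random + client_random, hashlib.sha256).digest()


def authenticate(server: RadiusServer, phone: PhoneClient, now: int):
    """One EAP-FAST start. Returns (tunnel_key, reprovisioned).

    Server offers its AID, phone answers with the matching PAC-Opaque, server
    recovers the PAC-Key with its master key, both sides derive the tunnel key.
    A missing or expired PAC falls back to automatic provisioning (slow path).
    """
    client_random, server_random = os.urandom(16), os.urandom(16)
    pac = phone.pacs.get(server.aid)
    pac_key = server.open_pac(pac["pac_opaque"], now) if pac else None
    reprovisioned = False
    if pac_key is None:
        pac = server.provision_pac(now)
        phone.store(pac)
        pac_key = pac["pac_key"]
        reprovisioned = True
    server_side = tunnel_key(pac_key, server_random, client_random)
    phone_side = tunnel_key(pac["pac_key"], server_random, client_random)
    assert server_side == phone_side
    return server_side, reprovisioned


if __name__ == "__main__":
    acs = RadiusServer(MASTER_KEY, b"corp-acs", pac_lifetime_days=7)
    phone = PhoneClient()
    for day in (0, 1, 8):
        _, slow = authenticate(acs, phone, day * DAY)
        print(f"day {day}: reprovisioned={slow}")
```

Running the block with the default one-week lifetime shows provisioning on day 0 and again on day 8, which is the delay the Note describes; a 90-day lifetime on the server removes the second provisioning for the same phone.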
Light Extensible Authentication Protocol (LEAP)—Cisco proprietary password-based mutual authentication scheme between the client (phone) and a RADIUS server. The Cisco Unified IP Phone can use LEAP for authentication with the wireless network.

Auto (AKM)—Selects the 802.11 authentication mechanism (WPA-PSK or WPA) automatically from the configuration information advertised by the AP.
Authenticated Key Management
The following authentication schemes use the RADIUS server to manage authentication keys:

WPA/WPA2—Uses information on a RADIUS server to generate unique keys for authentication. Because these keys are generated at the centralized RADIUS server, WPA/WPA2 provides more security than WPA pre-shared keys that are stored on the AP and phone.

Cisco Centralized Key Management (CCKM)—Uses information on a RADIUS server and a wireless domain server (WDS) to manage and authenticate keys. The WDS creates a cache of security credentials for CCKM-enabled client devices for fast and secure reauthentication.

With WPA/WPA2 and CCKM, encryption keys are not entered on the phone but are automatically derived between the AP and phone. However, the EAP username and password that are used for authentication must be entered on each phone.

Note CCKM is only supported with WPA (TKIP) and 802.1X (WEP).
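The difference between "unique keys generated at the RADIUS server" and "pre-shared keys stored on the AP and phone" can be made concrete by deriving the pairwise master key (PMK) both ways. This is an added example, not Cisco's code: the PSK path is the real WPA passphrase-to-PMK derivation (PBKDF2-HMAC-SHA1 over the SSID, 4096 rounds, 256-bit output, as specified in IEEE 802.11i), while RadiusKeyServer.session_pmk is a stand-in for the EAP master key a RADIUS server exports after a successful EAP exchange, not a real EAP method. The names compare_key_schemes and RadiusKeyServer are invented for the example.

```python
"""PSK versus RADIUS-derived pairwise master keys (added illustration).

psk_pmk() is the genuine WPA-PSK derivation; RadiusKeyServer is a stand-in
for the per-session key material that 802.1X/EAP delivers from the server.
"""
import hashlib
import hmac
import os


def psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).

    Every phone configured with the same passphrase on the same SSID computes
    exactly this value, so the PMK is a shared secret, not a per-device key.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


class RadiusKeyServer:
    """Stand-in for the RADIUS server in the WPA/WPA2 (enterprise) case."""

    def __init__(self, server_secret: bytes):
        self.server_secret = server_secret

    def session_pmk(self, username: str, session_nonce: bytes) -> bytes:
        # Stand-in for the EAP master session key: bound to the user and to
        # this particular authentication, never stored on the AP or phone.
        return hmac.new(self.server_secret, username.encode() + session_nonce,
                        hashlib.sha256).digest()


def compare_key_schemes(ssid: str, passphrase: str, users: list):
    """Return (psk_pmks, radius_pmks): the distinct PMKs each scheme hands out
    when each listed user authenticates once."""
    psk_pmks = {psk_pmk(passphrase, ssid) for _ in users}
    server = RadiusKeyServer(os.urandom(32))          # constructed server secret
    radius_pmks = {server.session_pmk(u, os.urandom(16)) for u in users}
    return psk_pmks, radius_pmks


if __name__ == "__main__":
    phones = ["phone-8961-a", "phone-9951-b", "phone-9971-c"]   # constructed usernames
    psk, radius = compare_key_schemes("VoiceWLAN", "correct horse battery", phones)
    print(f"WPA-PSK: {len(psk)} distinct PMK for {len(phones)} phones")
    print(f"WPA/WPA2 via RADIUS: {len(radius)} distinct PMKs for {len(phones)} phones")
```

With three phones the PSK path yields one PMK shared by all of them (compromise of any phone or the AP exposes it for every device), while the RADIUS path yields three, each tied to one user and one session. The PBKDF2 call is checked against the IEEE 802.11i test vector (passphrase "password", SSID "IEEE").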