Extensible Authentication Protocol - Transport Layer Security (Eap-Tls) - Cisco 8861 Deployment Manual

Ensure the production master EAP-FAST RADIUS server is setup to send the EAP-FAST master keys and policies to the
staging slave EAP-FAST RADIUS server, which will then allow the Cisco IP Phone 8861 and 8865 to use the provisioned PAC
in the production environment where Allow anonymous in-band PAC provisioning is disabled.
When it is time to renew the PAC, then authenticated in-band PAC provisioning will be used, so ensure that Allow
authenticated in-band PAC provisioning is enabled.
Ensure that the Cisco IP Phone 8861 and 8865 has connected to the network during the grace period to ensure it can use its
existing PAC created either using the active or retired master key in order to get issued a new PAC.
Is recommended to only have the staging wireless LAN pointed to the staging RADIUS server and to disable the staging access
point radios when not being used.

Extensible Authentication Protocol - Transport Layer Security (EAP-TLS)

Extensible Authentication Protocol - Transport Layer Security (EAP-TLS) is using the TLS protocol with PKI to secure
communications to the authentication server.
TLS provides a way to use certificates for both user and server authentication and for dynamic session key generation.
A certificate is required to be installed.
EAP-TLS provides excellent security, but requires client certificate management.
EAP-TLS may also require a user account to be created on the authentication server matching the common name of the
certificate imported into the Cisco IP Phone 8861 or 8865.
It is recommended to use a complex password for this user account and that EAP-TLS is the only EAP type enabled on the
RADIUS server.
Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide
29