Cisco 7921G - Unified Wireless IP Phone VoIP Administration Manual page 43

Chapter 2 Overview of the VoIP Wireless Network
• Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling
(EAP-FAST)—This client server security architecture encrypts EAP transactions within a Transport
Level Security (TLS) tunnel between the AP and the RADIUS server such as the Cisco Access
Control Server (ACS).
The TLS tunnel uses Protected Access Credentials (PACs) for authentication between the client
(phone) and the RADIUS server. The server sends an Authority ID (AID) to the client (phone),
which in turn selects the appropriate PAC. The client (phone) returns a PAC-Opaque to the RADIUS
server. The server decrypts the PAC with its master-key. Both end points now have the PAC key
and a TLS tunnel is created. EAP-FAST supports automatic PAC provisioning, but you must enable
it on the RADIUS server.
Note
Extended Authentication Protocol Transport Level Security (EAP-TLS)—EAP–TLS/RFC 2716
•
uses the TLS protocol (RFC 2246), which is the latest IETF version of the SSL security protocol.
TLS provides a way to use certificates for both user and server authentication, and for dynamic
session key generation.
Microsoft Windows XP provides support for 802.1x, allowing EAP authentication protocols
(including EAP-TLS) to be used for authentication. The authentication used in EAP-TLS is mutual:
the server authenticates the user and the user authenticates the server. Mutual authentication is
required in a WLAN. EAP-TLS provides excellent security but requires client certificate
management.
EAP-TLS uses Public Key Infrastructure (PKI) with the following conditions:
–
–
–
Protected Extensible Authentication Protocol (PEAP)—PEAP uses server-side public key
•
certificates to authenticate clients by creating an encrypted SSL/TLS tunnel between the client and
the authentication server.
• PEAP with Server Certificate Authentication—The Cisco Unified IP Phone validates the server
certificate during the authentication handshakes over an 802.11 wireless link. This functionality is
disabled by default and is enabled in Cisco Unified CallManager Administration.
The exchange of authentication information is encrypted and the user credentials are safe from
eavesdropping. MS-CHAP v2 is the supported inner authentication protocol.
Light Extensible Authentication Protocol (LEAP)—Cisco proprietary password-based mutual
•
authentication scheme between the client (phone) and a RADIUS server. Cisco Unified Wireless
IP Phone 7921G can use LEAP for authentication with the wireless network.
This section describes the following concepts:
Authenticated Key Management, page 2-16
•
Encryption Methods, page 2-16
•
Cisco Unified Wireless IP Phone 7921G Administration Guide for Cisco Unified Communications Manager Release 7.0
OL-15985-01
In the Cisco ACS, by default, the PAC expires in one week. If the phone has an expired PAC,
authentication with the RADIUS server takes longer while the phone gets a new PAC. To avoid
the PAC provisioning delays, set the PAC expiration period to 90 days or longer on the ACS or
RADIUS server.
Wireless LAN client (user machine) requires a valid certificate to authenticate to the WLAN
network.
AAA server requires a "server" certificate to validate its identity to the clients.
Certificate Authority (CA) server infrastructure issues certificates to the AAA server and the
clients.
Security for Voice Communications in WLANs
2-15