Deploying SpectraLink 8020/8030
Wireless Telephones
July 2009
WPA2 has two different authentication modes, Personal and Enterprise, both of which are supported on the SpectraLink 8020/8030 Wireless Telephone. Authentication is the process that occurs after WLAN association in which the handset and authentication server verify each other's credentials, then allow the handset access to the network.
5.3.1 WPA Personal, WPA2 Personal
Personal mode uses a password-based authentication method called Pre-Shared Key (PSK). Personal mode is good for time-sensitive applications such as voice, because the key exchange sequence is limited and does not adversely affect roaming between APs. The PSK can be entered in hexadecimal or as an ASCII passphrase from the handset's administration menu or the HAT. The handset supports both WPA Personal and WPA2 Personal modes.
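As an added example (not code from the Polycom guide), the following Python shows how the two PSK entry forms relate: an ASCII passphrase is expanded to the 256-bit key that the 64-hex-digit form represents, using the IEEE 802.11i derivation (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt), so the same passphrase yields a different key on every SSID. The function names are assumptions; the passphrase/SSID pair used as sample input is the IEEE 802.11i Annex H test vector.

```python
import hashlib
import re

# IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)
PSK_ITERATIONS = 4096
PSK_LEN_BYTES = 32
HEX_PSK = re.compile(r"[0-9a-fA-F]{64}")


def valid_passphrase(passphrase: str) -> bool:
    """802.11i passphrase rules: 8 to 63 printable ASCII characters (0x20-0x7E)."""
    return 8 <= len(passphrase) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in passphrase)


def derive_psk(passphrase: str, ssid: str) -> str:
    """Return the 64-hex-digit PSK an access point and handset compute from the passphrase."""
    if not valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    key = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), PSK_ITERATIONS, PSK_LEN_BYTES
    )
    return key.hex()


def psk_for_handset(value: str, ssid: str) -> str:
    """Accept either entry form (64 hex digits or an ASCII passphrase) and return the
    key as lowercase hex, which is the form to record in the handset's configuration."""
    if HEX_PSK.fullmatch(value):
        return value.lower()
    return derive_psk(value, ssid)


if __name__ == "__main__":
    # Constructed sample values (802.11i Annex H test vector), not a real deployment.
    ssid = "IEEE"
    print(psk_for_handset("password", ssid))
    # The same passphrase on a different SSID gives an unrelated key, so a hex PSK
    # provisioned through the HAT must be re-derived whenever the SSID changes.
    print(psk_for_handset("password", "IEEE-voice"))
```

Provisioning the derived hex value rather than the passphrase keeps the human-readable secret out of handset configuration exports; the hex key is still the full credential and must be protected the same way.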
5.3.2 WPA2 Enterprise
With Release 3.0, the SpectraLink 8020/8030 handset added support for WPA2 Enterprise. Enterprise mode requires a WLAN device to mutually validate credentials with an 802.1X authentication server on the network every time the device roams to a new AP. With each roam, authentication delays may cause dropped packets, resulting in audio dropouts. The size of the credentials used and the location of the RADIUS authentication server can significantly affect the duration of the delay. Larger credentials are more secure, but take more time to process. RADIUS servers that are local and reside on high-speed Ethernet switches respond to authentication requests faster than those in remote locations.
Because the use of WPA2 Enterprise requires 802.1X authentication by the device and that exchange can cause delays at each AP handoff, Polycom requires the use of a fast AP handoff mechanism. Fast AP handoff techniques allow the part of the key derived from the authentication server to be cached in the wireless network, thereby shortening the time to renegotiate a secure handoff. The handset offers two 802.1X authentication types (PEAP and EAP-FAST) and two fast AP handoff techniques (OKC and CCKM) for WPA2 Enterprise. The combination of the selected 802.1X authentication type and fast AP handoff mechanism is expected to result in soft handoffs as the handset user roams the facility.
5.3.2.1 PEAPv0/MSCHAPv2
PEAP (Protected Extensible Authentication Protocol) was developed by Microsoft, Cisco and RSA Security for 802.1X authentication on WLANs. PEAPv0/MSCHAPv2 is one of the most commonly used subtypes. PEAP uses a server-side public key certificate to authenticate the server and creates an encrypted tunnel for exchanging information between the server and the client. Larger certificate key sizes provide stronger encryption, but are more computationally intensive and therefore take more time to process. This longer processing time to perform the 802.1X key validation means that the handset cannot communicate with the rest of the network for a longer period, and cannot receive or transmit audio packets, resulting in missing audio. While the handset supports key sizes of 512, 1024, 2048 and 4096 bits, a key size of 512 or 1024 bits is recommended, as these sizes balance the degree of security with the need to maintain audio during WLAN acquisition.
PEAP root certificates must be loaded using the Handset Administration Tool (HAT). Each handset supports a single root certificate in DER format, loaded into non-volatile memory. Other certificate formats exist and can be converted to DER format with third-party tools before being loaded using the HAT.
A username (which relates to the device name, not necessarily to an end user) and password are entered via the HAT or the handset administration menu.
Certificates carry a validity period (start and end date of validity). When using a certificate, the handset will attempt to check its validity by using time information available from an NTP server, and in certain cases from the call server. If no time information is available, the certificate is assumed to be valid,
©2009 Polycom, Inc. All rights reserved.
Polycom and the Polycom logo are registered trademarks of Polycom, Inc. All other trademarks are the property of Polycom, Inc. or their respective companies.
Best Practices Guide