Deploying SpectraLink 8020/8030
Wireless Telephones
July 2009
making the use of a time source optional. If the certificate is deemed expired (or not yet valid) the handset
will stop operating and display an error message. Note that because access to NTP is available much
earlier in the boot up process than access to the call server time, providing an NTP server provides
stronger security, protecting handset firmware downloads and checking in with the call server.
5.3.2.2 EAP-FAST
EAP-FAST (Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling) was created
by Cisco as a replacement for LEAP (Lightweight Extensible Authentication Protocol) (see Cisco FSR, in
this section). EAP-FAST has since gained adoption by WLAN vendors besides Cisco and is growing in
popularity.
Rather than relying on certificates, EAP-FAST uses a Protected Access Credential (PAC) to establish a
tunnel in which client credentials are verified. PAC files may be provisioned either over-the-air (called
server unauthenticated or Phase 0) or manually via the HAT. Server unauthenticated provisioning is easy
to manage, but offers a lesser degree of security than manual provisioning. The administrator must
choose between the two methods by weighing the desired level of security against ease of management.
5.3.2.3 OKC
Opportunistic Key Caching (OKC), sometimes called PMK (Pairwise Master Key) caching, is a fast AP
handoff technique specified in the 802.11i standard. OKC has growing support among enterprise WLAN
vendors and is the only standards-based fast AP handoff method supported today. Check Polycom's
VIEW Certified Products Guide to find a list of WLAN products tested for OKC support.
The combination of either PEAP or EAP-FAST and OKC is expected to result in soft handoffs, once the
initial 802.1X exchange has occurred establishing network connectivity for the handset. The soft handoffs
occur as the user roams within the coverage area and the WLAN infrastructure retains authentication key
information for the associated clients. Therefore, the RADIUS server does not need to be reached at
every handoff and the duration of the authentication exchange is fast enough to maintain audio quality.
Hard handoffs occur when the handset loses AP connectivity and subsequently the handset must
re-acquire its connection to the WLAN. When WPA2 Enterprise is the selected security method and
connectivity is lost, a full 802.1X authentication with the RADIUS server is required during the
re-acquisition. Once the handset has re-acquired the network after a hard handoff, soft handoffs will resume
as long as OKC is used and WLAN connectivity is maintained. OKC must be supported and properly
configured on the WLAN. Consult the VIEW Configuration Guide for your WLAN product to ensure proper
operation.
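The key reuse behind an OKC soft handoff, as an added Python sketch that is not part of the Polycom guide: the PMKID formula is the one defined in 802.11i, while the Controller class, the MAC addresses, the PMK and the rule that a lost connection evicts the cache entry are constructed assumptions for illustration.

```python
import hashlib
import hmac

def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """802.11i PMKID: first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

class Controller:
    """Hypothetical controller: one PMK cache shared by every AP it manages."""

    def __init__(self) -> None:
        self.cache = {}  # handset MAC -> PMK from its last full 802.1X exchange

    def full_8021x(self, spa: bytes, pmk: bytes) -> None:
        # Stand-in for the RADIUS round trip; the PMK is its end product.
        self.cache[spa] = pmk

    def drop(self, spa: bytes) -> None:
        # Assumption: the cache entry is gone after connectivity is lost.
        self.cache.pop(spa, None)

    def reassociate(self, bssid: bytes, spa: bytes, offered: bytes) -> str:
        pmk = self.cache.get(spa)
        if pmk and hmac.compare_digest(pmkid(pmk, bssid, spa), offered):
            return "soft"   # cached PMK accepted, RADIUS not contacted
        return "hard"       # full 802.1X with the RADIUS server required

# Constructed sample values, not taken from any real network.
PMK = bytes(range(32))
HANDSET = mac("02:00:00:00:00:01")
AP1, AP2 = mac("02:00:00:00:00:a1"), mac("02:00:00:00:00:a2")

def roam_demo() -> list:
    wlc = Controller()
    wlc.full_8021x(HANDSET, PMK)                      # initial 802.1X via AP1
    results = [wlc.reassociate(AP2, HANDSET, pmkid(PMK, AP2, HANDSET))]
    # A PMKID computed for AP1 is bound to AP1's BSSID and fails at AP2.
    results.append(wlc.reassociate(AP2, HANDSET, pmkid(PMK, AP1, HANDSET)))
    wlc.drop(HANDSET)                                 # connectivity lost
    results.append(wlc.reassociate(AP2, HANDSET, pmkid(PMK, AP2, HANDSET)))
    return results

if __name__ == "__main__":
    print(roam_demo())
```

Because the PMKID binds the cached PMK to both the target BSSID and the handset MAC, a soft handoff only succeeds when the infrastructure still holds the key from the handset's own 802.1X exchange.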
5.3.2.4 CCKM
Cisco Centralized Key Management (CCKM) is a Cisco-proprietary fast AP handoff method and therefore
only supported on Cisco APs. CCKM is required for CCX certification and will automatically be used if
CCX operating mode is selected for the handset. CCKM is also available for use with Cisco APs through
the Custom menu options.
The combination of either PEAP or EAP-FAST and CCKM is expected to result in soft handoffs, once the
initial 802.1X exchange has occurred establishing network connectivity for the handset. The soft handoffs
occur as the user roams within the coverage area and the WLAN infrastructure retains authentication key
information for the associated clients. Therefore, the RADIUS server does not need to be reached at
every handoff and the duration of the authentication exchange is fast enough to maintain audio quality.
Hard handoffs occur when the handset loses AP connectivity and subsequently the handset must
re-acquire its connection to the WLAN. When WPA2 Enterprise is the selected security method and
connectivity is lost, a full 802.1X authentication with the RADIUS server is required during the re-
©2009 Polycom, Inc. All rights reserved.
Polycom and the Polycom logo are registered trademarks of Polycom, Inc. All other trademarks are the property of Polycom, Inc. or their respective companies.
Best Practices Guide