Cisco Unified Ip Phone 8961, 9951, And 9971 Administration Guide For Cisco Unified Communications Manager - Cisco 9971 Administration Manual

Unified ip phone 8961, 9951, and 9971 administration guide for cisco unified communications manager 10.0

Supported Security Features
the AP allows the requesting device to authenticate. A device can authenticate only if the device WEP
key matches the WEP key on the APs.
Shared key authentication can be less secure than open authentication with WEP because someone can
monitor the challenges. An intruder can calculate the WEP key by comparing the unencrypted and
encrypted challenge text strings.
• Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST)
Authentication: This client-server security architecture encrypts EAP transactions within a Transport
Layer Security (TLS) tunnel between the AP and the RADIUS server, such as the Cisco Access Control
Server (ACS).
The TLS tunnel uses Protected Access Credentials (PACs) for authentication between the client (phone)
and the RADIUS server. The server sends an Authority ID (AID) to the client (phone), which in turn
selects the appropriate PAC. The client (phone) returns a PAC-Opaque to the RADIUS server. The
server decrypts the PAC with the master key. Both endpoints now contain the PAC key and a TLS tunnel
is created. EAP-FAST supports automatic PAC provisioning, but you must enable it on the RADIUS
server.
• Light Extensible Authentication Protocol (LEAP): Cisco proprietary password-based mutual authentication
scheme between the client (phone) and a RADIUS server. The Cisco Unified IP Phone can use LEAP for
authentication with the wireless network.
• Auto (AKM): Selects the 802.11 authentication mechanism automatically from the configuration
information that the AP exhibits (WPA-PSK or WPA).
The following authentication schemes use the RADIUS server to manage authentication keys:
• WPA/WPA2: Uses RADIUS server information to generate unique keys for authentication. Because
these keys are generated at the centralized RADIUS server, WPA/WPA2 provides more security than
WPA preshared keys that are stored on the AP and phone.
• Cisco Centralized Key Management (CCKM): Uses RADIUS server and wireless domain server
(WDS) information to manage and authenticate keys. The WDS creates a cache of security credentials
for CCKM-enabled client devices for fast and secure reauthentication.
With WPA/WPA2 and CCKM, encryption keys are not entered on the phone but are automatically derived
between the AP and the phone. However, the EAP username and password that are used for authentication
must be entered on each phone.
Note: Only WPA(TKIP) and 802.1x(WEP) support CCKM.
To ensure that voice traffic is secure, the Cisco Unified IP Phone supports WEP, TKIP, and the Advanced
Encryption Standard (AES) for encryption. When these mechanisms are used for encryption, both the
signaling SIP packets and the voice Real-Time Transport Protocol (RTP) packets are encrypted between the AP
and the Cisco Unified IP Phone.

Note: In the Cisco ACS, by default, the PAC expires in one week. If the phone has an expired
PAC, authentication with the RADIUS server takes longer while the phone gets a new
PAC. To avoid PAC provisioning delays, set the PAC expiration period to 90 days or
longer on the ACS or RADIUS server.