Cisco Unified Ip Phone 8961, 9951, And 9971 Administration Guide For Cisco Unified Communications Manager - Cisco 9971 Administration Manual

WEP
With WEP use in the wireless network, authentication happens at the AP by using open or shared-key
authentication. The WEP key that is setup on the phone must match the WEP key that is configured at
the AP for successful connections. The Cisco Unified IP Phone supports WEP keys that use 40-bit
encryption or a 128-bit encryption and remain static on the phone and AP.
EAP and CCKM authentication can use WEP keys for encryption. The RADIUS server manages the
WEP key and passes a unique key to the AP after authentication for encrypting all voice packets;
consequently, these WEP keys can change with each authentication.
TKIP
WPA and CCKM use TKIP encryption that has several improvements over WEP. TKIP provides
per-packet key ciphering and longer initialization vectors (IVs) that strengthen encryption. In addition,
a message integrity check (MIC) ensures that encrypted packets are not being altered. TKIP removes
the predictability of WEP that helps intruders decipher the WEP key.
AES
An encryption method used for WPA2 authentication. This national standard for encryption uses a
symmetrical algorithm that has the same key for encryption and decryption. AES uses Cipher Blocking
Chain (CBC) encryption of 128 bits in size, which supports key sizes of 128, 192 and 256 bits, as a
minimum. The Cisco Unified IP Phone supports a key size of 256 bits.
The Cisco Unified IP Phone does not support Cisco Key Integrity Protocol (CKIP) with CMIC.
Note
Authentication and encryption schemes are set up within the wireless LAN. VLANs are configured in the
network and on the APs and specify different combinations of authentication and encryption. An SSID
associates with a VLAN and the particular authentication and encryption scheme. In order for wireless client
devices to authenticate successfully, you must configure the same SSIDs with their authentication and encryption
schemes on the APs and on the Cisco Unified IP Phone.
Some authentication schemes require specific types of encryption. With Open authentication, you can use
static WEP for encryption for added security. But if you are using Shared Key authentication, you must set
static WEP for encryption, and you must configure a WEP key on the phone.
When you use Authenticated Key Management (AKM) for the Cisco Unified IP Phone, several choices for
both authentication and encryption can be set up on the APs with different SSIDs. When the phone attempts
to authenticate, it chooses the AP that advertises the authentication and encryption scheme that the phone can
support. Auto (AKM) mode can authenticate by using WPA, WPA2, WPA Pre-shared key, or CCKM.

Cisco Unified IP Phone 8961, 9951, and 9971 Administration Guide for Cisco Unified Communications Manager 10.0

Supported Security Features
169