Cisco 8832 Administration Manual page 87
Cisco IP Conference Phone Administration
The TLS tunnel uses Protected Access Credentials (PACs) for authentication between the client (phone)
and the RADIUS server. The server sends its Authority ID (A-ID) to the client (phone), which uses it to
select the matching PAC. The client (phone) returns the PAC-Opaque to the RADIUS server, which decrypts
it with its master key to recover the PAC-Key. Both endpoints now hold the same PAC-Key and use it to
establish the TLS tunnel. EAP-FAST supports automatic (in-band) PAC provisioning, but you must enable it
on the RADIUS server.
• Protected Extensible Authentication Protocol (PEAP): Password-based mutual authentication scheme
(developed jointly by Cisco, Microsoft, and RSA Security) between the client (phone) and a RADIUS server.
The server authenticates to the phone with a certificate and a TLS tunnel is built; the phone then
authenticates with its password inside that tunnel. The Cisco IP Phone can use PEAP for authentication
with the wireless network. Only PEAP-MSCHAPv2 is supported; PEAP-GTC is not supported.
The following authentication schemes use the RADIUS server to manage authentication keys:
• WPA/WPA2 (802.1X mode): Uses the keying material produced by the EAP authentication with the RADIUS
server to generate unique keys for each client session. Because these keys are generated per session
from the centralized RADIUS server rather than configured on devices, WPA/WPA2 in 802.1X mode provides
more security than WPA preshared keys, which are static and stored on the AP and the phone.
• Fast Secure Roaming: Uses the RADIUS server and a wireless domain server (WDS) to manage and
authenticate keys. The WDS caches security credentials for CCKM-enabled client devices so that they
can reauthenticate quickly and securely when they roam. The Cisco IP Phone 8800 Series supports
802.11r (FT).
With WPA/WPA2 and CCKM, encryption keys are not entered on the phone; they are derived automatically
between the AP and the phone. However, the EAP username and password that are used for authentication
must be entered on each phone.
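The following is an added illustration, not code from this guide or from Cisco, of why no encryption key is typed into the phone under WPA/WPA2: the Pairwise Master Key (PMK) is either supplied through the RADIUS server (the first 32 bytes of the EAP Master Session Key) or, for WPA-PSK, derived from the passphrase, and the per-association Pairwise Transient Key (PTK) is then computed independently by the AP and the phone from the PMK and the nonces of the 4-way handshake. It uses only the Python standard library; the MAC addresses, nonces and the simulated RADIUS MSK are constructed values.

```python
"""WPA/WPA2 pairwise key derivation (added example; standard library only)."""
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmk_from_radius_msk(msk: bytes) -> bytes:
    """802.1X/EAP: the RADIUS server returns the EAP MSK to the AP (MS-MPPE-Recv/Send-Key);
    the PMK is its first 256 bits. The phone derives the same MSK inside the EAP method."""
    if len(msk) < 32:
        raise ValueError("EAP MSK must be at least 32 bytes")
    return msk[:32]


def ieee80211_prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate to nbytes."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               cipher: str = "CCMP") -> dict:
    """PTK = PRF-X(PMK, "Pairwise key expansion",
                   Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    X = 384 bits for CCMP (KCK 16 | KEK 16 | TK 16); 512 for TKIP (adds two 8-byte Michael keys)."""
    nbytes = 48 if cipher == "CCMP" else 64
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = ieee80211_prf(pmk, b"Pairwise key expansion", data, nbytes)
    keys = {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if cipher == "TKIP":
        keys["MIC_TX"], keys["MIC_RX"] = ptk[48:56], ptk[56:64]
    return keys


def eapol_key_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (HMAC-SHA1-128, used with CCMP):
    HMAC-SHA1 over the EAPOL-Key frame with its MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def two_associations(pmk: bytes) -> dict:
    """Same PMK, two associations with fresh nonces: AP and phone agree on each PTK,
    and the two temporal keys differ, so nothing per-session is ever typed into the phone."""
    ap_mac = bytes.fromhex("001122334455")     # constructed authenticator (AP) address
    phone_mac = bytes.fromhex("66778899aabb")  # constructed supplicant (phone) address
    temporal_keys = []
    for _ in range(2):
        anonce, snonce = os.urandom(32), os.urandom(32)   # exchanged in messages 1 and 2
        ap_side = derive_ptk(pmk, ap_mac, phone_mac, anonce, snonce)
        phone_side = derive_ptk(pmk, ap_mac, phone_mac, anonce, snonce)
        if ap_side != phone_side:
            return {"agree": False, "tk_differ": False}
        temporal_keys.append(ap_side["TK"])
    return {"agree": True, "tk_differ": temporal_keys[0] != temporal_keys[1]}


if __name__ == "__main__":
    psk_pmk = pmk_from_passphrase("password", "IEEE")      # IEEE 802.11i Annex H.4 test vector
    print("WPA-PSK PMK:", psk_pmk.hex())
    enterprise_pmk = pmk_from_radius_msk(os.urandom(64))   # constructed MSK standing in for RADIUS
    print(two_associations(psk_pmk), two_associations(enterprise_pmk))
```

The practical difference the page is pointing at is visible in the two PMK functions: with a preshared key every device shares one long-lived PMK derived from a passphrase that an attacker can attack offline from a captured handshake, whereas with 802.1X each session's PMK is fresh keying material from the EAP exchange and is never configured on the phone or the AP.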
To keep voice traffic secure, the Cisco IP Phone supports WEP, TKIP, and Advanced Encryption Standard
(AES) encryption. When one of these mechanisms is in use, both the SIP signaling packets and the voice
Real-Time Transport Protocol (RTP) packets are encrypted on the wireless link between the AP and the
Cisco IP Phone. This is link-layer protection only: it does not extend beyond the AP, and WEP and TKIP
are cryptographically broken and deprecated, so use AES (CCMP) wherever the infrastructure allows.
WEP
With WEP in the wireless network, authentication happens at the AP by using open or shared-key
authentication. The WEP key that is set up on the phone must match the WEP key that is configured at
the AP for a successful connection. The Cisco IP Phone supports static WEP keys of 40 bits or 128 bits
(the latter is a 104-bit secret key plus the 24-bit IV); the key remains fixed on the phone and the AP.
EAP and CCKM authentication can also use WEP keys for encryption. In that case the RADIUS server
manages the WEP key and passes a unique key to the AP after authentication for encrypting all voice
packets; consequently, these WEP keys can change with each authentication.
TKIP
WPA and CCKM use TKIP encryption, which has several improvements over WEP. TKIP provides
per-packet key mixing and longer (48-bit) initialization vectors (IVs) that strengthen the encryption,
and a message integrity check (MIC, Michael) ensures that encrypted packets are not altered in transit.
TKIP removes the predictability of WEP that helps intruders recover the WEP key. TKIP was a stopgap
for WEP-era hardware; it is deprecated in IEEE 802.11 and should be replaced by AES-CCMP.
Note
In the Cisco ACS, by default, the PAC expires in one week. If the phone has an
expired PAC, authentication with the RADIUS server takes longer because the
server must first provision the phone with a new PAC. To avoid PAC provisioning
delays, set the PAC expiration period to 90 days or longer on the ACS or RADIUS server.
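The following is an added illustration, not Cisco's code nor any RADIUS server's implementation, of the PAC exchange described in the EAP-FAST paragraph at the top of this page together with the expiry behaviour in the Note: the server announces its A-ID, the phone picks the PAC it holds for that A-ID and returns the PAC-Opaque, the server decrypts it with its master key to recover the PAC-Key, both sides derive the tunnel master secret from the PAC-Key, and an expired PAC forces the slower full handshake with re-provisioning. Assumed or constructed: the PAC-Opaque layout and its HMAC-SHA256-based encryption (the standard library has no AES; a real server uses its own opaque format), the A-ID, identity, lifetimes and clock values. The T-PRF and the master-secret label follow RFC 4851 sections 5.5 and 5.1.

```python
"""EAP-FAST PAC selection, decryption and expiry (added example; standard library only)."""
import hashlib
import hmac
import os
import struct

MASTER_SECRET_LABEL = b"PAC to master secret label hash"   # RFC 4851 5.1
DAY = 86400


def t_prf(key: bytes, label: bytes, seed: bytes, outlen: int) -> bytes:
    """RFC 4851 5.5: S = label || 0x00 || seed;
    T_n = HMAC-SHA1(key, T_{n-1} || S || outlen (2 bytes) || n), with T_0 empty."""
    s = label + b"\x00" + seed
    out, prev, n = b"", b"", 1
    while len(out) < outlen:
        prev = hmac.new(key, prev + s + struct.pack(">H", outlen) + bytes([n]), hashlib.sha1).digest()
        out += prev
        n += 1
    return out[:outlen]


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream from HMAC-SHA256: an assumed stand-in for AES."""
    ks = b"".join(hmac.new(key, nonce + struct.pack(">I", c), hashlib.sha256).digest()
                  for c in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))


class RadiusServer:
    def __init__(self, aid: bytes, pac_lifetime_s: int):
        self.aid = aid                       # Authority ID announced in EAP-FAST/Start
        self.pac_lifetime_s = pac_lifetime_s
        master = os.urandom(32)              # server master key; never leaves the server
        self.enc_key = hmac.new(master, b"pac-enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(master, b"pac-mac", hashlib.sha256).digest()

    def provision_pac(self, identity: bytes, now: int) -> dict:
        """Issue a PAC (in the real protocol this happens inside an authenticated tunnel)."""
        pac_key = os.urandom(32)
        expiry = now + self.pac_lifetime_s
        body = struct.pack(">IH", expiry, len(identity)) + identity + pac_key
        nonce = os.urandom(16)
        ct = _xor_stream(self.enc_key, nonce, body)
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return {"aid": self.aid, "pac_key": pac_key, "expiry": expiry, "pac_opaque": nonce + ct + tag}

    def open_pac(self, pac_opaque: bytes, now: int):
        """Authenticate and decrypt a PAC-Opaque; None means expired (re-provision)."""
        nonce, ct, tag = pac_opaque[:16], pac_opaque[16:-32], pac_opaque[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("PAC-Opaque failed integrity check")
        body = _xor_stream(self.enc_key, nonce, ct)
        expiry, idlen = struct.unpack(">IH", body[:6])
        if now >= expiry:
            return None
        return body[6:6 + idlen], body[6 + idlen:]      # (identity, PAC-Key)


class Phone:
    def __init__(self):
        self.pacs = {}                       # A-ID -> PAC record, as the phone stores them

    def select_pac(self, aid: bytes):
        return self.pacs.get(aid)


def authenticate(server: RadiusServer, phone: Phone, now: int) -> tuple:
    """One EAP-FAST attempt. Returns (outcome, tunnel master secret or None)."""
    pac = phone.select_pac(server.aid)                   # 1. server -> phone: A-ID
    if pac is None:
        return "no-pac: full TLS handshake and provisioning", None
    opened = server.open_pac(pac["pac_opaque"], now)    # 2. phone -> server: PAC-Opaque
    if opened is None:
        return "expired-pac: full TLS handshake and re-provisioning", None
    _identity, server_pac_key = opened
    client_random, server_random = os.urandom(32), os.urandom(32)
    seed = server_random + client_random                 # RFC 4851 5.1 ordering
    ms_server = t_prf(server_pac_key, MASTER_SECRET_LABEL, seed, 48)
    ms_phone = t_prf(pac["pac_key"], MASTER_SECRET_LABEL, seed, 48)
    if not hmac.compare_digest(ms_server, ms_phone):
        return "key-mismatch", None
    return "tunnel-established", ms_server


def simulate(pac_lifetime_days: int, days_until_reauth: int) -> str:
    """Provision at t0, reauthenticate later: the Note's 7-day default versus 90 days."""
    t0 = 1_700_000_000                                    # constructed epoch time
    server = RadiusServer(aid=b"acs.example", pac_lifetime_s=pac_lifetime_days * DAY)
    phone = Phone()
    pac = server.provision_pac(b"phone-8832-01", t0)     # constructed identity
    phone.pacs[pac["aid"]] = pac
    return authenticate(server, phone, t0 + days_until_reauth * DAY)[0]


if __name__ == "__main__":
    print(simulate(7, 8))    # ACS default of one week: expired after 8 days
    print(simulate(90, 8))   # 90-day lifetime: tunnel-established
```

Two points worth noticing in the model: the phone never learns the server's master key (it only holds the PAC-Key and the opaque blob), and the integrity tag is checked before the blob is decrypted or its expiry read, so a tampered PAC-Opaque is rejected rather than silently parsed.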
Cisco IP Conference Phone 8832 Administration Guide for Cisco Unified Communications Manager
WLAN Security
77