Authenticated Key Management - Cisco 8961 Administration Manual

Administration Guide for Cisco Unified Communications Manager 8.6 (SIP)
Chapter 6 Understanding the VoIP Wireless Network
Cisco Unified IP Phone 8961, 9951, and 9971 Administration Guide for Cisco Unified Communications Manager 8.6 (SIP)
6-12

Security for Voice Communications in WLANs

Shared Key Authentication—The AP sends an unencrypted challenge text string to any device attempting to communicate with the AP. The device that is requesting authentication uses a pre-configured WEP key to encrypt the challenge text and sends it back to the AP. If the challenge text is encrypted correctly, the AP allows the requesting device to authenticate. A device can authenticate only if its WEP key matches the WEP key on the APs.
Shared key authentication can be less secure than open authentication with WEP because someone can monitor the challenges. An intruder can calculate the WEP key by comparing the unencrypted and encrypted challenge text strings.

Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) Authentication—This client-server security architecture encrypts EAP transactions within a Transport Layer Security (TLS) tunnel between the AP and a RADIUS server such as the Cisco Access Control Server (ACS).
The TLS tunnel uses Protected Access Credentials (PACs) for authentication between the client (phone) and the RADIUS server. The server sends an Authority ID (AID) to the client (phone), which in turn selects the appropriate PAC. The client (phone) returns a PAC-Opaque to the RADIUS server. The server decrypts the PAC with the master key. Both endpoints now hold the PAC key, and a TLS tunnel is created. EAP-FAST supports automatic PAC provisioning, but you must enable it on the RADIUS server.
In the Cisco ACS, the PAC expires in one week by default. If the phone has an expired PAC, authentication with the RADIUS server takes longer while the phone obtains a new PAC. To avoid PAC provisioning delays, set the PAC expiration period to 90 days or longer on the ACS or RADIUS server.

Lightweight Extensible Authentication Protocol (LEAP)—Cisco proprietary password-based mutual authentication scheme between the client (phone) and a RADIUS server. The Cisco Unified IP Phone can use LEAP to authenticate with the wireless network.

Auto (AKM)—Selects the 802.11 authentication mechanism automatically from the configuration information advertised by the AP: WPA-PSK or WPA.

Authenticated Key Management

The following authentication schemes use the RADIUS server to manage authentication keys:

WPA/WPA2—Uses RADIUS server information to generate unique keys for authentication. Because these keys are generated at the centralized RADIUS server, WPA/WPA2 provides more security than WPA pre-shared keys, which are stored on the AP and phone.

Cisco Centralized Key Management (CCKM)—Uses RADIUS server and wireless domain server (WDS) information to manage and authenticate keys. The WDS creates a cache of security credentials for CCKM-enabled client devices for fast and secure reauthentication.

Note
With WPA/WPA2 and CCKM, encryption keys are not entered on the phone but are derived automatically between the AP and the phone. However, the EAP username and password that are used for authentication must be entered on each phone.

Note
CCKM is only supported with WPA(TKIP) and 802.1x(WEP).
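The EAP-FAST PAC exchange described above, as an added example that is not Cisco's code and not part of the original guide: a RADIUS-server side that seals a PAC with its master key, a phone side that selects a PAC by Authority ID, and the extra provisioning phase that a missing or expired PAC forces. The PAC-Opaque layout and the HMAC-based sealing are assumptions standing in for the server's real master-key encryption (RFC 4851 defines the actual format); the identity `sep8961` and the 7-day and 90-day lifetimes used in the test are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
# Added example, not Cisco's code: a simplified model of the EAP-FAST PAC exchange.
# Real EAP-FAST (RFC 4851) carries A-ID, PAC-Opaque and PAC-Key in TLS extensions and
# TLVs; the PAC-Opaque layout and HMAC sealing here are stand-ins, not the wire format.
DAY = 86400

class RadiusServer:
    """Owns the master key; only the server can open a PAC-Opaque."""
    def __init__(self, aid: bytes, pac_lifetime_days: int):
        self.aid = aid                               # Authority ID sent to the phone
        self.master_key = os.urandom(32)
        self.pac_lifetime = pac_lifetime_days * DAY  # Cisco ACS default is one week

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        blocks = (hmac.new(self.master_key, nonce + bytes([i]), hashlib.sha256).digest()
                  for i in range(n // 32 + 1))
        return b"".join(blocks)[:n]

    def provision_pac(self, identity: bytes, now: int) -> tuple:
        """Return (PAC-Key, PAC-Opaque); the opaque seals key, expiry and identity."""
        pac_key, nonce = os.urandom(16), os.urandom(16)
        plain = pac_key + struct.pack(">I", now + self.pac_lifetime) + identity
        ct = bytes(p ^ k for p, k in zip(plain, self._keystream(nonce, len(plain))))
        tag = hmac.new(self.master_key, nonce + ct, hashlib.sha256).digest()[:16]
        return pac_key, nonce + ct + tag

    def open_pac(self, opaque: bytes, now: int):
        """Decrypt with the master key; None if forged, malformed or expired."""
        nonce, ct, tag = opaque[:16], opaque[16:-16], opaque[-16:]
        good = hmac.new(self.master_key, nonce + ct, hashlib.sha256).digest()[:16]
        if len(ct) < 20 or not hmac.compare_digest(tag, good):
            return None
        plain = bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))
        expiry = struct.unpack(">I", plain[16:20])[0]
        return None if now > expiry else plain[:16]

def authenticate(server: RadiusServer, phone_pacs: dict, now: int) -> tuple:
    """One tunnel setup. phone_pacs maps A-ID -> (PAC-Key, PAC-Opaque) held by the phone.
    Returns (PAC-Key both ends now share, whether the slow provisioning phase ran)."""
    entry = phone_pacs.get(server.aid)            # server sends A-ID, phone picks its PAC
    pac_key = server.open_pac(entry[1], now) if entry else None
    provisioned = pac_key is None                 # missing or expired PAC: extra round trips
    if provisioned:
        pac_key, opaque = server.provision_pac(b"sep8961", now)
        phone_pacs[server.aid] = (pac_key, opaque)
    return pac_key, provisioned
```

With a 7-day lifetime the phone is pushed back through provisioning on day 8, which is the delay the guide's 90-day recommendation avoids.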
