Cisco Cisco IP Phone 8841 Designanleitung
Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide
27
• PEAP-MSCHAPv2 (Protected Extensible Authentication Protocol - Microsoft Challenge Handshake Authentication
Protocol version 2)
• 802.11r / Fast Transition (FT)
• CCKM (Cisco Centralized Key Management)
• None
WLAN Encryption
• AES (Advanced Encryption Standard)
• TKIP / MIC (Temporal Key Integrity Protocol / Message Integrity Check)
• WEP (Wired Equivalent Protocol) 40/64 and 104/128 bit
Note: Shared Key authentication is not supported.
The Cisco IP Phone 8861 and 8865 also support the following additional security features.
• Image authentication
• Device authentication
• File authentication
• Signaling authentication
• Secure Cisco Unified SRST
• Media encryption (SRTP)
• Signaling encryption (TLS)
• Certificate authority proxy function (CAPF)
• Secure profiles
• Encrypted configuration files
• Settings Access (can limit user access to configuration menus)
Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling (EAP-FAST)
Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling (EAP-FAST) encrypts EAP transactions
within a Transport Level Security (TLS) tunnel between the access point and the Remote Authentication Dial-in User Service
(RADIUS) server such as the Cisco Access Control Server (ACS) or Cisco Identity Services Engine (ISE).
The TLS tunnel uses Protected Access Credentials (PACs) for authentication between the client (the Cisco IP Phone 8861 and
8865) and the RADIUS server. The server sends an Authority ID (AID) to the client, which in turn selects the appropriate PAC.
The client returns a PAC-Opaque to the RADIUS server. The server decrypts the PAC with its master-key. Both endpoints now
have the PAC key and a TLS tunnel is created. EAP-FAST supports automatic PAC provisioning, but it must enable don the
RADIUS server.
within a Transport Level Security (TLS) tunnel between the access point and the Remote Authentication Dial-in User Service
(RADIUS) server such as the Cisco Access Control Server (ACS) or Cisco Identity Services Engine (ISE).
The TLS tunnel uses Protected Access Credentials (PACs) for authentication between the client (the Cisco IP Phone 8861 and
8865) and the RADIUS server. The server sends an Authority ID (AID) to the client, which in turn selects the appropriate PAC.
The client returns a PAC-Opaque to the RADIUS server. The server decrypts the PAC with its master-key. Both endpoints now
have the PAC key and a TLS tunnel is created. EAP-FAST supports automatic PAC provisioning, but it must enable don the
RADIUS server.
To enable EAP-FAST, a certificate must be installed on to the RADIUS server.
The Cisco IP Phone 8861 and 8865 currently support automatic provisioning of the PAC only, so enable Allow anonymous in-
band PAC provisioning on the RADIUS server as shown below.
Both EAP-GTC and EAP-MSCHAPv2 must be enabled when Allow anonymous in-band PAC provisioning is enabled.
EAP-FAST requires that a user account be created on the authentication server.
The Cisco IP Phone 8861 and 8865 currently support automatic provisioning of the PAC only, so enable Allow anonymous in-
band PAC provisioning on the RADIUS server as shown below.
Both EAP-GTC and EAP-MSCHAPv2 must be enabled when Allow anonymous in-band PAC provisioning is enabled.
EAP-FAST requires that a user account be created on the authentication server.