Cisco 7925G Administration Guide - Page 47

Chapter 2 Overview of the VoIP Wireless Network Security for Voice Communications in WLANs OL-15984-01 • Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) Authentication-This client server security architecture encrypts EAP transactions within a Transport Level Security (TLS) tunnel between the AP and the RADIUS server such as the Cisco Access Control Server (ACS). The TLS tunnel uses Protected Access Credentials (PACs) for authentication between the client (phone) and the RADIUS server. The server sends an Authority ID (AID) to the client (phone), which in turn selects the appropriate PAC. The client (phone) returns a PAC-Opaque to the RADIUS server. The server decrypts the PAC with its master-key. Both end points now have the PAC key and a TLS tunnel is created. EAP-FAST supports automatic PAC provisioning, but you must enable it on the RADIUS server. Note In the Cisco ACS, by default, the PAC expires in one week. If the phone has an expired PAC, authentication with the RADIUS server takes longer while the phone gets a new PAC. To avoid the PAC provisioning delays, set the PAC expiration period to 90 days or longer on the ACS or RADIUS server. • Extended Authentication Protocol Transport Level Security (EAP-TLS) Authentication-EAP-TLS/RFC 2716 uses the TLS protocol (RFC 2246), which is the latest IETF version of the SSL security protocol. TLS provides a way to use certificates for both user and server authentication, and for dynamic session key generation. Microsoft Windows XP provides support for 802.1x, allowing EAP authentication protocols (including EAP-TLS) to be used for authentication. The authentication used in EAP-TLS is mutual: the server authenticates the user and the user authenticates the server. Mutual authentication is required in a WLAN. EAP-TLS provides excellent security but requires client certificate management. EAP-TLS uses Public Key Infrastructure (PKI) with the following conditions: - Wireless LAN client (user machine) requires a valid certificate to authenticate to the WLAN network. - AAA server requires a "server" certificate to validate its identity to the clients. - Certificate Authority (CA) server infrastructure issues certificates to the AAA server and the clients. • Protected Extensible Authentication Protocol (PEAP) Authentication-PEAP uses server-side public key certificates to authenticate clients by creating an encrypted SSL/TLS tunnel between the client and the authentication server. • PEAP with Server Certificate Authentication-The Cisco Unified Wireless IP Phone 7925G can validate the server certificate during the authentication handshakes over an 802.11 wireless link. This functionality is disabled by default and is enabled in Cisco Unified Communications Manager Administration. The exchange of authentication information is encrypted and the user credentials are safe from eavesdropping. MS-CHAP v2 is the supported inner authentication protocol. • Light Extensible Authentication Protocol (LEAP)-Cisco proprietary password-based mutual authentication scheme between the client (phone) and a RADIUS server. Cisco Unified Wireless IP Phone 7925G can use LEAP for authentication with the wireless network. This section describes the following concepts: • Authenticated Key Management, page 2-18 • Encryption Methods, page 2-18 Cisco Unified Wireless IP Phone 7925G Administration Guide for Cisco Unified Communications Manager 7.0(1) 2-17