7921G with EAP-TLS or WPA2 experiences?

Has anyone successfully configured the 7921G to use WPA2 Enterprise with EAP-TLS?

My understanding is that WPA2 (and WPA) Enterprise support implies EAP-TLS support as one of the 5 EAP methods required by the standard.

However, there seems to be no way to install a client certificate on the 7921G and no reference to certificate operations in the product docs.

The "Auto (AKM)" option seems also to be a very random way of enabling WPA or WPA2 - with no configurable parameters except a username/password (which I assume precludes machine-based authentication).

Has anyone by chance found any decent documentation on the WLAN security features, or perhaps discovered the hard way what the phone can really support?

Thanks

migilles Sun, 08/19/2007 - 22:07

7921 doesn't support EAP-TLS. It supports LEAP and EAP-FAST for 802.1x authentication currently.

No, WPA2 support doesn't imply which 802.1x methods are supported.

AKM is authenticated key management. This is also like an auto mode, supporting CCKM, WPA, WPA2, WPA-PSK, WPA2-PSK. For CCKM, WPA and WPA2 which require 802.1x, LEAP will be used as the method.

If wanting to use WPA2 with EAP-FAST, then set the authentication mode to EAP-FAST vs AKM.

Thanks Michael. I appreciate your feedback.

Sadly the support for only LEAP and EAP-FAST methods was what I suspected.

Um, yes the Wi-Fi Alliance does mandate specific EAP types (and LEAP not EAP-FAST ain't on the list) for WPA and WPA2. See the doc at http://www.wi-fi.org/files/kc_2_Extended%20EAP%20QandA_4-12-05.pdf

To me that kinda means that the 7921 supports a "WPA/WPA2-like" scheme, which is not actually WPA/WPA2. Maybe that's just being pedantic?

802.11i *doesn't* mandate any particular EAP on the other hand.

I'm hesitant to use either of Cisco's proprietary EAPs due to bad press such as this: http://articles.techrepublic.com.com/5100-1035_11-6148557.html

I understand that we should use what the device supports and that the threats are relatively infeasible, but doesn't it concern anyone that we are being compelled to implement mechanisms for which are known to be vulnerable?

Since I'm only dealing with a small deployment of the phones (25 devices) I'm tempted to go with WPA2-PSK TKIP (to allow CCKM) and secure the provisioning process. That is, if the WPA2-PSK on the 7921s is actually *real* WPA2-PSK, and not a "reasonable facsimile".

Cheers,

Justin

migilles Mon, 08/20/2007 - 07:29

WPA and WPA2 are supported, but as mentioned before the 802.1x method must be LEAP or EAP-FAST. Recommend you to use EAP-FAST w/ CCKM if planning to go the 802.1x route.

pedro.lourenco Wed, 09/19/2007 - 01:45

Hi,

I'm implementing an enterprise solution which integrates with IAS from Microsoft via Cisco Aironet 1130 Access Points. In this case I suppose I will be unable to use LEAP or EAP-FAST, since they are Cisco proprietary.

I still didn't find out exactly how the AKM works. It really looks pretty random, as was said before.

Do you have any suggestion or, better yet, a configuration example, cookbook or documentation describing the Auto AKM method in depth.

I've tried:

1) configuring the APs with TKIP + Network EAP with mandatory and optional CCKM and apparently it didn't work. The 7921 was unable to find the SSID.

2) configuring the APs with AES + Network EAP with mandatory WPA and apparently it also didn't work. The 7921 was unable to find the SSID.

Best Regards

Pedro

Hi Pedro,

I still haven't found anything which explains the algorithm behind "Auto (AKM)", however I get the idea that it basically tells the phone to commence authentication against any SSID that matches the one configured on the phone and that advertises the WPA information element (or similar mechanism for plain EAP) in its probe response frames.

The RADIUS server (if there is one - otherwise the AP/Controller) will then advertise its supported EAP type codes in the EAPOL responses, sent via the AP. The phone should then select one of the available types corresponding to the information it has (username/password or pre-shared key).

Yes, attempting to use IAS will prevent you from playing Cisco's proprietary protocol game. This means that no EAP other than Cisco's two will work.

So, unless you like the idea of vendor lock-in, I'd suggest the next best option to go for is WPA2 PSK. It's not very scalable, but at least it's sufficiently secure at the present time.

The configuration export facility on the phone does enforce some kind of (again proprietary) encryption of the exported config, which allows you to mass-provision phones without anyone besides you having to know the shared key. This is "in theory" because I've found that the pre-shared key doesn't actually re-import correctly (firmware 1.03). If you re-type it manually after the import then it does work and the import saves you from having to enter all of the other network profile information.

The reason I think a PSK scheme is sufficient under the circumstances is because the phones would normally be limited to only interacting with the CallManager environment, where the users themselves would be authenticated individually anyway. Because the exported config containing the shared key is (theoretically) unusable on any device other than a 7921G it presents limited opportunities for an attacker. Also the advantage of gaining access to a well-isolated voice network lowers the appeal for potential attackers too.

As I've said, the disadvantage is scalability and you should consider how you will periodically rotate your pre-shared keys if you go that route. Another advantage of PSK is that it should incur more or less the same kind of roaming delays as CCKM.

I'm sure some people will disagree, but I hope this helps.

Regards,

Justin

p.s. - if you use pre-shared keys, do use WPA2 and do make your keys 63 characters in length and preferably ASCII.

Oh, and another charming characteristic of the 7921G, which probably explains the problem you are seeing:

If the phone finds the SSID and fails authentication it will move on to the next network profile - even if all the other profiles are disabled! In the phone's web GUI you will see the disabled profile marked as "Active" which indicates that the phone is sitting there spinning its wheels on unconfigured network profiles. Eventually it might get back to the original profile... I guess ;-)
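
As an added example (not from this thread or from Cisco), the passphrase advice in the p.s. worked through in Python: generate a 63-character printable-ASCII WPA2 passphrase for each key rotation, check the 8..63 printable-ASCII constraint, and derive the 256-bit PMK that both phone and AP compute from passphrase and SSID. The SSID value and the characters excluded from the alphabet are assumptions.

```python
# Added example: WPA2-PSK passphrase generation, validation and PMK derivation
# (IEEE 802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes).
import hashlib
import secrets
import string

# Printable ASCII minus quotes and backslash, which tend to break provisioning
# tools and config exports (assumption, not a requirement of the standard).
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in "\"'\\"
)


def generate_passphrase(length: int = 63) -> str:
    """Return a random printable-ASCII WPA/WPA2 passphrase; 63 is the maximum."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def validate_passphrase(passphrase: str) -> bool:
    """True if the passphrase is 8..63 characters, all printable ASCII (0x20..0x7E)."""
    return 8 <= len(passphrase) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in passphrase)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    if not validate_passphrase(passphrase):
        raise ValueError("invalid WPA passphrase")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


if __name__ == "__main__":
    # Constructed SSID for the voice WLAN; the PMK is what an attacker would
    # need to brute-force, hence the value of a full-length random passphrase.
    new_key = generate_passphrase()
    print(len(new_key), new_key)
    print(derive_pmk(new_key, "VOICE-SSID").hex())
```

Rotating the key is then just generating a new passphrase, re-deriving nothing by hand, and pushing the new value to the AP and phone profiles.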

migilles Wed, 09/19/2007 - 12:51

That is incorrect. The phone will not scan any profiles that are not enabled.

To explain AKM, this stands for auto key-management, which is the AUTO mode, which supports WPA and WPA-PSK versions 1 and 2 as well as CCKM. So as long as not using open or shared key, then can use this mode.

Will use LEAP as the 802.1x method for the non-PSK methods.

Currently the 7921 supports only the Cisco 802.1x methods (LEAP and EAP-FAST). If you want to use EAP-FAST, then set the phone to EAP-FAST, which can also support WPA, WPA2, CCKM.

For your issue of not being able to use WPA or WPA2 in AKM mode, would suggest trying open first, ensure you can at least establish connectivity to the AP, then can build up from there.

Also would check your radius server logs for failure messages, but if you are using MS radius, then probably doesn't support the Cisco 802.1x methods.

pedro.lourenco Mon, 09/24/2007 - 12:03

Hi again,

thanks for the info.

Indeed I had to give up on the EAP auth with IAS since the 7921G is closed in Cisco proprietary EAP protocols. I went with the WPA-PSK + AES.

But now I was trying to use the Nokia E65 with PEAP against the IAS (again the IAS!!!!!), but to prevent problems with latency during handover I would like to use CCKM. Sad new discovery... when I use CCKM, the WDS tries to authenticate the APs against the RADIUS server using... LEAP!!! so my question is:

Can I use CCKM integrated with IAS, or again am I in a dead end because of the proprietary LEAP protocol?

Best Regards to all,

Pedro

pedro.lourenco Tue, 09/25/2007 - 06:35

I found the answer. There is a workaround for this. Client auth in IAS and infrastructure auth in Local Radius Server of the WDS. For detailed info there is a cool TAQ Case Collection: K85415361.

Pedro

aciscolook Mon, 02/04/2008 - 18:30

I'm trying to set up a 7921 phone for EAP-FAST. I am using the WLC's Local EAP and have a user in the WLC's local Net Users database. I have the WLAN set for WPA/WPA2 and so forth and the phone set to EAP-Fast, but I am getting an 'authentication failed' on the 7921.

Do you have any ideas what may be the problem? I seem to be having trouble with local eap in general.

migilles Mon, 02/04/2008 - 21:11

Ensure you have increased the 802.1x timeout on the WLC.

Step 1 SSH or Telnet to the WLAN controller(s).

Step 2 Type "config advanced eap request-timeout 20".

Step 3 Type "save config".

Step 4 Type "y" to confirm.

There were also some bugs in the early 4.1 code, so would ensure you are using 4.1.185.0 or later.

Ensure to use firmware 1.0(5) or later for the 7921G phone.
