Cisco 7921 - Does anyone Use EAP-TLS in their VoWLAN Deployments?

kfarrington · ‎03-02-2009

Hi Guys,

I am looking at making a technology decision, in regards to VoWLAN and authentication.

For our Data Deployment, we use EAP-TLS with a PKI infrastructure and ACS. The ACS passes fields from the certs to AD for verification.

Can I do exactly the same for the Voice Deployment?

Has anyone used EAP-TLS with Voice? Are there any problems? Or should I just go ahead and get some certs minted for the phones, setup some AD accounts and whey hey, its time to party?

Many thx indeed,

Ken

migilles · ‎03-02-2009

EAP-TLS is supported on the 7921G since releases 1.1(1) and is supported on the 7925G in all releases.

The certs would have to be imported via the phone webpage. If wanting to user intalled cert, then must run the wizard for the certificate signing request in order to get signed by the CA server as well. See the 7925G Deployment Guide @ http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.pdf.

kfarrington · ‎03-03-2009

Many thx for this :)

May I ask,

Do many customer run eap-tls with the phones, or is it still the fact that most customers would run eap-fast?

We have all our PKI infra in place, but I hear that eap-tls is not widley deployed, and would want to know if we would be doing something that is not widley used?

Many thx for your help,

Ken

Leo Laohoo · ‎03-03-2009

Hi Ken,

LEAP is considered the best suited of these for VoWLAN handsets as it requires fewer network transactions for authentication and has lower CPU requirements than the other EAP mechanisms.

Hope this helps.

kfarrington · ‎03-04-2009

Many thx for the help :)

If we have a security policy that states, we must use EAP-TLS, will this cuase problems, ie, when roaming, even though we will use CCKM, will it cause stablity issues?

Many thx indeed once again,

Ken

kfarrington · ‎03-04-2009

Also, another important point with this if I may.

Where were do a CN/SAN comparison for data clients against active directory, I am assuming we could setup user accounts on AD for the phones, rather than using an internal ACS database?

Does that sound like a whacky idea?

Many thx

Ken

Leo Laohoo · ‎03-04-2009

Will EAP-TLS be supported is one question that pops into mind. The 7921/7925 can support EAP-TLS.

I am not sure how EAP-TLS will behave, in terms of chattiness over the WLAN, but how will affect your WLAN traffic if you have x amount of VoWLAN handsets roaming.

Although the argument here will be if you have N amount of VoWLAN handsets, do you honestly believe all of them will be congregated in one big room, Associated to the one-and-only AP and on the call?

My opinion ...

migilles · ‎03-04-2009

So first off LEAP is not a recommend EAP type due to the vulnerabilities. EAP-FAST was the replacement and is also easy to deploy.

We offered PEAP(MSCHAPv2) and EAP-TLS as of the 1.1(1) release.

So some customers do not want the burden of client cert management, so don't go the EAP-TLS route and go with EAP-FAST or PEAP.

CCKM is supported on all EAP types, but is not currently supported in conjunction with WPA2(AES). So would have to use WPA(TKIP) in order to utilize CCKM for now.

We support up to 27 wireless phones on call per AP at a date rate of 24 Mbps or higher.

See the 7925G Deployment Guide for more info @ http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.pdf.

kfarrington · ‎03-05-2009

Hey guys, thx so much for the responses.

So we are going to go WPA2(Tkip) with eap-tls and cckm. hahaha. Is that the right way to put it? So many factors.

I hope this works, gonna have to do a lot of testing of the wlan controllers to ensure that full backend auth does not happen and the eapol keys keys exchanged without reference to the radius server for the fastest roaming and qaulity of the voice calls :))

Will update all on the progress, and many thx for all the help (as always)

Ken :))

Christoph.Schaefers · ‎04-23-2009

Hello Ken,

what has been your experience?

We are considering using EAP-TLS with WPA2 for *machine* authentication for non MS smartphones, i.e. thus entering them on the ACS database.

I apprciate your feedback on your experience.

regards, Christoph

kfarrington · ‎04-23-2009

Hi Mate,

At the moment, we are testing the call quaility

The thing is, you have to use TKIP and should really set a session timeout of 300 secs, not ideal, as Cisco would prefer 86400 seconds, but there is a vunerability that TKIP is exposed to.

When I roam from ap to ap listening to music, you can hear the click when you roam. I will have much more info on the technical stuff in a few weeks.

At the mo, it seems to work quite well.

The only issue I have with roaming at the moment, with PMK or CCKM, is, I beleive, the keys can get screwed up and thus a small break can happen if you roam from one ap to another and then walk back in the direction of the first AP, and sometimes this causes problems.

Defo a problem with PMK, but think i may have seen it with CCKM.

Am testing further.

Please bear with me on this.

Kind regards,

Ken

kfarrington · ‎03-05-2009

Hi Michael,

So looking at the deployment guide, this is worded (imho) in a confusing manor? Sorry.

CCKM is listed under authentication, where i though CCKM is an authentication "key managment" protocol?

It also says 802.1x authentication with AES encrytion, under the authentication heading?

It says eap-tls, should this not say 802.1x eap-tls or collapse this with the 802.1x authentication?

ahh, when it says 802.1x, does that mean 802.1x dynamic wep?

Would it be correct to say, that I want to use 802.1x eap-tls with tkip and CCKM?

Sorry, this hurts :)

Thx,

Ken

Wireless Security

When deploying a wireless LAN, you must provide security. The Cisco Unified Wireless IP Phone 7921G supports the following wireless security features.

Authentication

- Cisco Centralized Key Management (CCKM)

- 802.11i (802.1x authentication + TKIP encryption)

- 802.11i (802.1x authentication + AES encryption)

- 802.11i (Pre-Shared key + TKIP encryption)

- 802.11i (Pre-Shared key + AES encryption)

- Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling (EAP-FAST)

- Extensible Authentication Protocol - Transport Layer Security (EAP-TLS)

- Protected Extensible Authentication Protocol (PEAP)

- Lightweight Extensible Authentication Protocol (LEAP)

- Open and Shared Key

Encryption

- Advanced Encryption Scheme (AES)

- Temporal Key Integrity Protocol (TKIP) / Message Integrity Check (MIC)

- 40-bit and 128-bit Wired Equivalent Protocol (WEP)

Cisco Centralized Key Management (CCKM)

When using 802.1x type authentication, you should implement CCKM for authentication. 802.1x can introduce delay during roaming due to its requirement for full re-authentication. CCKM centralizes the key management and reduces the number of key exchanges. Also, WPA introduces additional transient keys and can lengthen roaming time. TKIP encryption is recommended when using CCKM for fast roaming as CCKM does not support AES currently.

migilles · ‎03-05-2009

CCKM is fast reassociation and yes is authenticated key management type.

If you want to use CCKM with the WLAN controller, then must enable WPA and TKIP and 802.1x+CCKM for the authenticated key management type only as displayed on page 38 of the deployment guide.

http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/6_0/english/deployment/guide/7921dply.pdf

When referring to 802.1x authentication this is referring to using EAP (i.e. LEAP, EAP-FAST, PEAP, EAP-TLS).

Under the authentication section previously the phone was not WPA enterprise certified from the WiFi Allicance, so coudln't use the terms WPA or WPA2.

But yes if referring to 802.1x in the same concept as WPA, this can mean EAP+WEP.