kfarrington Tue, 08/18/2009 - 01:08

Hi mate,

This is excellent news.

Can I just ask as the deployment guide has excellent info and the CUCM security guide has some but not a great deal?

The initiall install of certs will always have to be via USB so the phone can auth onto the WLAN. Correct?

Can the CAPF function renew certs before they expire?

Many thx indeed,


migilles Tue, 08/18/2009 - 11:50

Thanks for the compliments on the DG.

Yes for certificates to be used for WLAN authentication with PEAP or EAP-TLS, they must be installed via the phone webpage, which can be done via USB or over the air.

CAPF is not used for WLAN certificates currently.

kfarrington Wed, 08/19/2009 - 04:17

Hi Michael, Can I just confirm the last statement.

Yes we will load the certs via USB etc etc on the phone, and then they will connect to the WLAN.

After that, CAPF can be used to renew certs on the wireless IP phones, correct?

Sorry if I am mis-understanding mate :)



migilles Wed, 08/19/2009 - 09:12

No can not renew WLAN certs via CAPF.

CAPF certs (LSC) are for media, signaling and tftp encryption.

Currently WLAN cert management is manual, so if planning to use EAP-TLS with user certs signed by your CA then want to ensure you set an adequate validity period.

You can also use the MIC in the phone for WLAN authentication.

That info is in the deployment guide.


This Discussion