VoWLAN with CCKM for 792x series

janesh_abey
Level 1

Hi all,

Could someone kindly confirm whether we could implement WPA2/AES, 802.1x (EAP-TLS) with CCKM for voice, please?

The 7921G deployment guide implies that this could be done. It states that "As of the 1.3(4) release, the Cisco Unified Wireless IP Phone 7921G supports CCKM with WPA2 (AES or TKIP), WPA (TKIP or AES) and 802.1x (WEP) authentication".

Any help is much appreciated.

cheers,

J

1 Accepted Solution

Accepted Solutions

802.1x (WEP) is dynamic WEP, still an encryption.

EAP-TLS is supported on the 7925, just not in conjunction with CCKM for fast roaming.

Most people do WPA2 using CCKM and EAP-FAST. Depending on your deployment size you would have either a single username/password or per device username/password. I would recommend the latter so that in case an account is compromised you don't have to touch all your phones again.

CCKM will work with WPA-TKIP; that is what was originally supported. Now with the newer firmware you can also use WPA2-AES.

The handsets will do AES, I have it on my 7921 sitting at home here.

6 Replies

blakekrone
Level 4

You should be able to use TLS, CCKM uses various EAP methods and TLS is a supported one.

Edit, I take that back. According to the guides EAP-FAST is supported (username, password) but not EAP-TLS.

If that's the case, what is the meaning of "As of the 1.3(4) release, the Cisco Unified Wireless IP Phone 7921G supports CCKM with WPA2 (AES or TKIP), WPA (TKIP or AES) and 802.1x (WEP) authentication"?

I'm more confused now :-)

Code prior to 1.3(4) only supported CCKM with WPA and not WPA2. CCKM is just a method of caching the authentication keys, so you are still using either a WPA method or 802.1x (WEP). Within the WPA method you then need an EAP type, on the 7925 phones you can use FAST. If we were using say a CB21 PCMCIA card then you could use FAST or TLS and have the benefits of CCKM.

Hi Blake,

Code prior to 1.3(4) only supported CCKM with WPA and not WPA2.

>>Ok. I can agree on that

CCKM is just a method of caching the authentication keys, so you are still using either a WPA method or 802.1x (WEP).

>>I'm not getting this. Please correct me if I got the wrong end of the stick. My understanding is that WPA is for encryption and 802.1x is for authentication. Therefore, I don't quite get what you meant by "either a WPA method or 802.1x (WEP)" as we are talking about two separate things here.

Within the WPA method you then need an EAP type, on the 7925 phones you can use FAST. If we were using say a CB21 PCMCIA card then you could use FAST or TLS and have the benefits of CCKM.

>>Based on your initial and above comments, EAP-TLS is not an option for 7925G, correct?

The confusing bit is that the data sheet, under the wireless security section, states that EAP-TLS works on the 7925.

http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/phones/ps379/ps9900/data_sheet_c78-504890.pdf

Blake, what is the best recommendation (authentication and encryption) for a VoWLAN deployment for an enterprise solution, provided that you require CCKM/OKC functionality? When you come to think of it, I'm not even sure whether the handsets are capable of doing AES due to low CPU power.

Some time back I read somewhere that CCKM will not work with WPA, and that's also working in my mind.

cheers,

Janesh

Hi Blake,

Everything is crystal clear now.

Thank you very much for taking the time to clarify my doubts.

It seems that, based on the release notes, firmware 1.3(4) supports TLS, AES with CCKM

http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/firmware/1_3_4/english/release/notes/792x_134.html#wp249493

cheers,

Janesh
