Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

7920 Secure Authentication

I'm getting ready to deploy some 7920's and want to make sure I've got some decent security. What I'd like to do is combine mac address security with a userid/password unique to the phone. (or I could live with a common one for all phones but I don't want to) I'm looking for the best security so that if some part of it is comprimised I don't have to pull all the phones back from around the country to reset id's, keys or whatever.

As best I can tell combining mac address with userid/password authentication is probably the best way to go. I've got WPA on the phones working but I'm trying to figure out how to add the mac address part. Does anyone know of a good document on the subject?

I've got various 1100/1200/1300 AP's with an ACS 3.3 server on the back end.

New Member

Re: 7920 Secure Authentication

Below are key commands to enable 802.1x w/ MAC authentication and CCKM (fast roaming).

aaa group server radius rad_eap

server auth-port 1645 acct-port 1646


aaa group server radius rad_mac

server auth-port 1645 acct-port 1646


aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods group rad_mac


dot11 ssid voice

vlan 21

authentication network-eap eap_methods mac-address mac_methods

authenticaiton key-management cckm


interface dot11radio 0

encryption vlan 21 mode ciphers tkip

ssid voice


radius-server host auth-port 1645 acct-port 1646 key X

New Member

Re: 7920 Secure Authentication

Username/password (LEAP)

MAC Authentication

Radius authentication for SSID access

You are going to require an identity to login to the phone. If that user leaves the company then you can disable that account. You maintain a list of MAC accounts for authentication. If a phone is lost or stolen, remove that account from the ACS server. The usernames will only be permitted to authenticate to the designated voice ssid in the company. And finally those usernames can't be used to authenticate on other ssids within the company.

CreatePlease login to create content