Cisco Support Community
Security on VoWLAN - 802.1x

Folks, greetings.
We are about to go for a VoWLAN deployment and we are having a hard time deciding on what security to set on the wlan, and the authentication server.
There are so many options: EAP/PEAP, EAP/LEAP, EAP/TLS, ACS, FreeRadius, NPS. Not to mention the PKI infrastructure. AD, LDAP, ....
We are digging the documentation, but it seems that there is not a common sense on what is the best balance between security, performance, manageability. We have also read that 802.1x causes problems during the roaming of the phones. Is that true? Any trick to avoid that?
What is the easiest way to deploy security on this sort of environment without having an administrative nightmare and communications or performance issues?
Can we go for Local EAP set on WLC and having only one user certificate to be rolled out on all the 7925G phones? Is it possible or is it mandatory to have as many users certificates as phone devices?
How about using the MIC preloaded on the phones; any hint on that?
I have read that WPA2/PSK/TKIP is the recommended, but I don't think the customer will want to go over all the 7925Gs to change the psk in the case of a psk leakage.
Of course we will go for a lab prior to the implementation.
Versions involved:
WLC 7.5.102 (it will be upgraded)
7925G 1.4.5.3

Any help will be highly appreciated.

Regards,

FPJ

1 REPLY
Hi FPJ,

Here is the latest 7925G deployment guide which should be followed for any directions.

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.pdf

If you are using EAP, then PEAP is the less administrative (no client certs) & provides enough security as well. Local EAP on WLC may not be scalable/flexible as WLC won't act as full RADIUS server.

You have to configure CCKM to get faster roaming experience (i.e. 802.1X + CCKM as L2 AKM suite). Below should give you an idea how roaming works in WiFi

http://mrncciew.com/2014/09/02/cwsp-802-11-roaming-basics/

HTH

Rasika

**** Pls rate all useful responses ****
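
The 802.1X + CCKM key-management setting mentioned in the reply, as an added example of AireOS WLC CLI commands (not part of the original thread or of the deployment guide). WLAN ID 1 is an assumed placeholder and WPA2 with AES is an assumed encryption policy; lines starting with `#` are annotations, not commands to type.

```text
# Assumption: the voice WLAN has ID 1; substitute the real WLAN ID.
# A WLAN must be disabled before its security policy can be changed.
config wlan disable 1

# Assumption: WPA2 with AES (CCMP) as the encryption policy.
config wlan security wpa enable 1
config wlan security wpa wpa2 enable 1
config wlan security wpa wpa2 ciphers aes enable 1

# Key management: 802.1X for full EAP authentication (e.g. PEAP against
# the RADIUS server), plus CCKM so that a roaming phone can reassociate
# without repeating the full EAP exchange at every access point.
config wlan security wpa akm 802.1x enable 1
config wlan security wpa akm cckm enable 1

# Make sure PSK key management is off on this WLAN, so a leaked shared
# key cannot be used to join it.
config wlan security wpa akm psk disable 1

config wlan enable 1

# Review the resulting security policy for the WLAN.
show wlan 1
```

In the `show wlan` output, check that the key-management entries show 802.1x and CCKM enabled and PSK disabled before testing roaming in the lab.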