Cisco 8821 Manual page 154


The Cisco Wireless IP Phone 8821 and 8821-EX utilize the following parameters defined in Cisco Unified Communications
Manager for SCEP requests.
The WLAN SCEP Server must be configured to include either the IP address or hostname of the SCEP RA.
The WLAN Root CA Fingerprint (SHA256 or SHA1) must be configured to include the fingerprint of the CA that is issuing the
certificates. If the issuing CA with which the SCEP RA is enrolled is a subordinate CA, then enter its fingerprint and not the
fingerprint of the root CA. The defined fingerprint is used to validate the received certificate.
Removing these parameters will disable SCEP.
The Cisco Wireless IP Phone 8821 and 8821-EX then send a SCEP enroll request to the SCEP RA including the phone's
Manufacturing Installed Certificate (MIC) as the Proof of Identity (POI).
The SCEP RA validates the phone's MIC using the certificate of the subordinate CA that issued the phone's MIC, then passes it
to the RADIUS server for further device authentication.
The RADIUS server validates the device and sends a response to the SCEP RA.
The SCEP RA then forwards the enroll request to the CA if RADIUS authentication was successful.
The SCEP RA receives the user certificate from the CA and sends it to the phone after it receives a poll request from the phone.
The Cisco Wireless IP Phone 8821 and 8821-EX will periodically check the user and server certificate expiration periods.
Certificate renewal will occur when the expiration date is within 50 days.
If the CA certificate used to define the WLAN Root CA Fingerprint (SHA256 or SHA1) has expired, then the phone will
send a SCEP getca request for a new CA certificate, but the admin would need to update the fingerprint in the phone's
configuration within Cisco Unified Communications Manager beforehand to match the new CA certificate so that it can be successfully
validated. The old CA certificate will then be removed if the new one is successfully received from the CA.
If the user certificate has expired, the phone will send a new SCEP enroll request to update the user certificate. The old user
certificate will then be removed if a new user certificate is successfully received from the CA.
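The fingerprint check described above for the WLAN Root CA Fingerprint parameter and for the getca renewal case can be reproduced offline before the value is entered. The following is an added example, not code from Cisco or from the phone firmware. It assumes the fingerprint is the SHA1 or SHA256 hash of the certificate's DER encoding, written as hex with optional colons or spaces; the two "certificates" are constructed placeholder bytes, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholder bytes standing in for DER-encoded certificates.
ISSUING_CA_DER = b"constructed sample: subordinate (issuing) CA certificate DER"
ROOT_CA_DER = b"constructed sample: root CA certificate DER"

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE envelope (64-character lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Return the first certificate in a PEM string as DER bytes."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Hash the whole DER encoding and return lowercase hex."""
    if algo not in ("sha1", "sha256"):
        raise ValueError("only SHA1 and SHA256 fingerprints are supported")
    return hashlib.new(algo, der).hexdigest()


def matches_pinned(pem: str, pinned: str) -> bool:
    """Check a received CA certificate against the configured fingerprint."""
    want = re.sub(r"[\s:]", "", pinned).lower()
    # The digest length tells us which algorithm the admin configured.
    algo = {40: "sha1", 64: "sha256"}.get(len(want))
    if algo is None or not re.fullmatch(r"[0-9a-f]+", want):
        raise ValueError("expected 40 (SHA1) or 64 (SHA256) hex digits")
    return hmac.compare_digest(fingerprint(pem_to_der(pem), algo), want)
```

Run `matches_pinned` against the issuing (subordinate) CA certificate, not the root, and again against the replacement CA certificate before the old one expires, so the configured value is already correct when the phone sends its getca request.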
Certificate Authority (CA) Configuration
It is recommended to use Microsoft® Certificate Authority (CA) servers.
Use the following guidelines to configure the Microsoft CA.
Create Certificate Authority and Active Directory Domain Service on Microsoft Windows server.
Enable Network Device Enrollment Service.
Make Administrator a member of the IIS_IUSRS group by going to the Member Of tab of the user property screen.
Launch Server Manager, then click Add roles.
Cisco Wireless IP Phone 8821 and 8821-EX Wireless LAN Deployment Guide