Cisco 8861 Deployment Manual
  1. Manuals
  2. Brands
  3. Cisco Manuals
  4. IP Phone
  5. 8861
  6. Deployment manual

Cisco 8861 Deployment Manual

Wireless lan ip phone
Hide thumbs Also See for 8861:
Table of Contents

Advertisement

Quick Links

See also: Administration Manual , User Manual
Cisco IP Phone 8861 and 8865
Wireless LAN Deployment Guide
The Cisco IP Phone 8861 and 8865 are adaptable for professionals that require the ability to unplug the wired network
connection and remain connected. The Wireless LAN and Bluetooth 3.0 capabilities enable mobility and cord-free
communications.
This guide provides information and guidance to help the network administrator deploy these phones in a wireless LAN
environment.

Advertisement

Table of Contents
loading

Related Manuals for Cisco 8861

Summary of Contents for Cisco 8861

  • Page 1 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide The Cisco IP Phone 8861 and 8865 are adaptable for professionals that require the ability to unplug the wired network connection and remain connected. The Wireless LAN and Bluetooth 3.0 capabilities enable mobility and cord-free communications.

  • Page 2: Revision History

    Revision History Date Comments 08/13/14 10.2(1) Release 08/17/16 11.0(1) Release 10/06/16 11.5(1) Release 08/01/17 11.7(1) Release Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 3: Table Of Contents

    Controller Settings .................................... 57 Call Admission Control (CAC) ................................ 59 RF Profiles ......................................62 FlexConnect Groups ..................................64 Multicast Direct ....................................65 QoS Profiles ...................................... 66 Advanced Settings .................................... 70 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 4 Wireless LAN Profiles ................................... 117 Cisco Unified Communications Manager Express ..........................125 Product Specific Configuration Options ............................130 Configuring the Cisco IP Phone 8861 and 8865 ..........................147 Wi-Fi Profile Configuration ................................147 Automatic Provisioning .................................. 147 Local User Interface ..................................147 Certificate Management ..................................
  • Page 5 Call Statistics ...................................... 202 Status Messages ....................................203 Restoring Factory Defaults ................................. 203 Capturing a Screenshot of the Phone Display ............................ 204 Additional Documentation ................................... 205 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 6: Cisco Ip Phone 8861 And 8865 Overview

    Through the use of unlicensed spectrum, and the inability to guarantee the delivery of messages to a WLAN device, the Cisco IP Phone 8861 and 8865 is not intended to be used as a medical device and should not be used to make clinical decisions.

  • Page 7: Requirements

    Rule of thumb is to ensure that the received signal at the access point is -67 dBm or higher. It is recommended to design the cell size to ensure that the Cisco IP Phone 8861 and 8865 can hold a signal for at least 5 seconds.

  • Page 8: Call Control

    Prior to release 11.0 of Cisco Unified Communications Manager Express, the Cisco IP Phone 8861 and 8865 are to utilize the fast track method utilizing the Cisco Unified IP Phone 9971 as the reference model (use 7975 as reference model if needing softkey template support).

  • Page 9: Access Points

    Note: Cisco Wireless LAN Controller release 8.0.121.0 or later is required if utilizing Flexconnect + Local Switching mode. Access Points Below are the Cisco access points that are supported. Any access point model that is not listed below is not supported.
  • Page 10 Note: The Cisco IP Phone 8861 and 8865 are supported with the Cisco AP3600 when the internal 802.11a/b/g/n radio is utilized, however is not supported if the 802.11ac module (AIR-RM3000AC) for the Cisco AP3600 is installed. The table below lists the modes that are supported by each Cisco Aironet access point.
  • Page 11 The Cisco Meraki MR12, MR16, and Z1 access point platforms are not certified for use with Cisco IP Phone 8861 and 8865 deployments. Note: If an access point model is not specifically listed above, then it is not supported.

  • Page 12: Protocols

    QoS Basic Service Set (QBSS) Antenna Systems Some Cisco access points require or allow external antennas. Please refer to the following URL for the list of supported antennas for Cisco Aironet access points and how these external antennas should be mounted. http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-antennas- accessories/product_data_sheet09186a008008883b.html...
  • Page 13 (Depends on region) 30 Mbps (MCS 1) OFDM - QPSK -87 dBm 45 Mbps (MCS 2) OFDM - QPSK -85 dBm 60 Mbps (MCS 3) OFDM - 16 QAM -82 dBm Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 14 -92 dBm 21 Mbps (MCS 2) OFDM - QPSK -90 dBm 29 Mbps (MCS 3) OFDM - 16 QAM -87 dBm 43 Mbps (MCS 4) OFDM - 16 QAM -83 dBm Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 15: Regulatory

    The Cisco IP Phone 8861 and 8865 will passively scan DFS channels first before engaging in active scans of those channels. If 802.11d is not enabled, then the Cisco IP Phone 8861 and 8865 can attempt to connect to the access point using reduced transmit power.

  • Page 16: Bluetooth

    Paraguay (PY) Vietnam (VN) Hungary (HU) Peru (PE) Note: Compliance information is available on the Cisco Product Approval Status web site at the following URL: http://tools.cisco.com/cse/prdapp/jsp/externalsearch.do?action=externalsearch&page=EXTERNAL_SEARCH Bluetooth The Cisco IP Phone 8861 and 8865 support Bluetooth 3.0 technology allowing for wireless headset communications.

  • Page 17: Languages

    Note: It is recommended to use 802.11a/n/ac if using Bluetooth due to 802.11b/g/n and Bluetooth both utilizing 2.4 GHz, but also due to the above limitations. Languages The Cisco IP Phone 8861 and 8865 currently support the following languages. French Polish...

  • Page 18: Cisco 8865 Video Calls

    WVGA 480p or HD 720p is the recommended video format to utilize unless higher-grade video is required when communicating with other capable endpoints. For remote users, WVGA 480p or HD 720p should be the maximum video resolution enabled in the Cisco IP Phone 8865 configuration within Cisco Unified Communications Manager.

  • Page 19: Wireless Lan Design

    802.11a/n/ac environment, which allows for seamless roaming. For critical areas, it is recommended to increase the overlap (30% or more) to ensure that there can be at least 2 access points available with -67 dBm or better, while the Cisco IP Phone 8861 and 8865 also meet the access point’s receiver sensitivity (required signal level for the current data rate).

  • Page 20: Ghz (802.11B/G/N)

    22 MHz of separation and are at least 5 channels apart. There are only 3 non-overlapping channels in the 2.4 GHz frequency range (channels 1, 6, 11). Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 21: Signal Strength And Coverage

    Signal Strength and Coverage To ensure acceptable voice quality, the Cisco IP Phone 8861 and 8865 should always have a signal of -67 dBm or higher when using 5 GHz or 2.4 GHz, while the Cisco IP Phone 8861 and 8865 also meet the access point’s receiver sensitivity required signal level for the transmitted data rate.
  • Page 22 802.11a/n/ac for voice and use 802.11b/g/n for data. However there are products that also utilize the non-licensed 5 GHz frequency (e.g. 5.8 GHz cordless phones, which can impact UNII-3 channels). Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 23 The Cisco Unified Network Control System (NCS) can be utilized to verify signal strength and coverage. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 24: Data Rates

    The Cisco IP Phone 8861 and 8865 both have a single antenna, therefore it supports up to MCS 7 data rates for 802.11n (up t to 150 Mbps) and up to MCS 9 data rates for 802.11ac (up to 433 Mbps).

  • Page 25: Rugged Environments

    Due to the potential of elevated multipath in rugged environments, the transmit power of the access point and Cisco IP Phone 8861 and 8865 should also be restricted. This is more important if planning to deploy 2.4 GHz in a rugged environment.
  • Page 26 Need to ensure that DSCP values are preserved throughout the wired network, so that the WMM UP tag for voice, video, and call control frames can be set correctly. Beamforming If using Cisco 802.11n capable access points, then Beamforming (ClientLink) should be enabled, which can help with client reception. Multipath Multipath occurs when RF signals take multiple paths from a source to a destination.

  • Page 27: Security

    TKIP / MIC (Temporal Key Integrity Protocol / Message Integrity Check) • WEP (Wired Equivalent Protocol) 40/64 and 104/128 bit Note: Shared Key authentication is not supported. The Cisco IP Phone 8861 and 8865 also support the following additional security features. • Image authentication •...

  • Page 28: Extensible Authentication Protocol - Flexible Authentication Via Secure Tunneling (Eap-Fast)

    To enable EAP-FAST, a certificate must be installed on to the RADIUS server. The Cisco IP Phone 8861 and 8865 currently support automatic provisioning of the PAC only, so enable Allow anonymous in- band PAC provisioning on the RADIUS server as shown below.

  • Page 29: Extensible Authentication Protocol - Transport Layer Security (Eap-Tls)

    PAC provisioning is enabled. Ensure that the Cisco IP Phone 8861 and 8865 has connected to the network during the grace period to ensure it can use its existing PAC created either using the active or retired master key in order to get issued a new PAC.

  • Page 30: Protected Extensible Authentication Protocol (Peap)

    PEAP requires that a user account be created on the authentication server. The authentication server can be validated via importing a certificate into the Cisco IP Phone 8861 and 8865. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 31: Eap And User Database Compatibility

    For more information on Cisco Secure Access Control System (ACS) and Cisco Identity Services Engine (ISE), refer to the following links. http://www.cisco.com/c/en/us/products/security/secure-access-control-system/datasheet-listing.html http://www.cisco.com/c/en/us/products/security/identity-services-engine/datasheet-listing.html EAP and User Database Compatibility The following chart displays the EAP and database configurations supported by the Cisco IP Phone 8861 and 8865.

  • Page 32: Call Admission Control (Cac)

    If the AP sends an ADDTS successful message then the Cisco IP Phone 8861 or 8865 establishes the call. If the access point rejects the call and the Cisco IP Phone 8861 or 8865 has no other access point to roam to, then the phone will display Network Busy.

  • Page 33: Qos Basic Service Set (Qbss)

    There are three different versions of QoS Basic Service Set (QBSS) that the Cisco IP Phone 8861 and 8865 support. The first version from Cisco was on a 0-100 scale and was not based on clear channel assessment (CCA), so it does not account for channel utilization, but only the 802.11 traffic traversing that individual access point’s radio.

  • Page 34: Roaming

    Roaming The Cisco IP Phone 8861 and 8865 default to Auto for the 802.11 mode, which allows the Cisco IP Phone 8861 and 8865 to connect to either 5 GHz or 2.4 GHz and enables interband roaming support.

  • Page 35: Fast Secure Roaming (Fsr)

    RSSI, which results in seamless roaming (no voice interruptions). For seamless roaming to occur, the Cisco IP Phone 8861 and 8865 must be associated to an access point for at least 3 seconds, otherwise roams can occur based on packet loss (max tx retransmissions or missed beacons).

  • Page 36: Interband Roaming

    At power on, the Cisco IP Phone 8861 and 8865 will scan all 2.4 and 5 GHz channels when in Auto mode, then attempt to associate to an access point for the configured network if available.

  • Page 37: Call Capacity

    DTPC prevents one-way audio when RF traffic is heard in one direction only. If the access point does not support DTPC, then the Cisco IP Phone 8861 and 8865 will use the highest available transmit power depending on the current channel and data rate.
  • Page 38 (20 MHz Channels) Bluetooth Disabled 3-11 802.11a/n or MCS 1 - MCS 7 G.722 / 64 Kbps 1000 Kbps HD 720p 1280 x 720 802.11g/n + G.711 (40 MHz Channels) Bluetooth Disabled Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 39: Multicast

    When enabling multicast in the wireless LAN, performance and capacity must be considered. If there is an associated client that is in power save mode, then all multicast packets will be queued until the DTIM period. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 40: Configuring The Cisco Wireless Lan

    The Cisco IP Phone 8861 and 8865 utilize active mode primarily, but if there is an associated client that is in power save mode, then all multicast packets will be queued until the DTIM period. With multicast, there is no guarantee that the packet will be received the by the client.

  • Page 41: 802.11 Network Settings

    Set the 802.1p tag to 5 for the Platinum QoS profile 802.11 Network Settings It is recommended to have the Cisco IP Phone 8861 and 8865 operate on the 5 GHz band only due to have many channels available and not as many interferers as the 2.4 GHz band has.
  • Page 42 For releases prior to 7.2.103.0, ClientLink can be enabled globally via the 802.11 Global Parameters section or on individual access points via the access point’s 802.11 radio configuration page. As of release 7.2.103.0, ClientLink is no longer configurable via the Cisco Wireless LAN Controller’s web interface and is only configurable via command line.
  • Page 43 Enabled Auto RF (RRM) When using the Cisco Wireless LAN Controller it is recommended to enable Auto RF to manage the channel and transmit power settings. Configure the access point transmit power level assignment method for either 5 or 2.4 GHz depending on which frequency band is to be utilized.
  • Page 44 The 5 GHz channel width can be configured for 20 MHz or 40 MHz if using Cisco 802.11n Access Points and 20 MHz, 40 MHz, or 80 MHz if using Cisco 802.11ac Access Points.
  • Page 45 This may be necessary if there is an intermittent interferer present in an area. The 5 GHz channel width can be configured for 20 MHz or 40 MHz if using Cisco 802.11n Access Points and 20 MHz, 40 MHz, or 80 MHz if using Cisco 802.11ac Access Points.

  • Page 46: Client Roaming

    In the DFS (802.11h) configuration, channel announcement and quiet mode should be enabled. Power Constraint should be left un-configured or set to 0 dB as DTPC will be used by the Cisco IP Phone 8861 and 8865 to control the transmission power.
  • Page 47 Ensure that WMM is enabled and WPA2(AES) is configured in order to utilize 802.11n/ac data rates. The Cisco IP Phone 8861 and 8865 support HT MCS 0 - MCS 7 and VHT MCS 0 - MCS 9 data rates only, but higher MCS rates can optionally be enabled if there are other 802.11n/ac clients utilizing the same band frequency that include MIMO...
  • Page 48 User Priority 0, 4, 5 = Enabled User Priority 1, 2, 3, 6, 7 = Disabled Use the following commands to configure the A-MPDU and A-MSDU settings per the Cisco IP Phone 8861 and 8865 recommendations. In order to configure the 5 GHz settings, the 802.11a network will need to be disabled first, then re-enabled after the changes are complete.
  • Page 49 Priority 4....... Enabled Priority 5....... Enabled Priority 6....... Disabled Priority 7....... Disabled CleanAir CleanAir should be Enabled when utilizing Cisco access points with CleanAir technology in order to detect any existing interferers. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 50 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 51: Wlan Settings

    However, if there is an existing SSID configured to support voice capable Cisco Wireless LAN endpoints already, then that WLAN can be utilized instead. The SSID to be used by the Cisco IP Phone 8861 and 8865 can be configured to only apply to a certain 802.11 radio type (e.g. 802.11a only).
  • Page 52 802.1x, CCKM and/or PSK may also be enabled if wanting to utilize the same SSID for various type of voice clients, where some clients do not support 802.11r (FT) depending on whether 802.1x or PSK is being utilized. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 53 To utilize CCKM for fast secure roaming, enable WPA2 policy with AES encryption and 802.1x + CCKM for authenticated key management type. The WMM policy should be set to Required only if the Cisco IP Phone 8861 and 8865 or other WMM enabled phones will be using this SSID.
  • Page 54 The Maximum Allowed Clients Per AP Radio can be configured as necessary. Off Channel Scanning Defer can be tuned to defer scanning for certain queues as well as the scan defer time. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 55 It is recommended to set Re-anchor Roamed Voice Clients to disabled as this can cause brief interruptions with wireless LAN connectivity when a call is terminated after performing an inter-controller roaming. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 56 On the RF Profile tab, select the desired 802.11a or 802.11b RF Profile, then select Apply. If changes are made after access points have joined the AP Group, then those access points will reboot once those changes are made. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 57: Controller Settings

    Controller Settings Ensure the Cisco Wireless LAN Controller hostname is configured correctly. Enable Link Aggregation (LAG) if utilizing multiple ports on the Cisco Wireless LAN Controller. Configure the desired AP multicast mode. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 58 If utilizing multicast, then Enable Global Multicast Mode and Enable IGMP Snooping should be enabled. If utilizing layer 3 mobility, then Symmetric Mobility Tunneling should be Enabled. In the recent versions, Symmetric Mobility Tunneling is enabled by default and non-configurable. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 59: Call Admission Control (Cac)

    When multiple Cisco Wireless LAN Controllers are to be in the same mobility group, then the IP address and MAC address of each Cisco Wireless LAN Controller should be added to the Static Mobility Group Members configuration. Call Admission Control (CAC) It is recommended to enable Admission Control Mandatory for Voice and configure the maximum bandwidth and reserved roaming bandwidth percentages for either 5 or 2.4 GHz depending on which frequency band is to be utilized.
  • Page 60 If the Cisco IP Phone 8861 and 8865 uses TCP for SIP communications and the channel is busy where another call can not be allowed, then the Cisco IP Phone 8861 and 8865 could potentially lose registration to the Cisco Unified Communications Manager if SIP CAC is enabled.
  • Page 61 Ensure QoS is setup correctly under the WLAN configuration, which can be displayed by using the following command. (Cisco Controller) >show wlan <WLAN id> Quality of Service....... Platinum (voice) WMM..........Allowed Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 62: Rf Profiles

    RF Profiles can be created to specify which frequency bands, data rates, RRM settings, etc. a group of access points should use. It is recommended to have the SSID used by the Cisco IP Phone 8861 and 8865 to be applied to 5 GHz radios only.
  • Page 63 6 Mbps to be enabled as a mandatory (basic) rate. On the RRM tab, the Maximum Power Level Assignment and Minimum Power Level Assignment settings as well as other DCA, TPC, and Coverage Hole Detection settings can be configured. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 64: Flexconnect Groups

    If utilizing 802.11r (FT) or CCKM, then seamless roams can only occur when roaming to access points within the same FlexConnect Group. The maximum number of access points allowed per FlexConnect Group is limited, which is WLC model specific. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 65: Multicast Direct

    In the Media Stream settings, Multicast Direct feature should be enabled. After Multicast Direct feature is enabled, then there will be an option to enable Multicast Direct in the QoS menu of the WLAN configuration. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 66: Qos Profiles

    Configure the four QoS profiles (Platinum, Gold, Silver, Bronze), by selecting 802.1p as the protocol type and set the 802.1p tag for each profile. • Platinum = 5 • Gold = 4 • Silver = 2 • Bronze = 1 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 67 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 68 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 69 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 70: Advanced Settings

    Need to ensure that the advanced EAP settings in the Cisco Wireless LAN Controller are configured per the information below. To view the EAP configuration on the Cisco Wireless LAN Controller, telnet or SSH to the controller and enter the following command.
  • Page 71 EAP-Broadcast Key Interval....... 3600 If using 802.1x or WPA/WPA2, the EAP-Request Timeout on the Cisco Wireless LAN Controller should be set to at least 20 seconds. In later versions of Cisco Wireless LAN Controller software, the default EAP-Request Timeout was changed from 2 to 30 seconds.
  • Page 72 CCKM Timestamp Tolerance The default CCKM timestamp tolerance is set to 1000 ms. It is recommended to adjust the CCKM timestamp tolerance to 5000 ms to optimize the Cisco IP Phone 8861 and 8865 roaming experience. (Cisco Controller) >config wlan security wpa akm cckm timestamp-tolerance ? <tolerance>...

  • Page 73: Cisco Meraki Access Points

    To change the TKIP countermeasure holdoff time on the Cisco Wireless LAN Controller, telnet or SSH to the controller and enter the following command specifying the number of seconds and WLAN ID. (Cisco Controller) >config wlan security tkip hold-down <nseconds> <wlan-id>...

  • Page 74: Creating The Wireless Network

    Cisco Meraki access points can be claimed either by specifying the serial number or order number. Once claimed, those Cisco Meraki access points will then be listed in the available inventory. Cisco Meraki access points can be claimed either by selecting Claim on the Create network or Organization > Configure > Inventory pages.
  • Page 75 Once claimed, Cisco Meraki access points can be added to the desired wireless network via the Organization > Configure > Inventory page. Access points can also be added to a wireless network by selecting Add APs on the Wireless > Monitor > Access points page.

  • Page 76: Ssid Configuration

    To create a SSID, select the desired network from the drop-down menu then select Wireless > Configure > SSIDs. It is recommended to have a separate SSID for the Cisco IP Phone 8861 and 8865; data clients and other type of clients should utilize a different SSID and VLAN.
  • Page 77 If WPA2-Enterprise is enabled where the Cisco Meraki authentication server will be utilized as the RADIUS server, then a user account must be created on the Network-wide > Configure > Users page, which the Cisco IP Phone 8861 and 8865 will be configured to use for 802.1x authentication.
  • Page 78 8865 can be configured as necessary. It is recommended to select 5 GHz band only to have the Cisco IP Phone 8861 and 8865 operate on the 5 GHz band due to have many channels available and not as many interferers as the 2.4 GHz band has.

  • Page 79: Radio Settings

    802.11ac capable. The Default 5 GHz channel width can also be set to use 20 MHz or 40 MHz. It is recommended to utilize the same channel width for all access points. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 80 Note: Cisco Meraki access points do not support Dynamic Transmit Power Control (DTPC), therefore the Cisco IP Phone 8861 and 8865 will utilize the maximum transmit power supported for the current channel and data rate.

  • Page 81: Traffic Shaping

    Once Shape traffic on this SSID has been applied, then select Create a new rule to define Traffic shaping rules. By default, Cisco Meraki access points currently tag voice frames marked with DSCP EF (46) as WMM UP 5 instead of WMM UP 6 and call control frames marked with DSCP CS3 (24) as WMM UP 3 instead of WMM UP 4.

  • Page 82: Cisco Autonomous Access Points

    Set IGMP Snooping to Enabled 802.11 Network Settings It is recommended to have the Cisco IP Phone 8861 and 8865 operate on the 5 GHz band only due to have many channels available and not as many interferers as the 2.4 GHz band has.
  • Page 83 This may be necessary if there is an intermittent interferer present in an area. The 5 GHz channel width can be configured for 20 MHz or 40 MHz if using Cisco 802.11n Access Points and 20 MHz, 40 MHz, or 80 MHz if using Cisco 802.11ac Access Points.
  • Page 84 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 85 Mbps to be enabled as a mandatory (basic) rate. If 802.11b clients exist, then 11 Mbps should be set as the mandatory (basic) rate and 12 Mbps and higher as supported (optional). Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 86: Wlan Settings

    However, if there is an existing SSID configured to support voice capable Cisco Wireless LAN endpoints already, then that WLAN can be utilized instead. The SSID to be used by the Cisco IP Phone 8861 and 8865 can be configured to only apply to a certain 802.11 radio type (e.g. 802.11a only).
  • Page 87 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 88 Ensure that Public Secure Packet Forwarding (PSPF) is not enabled for the voice VLAN as this will prevent clients from communicating directly when associated to the same access point. If PSPF is enabled, then the result will be no way audio. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 89 Ensure AES is selected for encryption type. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 90 Configure the RADIUS servers to be used for authentication and accounting. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 91 Wireless Domain Services (WDS) Wireless Domain Services should be utilized in the Cisco Autonomous Access Point environment, which is also required for fast secure roaming. Select one access point to be the primary WDS server and another to be the backup WDS server.
  • Page 92 For the native VLAN, it is recommended to not use VLAN 1 to ensure that IAPP packets are exchanged successfully. Port security should be disabled on switch ports that Cisco Autonomous Access Points are directly connected to. Server groups for Wireless Domain Services must be defined.
  • Page 93 Then, define the server group to be used for client authentication. Will need to ensure that all access points with Wireless Domain Services enabled are configured in the RADIUS server. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 94 Define the user account in which access points will be configured for to authenticate to the Wireless Domain Services enabled access point. Configure local RADIUS on each access point participating in Wireless Domain Services. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 95 If using a single WDS server, then can specify the IP address of the WDS server; otherwise enable Auto Discovery. Enter the Username and Password to be used to authenticate to the WDS server. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 96: Call Admission Control (Cac)

    WDS server. Call Admission Control (CAC) Load-based CAC and support for multiple streams are not present on the Cisco Autonomous Access Points therefore it is not recommended to enable CAC on Cisco Autonomous Access points.

  • Page 97: Qos Policies

    If enabling Admission Control for Voice or for Video on the Cisco Autonomous Access Point, the admission must be unblocked on the SSID as well. In recent releases, the admission is unblocked by default. dot11 ssid voice vlan 3 authentication open eap eap_methods...
  • Page 98 To enable QBSS, select Enable and check Dot11e. If Dot11e is checked, then both CCA versions (802.11e and Cisco version 2) will be enabled. Ensure IGMP Snooping is enabled. Ensure Wi-Fi MultiMedia (WMM) is enabled. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 99 If the Stream feature is enabled, ensure that only voice packets are being put into the voice queue. Signaling packets (SIP) should be put into a separate queue. This can be ensured by setting up a QoS policy mapping the DSCP to the correct queue. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 100: Power Management

    Proxy ARP can optimize idle battery life, by answering any ARP requests on behalf of the phone. To enable Proxy ARP, set Client ARP Caching to Enable. Also ensure that Forward ARP Requests to Radio Interfaces When Not All Client IP Addresses Are Known is checked. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 101: Advanced Settings

    (default = 60 seconds). To change the TKIP countermeasure holdoff time on the Cisco Autonomous Access Point, telnet or SSH to the access point and enter the following command specifying the number of seconds and WLAN ID.
  • Page 102 1D0E0416 0414FC2F E6CF0EE0 380A4011 3814595D 596E3EA6 84DA300D 06092A86 4886F70D 01010505 00038181 0053F55B 5EBB1FE2 C849BC45 47D0E710 0200404E A8B174BC A46EB56A 857166C3 B9FD71DF 7264F5AF DC804A67 16BD35A2 4F39AFD7 0BD24F71 BAF916AC E984343C A54B7395 E5D15237 8897D436 A150BFB2 DC23E8D3 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 103 1 source-learning no bridge-group 1 unicast-flooding interface Dot11Radio1 no ip address encryption vlan 2 mode ciphers aes-ccm encryption vlan 3 mode ciphers aes-ccm ssid data ssid voice antenna gain 0 peakdetect Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 104 1 subscriber-loop-control bridge-group 1 spanning-disabled bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding interface GigabitEthernet0 no ip address duplex auto speed auto interface GigabitEthernet0.2 encapsulation dot1Q 2 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 105 7 <REMOVED> wlccp ap wds ip address 10.9.0.9 wlccp authentication-server infrastructure method_WDS wlccp authentication-server client eap method_Clients wlccp authentication-server client leap method_Clients wlccp wds priority 255 interface BVI1 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 106: Configuring Cisco Call Control

    Cisco Unified Communications Manager offers many different phone, call and security features. When adding the Cisco IP Phone 8861 or 8865 to the Cisco Unified Communications Manager it must be provisioned using the Ethernet MAC address as the Wireless LAN MAC is used for Wi-Fi connectivity only.

  • Page 107: Phone Button Templates

    Phone Button Templates When creating a new Cisco IP Phone 8861 or 8865, a Phone Button Template must be configured. Custom phone button templates can be created with the option for many different features, which can then be applied on a device or group level.

  • Page 108: Security Profiles

    The Certificate Authority Proxy Function (CAPF) must be operational in order to utilize a Locally Signed Certificate (LSC) with a security profile. The Cisco IP Phone 8861 and 8865 have a Manufacturing Installed Certificate (MIC), which can be utilized with a security profile as well.

  • Page 109: Sip Profiles

    When creating a new Cisco IP Phone 8861 or 8865, a SIP Profile must be configured. It is recommended to create a custom SIP Profile for the Cisco IP Phone 8861 and 8865 EX (do not use the Standard SIP Profile or Standard SIP Profile for Mobile Device).
  • Page 110 (default = 120) Timer Subscribe Delta (seconds) = (default = 5) Ensure SIP Station KeepAlive Interval at System > Service Parameters > Cisco CallManager remains configured for 120 seconds. Custom 8861 SIP Profile Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 111 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 112: Common Settings

    Wireless LAN and Bluetooth are enabled by default for the Cisco IP Phone 8861 and 8865. Wireless LAN is automatically disabled temporarily when Ethernet is connected to the Cisco IP Phone 8861 or 8865, but will be automatically re-enabled once Ethernet is disconnected if Wireless LAN was enabled previously.

  • Page 113: Qos Parameters

    Advertise G.722 and iSAC Codecs to Disabled. Audio and Video Bit Rates The audio and video bit rate can be configured by creating or editing existing Regions in the Cisco Unified Communications Manager. It is recommended to select G.722 or G.711 for the audio codec.
  • Page 114 The value configured will determine the resolution of the transmitted video stream from the Cisco IP Phone 8865. The Cisco IP Phone 8865 can receive up to HD 720p video depending on the remote device’s capabilities, where the region settings configuration is factored in.

  • Page 115: Video Capabilities

    1360-2500 Kbps Video Capabilities In order for the Cisco IP Phone 8865 to send and receive video, that capability must be enabled in the Cisco Unified Communications Manager. The Video Capabilities option is set to Enabled by default, but ensure it remains enabled in the phone’s configuration within the Product Specific Configuration Layout section.
  • Page 116 If the Cisco IP Phone 8861 or 8865 is currently connected to a network and is unable to connect to the Cisco Unified Communications Manager then it can attempt to establish a VPN session automatically if a VPN profile is configured.

  • Page 117: Wireless Lan Profiles

    Profile data is not passed down to the Cisco IP Phone 8861 and 8865 in clear text via TFTP. • Once the security profile has been created, it then needs to be applied to the Cisco IP Phone 8861 and 8865 to enable TFTP encryption for that Cisco IP Phone 8861 and 8865’ configuration files.
  • Page 118 • To create a Wireless LAN Profile, navigate to Device > Device Settings > Wireless LAN Profile within the Cisco Unified Communications Manager’s Administration interface. • From the Wireless LAN Profile page, select Add New. • A Wireless LAN Profile can then be created where the Name, Description, Wireless Settings (SSID, Frequency Band, User Modifiable), and Authentication Settings are specified.
  • Page 119 Disallowed - The user is unable to change any Wireless LAN settings. • Restricted - The user is only able to change certain Wireless LAN settings (e.g. Username and Password). Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 120 If Provide Shared Credentials is not checked, then the Username and Password will need to be configured locally on the Cisco IP Phone 8861 and 8865 by the admin or user. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 121 • If Provide Shared Credentials is checked, then the specified Username and Password will be utilized for all Cisco IP Phone 8861 and 8865 that utilize this Wireless LAN Profile. • Up to 64 characters can be entered for the Username and Password.
  • Page 122 Select Save once the Wireless LAN Profile configuration is complete. • The Cisco IP Phone 8861 and 8865 do not support the Network Access Profile option. • To create a Wireless LAN Profile Group, navigate to Device > Device Settings > Wireless LAN Profile Group within the Cisco Unified Communications Manager’s Administration interface.
  • Page 123 • Select Save once the Wireless LAN Profile Group configuration is complete. • Once the Wireless LAN Profile Group has been created, it can be applied to a Device Pool or an individual Cisco IP Phone 8861 and 8865. •...
  • Page 124 • To apply a Wireless LAN Profile Group to an individual Cisco IP Phone 8861 and 8865, navigate to Device > Phone within the Cisco Unified Communications Manager’s Administration interface. • Navigate to the desired Cisco IP Phone 8861 and 8865, configure the Wireless LAN Profile Group then select Save.

  • Page 125: Cisco Unified Communications Manager Express

    Note: The Cisco IP Phone 8861 and 8865 currently do not support use of the LSC (Locally Significant Certificate) as the User Certificate for EAP-TLS. Cisco Unified Communications Manager Express Prior to release 11.0 of Cisco Unified Communications Manager Express, the Cisco IP Phone 8861 and 8865 are to utilize the fast track method utilizing the Cisco Unified IP Phone 9971 as the reference model (use 7975 as reference model if needing softkey template support).
  • Page 126 716B441C 9389C987 612BBBEA 7B9E30CB 4BAF41A7 0F0DB51D E4F45FB2 F8A139B3 70DF1E94 A7EE4F81 B08E3F21 C0743E56 59D42988 D7FAB957 FADBBFE0 A77F404F 634BDD93 87559D1D CCA93BCA 87899A98 C151CF62 EF183C8E CB2C9DFC 71F45AE0 92A26FBF CBA7FA2B F9C5DB6D EEC936 quit voice-card 0 voice service voip Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 127 2 number 1102 name 8865 label 1102 voice register pool 1 busy-trigger-per-button 2 id mac 6C99.8984.B7E5 session-transport tcp type 8861 number 1 dn 1 dtmf-relay rtp-nte username 8861 password <REMOVED> Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 128 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 129 0 4 privilege level 15 transport input telnet ssh line vty 5 15 privilege level 15 transport input telnet ssh scheduler allocate 20000 1000 ntp source GigabitEthernet0/0 ntp server 10.0.0.2 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 130: Product Specific Configuration Options

    Phone 8861 and 8865. For a description of these options, click ? at the top of the configuration page. Product specific configuration options can be configured in bulk via the Bulk Admin Tool if using Cisco Unified Communications Manager. Some of the product specific configuration options can be configured on an enterprise phone, common phone profile or individual phone configuration level.
  • Page 131 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 132 PC that requires monitoring of the phones traffic. These could include monitoring and recording applications and use of network monitoring software for analysis purposes. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 133 Notice. Notice: WHILE POWER SAVE PLUS MODE (THE "MODE") IS IN EFFECT, ENDPOINTS CONFIGURED FOR THE MODE ARE DISABLED FOR EMERGENCY CALLING AND Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 134 Administration product specific configuration fields that enable and configure Power Save Plus mode, and the help text for each field. Table: Unified CM Administration Configuration Fields for Power Save Plus Field Label Help Text Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 135 Absence of pfs or base,pfs will be set to the default value 0 and base will be set to the default value 7. Cisco Discover Protocol (CDP): Allows administrator to enable or disable Cisco Discovery Protocol (CDP) on the Switch Port switch port.
  • Page 136 Indicates that the phone will use an alternative server to obtain firmware loads and upgrades, rather than the defined TFTP server. This option enables you to indicate a local server to be used for firmware upgrades, which can assist in Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 137 Specifies an IPv6 address and port of a remote system where log messages are sent. The format is:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]:ppppp@@options. Options will be format as base=x;pfs=y; base value range is 0~7,pfs value range is 0~1.And Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 138 Run the pre-defined debug command remotely. Advertise G.722 and iSAC Codecs Indicates whether Cisco IP Phones will advertise the G.722 codec to Cisco Unified CallManager. Codec negotiation involves two steps: first, the phone must advertise the supported codec(s) to Cisco Unified CallManager (not all endpoints support the same set of codecs).
  • Page 139 SHA256 fingerprint or every 2, 4, or 8 hexadecimal characters for a SHA1 fingerprint. WLAN Authentication Attempts This parameter specifies the number of authentication attempts when there is explicit failure due to invalid credentials. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 140 This is to set the video stop port. XML Syntax To configure product specific configuration options for the Cisco IP Phone 8861 and 8865 with Cisco Unified Communications Manager Express, add the necessary options under telephony-service. service phone <module> <value>...
  • Page 141 20-1440 (Default = 60) Enable Audible Alert enableAudibleAlert false = Disabled true = Enabled EnergyWise Domain energyWiseDomain Up to 127 character string EnergyWise Secret energyWiseSecret Up to 127 character string Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 142 802.1x Authentication eapAuthentication 0 = User Controlled 1 = Disabled 2 = Enabled Automatic Port PortAutoLinkSync 0 = Disabled Synchronization 1 = Enabled Switch Port Remote SWRemoteConfig 0 = Disabled Configuration Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 143 Record Call Log From Shared logCallFromSharedLine 0 = Disabled Line 1 = Enabled Minimum Ring Volume minimumRingVolume 0 = Silent 1 = Volume Level 1 2 = Volume Level 2 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 144 0 = Enabled 1 = Disabled Bluetooth bluetooth 0 = Disabled 1 = Enabled btpbap 0 = Disabled Allow Bluetooth Contacts Import 1 = Enabled Allow Bluetooth Mobile bthfu 0 = Disabled Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 145 0 = Normal Connection Failure 1 = Delayed Power Negotiation powerNegotiation 0 = Disabled 1 = Enabled Provide Dial Tone from dialToneFromReleaseKey 0 = Disabled Release Button 1 = Enabled Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 146 Up to 95 character string (SHA256 or SHA1) WLAN Authentication wlanAuthAttempts 1 = 1 Attempts 2 = 2 3 = 3 WLAN Profile 1 Prompt Mode promptMode1 0 = Disabled Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 147: Configuring The Cisco Ip Phone 8861 And 8865

    > Network setup > Wi-Fi client setup. Wi-Fi Profile Configuration To configure the Wi-Fi settings on the Cisco IP Phone 8861 and 8865, either use an Ethernet network to connect to a Cisco Unified Communications Manager or use the local user interface and keypad.
  • Page 148 The key management and encryption type (cipher) will be auto-configured based on the access point’s current configuration, where precedence is giving to the strongest key management type enabled (e.g. WPA2) then the strongest cipher enabled (e.g. AES). Security Mode 802.1x Type Key Management Encryption Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 149 Only key index 1 is supported, so will want to ensure that only key index 1 is configured on the access point. Select Save after making the necessary changes. Key Style Key Size Characters ASCII 40/64 bit ASCII 104/128 bit 40/64 bit 10 (0-9, A-F) 104/128 bit 26 (0-9, A-F) Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 150 The root CA certificate of the CA chain that issues the RADIUS server certificates can optionally be installed either manually via the admin webpage or via SCEP if wanting to use PEAP with server validation. Server validation is automatically enabled once a server certificate is installed. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 151 EAP-TLS. Server validation is automatically enabled once a server certificate is installed. • Select one of the following 802.11 modes to set the frequency band, then Save. • Auto • 2.4 GHz • 5 GHz Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 152 It is recommended to set the frequency band on the Cisco IP Phone 8861 and 8865 to 5 GHz when wanting to utilize the 5 GHz frequency band only, which prevents scanning and potentially roaming to the 2.4 GHz frequency band.

  • Page 153: Certificate Management

    Certificate Management The Cisco IP Phone 8861 and 8865 can utilize X.509 digital certificates for EAP-TLS or to enable Server Validation when using PEAP-GTC or PEAP-MSCHAPV2. A User Certificate and/or Server Certificate can be installed either automatically via Simple Certificate Enrollment Protocol (SCEP) or manually via the phone’s admin webpage interface (https://x.x.x.x:8443).

  • Page 154: Manual Installation

    The temporary password will no longer be available once the phone registers to Cisco Unified Communications Manager. The admin webpage interface will be Disabled on the phone once it registers to Cisco Unified Communications Manager regardless if it contains support for the Web Admin and Admin Password options.
  • Page 155 Select Browse to point to the user certificate in PKCS #12 format (.p12 or .pfx). Enter the Extract password (up to 12 characters), then select Upload. Ensure the CA chain that issued the user certificate is added to the RADIUS server’s trust list. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 156 Will need to restart the Cisco IP Phone 8861 or 8865 after all certificates are installed. Server Certificate The root CA certificate that issued the RADIUS server’s certificate must be installed for EAP-TLS or to enable Server Validation for PEAP-GTC or PEAP-MSCHAPV2.

  • Page 157: Simple Certificate Enrollment Protocol (Scep)

    SCEP is the standard for automatically provisioning and renewing certificates avoiding manual installation and re-installation of certificates on clients. A Cisco IOS Registration Agent (RA) (e.g. Cisco IOS router) can serve as a proxy (e.g. SCEP RA) to the SCEP enabled CA that is to issue certificates.
  • Page 158 Add the Network Device Enrollment Service role service. • In the Add Roles Wizard, on the Select Role Services page, select the Network Device Enrollment Service check box, then click Next. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 159 Click Yes to continue the installation. • Click User Account under Role Services and then click Select User…. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 160 • Type in Administrator as the user name, then enter the password. • Enter the Registration Authority information. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 161 • Select Microsoft Strong Cryptographic Provider for Signature Key CSP and Encryption key CSP. • Select 2048 for Key character length. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 162 • Select Install. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 163 (HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > MSCEP > EnforcePassword) • SCEP uses the certificate template that is set in the registry for issuing certificates. (HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > MSCEP) Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 164 Make sure a correct template is set to the above registries before enrolling the RA to the SCEP server. • After the Cisco RA is enrolled to the SCEP server, admin needs to change the template in the registry (if the user certificate period needs to be shorter than that of the root CA).
  • Page 165 • Configure the Validity Period on the General tab as necessary. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 166 • Configure Subject Name tab as shown below. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 167 • Configure Extensions tab as shown below. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 168 • Configure Algorithm Name, Minimum Key Size, and Request Hash as necessary on the Cryptography tab. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 169 • Enable the newly created template by right clicking Certificate Templates then selecting New > Certificate Template to Issue. • Select SCEP User template. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 170 Use the following guidelines to configure the RADIUS server. • Add the SCEP RA under Network Device and AAA Clients. • Configure the RADIUS shared secret that the SCEP RA is currently configured for. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 171 Create a user account matching the common name of the phone’s Manufacturing Installed Certificate (MIC) with the password set to cisco (e.g. CP-8861-SEPxxxxxxxxxxxx). • Add the Cisco Manufacturing CA chain to the RADIUS trust list as well as any other CA chains utilized for authentication. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 172 Create an Identity Store Sequence to be used for EAP-TLS authentication. • Check Certificate Based, select the newly created Certificate Authentication Profile, and select Internal Users as the additional identity store. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 173 Create an Identity Store Sequence to be used for SCEP authentication. • Check Password Based, select the newly created Certificate Authentication Profile, and select Internal Users as the identity store. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 174 • Create an Authorization Profile to be used for SCEP authorization. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 175 • Under the RADIUS Attributes tab, add the cisco-av-pair attribute where the Type is set to String and Value is set to pki:cert-application=all. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 176 • Create an Access Policy to be used for EAP-TLS authentication. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 177 • For the Access Service for EAP-TLS authentication, need to ensure that EAP-TLS is enabled. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 178 • Under Identity, rules can be defined to match EAP type then determine which identity source to use for authentication. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 179 • Under Identity, rules can be defined to match various conditions then determine which authorization profile to use. • Create an Access Policy to be used for SCEP authentication. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 180 • For the Access Service for SCEP authentication, need to ensure that PAP/ASCII is enabled. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 181 • Under Identity, rules can be defined to match various conditions then determine which identity source to use for authentication. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 182 Under Identity, rules can be defined to match various conditions then determine which authorization profile to use. SCEP RA Configuration Currently only a Cisco IOS router running IOS version 15.1(4)M10 or later is supported as the SCEP RA. Use the following guidelines to configure a Cisco IOS router as a SCEP RA.
  • Page 183 Trustpoint 'MIC_trustpoint' is a subordinate CA and holds a non self-signed cert. Certificate has the following attributes: Fingerprint MD5: AC14F08F C3780F8F D9EEE6C9 39111280 Fingerprint SHA1: 90B2E06B 7AD5DAFF CFD43187 2909F381 37471BF8 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 184 Feb 17 15:21:42: CRYPTO_PKI: Certificate Request Fingerprint MD5: CDE40276 04A28DA8 BDE5DF48 0BC1A8F7 Feb 17 15:21:42: CRYPTO_PKI: Certificate Request Fingerprint SHA1: AE5CDEF2 A633DEF4 1D5A5104 7D6A8BD7 E08B576C Feb 17 15:21:43: %PKI-6-CERTRET: Certificate received from Certificate Authority Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 185 MSCA enrollment mode ra enrollment url http://10.81.116.249:80/certsrv/mscep/mscep.dll serial-number fingerprint 81512B4316429092925C6891701B374EBD254447 revocation-check none rsakeypair MSCA_Key 2048 crypto pki certificate chain MIC_trustpoint certificate ca 02 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 186 7FEACFAB DCF72D2F EED90BB4 1E03F1E3 B5472BCD 2B0B3D37 4E1CC375 34C66C49 6BD821AA 2F9165BF 22B9E4B7 C8DB9061 C920FA5D 02030100 01A38202 F2308202 EE300E06 03551D0F 0101FF04 04030205 A0301D06 03551D0E 04160414 986F9130 BCF33BE4 79317708 ECE4E226 9F6A7E0A 301F0603 551D2304 18301680 14769747 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 187 010B0500 03820101 007D4DAD 1170BBD8 2D9A2FB5 4B2B6A52 ECF5AF2B 4AB7D9D7 EACA3085 7083958A 49ED5EC1 3331E97F 6DD88E2F 40C3968F AB6CBB86 86A8402A 5940CC72 1B1AB153 572443CA B2FF8AB4 730A0206 9359D9E3 6DFF8B47 B3AE34ED B007C8B2 0E126243 C32FCFB6 7BF76A1B 7233D92E 4336BEB8 D9672598 ABE97BD3 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 188 0 0 line aux 0 line vty 0 4 exec-timeout 0 0 transport input all line vty 5 15 exec-timeout 0 0 transport input all scheduler allocate 20000 1000 Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 189: Certificate Removal

    Select the Bluetooth device after it is displayed in the list. • The Cisco IP Phone 8861 and 8865 will then attempt to pair will attempt to use the pin code 0000. If unsuccessful, enter the pin code when prompted.
  • Page 190 Selecting the Bluetooth device then selecting Disconnect will disconnect that currently connected Bluetooth device. • Select Delete to unpair the selected Bluetooth device. • Selecting Show detail will display additional details of the Bluetooth device. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 191: Mobile Phone Sharing

    Mobile Phone Sharing The Cisco IP Phone 8861 and 8865 support mobile phone sharing where a mobile phone can be paired to it. • Ensure Hand-free-2-way audio is set to On. • Ensure the Bluetooth enabled mobile phone is in pairing mode, then select the device in the list.
  • Page 192 • Once paired, then the Cisco IP Phone 8861 or 8865 will attempt to connect to the Bluetooth enabled mobile phone. • A prompt then will be displayed to select whether the contacts and call history from the Bluetooth enabled mobile phone should be stored locally in the Cisco IP Phone 8861 or 8865 or not.
  • Page 193 Calls can easily be moved between the Cisco IP Phone 8861 or 8865 and the Bluetooth enabled mobile phone. • To move a call from the Bluetooth enabled mobile phone to the Cisco IP Phone 8861 or 8865, simply select the Move audio softkey on the Cisco IP Phone 8861 or 8865.

  • Page 194: Video Call Settings

    The downloaded phone configuration file is parsed and the device load is identified. The Cisco IP Phone 8861 or 8865 then downloads the firmware files to flash if it is not running the specified image already. The Load Server can be specified as an alternate TFTP server to retrieve firmware files, which is located in the product specific configuration section of Cisco IP Phone 8861 and 8865 within Cisco Unified Communications Manager Administration.
  • Page 195 Cisco Unified Communications Manager Express To install the firmware on Cisco Unified Communications Manager Express, extract the contents of the TAR file and upload into the router’s flash. Each file will need to be enabled for TFTP download. Configure the phone load and reset the phones to upgrade the firmware.

  • Page 196: Troubleshooting

    The Cisco IP Phone 8861 and 8865 provide device information, where network status, MAC address and version information is displayed. Browse to the standard web interface (https://x.x.x.x) of the Cisco IP Phone 8861 or 8865 select Device information to view this information.

  • Page 197: Network Setup

    The Cisco IP Phone 8861 and 8865 provide network setup information, where network and Cisco Unified Communications Manager information is displayed. Browse to the standard web interface (https://x.x.x.x) of the Cisco IP Phone 8861 or 8865 then select Network setup to view this information.

  • Page 198: Streaming Statistics

    The Cisco IP Phone 8861 and 8865 provide call statistic information, where MOS, jitter and packet counters are displayed. Browse to the standard web interface (https://x.x.x.x) of Cisco IP Phone 8861 or 8865 then select the necessary menu item under Streaming statistics to view this information.

  • Page 199: Device Logs

    Device Logs Console Logs Console logs, core dumps, status messages, and debug display can be obtained from the web interface of Cisco IP Phone 8861 or 8865 for troubleshooting purposes. Browse to the standard web interface (https://x.x.x.x) of Cisco IP Phone 8861 or 8865 then select the necessary menu item under Device Logs to view this information.
  • Page 200 Status Messages The Cisco IP Phone 8861 and 8865 provide status message information. Browse to the standard web interface (https://x.x.x.x) of Cisco IP Phone 8861 or 8865 then select the necessary menu item under Status messages to view this information.

  • Page 201: Wlan Signal Indicator

    WLAN Signal Indicator The WLAN signal indicator is displayed in the upper right hand corner of the main screen when the Cisco IP Phone 8861 and 8865 is connected to an access point. Current Access Point The Cisco IP Phone 8861 and 8865 only show the current access point (no neighbor list). To view current access point details go to Applications >...

  • Page 202: Wlan Statistics

    Wireless statistic information can be viewed locally on the phone under Applications > Admin settings > Status > Wireless statistics. Call Statistics Call statistic information can be viewed locally on the phone under Applications > Admin settings > Status > Call statistics. Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...

  • Page 203: Status Messages

    A confirmation screen will appear where Reset must be selected to proceed with the factory data reset. If the Cisco IP Phone 8861 or 8865 is not able to boot properly, a factory reset can also be initiated via the following procedure: •...

  • Page 204: Capturing A Screenshot Of The Phone Display

    The current display of the Cisco IP Phone 8861 or 8865 can be captured by browsing to http://x.x.x.x/CGI/Screenshot, where x.x.x.x is the IP address of the Cisco IP Phone 8861 or 8865. At the prompt enter the username and password for the account that the Cisco IP Phone is associated to in Cisco Unified Communications Manager.

  • Page 205: Additional Documentation

    Cisco Unified Communications Manager Express http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-express/tsd-products-support- series-home.html Cisco Voice Software http://software.cisco.com/download/navigator.html?mdfid=278875240 Cisco IP Phone Services Application Development Notes http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products- programming-reference-guides-list.html Real-Time Traffic over Wireless LAN SRND http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/RToWLAN/CCVP_BK_R7805F20_00_rtowlan-srnd.html Cisco Unified Communications SRND http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products- implementation-design-guides-list.html Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 206 Cisco Wireless LAN Controller Documentation http://www.cisco.com/c/en/us/support/wireless/5500-series-wireless-controllers/products-installation-and-configuration-guides- list.html Cisco Meraki Wireless LAN Documentation https://meraki.cisco.com/products Cisco Autonomous Access Point Documentation http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-4-25d-JA/Configuration/guide/cg_12_4_25d_JA.html Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide...
  • Page 207 Cisco and any other company. (0809R) The Bluetooth word mark and logo are registered trademarks owned by Bluetooth SIG, Inc., and any use of such marks by Cisco Systems, Inc., is under license.

This manual is also suitable for:

8865

Table of Contents