Cisco IP Phone 8800 Series Administration Guide for Cisco Unified Communications Manager - Cisco 8811 Administration Manual


If the initiator phone is configured for encryption, the barge initiator can barge into a nonsecure call from the
encrypted phone. After the barge occurs, Cisco Unified Communications Manager classifies the call as
nonsecure.
If the initiator phone is configured for encryption, the barge initiator can barge into an encrypted call, and the
phone indicates that the call is encrypted.
WLAN Security
Because all WLAN devices that are within range can receive all other WLAN traffic, securing voice
communications is critical in WLANs. To ensure that intruders do not manipulate or intercept voice traffic,
the Cisco SAFE Security architecture supports the Cisco IP Phone and Cisco Aironet APs. For more information
about security in networks, see
http://www.cisco.com/en/US/netsol/ns744/networking_solutions_program_home.html.
The Cisco Wireless IP telephony solution provides wireless network security that prevents unauthorized
sign-ins and compromised communications by using the following authentication methods that the wireless
Cisco IP Phone supports:
• Open Authentication: Any wireless device can request authentication in an open system. The AP that
receives the request may grant authentication to any requestor or only to requestors that are found on a
list of users. Communication between the wireless device and AP could be nonencrypted, or devices can
use Wired Equivalent Privacy (WEP) keys to provide security. Devices that use WEP only attempt to
authenticate with an AP that is using WEP.
• Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST)
Authentication: This client-server security architecture encrypts EAP transactions within a Transport
Layer Security (TLS) tunnel between the AP and the RADIUS server, such as the Cisco Access Control
Server (ACS).
The TLS tunnel uses Protected Access Credentials (PACs) for authentication between the client (phone)
and the RADIUS server. The server sends an Authority ID (AID) to the client (phone), which in turn
selects the appropriate PAC. The client (phone) returns a PAC-Opaque to the RADIUS server. The
server decrypts the PAC with the master key. Both endpoints now contain the PAC key and a TLS tunnel
is created. EAP-FAST supports automatic PAC provisioning, but you must enable it on the RADIUS
server.
Note: In the Cisco ACS, by default, the PAC expires in one week. If the phone has an expired
PAC, authentication with the RADIUS server takes longer while the phone gets a new
PAC. To avoid PAC provisioning delays, set the PAC expiration period to 90 days or
longer on the ACS or RADIUS server.
• Protected Extensible Authentication Protocol (PEAP): Cisco proprietary password-based mutual
authentication scheme between the client (phone) and a RADIUS server. Cisco IP Phone can use PEAP
for authentication with the wireless network. Both PEAP-MSCHAPV2 and PEAP-GTC authentication
methods are supported.
The following authentication schemes use the RADIUS server to manage authentication keys:
• WPA/WPA2: Uses RADIUS server information to generate unique keys for authentication. Because
these keys are generated at the centralized RADIUS server, WPA/WPA2 provides more security than
WPA preshared keys that are stored on the AP and phone.
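
The EAP-FAST PAC exchange and the PAC expiry behaviour described above, as an added Python simulation (not Cisco code and not part of the original guide). The class and function names, the JSON layout inside the PAC-Opaque, and the HMAC-based stand-in cipher are assumptions made for illustration; the real PAC-Opaque format is private to the RADIUS server.

```python
import hashlib, hmac, json, os
WEEK = 7 * 24 * 3600  # ACS default PAC lifetime, per the Note above

def _keys(master):
    return [hmac.new(master, label, hashlib.sha256).digest() for label in (b"enc", b"mac")]

def _xor_stream(enc_key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 in counter mode) to stay stdlib-only; not for production.
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(master, plaintext):
    enc_key, mac_key = _keys(master)
    nonce = os.urandom(16)
    body = nonce + _xor_stream(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(master, blob):
    enc_key, mac_key = _keys(master)
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("PAC-Opaque failed integrity check")
    return _xor_stream(enc_key, body[:16], body[16:])

class RadiusServer:
    def __init__(self, aid, lifetime=WEEK):
        self.aid, self.lifetime, self.master = aid, lifetime, os.urandom(32)

    def provision(self, now):
        # The phone keeps the PAC key; only the server can read the opaque part.
        pac_key = os.urandom(32)
        inner = json.dumps({"key": pac_key.hex(), "exp": now + self.lifetime}).encode()
        return {"key": pac_key, "opaque": seal(self.master, inner)}

    def accept(self, opaque, now):
        # Decrypt PAC-Opaque with the master key; None means the PAC has expired.
        inner = json.loads(unseal(self.master, opaque))
        return bytes.fromhex(inner["key"]) if now < inner["exp"] else None

def authenticate(phone_pacs, server, now):
    # The server announces its AID; the phone selects that PAC and returns PAC-Opaque.
    pac = phone_pacs.get(server.aid)
    path, server_key = "fast", server.accept(pac["opaque"], now) if pac else None
    if server_key is None:  # no PAC or expired PAC: provision a new one first
        pac = phone_pacs[server.aid] = server.provision(now)
        path, server_key = "reprovisioned", server.accept(pac["opaque"], now)
    # Both ends now hold the same PAC key, which would key the TLS tunnel.
    return path, hmac.compare_digest(server_key, pac["key"])
```

Calling `authenticate` with a timestamp more than one week after provisioning returns the `"reprovisioned"` path, which is the delay the Note describes; constructing the server with `lifetime=90 * 24 * 3600` keeps the phone on the `"fast"` path.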
