Authenticated Key Management; Encryption Methods; Choosing Ap Authentication And Encryption Methods - Cisco 7925G - Unified Wireless IP Phone VoIP Administration Manual

Security for Voice Communications in WLANs

Authenticated Key Management

The following authentication schemes use the RADIUS server to manage authentication keys:
•
•
With WPA and CCKM, encryption keys are not entered on the phone, but are automatically derived
between the AP and phone. But the EAP username and password that are used for authentication must
be entered on each phone.

Encryption Methods

To ensure that voice traffic is secure, the Cisco Unified Wireless IP Phone 7925G supports WEP, TKIP,
and Advanced Encryption Standards (AES) for encryption. When using these mechanisms for
encryption, both the signaling Skinny Client Control Protocol (SCCP) packets and voice Real-Time
Transport Protocol (RTP) packets are encrypted between the AP and the wireless IP phone.
•
•
•
Note

Choosing AP Authentication and Encryption Methods

Authentication and encryption schemes are setup within the wireless LAN. VLANS are configured in
the network and on the APs and specify different combinations of authentication and encryption. An
SSID is associated with a VLAN and its particular authentication and encryption scheme. In order for
wireless client devices to authenticate successfully, you must configure the same SSIDs with their
authentication and encryption schemes on the APs and on the wireless IP phone.
Cisco Unified Wireless IP Phone 7925G Administration Guide for Cisco Unified Communications Manager 7.0(1)
2-18
WPA—Uses information on a RADIUS server to generate unique keys for authentication. Because
these keys are generated at the centralized RADIUS server, WPA provides more security than WPA
pre-shared keys that are stored on the AP and phone.
Cisco Centralized Key Management (CCKM)—Uses information on a RADIUS server and a
wireless domain server (WDS) to manage and authenticate keys. The WDS creates a cache of
security credentials for CCKM-enabled client devices for fast and secure reauthentication.
WEP—When using WEP in the wireless network, authentication happens at the AP by using open
or shared-key authentication. The WEP key that is setup on the phone must match the WEP key that
is configured at the AP for successful connections. The Cisco Unified Wireless IP Phone 7925G
supports WEP keys that use 40-bit encryption or a 128-bit encryption and remain static on the phone
and AP.
EAP and CCKM authentication can use WEP keys for encryption. The RADIUS server manages the
WEP key and passes a unique key to the AP after authentication for encrypting all voice packets;
consequently, these WEP keys can change with each authentication.
TKIP—WPA and CCKM use TKIP encryption that has several improvements over WEP. TKIP
provides per-packet key ciphering and longer initialization vectors (IVs) that strengthen encryption.
In addition, a message integrity check (MIC) ensures that encrypted packets are not being altered.
TKIP removes the predictability of WEP that helps intruders decipher the WEP key.
AES—An encryption method used for WPA2 authentication. This national standard for encryption
uses a symmetrical algorithm that has the same key for encryption and decryption. AES uses Cipher
Blocking Chain (CBC) encryption of 128 bits in size, supporting key sizes of 128, 192 and 256 bits,
as a minimum.
The Cisco Unified Wireless IP Phone 7925G does not support Cisco Key Integrity Protocol
(CKIP) with CMIC.
Chapter 2 Overview of the VoIP Wireless Network
OL-15984-01