Cisco 8800 Series Deployment Manual page 18

Wireless lan deployment guide
The TLS tunnel uses Protected Access Credentials (PACs) for authentication between the client (the Cisco IP Phone 8800 Series) and the RADIUS server. The server sends an Authority ID (AID) to the client, which in turn selects the appropriate PAC. The client returns a PAC-Opaque to the RADIUS server. The server decrypts the PAC with its master key. Both endpoints now have the PAC key and a TLS tunnel is created. EAP-FAST supports automatic PAC provisioning, but it must be enabled on the RADIUS server.
To enable EAP-FAST, a certificate must be installed onto the RADIUS server.
The Cisco IP Phone 8800 Series currently supports only automatic provisioning of the PAC, so enable Allow anonymous in-band PAC provisioning on the RADIUS server as shown below.
Both EAP-GTC and EAP-MSCHAPv2 must be enabled when Allow anonymous in-band PAC provisioning is enabled.
EAP-FAST requires that a user account be created on the authentication server.
If anonymous PAC provisioning is not allowed in the production wireless LAN environment, then a staging RADIUS server can be set up for initial PAC provisioning of the Cisco IP Phone 8800 Series.
This requires that the staging RADIUS server be set up as a slave EAP-FAST server and that components are replicated from the production master EAP-FAST server, including the user and group database and the EAP-FAST master key and policy information.
Ensure the production master EAP-FAST RADIUS server is set up to send the EAP-FAST master keys and policies to the staging slave EAP-FAST RADIUS server; this allows the Cisco IP Phone 8800 Series to use the provisioned PAC in the production environment where Allow anonymous in-band PAC provisioning is disabled.
When it is time to renew the PAC, authenticated in-band PAC provisioning will be used, so ensure that Allow authenticated in-band PAC provisioning is enabled.
Ensure that the Cisco IP Phone 8800 Series has connected to the network during the grace period, so that it can use its existing PAC (created with either the active or the retired master key) to be issued a new PAC.
It is recommended to point only the staging wireless LAN at the staging RADIUS server and to disable the staging access point radios when they are not in use.
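The PAC exchange and the master-key rollover described above, modelled as an added example (this is not Cisco's code and not the real EAP-FAST PAC format; the HMAC-based sealing, the `RadiusServer` class and the `phone_session` helper are constructed stand-ins):

```python
# Toy model of the PAC lifecycle described above (constructed for illustration, not the
# RFC 4851/5422 wire format): provisioning, PAC-Opaque recovery with the master key, and
# renewal during the grace period after a master-key rollover. PAC-Keys are 32 bytes.
import hashlib, hmac, secrets

def seal(master_key, pac_key):
    """Build a PAC-Opaque: only a holder of master_key can recover pac_key from it."""
    nonce = secrets.token_bytes(16)
    pad = hmac.new(master_key, b"enc" + nonce, hashlib.sha256).digest()  # one-time pad
    ct = bytes(a ^ b for a, b in zip(pac_key, pad))
    return nonce + ct + hmac.new(master_key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(master_key, opaque):
    """Recover the PAC-Key, or None if the PAC-Opaque was not sealed under master_key."""
    nonce, ct, tag = opaque[:16], opaque[16:-32], opaque[-32:]
    if not hmac.compare_digest(tag, hmac.new(master_key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        return None
    pad = hmac.new(master_key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

class RadiusServer:
    def __init__(self, aid):
        self.aid, self.active, self.retired = aid, secrets.token_bytes(32), None
    def provision(self):
        """In-band provisioning: the phone stores (PAC-Key, PAC-Opaque) under this AID."""
        pac_key = secrets.token_bytes(32)
        return pac_key, seal(self.active, pac_key)
    def rotate(self):
        """Retire the active master key; the grace period lasts until `retired` is cleared."""
        self.retired, self.active = self.active, secrets.token_bytes(32)
    def authenticate(self, opaque):
        """Return (pac_key, renewed_pac_or_None), or None if the PAC-Opaque is rejected."""
        pac_key = unseal(self.active, opaque)
        if pac_key is not None:
            return pac_key, None
        if self.retired is not None and (pac_key := unseal(self.retired, opaque)) is not None:
            return pac_key, self.provision()  # authenticated in-band renewal under the active key
        return None

def phone_session(server, pacs):
    """Phone picks the PAC for the server's AID, sends its PAC-Opaque, keeps any renewed PAC."""
    pac_key, opaque = pacs[server.aid]
    result = server.authenticate(opaque)
    if result is None:
        return False
    server_key, renewed = result
    if renewed is not None:
        pacs[server.aid] = renewed
    return server_key == pac_key  # both endpoints now hold the same PAC-Key
```

A phone that misses the grace period is left holding a PAC sealed under a key the server no longer has, which is the failure the guide warns about.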
Cisco IP Phone 8800 Series Wireless LAN Deployment Guide
18