Cisco Systems 7920 IP Phone Manual: Security for the Cisco 7920 and WLAN Networks

Page 6

Technical Assistance Center (TAC) (if problems arise) is limited for this situation.

Security for the Cisco 7920 and WLAN Networks

The Cisco 7920 is supported within the Cisco Wireless Security Suite architecture.

That architecture is described in detail in the Cisco Wireless LAN Security Solution documents.

The architecture also fits into the overall Cisco SAFE security architecture. For more information, refer to Cisco SAFE: Wireless LAN Security in Depth.

Note: The Cisco 7920 does not support Cisco Temporal Key Integrity Protocol (TKIP) or Cisco Message Integrity Check (MIC) in the initial software release. Future versions of the Cisco 7920 software will add support for TKIP and MIC as well as Wi−Fi Protected Access (WPA).

The Cisco 7920 supports both static Wired Equivalent Privacy (WEP) and 802.1X with Extensible Authentication Protocol (EAP), specifically Cisco Lightweight Extensible Authentication Protocol (LEAP), for authentication and data encryption. With either option, both the signaling (Skinny Client Control Protocol (SCCP)) and the media (RTP) are encrypted between the Cisco 7920 and the AP. Note that this protection covers the wireless link only: once the AP bridges the frames onto the wired LAN, neither SCCP nor RTP is encrypted by WEP.

Static WEP requires that a 40-bit or 128-bit key be entered manually on every Cisco 7920 and on every AP. Authentication is performed by the AP and is based solely on the device (such as the Cisco 7920) holding a matching key. There is no per-user identity with static WEP, and a key recovered from any one handset must be changed on every device that shares it; because WEP is also known to be cryptographically weak, static WEP should be regarded as the minimum option rather than a strong one.

LEAP allows devices (such as the Cisco 7920 and the AP) to be mutually authenticated (Cisco 7920 > AP, AP > Cisco 7920) based on a username and password. Upon authentication, a dynamic per-session key is used between the Cisco 7920 and the AP to encrypt traffic, so no shared key has to be provisioned by hand on the handsets.

If LEAP is used, a LEAP-compliant RADIUS server, such as Cisco Secure ACS for Windows, is required to provide access to the user database. The ACS server can either store the username and password database locally or retrieve that information from an external Microsoft Windows directory.

Note: While it is a valid configuration option, using an external (off-ACS) database to store the username and password credentials for Cisco 7920 phones is not recommended. Because the ACS server must be queried every time a Cisco 7920 roams between APs, the unpredictable delay in reaching this external database can cause excessive authentication delay and poor voice quality.

The placement of the ACS server should be considered when deploying LEAP. LEAP authentication is required every time a Cisco 7920 roams between APs, and RTP traffic (voice) does not flow until the LEAP authentication is completed. Reducing the delay (for example, router hops and WAN links) between the APs and the ACS significantly improves overall voice quality while Cisco 7920 users are roaming.

The three options for deploying the ACS functionality are as follows:

• Centralized ACS server: All users access the ACS server in a central location within the network.

• Remote ACS server: For remote offices that have slow or congested WAN links that might delay LEAP processing, an ACS server can be deployed locally in the office.

• Local and fallback RADIUS server functionality in a Cisco AP: Beginning with Cisco IOS® Software Release 12.2(11)JA, the Cisco AP can authenticate LEAP users without accessing an external ACS server. This functionality supports up to 50 users and is supported for EAP-Cisco (LEAP) only. It does not interact with a centralized or remote ACS server in terms of database synchronization. This functionality is designed to be used as the primary
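As an added example (not taken from this design guide), the following Cisco IOS access-point configuration shows the two encryption options described above and the third deployment option: LEAP against a central ACS, with the AP's own local RADIUS server listed second so that it is used as a fallback when the ACS is unreachable. The IP addresses (10.1.1.10 for the ACS, 10.1.2.5 for the AP's BVI interface), the SSID, the shared secrets and the phone usernames are placeholders; it assumes an AP running IOS 12.2(11)JA or later, where the local authenticator is configured under radius-server local.

```cisco
! Added example configuration; addresses, names and keys are placeholders.
!
! --- Option A: static WEP (shared key, device-level authentication only) ---
! Commented out because a radio cannot run both models on one SSID.
! interface Dot11Radio0
!  encryption key 1 size 128bit 00112233445566778899AABBCC transmit-key
!  encryption mode wep mandatory
!  ssid voice7920
!   authentication open
!
! --- Option B: LEAP (Network-EAP) with central ACS and local fallback ------
aaa new-model
!
! Server group: the central ACS first, the AP's own address second. When the
! ACS is marked dead (radius-server deadtime), requests go to the local server.
aaa group server radius rad_eap
 server 10.1.1.10 auth-port 1812 acct-port 1813
 server 10.1.2.5 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
!
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key ACS-SHARED-SECRET
radius-server host 10.1.2.5 auth-port 1812 acct-port 1813 key LOCAL-SHARED-SECRET
radius-server deadtime 10
!
! Local RADIUS server on the AP: up to 50 LEAP users, not synchronized with ACS.
! The nas entry is the AP itself, since the AP is its own RADIUS client here.
radius-server local
 nas 10.1.2.5 key LOCAL-SHARED-SECRET
 user phone-1001 password Ph0ne-1001-placeholder
 user phone-1002 password Ph0ne-1002-placeholder
!
interface BVI1
 ip address 10.1.2.5 255.255.255.0
!
! Radio: WEP with LEAP-derived dynamic keys; Network-EAP is what the 7920 uses.
interface Dot11Radio0
 encryption mode wep mandatory
 ssid voice7920
  authentication network-eap eap_methods
```

The fallback ordering is the point of the aaa group server block: because LEAP reauthentication happens on every roam, a phone that cannot reach the ACS would otherwise have no voice path at all, whereas with the local server second in the list it keeps authenticating against the AP's own user list. The local user list must be maintained on each AP by hand, which is why the guide describes it as suitable only for small sites.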

Cisco − Wireless IPT Design Guide for the Cisco 7920 IP Phone

Contents

• Introduction
• Prerequisites
• Requirements
• RF Overview
• Site Surveys and Design Recommendations
• Cisco 7920 IP Phone Overview
• WLAN Overview
• Components Used
• VoIP QoS
• RSSI
• Delay Variation (Jitter): not to exceed 30 ms
• Security for the Cisco 7920 and WLAN Networks
• Network Sizing
• Number of 802.11b Devices per AP
• Number of 802.11b IP Phones per AP
• Numbers of 802.11b Phones per Layer 2 Subnet or VLAN
• Understanding Layer 2 and Layer 3 Roaming
• Understanding Roaming Terminology
• Layer 2 Roaming
• Layer 3 Roaming
• VLANs
• WLAN QoS for VoIP
• Interconnecting WLANs to Cisco Campus Infrastructure
• Connecting APs to the Catalyst 3550 SMI or EMI
• Connecting APs to the Catalyst 2950 EI
• Connecting APs to the Catalyst 2950 SI
• Caveats and Limitations
• Call Admission Control
• Designing Around the Lack of Layer 3 Roaming
• Other Caveats and Limitations
• Related Information