Chapter 6 Understanding the VoIP Wireless Network

Security for Voice Communications in WLANs

Encryption Methods

To ensure that voice traffic is secure, the Cisco Unified IP Phone supports WEP, TKIP, and Advanced Encryption Standard (AES) for encryption. When using these mechanisms for encryption, both the signaling Skinny Client Control Protocol (SCCP) packets and voice Real-Time Transport Protocol (RTP) packets are encrypted between the AP and the Cisco Unified IP Phone.

WEP—When using WEP in the wireless network, authentication happens at the AP by using open or shared-key authentication. The WEP key that is set up on the phone must match the WEP key that is configured at the AP for successful connections. The Cisco Unified IP Phone supports WEP keys that use 40-bit or 128-bit encryption and remain static on the phone and AP.

EAP and CCKM authentication can use WEP keys for encryption. The RADIUS server manages the WEP key and passes a unique key to the AP after authentication for encrypting all voice packets; consequently, these WEP keys can change with each authentication.

TKIP—WPA and CCKM use TKIP encryption that has several improvements over WEP. TKIP provides per-packet key ciphering and longer initialization vectors (IVs) that strengthen encryption. In addition, a message integrity check (MIC) ensures that encrypted packets are not being altered. TKIP removes the predictability of WEP that helps intruders decipher the WEP key.

AES—An encryption method used for WPA2 authentication. This national standard for encryption uses a symmetric algorithm that has the same key for encryption and decryption. AES uses Cipher Block Chaining (CBC) encryption with a block size of 128 bits, supporting key sizes of 128, 192 and 256 bits, as a minimum. The Cisco Unified IP Phone supports a key size of 256 bits.

Note The Cisco Unified IP Phone does not support Cisco Key Integrity Protocol (CKIP) with CMIC.

Choosing AP Authentication and Encryption Methods

Authentication and encryption schemes are set up within the wireless LAN. VLANs are configured in the network and on the APs and specify different combinations of authentication and encryption. An SSID is associated with a VLAN and its particular authentication and encryption scheme. In order for wireless client devices to authenticate successfully, you must configure the same SSIDs with their authentication and encryption schemes on the APs and on the Cisco Unified IP Phone.

Some authentication schemes require specific types of encryption. With Open authentication, you have the option to use static WEP for encryption for added security. But if you are using Shared Key authentication, you must set static WEP for encryption, and you must configure a WEP key on the phone.

When using Authenticated Key Management (AKM) for the Cisco Unified IP Phone, several choices for both authentication and encryption can be set up on the APs with different SSIDs. When the phone attempts to authenticate, it chooses the AP that advertises the authentication and encryption scheme that the phone can support. Auto (AKM) mode can authenticate by using WPA, WPA2, WPA Pre-shared key, or CCKM.

Note When using WPA Pre-shared key or WPA2 Pre-shared key, the pre-shared key must be statically set on the phone. These keys must match the keys configured on the AP.

When using Auto (AKM), encryption options are automatically configured for WPA, WPA2, WPA Pre-shared key, WPA2 Pre-shared key, or CCKM.

In AKM mode, the phone will authenticate with LEAP if it is configured with WPA, WPA2, or CCKM key management, or if 802.1x is used.
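The pairing rules in this section can be checked mechanically before phones are deployed. The following added example (not from the Cisco guide; the profile field names, scheme labels and sample values are assumptions constructed for illustration) audits a phone WLAN profile against the AP SSID profiles:

```python
# Added example, not Cisco code: field names and all sample values are constructed.
import hmac

AKM_SCHEMES = {"WPA", "WPA2", "WPA-PSK", "WPA2-PSK", "CCKM"}  # Auto (AKM) choices
PSK_SCHEMES = {"WPA-PSK", "WPA2-PSK"}

def keys_match(a, b):
    """True only if both keys are set and equal (constant-time compare)."""
    return a is not None and b is not None and hmac.compare_digest(a, b)

def audit(phone, aps):
    """Return a list of findings for one phone profile; empty means consistent."""
    ap = next((a for a in aps if a["ssid"] == phone["ssid"]), None)
    if ap is None:
        return ["SSID is not configured on any AP"]
    findings = []
    mode, scheme, enc = phone["auth"], ap["auth"], ap.get("enc")
    if mode == "AKM":
        if scheme not in AKM_SCHEMES:
            findings.append(f"AP uses {scheme}, which Auto (AKM) does not cover")
        elif scheme in PSK_SCHEMES and not keys_match(phone.get("key"), ap.get("key")):
            findings.append("pre-shared key is missing on the phone or differs from the AP")
        return findings
    if mode != scheme:
        return [f"phone uses {mode} but the AP uses {scheme}"]
    if mode == "SharedKey" and enc != "WEP":
        findings.append("Shared Key authentication requires static WEP")
    if mode == "Open" and enc not in (None, "WEP"):
        findings.append("Open authentication pairs only with optional static WEP")
    if enc == "WEP" and not keys_match(phone.get("key"), ap.get("key")):
        findings.append("static WEP key is missing on the phone or differs from the AP")
    return findings

# Constructed sample profiles (keys are dummy bytes).
APS = [
    {"ssid": "voice-psk", "auth": "WPA2-PSK", "enc": "AES", "key": b"constructed-psk-1"},
    {"ssid": "voice-shared", "auth": "SharedKey", "enc": "WEP", "key": b"\x01\x02\x03\x04\x05"},
    {"ssid": "voice-open", "auth": "Open", "enc": None, "key": None},
]
PHONES = [
    {"ssid": "voice-psk", "auth": "AKM", "key": b"constructed-psk-1"},   # consistent
    {"ssid": "voice-psk", "auth": "AKM", "key": b"constructed-psk-2"},   # PSK differs
    {"ssid": "voice-shared", "auth": "SharedKey", "key": None},          # WEP key missing
    {"ssid": "voice-open", "auth": "AKM", "key": None},                  # scheme mismatch
]

if __name__ == "__main__":
    for p in PHONES:
        print(p["ssid"], p["auth"], audit(p, APS) or "OK")
```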


Cisco Unified IP Phone 8961, 9951, and 9971 Administration Guide for Cisco Unified Communications Manager 8.5 (SIP)

OL-20861-01