https://community.cisco.com/t5/wireless/7920-secure-authentication/m-p/405728#M192165 <P>I'm getting ready to deploy some 7920's and want to make sure I've got some decent security. What I'd like to do is combine mac address security with a userid/password unique to the phone. (or I could live with a common one for all phones but I don't want to) I'm looking for the best security so that if some part of it is comprimised I don't have to pull all the phones back from around the country to reset id's, keys or whatever.</P><P></P><P>As best I can tell combining mac address with userid/password authentication is probably the best way to go. I've got WPA on the phones working but I'm trying to figure out how to add the mac address part. Does anyone know of a good document on the subject?</P><P></P><P>I've got various 1100/1200/1300 AP's with an ACS 3.3 server on the back end.</P> Sun, 04 Jul 2021 18:28:08 GMT dhingst 2021-07-04T18:28:08Z https://community.cisco.com/t5/wireless/7920-secure-authentication/m-p/405728#M192165 <P>I'm getting ready to deploy some 7920's and want to make sure I've got some decent security. What I'd like to do is combine mac address security with a userid/password unique to the phone. (or I could live with a common one for all phones but I don't want to) I'm looking for the best security so that if some part of it is comprimised I don't have to pull all the phones back from around the country to reset id's, keys or whatever.</P><P></P><P>As best I can tell combining mac address with userid/password authentication is probably the best way to go. I've got WPA on the phones working but I'm trying to figure out how to add the mac address part. Does anyone know of a good document on the subject?</P><P></P><P>I've got various 1100/1200/1300 AP's with an ACS 3.3 server on the back end.</P> Sun, 04 Jul 2021 18:28:08 GMT https://community.cisco.com/t5/wireless/7920-secure-authentication/m-p/405728#M192165 dhingst 2021-07-04T18:28:08Z https://community.cisco.com/t5/wireless/7920-secure-authentication/m-p/405729#M192166 <HTML><HEAD></HEAD><BODY><P>Below are key commands to enable 802.1x w/ MAC authentication and CCKM (fast roaming).</P><P></P><P>aaa group server radius rad_eap</P><P> server 10.0.0.15 auth-port 1645 acct-port 1646</P><P>!</P><P>aaa group server radius rad_mac</P><P> server 10.0.0.15 auth-port 1645 acct-port 1646</P><P>!</P><P>aaa authentication login eap_methods group rad_eap</P><P>aaa authentication login mac_methods group rad_mac</P><P>!</P><P>dot11 ssid voice</P><P>vlan 21</P><P>authentication network-eap eap_methods mac-address mac_methods</P><P>authenticaiton key-management cckm</P><P>!</P><P>interface dot11radio 0</P><P> encryption vlan 21 mode ciphers tkip</P><P> ssid voice</P><P>!</P><P>radius-server host 10.0.0.15 auth-port 1645 acct-port 1646 key X</P><P></P><P></P><P></P><P></P></BODY></HTML> Thu, 05 Jan 2006 07:14:36 GMT https://community.cisco.com/t5/wireless/7920-secure-authentication/m-p/405729#M192166 michaelgillespie 2006-01-05T07:14:36Z https://community.cisco.com/t5/wireless/7920-secure-authentication/m-p/405730#M192167 <HTML><HEAD></HEAD><BODY><P>Username/password (LEAP)</P><P>MAC Authentication</P><P>Radius authentication for SSID access</P><P></P><P>You are going to require an identity to login to the phone. If that user leaves the company then you can disable that account. You maintain a list of MAC accounts for authentication. If a phone is lost or stolen, remove that account from the ACS server. The usernames will only be permitted to authenticate to the designated voice ssid in the company. And finally those usernames can't be used to authenticate on other ssids within the company.</P></BODY></HTML> Sun, 22 Jan 2006 04:42:47 GMT https://community.cisco.com/t5/wireless/7920-secure-authentication/m-p/405730#M192167 dcavanaugh 2006-01-22T04:42:47Z