01-04-2006 06:48 PM - edited 07-04-2021 11:28 AM
I'm getting ready to deploy some 7920s and want to make sure I've got some decent security. What I'd like to do is combine MAC address security with a userid/password unique to the phone (or I could live with a common one for all phones, but I don't want to). I'm looking for the best security so that if some part of it is compromised I don't have to pull all the phones back from around the country to reset IDs, keys or whatever.
As best I can tell, combining MAC address with userid/password authentication is probably the best way to go. I've got WPA on the phones working, but I'm trying to figure out how to add the MAC address part. Does anyone know of a good document on the subject?
I've got various 1100/1200/1300 APs with an ACS 3.3 server on the back end.
01-04-2006 11:14 PM
Below are key commands to enable 802.1x w/ MAC authentication and CCKM (fast roaming).
! RADIUS server groups for EAP and for MAC authentication
aaa group server radius rad_eap
 server 10.0.0.15 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
 server 10.0.0.15 auth-port 1645 acct-port 1646
!
! Method lists referenced by the SSID below
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
!
! Voice SSID: Network-EAP plus MAC authentication, CCKM key management
dot11 ssid voice
 vlan 21
 authentication network-eap eap_methods mac-address mac_methods
 authentication key-management cckm
!
interface dot11radio 0
 encryption vlan 21 mode ciphers tkip
 ssid voice
!
radius-server host 10.0.0.15 auth-port 1645 acct-port 1646 key X
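Added example, not part of the thread and not Cisco tooling: a Python check that reads a saved AP configuration and confirms the SSID requires both the EAP and the MAC method list, that each list resolves to a RADIUS server with a matching radius-server host line, and that key management is set. The function names and the sample text are constructed for illustration, and sub-mode lines are assumed to be indented as in a running-config dump.

```python
import re

# Constructed sample modelled on the configuration in the reply above.
SAMPLE = """\
aaa group server radius rad_eap
 server 10.0.0.15 auth-port 1645 acct-port 1646
aaa group server radius rad_mac
 server 10.0.0.15 auth-port 1645 acct-port 1646
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
dot11 ssid voice
 authentication network-eap eap_methods mac-address mac_methods
 authentication key-management cckm
radius-server host 10.0.0.15 auth-port 1645 acct-port 1646 key X
"""

def parse(config):
    """Collect RADIUS groups, login method lists, RADIUS hosts and per-SSID lines."""
    groups, methods, hosts, ssids, ctx = {}, {}, set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            ctx = None  # a non-indented line leaves the current sub-mode
        if m := re.match(r"(aaa group server radius|dot11 ssid) (\S+)", line):
            ctx = (groups if m[1].startswith("aaa") else ssids).setdefault(m[2], [])
        elif m := re.match(r"aaa authentication login (\S+) group (\S+)", line):
            methods[m[1]] = m[2]
        elif m := re.match(r"radius-server host (\S+)", line):
            hosts.add(m[1])
        elif ctx is not None and line != "!":
            ctx.append(line)
    return groups, methods, hosts, ssids

def audit_ssid(config, ssid):
    """Return findings for one SSID; an empty list means nothing was flagged."""
    groups, methods, hosts, ssids = parse(config)
    lines = ssids.get(ssid, [])
    auth = " ".join(l for l in lines if l.startswith("authentication network-eap"))
    m = re.match(r"authentication network-eap (\S+)(?: mac-address (\S+))?", auth)
    findings = []
    for label, name in (("EAP", m and m[1]), ("MAC", m and m[2])):
        servers = [s.split()[1] for s in groups.get(methods.get(name), []) if s.startswith("server ")]
        if not name:
            findings.append(f"{label} authentication not required")
        elif not servers or any(s not in hosts for s in servers):
            findings.append(f"{label} list {name} has no usable RADIUS server")
    if not any(l.startswith("authentication key-management") for l in lines):
        findings.append("no key management configured")
    return findings
```

A misspelled keyword inside the SSID block, or a dropped mac-address clause, shows up as a finding rather than passing silently.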
01-21-2006 08:42 PM
Username/password (LEAP)
MAC Authentication
Radius authentication for SSID access
You are going to require an identity to login to the phone. If that user leaves the company then you can disable that account. You maintain a list of MAC accounts for authentication. If a phone is lost or stolen, remove that account from the ACS server. The usernames will only be permitted to authenticate to the designated voice ssid in the company. And finally those usernames can't be used to authenticate on other ssids within the company.