7920 Secure Authentication

dhingst · ‎01-04-2006

I'm getting ready to deploy some 7920's and want to make sure I've got some decent security. What I'd like to do is combine mac address security with a userid/password unique to the phone. (or I could live with a common one for all phones but I don't want to) I'm looking for the best security so that if some part of it is comprimised I don't have to pull all the phones back from around the country to reset id's, keys or whatever.

As best I can tell combining mac address with userid/password authentication is probably the best way to go. I've got WPA on the phones working but I'm trying to figure out how to add the mac address part. Does anyone know of a good document on the subject?

I've got various 1100/1200/1300 AP's with an ACS 3.3 server on the back end.

michaelgillespie · ‎01-04-2006

Below are key commands to enable 802.1x w/ MAC authentication and CCKM (fast roaming).

aaa group server radius rad_eap

server 10.0.0.15 auth-port 1645 acct-port 1646

!

aaa group server radius rad_mac

server 10.0.0.15 auth-port 1645 acct-port 1646

!

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods group rad_mac

!

dot11 ssid voice

vlan 21

authentication network-eap eap_methods mac-address mac_methods

authenticaiton key-management cckm

!

interface dot11radio 0

encryption vlan 21 mode ciphers tkip

ssid voice

!

radius-server host 10.0.0.15 auth-port 1645 acct-port 1646 key X

dcavanaugh · ‎01-21-2006

Username/password (LEAP)

MAC Authentication

Radius authentication for SSID access

You are going to require an identity to login to the phone. If that user leaves the company then you can disable that account. You maintain a list of MAC accounts for authentication. If a phone is lost or stolen, remove that account from the ACS server. The usernames will only be permitted to authenticate to the designated voice ssid in the company. And finally those usernames can't be used to authenticate on other ssids within the company.