Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
301
Views
0
Helpful
1
Replies

Security on VoWLAN - 802.1x

frapedjun
Level 1
Level 1

‎09-05-2014 06:01 AM - edited ‎07-05-2021 01:29 AM

Folks, greetings.
We are about to go for a VoWLAN deployment and we are having a hard time deciding on what security to set on the wlan, and the authentication server.
There are so many options: EAP/PEAP, EAP/LEAP, EAP/TLS, ACS, FreeRadius, NPS. Not to mention the PKI infrastructure. AD, LDAP, ....
We are digging the documentation, but it seems that there is not a common sense on what is the best balance between security, performance, manageability. We have also

read that 802.1x causes problems during the roaming of the phones. Is that true? Any trick to avoid that?
What is the easiest way to deploy security on this sort of environment without having an adminstrative nightmare and communications or performance issues?
Can we go for Local EAP set on WLC and having only one user certificate to be rolled out on all the 7925G phones? Is it possible or is it mandatory to have as many

users certificates as phone devices?
How about using the MIC preloaded on the phones; any hint on that?
I have read that WPA2/PSK/TKIP is the recommended, but I don't think the customer will want to go over all the 7925Gs to change the psk in the case of a psk leakage.
Of course we will go for a lab prior to the implementation.
Versions envolved:
WLC 7.5.102 (it will be upgraded)
7925G 1.4.5.3

Any help will be highly appreciated.

Regards,

FPJ

Labels:
0 Helpful
1 Reply 1

Rasika Nayanajith
VIP
VIP

‎09-06-2014 01:41 PM

Hi FPJ,

Here is the latest 7925G deployment guide which should be followed for any directions.

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.pdf

If you are using EAP, then PEAP is the less administrative (no clietn certs) & provide enough security as well. Local EAP on WLC may not be scalable/flexible as WLC won't act as full RADIUS server.

You have to configure CCKM to get faster roaming experience (ie 802.1X+ CCKM as L2 AKM suite). Below should gives you an idea how roaming works in WiFi

http://mrncciew.com/2014/09/02/cwsp-802-11-roaming-basics/

HTH

Rasika

**** Pls rate all useful responses ****

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card