Cisco Unified IP Phone 8961, 9951, and 9971 Administration Guide for Cisco Unified CM 8.0 (SIP)
Understanding the VoIP Wireless
Downloads: This chapterpdf (PDF - 368.0KB) The complete bookPDF (PDF - 11.96MB) | Feedback

Understanding the VoIP Wireless Network

Table Of Contents

Understanding the VoIP Wireless Network

Understanding the Wireless LAN

Understanding WLAN Standards and Technologies

802.11 Standards for WLAN Communications

World Mode (802.11d)

Radio Frequency Ranges

802.11 Data Rates, Tx Power, Ranges, and Decibel Tolerances

Wireless Modulation Technologies

AP, Channel, and Domain Relationships

WLANs and Roaming

Bluetooth Wireless Technology

Components of the VoIP Wireless Network

Interacting with Cisco Unified Wireless APs

Associating to APs

Voice QoS in a Wireless Network

Interacting with Cisco Unified Communications Manager

Security for Voice Communications in WLANs

Authentication Methods

Authenticated Key Management

Encryption Methods

Choosing AP Authentication and Encryption Methods

VoIP WLAN Configuration

Supported Access Points

Supported APs and Modes

Supported Antennas

Configuring Wireless LAN

Summary of Configuring the Wireless LAN in Cisco Unified Communications Manager Administration

Summary of Configuring the Wireless LAN on the Cisco Unified IP Phone


Understanding the VoIP Wireless Network


This chapter provides an overview of the interaction between a wireless-capable Cisco Unified IP Phone 9971 and other key components of a VoIP network in a wireless local area network (WLAN) environment. This chapter contains the following sections:

Understanding the Wireless LAN

Understanding WLAN Standards and Technologies

Bluetooth Wireless Technology

Components of the VoIP Wireless Network

Security for Voice Communications in WLANs

VoIP WLAN Configuration

Configuring Wireless LAN


Note For instructions on deploying and configuring a wireless Cisco Unified IP Phone 9971, refer to the Cisco Unified IP Phone 9971 Wireless LAN Deployment Guide at this location:

http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/9971_9951_8961/7_1_3/english/deployment/guide/9971dply.pdf


Understanding the Wireless LAN

With the introduction of wireless communication, Cisco Unified IP Phones with wireless capability, such as the Cisco Unified IP Phone 9971, can provide voice communication within the corporate WLAN. The Cisco Unified IP Phone depends upon and interacts with wireless access points (APs) and key Cisco IP telephony components, including Cisco Unified Communications Manager Administration, to provide wireless voice communication. Cisco Access Points can run in standalone or unified mode. Unified mode requires the Cisco Unified Wireless LAN Controller.

The Cisco Unified IP Phone 9971 exbihits Wi-fi capabilities which can be used 802.11a, 802.11b and 802.11g Wi-Fi.

Figure 6-1 shows a typical WLAN topology that enables the wireless transmission of voice for wireless IP telephony.

Figure 6-1 WLAN with Wireless IP Phones

When a Cisco Unified IP Phone powers on, it searches for and becomes associated with an AP if the phone Wireless access is set to On.

The AP uses its connection to the wired network to transmit data and voice packets to and from the switches and routers. Voice signaling is transmitted to the Cisco Unified Communications Manager server for call processing and routing.

APs are critical components in a WLAN because they provide the wireless links or "hot spots" to the network. Cisco requires that the APs supporting voice communications use Cisco IOS Release 12.3(8)JA or later. Cisco IOS software provides features for managing voice traffic.

In some WLANs, each AP has a wired connection to an Ethernet switch, such as a Cisco Catalyst 3750, that is configured on a LAN. The switch provides access to gateways and the Cisco Unified Communications Manager server to support wireless IP telephony.

Some networks have wired components that support wireless components. The wired components can comprise switches, routers, and bridges with special modules to enable wireless capability.

For more information about Cisco Unified Wireless Networks, refer to http://www.cisco.com/en/US/products/hw/wireless/index.html

Understanding WLAN Standards and Technologies

This section describes the following concepts:

802.11 Standards for WLAN Communications

World Mode (802.11d)

Radio Frequency Ranges

802.11 Data Rates, Tx Power, Ranges, and Decibel Tolerances

Wireless Modulation Technologies

AP, Channel, and Domain Relationships

WLANs and Roaming

802.11 Standards for WLAN Communications

Wireless LANs must follow the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standards that define the protocols that govern all Ethernet-based wireless traffic. The Cisco Unified IP Phone supports the following standards:

802.11a—Uses the 5 GHz band that provides more channels and improved data rates by using OFDM technology. Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC) support this standard.

802.11b—Specifies the radio frequency (RF) of 2.4 Ghz for both transmitting and receiving data at lower data rates (1,2,5.5, 11 Mbps).

802.11d—Enables access points to advertise their currently supported radio channels and transmit power levels. The 802.11d enabled client then uses that information to determine which channels and powers to use. The Cisco Unified IP Phone 9971 requires world mode (802.11d) to determine which channels are legally allowed for any given country. For supported channels, see Table 6-1. Make sure that 802.11d is properly configured on the Cisco IOS Access Points or Cisco Unified Wireless LAN Controller; for more information, see the "World Mode (802.11d)" section.

802.11e—QoS

802.11g—Uses the same unlicensed 2.4 Ghz band as 802.11b, but extends the data rates to provide greater performance by using Orthogonal Frequency Division Multiplexing (OFDM) technology. OFDM is a physical-layer encoding technology for transmitting signals by using RF.

802.11h—5 GHz spectrum and transmit power management

802.11i—Security

Table 6-1 Supported Channels for the Cisco Unified IP Phone 9971

Part Number
Band Range
Available Channels
5 GHz Channel Set

CP-9971-K9

2.412 - 2.484 GHz

5.180 - 5.240 GHz

5.260 - 5.320 GHz

5. 500 - 5.700 GHz

5.745 - 5.805 GHz

13 (14 in Japan)

4

4

11

4

UNII-2

UNII-2

UNII-2 Extended

UNII-3



Note 802.11j (channels 34, 38, 42, 46) and channel 165 are not supported.


World Mode (802.11d)

If you are using the Cisco Unified IP Phone 9971 in the Wolrd Mode, you must enable World mode (802.11d). The Cisco Unified IP Phone 9971 uses 802.11d to determine which channels and transmit powers to use and inherits its client configuration from the associated access point.


Note Enabling Wolrd Mode (802.11d) may not be necessary if the frequency is 2.4GHz and the current access point is transmitting on a channel 1-11.


As all countries support these frequencies, you can attempt to scan these channels regardless of supporting World Mode (802.11d). For the countries which support 2.4GHz, refer to Cisco Unified IP Phone 9971 Wireless LAN Deployment Guide.

Enable World Mode (802.11d) for the corresponding country where the access point is located. World Mode is enabled automatically for the Cisco Unified Wireless LAN Controller.

World Mode must be enabled manually for Cisco Autonomous Access Points using the following commands:

Interface dot11radio X

world-mode dot11d country US both

Supported Countries

The following countries are supported by the Cisco Unified IP Phone 9971:

Argentina (AR)

India (IN)

Poland (PL)

Australia (AU)

Indonesia (ID)

Portugal (PT)

Austria (AT)

Ireland (IE)

Puerto Rico (PR)

Belgium (BE)

Israel (IL)

Romania (RO)

Brazil (BR)

Italy (IT)

Russian Federation (RU)

Bulgaria (BG)

Japan (JP)

Saudi Arabia (SA)

Canada (CA)

Korea (KR / KP)

Singapore (SG)

Chile (CL)

Latvia (LV)

Slovakia (SK)

Colombia (CO)

Liechtenstein (LI)

Slovenia (SI)

Costa Rica (CR)

Lithuania (LT)

South Africa (ZA)

Cyprus (CY)

Luxembourg (LU)

Spain (ES)

Czech Republic (CZ)

Malaysia (MY)

Sweden (SE)

Denmark (DK)

Malta (MT)

Switzerland (CH)

Estonia (EE)

Mexico (MX)

Taiwan (TW)

Finland (FI)

Monaco (MC)

Thailand (TH)

France (FR)

Netherlands (NL)

Turkey (TR)

Germany (DE)

New Zealand (NZ)

Ukraine (UA)

Gibraltar (GI)

Norway (NO)

United Arab Emirates (AE)

Greece (GR)

Oman (OM)

United Kingdom (GB)

Hong Kong (HK)

Panama (PA)

United States (US)

Hungary (HU)

Peru (PE)

Venezuela (VE)

Iceland (IS)

Philippines (PH)

Vietnam (VN)


Radio Frequency Ranges

WLAN communications use the following radio frequency (RF) ranges:

2.4 GHz—Many devices that utilize 2.4 GHz can potentially interfere with the 802.11b/g connection. An interferer can produce a Denial of Service (DoS) scenario, possibly preventing successful 802.11 transmissions.

5 GHz—Divided into several sections called Unlicensed National Information Infrastructure (UNII) bands and has four channels each. The channels are spaced at 20 MHz to provide non-overlapping channels and more channels than with 2.4 GHz.

802.11 Data Rates, Tx Power, Ranges, and Decibel Tolerances

Table 6-2 lists the Tx power capacities, data rates, ranges in feet and meters, and decibels tolerated by the receiver by 801.11 standard.

Table 6-2 Tx Power, Data Rates, Ranges, and Decibels by Standard 

Standard
Maximum Tx Power 1
Data Rate 2
Range
Receiver Sensitivity
802.11a
 

16 dBm

6 Mbps

604 ft (184 m)

-91 dBm

9 Mbps

604 ft (184 m)

-90 dBm

12 Mbps

551 ft (168 m)

-88 dBm

18 Mbps

545 ft (166 m)

-86 dBm

24 Mbps

512 ft (156 m)

-82 dBm

36 Mbps

420 ft (128 m)

-80 dBm

48 Mbps

322 ft (98 m)

-77 dBm

54 Mbps

289 ft (88 m)

-75 dBm

802.11g
 

16 dBm

6 Mbps

709 ft (216 m)

-91 dBm

9 Mbps

650 ft (198 m)

-90 dBm

12 Mbps

623 ft (190 m)

-87 dBm

18 Mbps

623 ft (190 m)

-86 dBm

24 Mbps

623 ft (190 m)

-82 dBm

36 Mbps

495 ft (151 m)

-80 dBm

48 Mbps

413 ft (126 m)

-77 dBm

54 Mbps

394 ft (120 m)

-76 dBm

802.11b
 

17 dBm

1 Mbps

1,010 ft (308 m)

-96 dBm

2 Mbps

951 ft (290 m)

-85 dBm

5.5 Mbps

919 ft (280 m)

-90 dBm

11 Mbps

902 ft (275 m)

-87 dBm

1 Adjusts dynamically when associating with an AP if the AP client setting is enabled.

2 Advertised rates by the APs are used. If the Restricted Data Rates functionality is enabled in the Cisco Unified Communications Manager Administration phone configuration, then the Traffic Stream Rate Set IE (CCX V4) is used.

2 For more informationa about supported data rates, tx power and rx sensitivity for WLANs, see Cisco Unified IP Phone 9971 Wireless LAN Deployment Guide.


Wireless Modulation Technologies

Wireless communications uses the following modulation technologies for signaling:

Direct-Sequence Spread Spectrum (DSSS)—Prevents interference by spreading the signal over the frequency range or bandwidth. DSSS technology multiplexes chunks of data over several frequencies so that multiple devices can communicate without interference. Each device has a special code that identifies its data packets and all others are ignored. Cisco wireless 802.11b/g products use DSSS technology to support multiple devices on the WLAN.

Orthogonal Frequency Division Multiplexing (OFDM)—Transmits signals by using RF. OFDM is a physical-layer encoding technology that breaks one high-speed data carrier into several lower-speed carriers to transmit in parallel across the RF spectrum. OFDM, when used with 802.11g and 802.11a, can support data rates as high as 54 Mbps.

Table 6-3 provides a comparison of data rates, number of channels, and modulation technologies by standard.

Table 6-3 Data Rates, Number of Channels, and Modulation Technologies by IEEE Standard 

Item
802.11b
802.11g
802.11a

Data Rates

1, 2, 5.5, 11 Mbps

6, 9, 12, 18, 24, 36, 48, 54 Mbps

6, 9, 12, 18, 24, 36, 48, 54 Mbps

Non-overlapping Channels

3 (Japan uses 4)

3

Up to 23

Wireless Modulation

DSSS

OFDM

OFDM


AP, Channel, and Domain Relationships

APs transmit and receive RF signals over channels within the 2.4 GHz or 5 GHz frequency band. To provide a stable wireless environment and reduce channel interference, you must specify non-overlapping channels for each AP. The recommended channels for 802.11b and 802.11g in North America are 1, 6, and 11.


Note In a non controller-based wireless network, it is recommended that you statically configure channels for each AP. If your wireless network uses a controller, use the Auto-RF feature with minimal voice disruption.


For more information about APs, see the "VoIP WLAN Configuration" section.

For more information about AP, channel and domain relationships, see Cisco Unified IP Phone 9971 Wireless LAN Deployment Guide.

WLANs and Roaming

The Cisco Unified IP Phone 9971 supports Cisco Centralized Key Management (CCKM), a centralized key management protocol, and provides a cache of session credentials on the wireless domain server (WDS). APs must register to the WDS for fast roaming to work. CCKM is also supported on the Cisco Unified Wireless LAN Controller alone.

The Cisco Unified IP Phone 9971 supports CCKM with 802.1x+WEP or WPA(TKIP) only. CCKM is not supported with WPA2 or WPA(AES). For details about CCKM, refer to the "Cisco Fast Secure Roaming Application Note" at:
http://www.cisco.com/en/US/products/hw/wireless/ps4570/prod_technical_reference09186a00801c5223.html

Related Topics

Voice QoS in a Wireless Network

VoIP WLAN Configuration

Bluetooth Wireless Technology

The Cisco Unified IP Phone 9951 and 9971 is a qualified Bluetooth wireless device (Qualified Device ID (QDID) 9951 = B015587, 9971 = B015588) and provides voice communication over the same wireless LAN that your computer uses.

For more information about using Bluetooth headsets with your Cisco Unified IP Phone, see the "Using Bluetooth Wireless Headsets" section.

Components of the VoIP Wireless Network

The Cisco Unified IP Phone must interact with several network components in the WLAN to successfully place and receive calls. The following topics describe network components:

Interacting with Cisco Unified Wireless APs

Associating to APs

Voice QoS in a Wireless Network

Interacting with Cisco Unified Communications Manager

Interacting with Cisco Unified Wireless APs

Cisco Unified IP Phones use the same APs as wireless data devices. However, voice traffic over a WLAN requires different equipment configurations and layouts than a WLAN that is used exclusively for data traffic. Data transmission can tolerate a higher level of RF noise, packet loss, and channel contention than voice transmission. Packet loss during voice transmission can cause choppy or broken audio and make the phone call inaudible. Packet errors can also cause blocky or frozen video.

Because the Cisco Unified IP Phone 9971 are desktop and not mobile phones, changes in the local environment can cause phones to roam between access points and can affect the voice and video performance. In contrast, data users remain in one place or occasionally move to another location. The ability to roam while maintaining a call is one of the advantages of wireless voice, so RF coverage needs to include stairwells, elevators, quiet corners outside conference rooms, and passage ways.

To ensure good voice quality and optimal RF signal coverage, you must perform a site survey. The site survey determines settings suitable to wireless voice and assists in the design and layout of the WLAN; for example AP placement, power levels, and channel assignments.

After deploying and using wireless voice, you should continue to perform post installation site surveys. When you add a group of new users, install more equipment, or stack large amounts of inventory, you are changing the wireless environment. A post installation survey verifies that the AP coverage is still adequate for optimal voice communications.


Note There are packet loss during roaming; however, the security mode and the presence of fast roaming depicts how much packet is lost during transmission.


For more information on Voice QoS in a wireless network, see Cisco Unified IP Phone 9971 Wireless LAN Deployment Guide.

Associating to APs

At startup, the Cisco Unified IP Phone scans for APs with SSIDs and encryption types that it recognizes. The phone builds and maintains a list of eligible APs and uses the following variables to determine the best AP.

Received Signal Strength Indicator (RSSI)—Signal strength of available APs within the RF coverage area. The phone attempts to associate with the AP with the highest RSSI value.

Traffic Specification (TSpec)—Calculation of call limits and WLAN load balancing. The TSpec value of each voice stream allows the system to allocate bandwidth to voice devices on a first-come, first-served basis. For more information, see "Voice QoS in a Wireless Network" section.

The Cisco Unified IP Phone associates with the AP with the highest RSSI and lowest channel usage values (QBSS) that have matching SSID and encryption types. To ensure that voice traffic is handled properly, you must configure the correct QoS in the AP.

Related Topics

Security for Voice Communications in WLANs

VoIP WLAN Configuration

Voice QoS in a Wireless Network

Voice traffic on the Wireless LAN, like data traffic, is susceptible to delay, jitter, and packet loss. These issues do not impact the data end user, but have serious implications for a voice call. To ensure that voice traffic receives timely and reliable treatment with low delay and low jitter, you must use Quality of Service (QoS), and use separate virtual LANs (VLANs) for voice and data. By isolating the voice traffic onto a separate VLAN, you can use QoS to provide priority treatment for voice packets when traveling across the network. Also, use a separate VLAN for data traffic, not the default native VLAN which is typically used for all network devices.

You need the following VLANs on the network switches and the APs that support voice connections on the WLAN:

Voice VLAN—Voice traffic to and from the wireless IP phone

Native VLAN—Data traffic to and from other wireless devices

Assign separate SSIDs to the voice and to the data VLANs. If you configure a separate management VLAN in the WLAN, do not associate an SSID with the management VLAN.

By separating the phones into a voice VLAN and marking voice packets with higher QoS, you can ensure that voice traffic gets priority treatment over data traffic resulting in lower packet delay and fewer lost packets.

Unlike wired networks with dedicated bandwidths, wireless LANs consider traffic direction when implementing QoS. Traffic is classified as upstream or downstream from the point of view of the AP as shown in Figure 6-2.

Figure 6-2 Voice Traffic in a Wireless Network

Beginning with Cisco IOS release 12.2(11)JA, Cisco Aironet APs support the contention-based channel access mechanism called Enhanced Distributed Coordination Function (EDCF). The EDCF-type of QoS has up to eight queues for downstream (toward the 802.11b/g clients) QoS. You can allocate the queues based on these options:

QoS or Differentiated Services Code Point (DSCP) settings for the packets

Layer 2 or Layer 3 access lists

VLANs for specific traffic

Dynamic registration of devices

Although you can have up to eight queues on the AP, you should use only two queues for voice traffic to ensure the best possible voice QoS. Place voice (RTP) and signaling (SCCP) traffic in the highest priority queue, and place data traffic in a best-effort queue.Although 802.11b/g EDCF does not guarantee that voice traffic is protected from data traffic, you should get the best statistical results by using this queuing model.


Note The Cisco Unified IP Phone marks the SCCP signaling packets with a DSCP value of 24 (CS3) and RTP packets with DSCP value of 46 (EF).


To improve reliability of voice transmissions in a nondeterministic environment, the Cisco Unified IP Phone supports the IEEE 802.11e industry standard and is Wi-Fi Multimedia (WMM) capable. WMM enables differentiated services for voice, video, best effort data and other traffic. However, in order for these differentiated services to provide sufficient QoS for voice packets, only a certain amount of voice bandwidth can be serviced or admitted on a channel at one time. If the network can handle "N" voice calls with reserved bandwidth, when the amount of voice traffic is increased beyond this limit (to N+1 calls), the quality of all calls suffers.

To help address the problems of VoIP stability and roaming, an initial Call Admission Control (CAC) scheme is required. With CAC, QoS is maintained in a network overload scenario by ensuring that the number of active voice calls does not exceed the configured limits on the AP. The Cisco Unified IP Phone can integrate layer 2 TSpec admission control with layer 3 Cisco Unified Communications Manager admission control (RSVP). During times of network congestion, calling or called parties receive a fast busy indication. The system maintains a small bandwidth reserve so wireless phone clients can roam into a neighboring AP (AP), even when the AP is at "full capacity." After reaching the voice bandwidth limit, the next call is load-balanced to a neighboring AP without affecting the quality of the existing calls on the channel.

Implementing QoS in the connected Ethernet switch is highly desirable to maintain good voice quality. The COS and DSCP values that the Cisco Unified IP Phone sets do not need to be modified.

The DSCP, COS and UP (WMM) markings correctly for the optimum transmission of video frames.


Note The Cisco Unified IP Phone 9971 does not support Video CAC; however, Voice CAC is supported for WLANs.


Related Topics

Authentication Methods

Interacting with Cisco Unified Communications Manager

VoIP WLAN Configuration

Interacting with Cisco Unified Communications Manager

Cisco Unified Communications Manager is the call control component in the network that handles and routes calls for the wireless IP phones. Cisco Unified Communications Manager manages the components of the IP telephony system—the phones, access gateways, and the resources—for such features as call conferencing and route planning. When deploying a Cisco Unified IP Phone on a wireless LAN, you must use Cisco Unified Communications Manager Release 7.1(3) or later and the SIP protocol.

Before Cisco Unified Communications Manager can recognize a phone, the phone must register with Cisco Unified Communications Manager and be configured in the database. For information about setting up phones in Cisco Unified Communications Manager, see the "Configuring Cisco Unified IP Phones in Cisco Unified Communications Manager" section.

You can find more information about configuring Cisco Unified Communications Manager to work with the IP phones and IP devices in the Cisco Unified Communications Manager Administration Guide and Cisco Unified Communications Manager System Guide.

Related Topics

Configuring Cisco Unified IP Phones in Cisco Unified Communications Manager

Security for Voice Communications in WLANs

Because all WLAN devices that are within range can receive all other WLAN traffic, securing voice communications is critical in WLANs. To ensure that voice traffic is not manipulated or intercepted by intruders, the Cisco Unified IP Phone and Cisco Aironet APs are supported in the Cisco SAFE Security architecture. For more information about security in networks, refer to http://www.cisco.com/en/US/netsol/ns744/networking_solutions_program_home.html.

This section contains the following items:

Authentication Methods

Authenticated Key Management

Encryption Methods

Choosing AP Authentication and Encryption Methods

Authentication Methods

The Cisco Wireless IP telephony solution provides wireless network security that prevents unauthorized logins and compromised communications by using the following authentication methods supported by the wireless Cisco Unified IP Phone 9971:

Open Authentication—Any wireless device can request authentication in an open system. The AP that receives the request may grant authentication to any requestor or only to requestors on a list of users. Communication between the wireless device and AP could be non-encrypted or devices can use Wired Equivalent Privacy (WEP) keys to provide security. Devices that are using WEP only attempt to authenticate with an AP that is using WEP.

Shared Key Authentication—The AP sends an unencrypted challenge text string to any device attempting to communicate with the AP. The device that is requesting authentication uses a pre-configured WEP key to encrypt the challenge text and sends it back to the AP. If the challenge text is encrypted correctly, the AP allows the requesting device to authenticate. A device can authenticate only if its WEP key matches the WEP key on the APs.

Shared key authentication can be less secure than open authentication with WEP because someone can monitor the challenges. An intruder can calculate the WEP key by comparing the unencrypted and encrypted challenge text strings.

Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) Authentication—This client server security architecture encrypts EAP transactions within a Transport Level Security (TLS) tunnel between the AP and the RADIUS server such as the Cisco Access Control Server (ACS).

The TLS tunnel uses Protected Access Credentials (PACs) for authentication between the client (phone) and the RADIUS server. The server sends an Authority ID (AID) to the client (phone), which in turn selects the appropriate PAC. The client (phone) returns a PAC-Opaque to the RADIUS server. The server decrypts the PAC with its master-key. Both endpoints now have the PAC key and a TLS tunnel is created. EAP-FAST supports automatic PAC provisioning, but you must enable it on the RADIUS server.


Note In the Cisco ACS, by default, the PAC expires in one week. If the phone has an expired PAC, authentication with the RADIUS server takes longer while the phone gets a new PAC. To avoid the PAC provisioning delays, set the PAC expiration period to 90 days or longer on the ACS or RADIUS server.


Light Extensible Authentication Protocol (LEAP)—Cisco proprietary password-based mutual authentication scheme between the client (phone) and a RADIUS server. Cisco Unified IP Phone can use LEAP for authentication with the wireless network.

Auto (AKM)—Selects the 802.11 Authentication mechanism automatically from the configuration information exhibited by the AP. WPA-PSK or WPA.

Authenticated Key Management

The following authentication schemes use the RADIUS server to manage authentication keys:

WPA/WPA2Uses information on a RADIUS server to generate unique keys for authentication. Because these keys are generated at the centralized RADIUS server, WPA/WPA2 provides more security than WPA pre-shared keys that are stored on the AP and phone.

Cisco Centralized Key Management (CCKM)Uses information on a RADIUS server and a wireless domain server (WDS) to manage and authenticate keys. The WDS creates a cache of security credentials for CCKM-enabled client devices for fast and secure reauthentication.

With WPA/WPA2 and CCKM, encryption keys are not entered on the phone, but are automatically derived between the AP and phone. But the EAP username and password that are used for authentication must be entered on each phone.


Note CCKM is only supported with WPA(TKIP) and 802.1x(WEP).


Encryption Methods

To ensure that voice traffic is secure, the Cisco Unified IP Phone supports WEP, TKIP, and Advanced Encryption Standards (AES) for encryption. When using these mechanisms for encryption, both the signaling Skinny Client Control Protocol (SCCP) packets and voice Real-Time Transport Protocol (RTP) packets are encrypted between the AP and the Cisco Unified IP Phone.

WEP—When using WEP in the wireless network, authentication happens at the AP by using open or shared-key authentication. The WEP key that is setup on the phone must match the WEP key that is configured at the AP for successful connections. The Cisco Unified IP Phone supports WEP keys that use 40-bit encryption or a 128-bit encryption and remain static on the phone and AP.

EAP and CCKM authentication can use WEP keys for encryption. The RADIUS server manages the WEP key and passes a unique key to the AP after authentication for encrypting all voice packets; consequently, these WEP keys can change with each authentication.

TKIP—WPA and CCKM use TKIP encryption that has several improvements over WEP. TKIP provides per-packet key ciphering and longer initialization vectors (IVs) that strengthen encryption. In addition, a message integrity check (MIC) ensures that encrypted packets are not being altered. TKIP removes the predictability of WEP that helps intruders decipher the WEP key.

AES—An encryption method used for WPA2 authentication. This national standard for encryption uses a symmetrical algorithm that has the same key for encryption and decryption. AES uses Cipher Blocking Chain (CBC) encryption of 128 bits in size, supporting key sizes of 128, 192 and 256 bits, as a minimum. The Cisco Unified IP Phone supports a key size of 256 bits.


Note The Cisco Unified IP Phone does not support Cisco Key Integrity Protocol (CKIP) with CMIC.


Choosing AP Authentication and Encryption Methods

Authentication and encryption schemes are setup within the wireless LAN. VLANs are configured in the network and on the APs and specify different combinations of authentication and encryption. An SSID is associated with a VLAN and its particular authentication and encryption scheme. In order for wireless client devices to authenticate successfully, you must configure the same SSIDs with their authentication and encryption schemes on the APs and on the Cisco Unified IP Phone.

Some authentication schemes require specific types of encryption. With Open authentication, you have the option to use static WEP for encryption for added security. But if you are using Shared Key authentication, you must set static WEP for encryption, and you must configure a WEP key on the phone.

When using Authenticated Key Management (AKM) for the Cisco Unified IP Phone, several choices for both authentication and encryption can be set up on the APs with different SSIDs. When the phone attempts to authenticate, it chooses the AP that advertises the authentication and encryption scheme that the phone can support. Auto (AKM) mode can authenticate by using WPA, WPA2, WPA Pre-shared key, or CCKM.


NoteWhen using WPA Pre-shared key or WPA2 Pre-shared key, the pre-shared key must be statically set on the phone. These keys must match the keys configured on the AP.

When using Auto (AKM), encryption options are automatically configured for WPA, WPA2, WPA Pre-shared key, WPA2 Pre-shared key, or CCKM.

In AKM mode, the phone will authenticate with LEAP if it is configured with WPA, WPA2, or CCKM key management, or if 802.1x is used.

The Cisco Unified IP Phone does not support auto EAP negotiation; to use EAP-FAST mode, you must specify it.


Table 6-4 provides a list of authentication and encryption schemes that are configured on the Cisco Aironet APs that the Cisco Unified IP Phone supports. The table shows the network configuration option for the phone that corresponds to the AP configuration.

Table 6-4 Authentication and Encryption Schemes 

Cisco AP Configuration
Cisco Unified IP Phone Configuration
Authentication
Key
Management
Common Encryption
Authentication

Open

 

None

Open

Open (Static WEP)

 

WEP

Open+WEP

Shared key (Static WEP)

 

WEP

Shared+WEP

LEAP

802.1x

Optional CCKM

WEP

LEAP or Auto (AKM)

LEAP

WPA

WPA with Optional CCKM

TKIP

LEAP or Auto (AKM)

LEAP
WPA2

WPA2

AES

LEAP or Auto (AKM)

EAP-FAST

802.1x

Optional CCKM

WEP

EAP-FAST

EAP-FAST with WPA

WPA
Optional CCKM

TKIP

EAP-FAST

EAP-FAST with WPA2

WPA2

AES

EAP-FAST

WPA-PSK

WPA-PSK

TKIP

Auto (AKM)

WPA2-PSK

WAP2-PSK

AES

Auto (AKM)


For additional information about Cisco WLAN Security, refer to http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_brochure09186a00801f7d0b.html

For more information about configuring authentication and encryption schemes on APs, refer to the Cisco Aironet Configuration Guide for your model and release under the following URL:

http://www.cisco.com/cisco/web/psa/configure.html?mode=prod&level0=278875243

Related Topics

Interacting with Cisco Unified Wireless APs

Authentication Methods

Encryption Methods

Interacting with Cisco Unified Communications Manager

Components of the VoIP Wireless Network

VoIP WLAN Configuration

VoIP WLAN Configuration

This section provides configuration guidelines for deploying Cisco Unified IP Phones in the WLAN and includes these topics:

Supported Access Points

Supported APs and Modes

Supported Antennas

Supported Access Points

The wireless Cisco Unified IP Phone 9971 is supported on both the Cisco autonomous and unified solutions. Minimum and recommended versions are:

Cisco IOS Access Points (Autonomous)

Minimum = 12.3(8)JEA2 or later

Recommended = 12.4(10b)JA3 or later (does not apply to Cisco Aironet Series 1100, 1140, 1200, or 1230)

Cisco Unified Wireless LAN Controller

Minimum = 5.1.163.0 or later

Recommended = 5.2.193.0 or later

Supported APs and Modes

Table 6-5 lists the modes that are supported by each Cisco Access Point.

Table 6-5 Supported APs and Modes 

AP Models
802.11b
802.11g
802.11a
Autonomous Mode
Unified
Mode

Cisco Aironet 500 Series

Yes

Yes

No

Yes

Yes

Cisco Aironet 1100 Series

Yes

Yes

No

Yes

Yes

Cisco Aironet 1130 AG Series

Yes

Yes

Yes

Yes

Yes

Cisco Aironet 1140 Series

Yes

Yes

Yes

Yes

Yes

Cisco Aironet 1200 Series

Yes

Yes

Optional

Yes

Yes

Cisco Aironet 1230 AG Series

Yes

Yes

Yes

Yes

Yes

Cisco Aironet 1240 AG Series

Yes

Yes

Yes

Yes

Yes

Cisco Aironet 1250 Series

Yes

Yes

Yes

Yes

Yes

Cisco Aironet 1300 Series

Yes

Yes

No

Yes

Yes



Note Voice over the Wireless LAN (VoWLAN) via Outdoor MESH technology (Cisco 1500 series) is not supported in the Cisco Unified IP Phone 9971.


Third-party access points are not supported since there is no interoperability testing with these access points. However, if the access point supports the key features and follows the standards, the Cisco Unified Wireless IP Phone will be compliant.

Wi-Fi compliant APs that are manufactured by third-party vendors will support the Cisco Unified Wireless IP Phone 9971, but might not support key features such as Wi-Fi MultiMedia (WMM), Unscheduled Auto Power Save Delivery (U-APSD), Traffic Specification (TSPEC), QoS Basic Service Set (QBSS), Dynamic Transmit Power Control (DTPC), or proxy ARP.

Supported Antennas

Some Cisco Access Points require or allow external antennas. Refer to the following URL for the list of supported antennas and how these external antennas should be mounted.

http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/product_data_sheet09186a008008883b.html


Note The Cisco Aironet Series 1130 and 1140 access points must be mounted on the ceiling because they have omni-directional antennas.


Configuring Wireless LAN

Ensure that the Wi-Fi coverage in the location where the wireless is deplyoed, is suitable for transmitting video and voice packets.

If the Wi-Fi connectivity for voice and video has been enabled for the Cisco Unified IP Phone 9971, you have to authenticate the Wi-Fi network using the Wlan Sign in application within your applications menu.

To enable, to go to Applications > Administrator Settings > Network Setup > WLAN Setup > WLAN Sign in Access and enable WLAN network.

To change the username/password must go to Applications > Administrator Settings.

For complete configuration information, see the Cisco Unified IP Phone 9971 Wireless LAN Deployment Guide at this location:
http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/9971_9951_8961/7_1_3/english/deployment/guide/9971dply.pdf

The Cisco Unified IP Phone 9971 Wireless LAN Deployment Guide includes the following configuration information:

Configuring the wireless network

Configuring the wireless LAN in Cisco Unified Communications Manager administration

Configuring the wireless LAN on the Cisco Unified IP Phone 9971

Summary of Configuring the Wireless LAN in Cisco Unified Communications Manager Administration

In Cisco Unified Communications Manager administration, you must enable a parameter called "Wi-Fi" for the wireless Cisco Unified IP Phone 9971. This can be done in one of the following locations in Cisco Unified Communications Manager administration:

To enable wireless LAN on a specific phone, select the enable setting for the Wi-Fi parameter in the Product Specific Configuration Layout section (Device > Phone) for the specific phone, and check the Override Common Settings check box.

To enable wireless LAN for a group of phones, select the enable setting for the Wi-Fi parameter on a Common Phone Profile Configuration window (Device > Device Settings > Common Phone Profile), check the Override Common Settings check box, then associate the phone (Device > Phone page) with that common phone profile.

To enable wireless LAN for all WLAN-capable phones in your network, select the enable setting for the Wi-Fi parameter on the Enterprise Phone Configuration window (System > Enterprise Phone Configuration), and check the Override Common Settings check box.


Note On the Phone Configuration window in Cisco Unified Communications Manager administration (Device > Phone), when you configure the MAC address, use the wired-line MAC address. The wireless MAC address is not used for Cisco Unified Communications Manager registration.


Summary of Configuring the Wireless LAN on the Cisco Unified IP Phone

Before the phone can connect to the WLAN, you must configure the network profile for the phone with the appropriate WLAN settings. You can use the Network Setup menu on the phone to access the WLAN Setup submenu and set up the WLAN configuration. For instructions, see "WLAN Setup Menu" section.