Wireless LANs must follow the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standards that define the protocols that govern all Ethernet-based wireless traffic. The Cisco Unified Wireless IP Phone supports the following standards:

802.11a

Uses the 5 GHz band that provides more channels and improved data rates by using Orthogonal Frequency Division Multiplexing (OFDM) technology. Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC) supports this standard.

802.11b

Specifies the radio frequency (RF) of 2.4 GHz for both transmitting and receiving data at lower data rates (1, 2, 5.5, 11 Mbps). Commonly called the Wi-Fi standard.

802.11d

Enables APs to communicate available radio channels and acceptable power levels. The Cisco Unified Wireless IP Phone always gives precedence to 802.11d to determine which channels and powers to use. If the information is unavailable, then the phone reverts to the locally configured regulatory domain.

802.11e

Supports Quality of Service (QoS).

802.11g

Uses the same unlicensed 2.4 GHz band as 802.11b, but extends the data rates to provide greater performance by using OFDM technology. OFDM is a physical-layer encoding technology for transmitting signals using RF.

802.11h

Supports the 5 GHz spectrum and transmit power management.

802.11i

Specifies security standards.

APs transmit and receive RF signals over channels within the 2.4 GHz or 5 GHz frequency band. To provide a stable wireless environment and reduce channel interference, you must specify nonoverlapping channels for each AP. The recommended 2.4 GHz channels to be used are 1, 6, and 11.

Regulatory domains determine the number of channels that wireless communications can use within the frequency band. Radio Frequency Ranges list the frequency ranges, operating channels, and product numbers for the regulatory domains. The Cisco Unified Wireless IP Phone uses the fourth domain for all other regions in the world. Wireless LANs in the rest of the world use 802.11d to identify band ranges and channels.

Note

In a non-controller-based wireless network, Cisco recommends that you statically configure channels for each AP. If your wireless network uses a controller, use the Auto-RF feature with minimal voice disruption. Some channels may need to be statically configured if there is an intermittent interferer, to avoid disruptions in that area.

The AP coverage area depends on the type of antenna and transmission power. The AP coverage range is from 500 to 1000 feet with effective isotropic radiated power (EIRP) output. To provide effective coverage, APs need a range overlap of approximately 20 percent to allow uninterrupted connections as phone users roam from one AP to another.

Wireless networks use a service set identifier (SSID). The SSID differentiates one WLAN from another, so all APs and all devices attempting to connect to a specific WLAN must use the same SSID. The SSID groups user devices and associates the group with the APs.

For more information about wireless network components and design, see the "Overview: Cisco Unified Wireless Network" at http://www.cisco.com/en/US/solutions/ns175/networking_solutions_products_genericcontent0900aecd80529a5f.html.

Wireless IP phones provide communication mobility to users within the WLAN environment. Unlike cellular phones that have a broad coverage, the coverage area for the wireless IP phone is smaller; therefore, phone users frequently roam from one AP to another. To understand some of the limitations of roaming with wireless IP phones, these examples provide information about the WLAN environment.

Pre-call Roaming

A wireless IP phone user powers up the phone in the office, and the phone associates with the nearby AP. The user leaves the building, moves to another building, and then places a call. The phone associates with a different AP in order to place the call from the new location. If the associated AP is within the same Layer 2 VLAN, the IP address remains the same for the phone. But, if the roaming phone crosses a Layer 3 boundary with DHCP enabled and Layer 3 mobility is not enabled, the phone recognizes that it is no longer in the same subnet. The phone must request a new IP address before it can connect to the network and place the call. If Layer 3 mobility is enabled, the phone does not need to reconnect to the network.

Note	If a user leaves the WLAN coverage area and then comes back into the same WLAN area, the phone must reconnect to the network. Pressing a key on the phone causes the phone to perform immediate scans to find and connect to the network.

Mid-call Roaming

A wireless IP phone user is actively engaged in a call and moves from one building to another. The roaming event occurs when the phone moves into the range of a different AP, and then the phone authenticates and associates with the new AP. The previous AP hands the call over to the new AP while maintaining continuous audio connection without user intervention. As long as the APs are in the same Layer 2 subnet, the wireless IP phone keeps the same IP address and the call continues. As a wireless IP phone roams between APs, it must reauthenticate with each new AP. See Authentication Methods for information about authentication.

If the user is roaming across Layer 2 boundaries, then Layer 3 mobility must be enabled to have seamless roaming, and to preserve an existing call.

If the wireless IP phone user moves from an AP that covers IP Subnet A to an AP that covers IP Subnet B without Layer 3 mobility enabled, the phone no longer has an IP address or gateway that is valid within the new subnet and the call can disconnect.

Layer 3 Roaming

Layer 3 roaming is available with Cisco autonomous and unified deployments. With unified deployments, Layer 3 roaming can be performed using intercontroller roaming or, if AP groups are used, to enable Layer 3 roaming.

Layer 3 roaming with Cisco Unified Access Points is accomplished by controllers that use dynamic interface tunneling and requires Layer 3 mobility to be enabled. Clients that roam across controllers and VLANS can keep their IP address when using the same SSID.

Fast and Secure Roaming

Cisco Centralized Key Management (CCKM) enables authenticated client devices to roam securely from one AP to another without any perceptible delay during reassociation. With the support of the CCKM protocol, the wireless IP phone negotiates the handoff from one AP to another easily. During the roaming process, the phone scans for the nearby APs, determines which AP can provide the best service, and then reassociates with the new AP. When implementing stronger authentication methods, such as WPA2 and EAP, the number of information exchanges increases and causes more delay during roaming. To avoid delays, use CCKM.

CCKM, a centralized key management protocol, provides a cache of session credentials on the Cisco Unified Wireless LAN Controller or a Wireless Domain Server (WDS). As the phone roams from one AP to the next, CCKM compresses the number of message exchanges during roaming by providing a primary key stored on the WDS for the AP to use. The reassociation exchange is reduced to two messages, thereby reducing the off-network or audio gap time.

For details about CCKM, see the "Cisco Fast Secure Roaming Application Note" at:

http://www.cisco.com/en/US/products/hw/wireless/ps4570/prod_technical_reference09186a00801c5223.html

Note	In dual-band WLANs, it is possible to roam between 2.4 GHz bands (802.11b/g) and 5 GHz bands (802.11a). The phone moves out of range of one AP using one band and into the range of another that has the same SSID but is using a different band.

Bluetooth enables low-bandwidth wireless connections within a range of 30 feet (10 meters). The best performance is in the 3- to 6-foot (1- to 2-meter) range. Bluetooth wireless technology operates in the 2.4 GHz band, which is the same as the 802.11b/g band. Because of potential interference issues, we recommend that you:

• Use 802.11a, which operates in the 5 GHz band

• Reduce the proximity to other 802.11b/g devices, Bluetooth devices, microwave ovens, and large metal objects

Wireless IP phones use the same APs as wireless data devices. However, voice traffic over a WLAN requires different equipment configurations and layouts than a WLAN that is used exclusively for data traffic. Data transmission can tolerate a higher level of RF noise, packet loss, and channel contention than voice transmission. Packet loss during voice transmission can cause choppy or broken audio and make the phone call inaudible.

Wireless IP Phones users are mobile and often roam across a campus or between floors in a building while connected to a call. In contrast, data users remain in one place or occasionally move to another location. The ability to roam while maintaining a call is one of the advantages of wireless voice, so RF coverage needs to include stairwells, elevators, quiet corners outside conference rooms, passageways and so on.

To ensure good voice quality and optimal RF signal coverage, you must perform a site survey. The site survey determines the AP platform and antenna type, AP placement, channel assignments and transmit power levels that are required for the deployment.

After you deploy and use wireless voice, you should continue to perform postinstallation site surveys. When you add a group of new users, install more equipment, or stack large amounts of inventory, you are changing the wireless environment. A postinstallation survey verifies that the AP coverage remains adequate for optimal voice communications.

Voice traffic on the Wireless LAN, like data traffic, is susceptible to delay, jitter, and packet loss. These issues do not impact the data end user, but have serious implications for a voice call. To ensure that voice traffic receives timely and reliable treatment with low delay and low jitter, you must use Quality of Service (QoS), and use separate virtual LANs (VLANs) for voice and data. By isolating the voice traffic onto a separate VLAN, you can use QoS to provide priority treatment for voice packets when traveling across the network. Also, use a separate VLAN for data traffic, not the default native VLAN that is typically used for all network devices.

You typically need at least three VLANs on the network switches and the APs that support voice connections on the WLAN. These VLANs are:

Voice VLAN

Voice traffic to and from the wireless IP phone

Data VLAN

Data traffic to and from the wireless PC

Native VLAN

Data traffic to and from other wireless infrastructure devices

Assign an SSID to the voice VLAN and a different SSID to the data VLAN. If you configure a separate management VLAN in the WLAN, do not associate an SSID with the management VLAN.

By separating the phones into a voice VLAN and marking voice packets with higher QoS, you can ensure that voice traffic gets priority treatment over data traffic, resulting in lower packet delay and fewer lost packets.

Unlike wired networks with dedicated bandwidths, wireless LANs consider traffic direction when implementing QoS. Traffic is classified as upstream or downstream from the point of view of the AP as shown in the following figure.

Beginning with Cisco IOS release 12.2(11)JA, Cisco Aironet APs support the contention-based channel access mechanism called Enhanced Distributed Coordination Function (EDCF). The EDCF-type of QoS has up to eight queues for downstream (toward the 802.11b/g clients) QoS. You can allocate the queues based on these options:

• Differentiated Services Code Point (DSCP) settings for the packets

• Layer 2 or Layer 3 access lists

• VLANs for specific traffic

Different traffic types are sent to different priority queues. The following are the queues:

• Best Effort (BE) = 0, 3

• Background (BK) = 1, 2

• Video (VI) = 4, 5

• Video (VO) = 6, 7

Call Control (SCCP) is sent on UP4 (VI) and voice is sent as UP6 (VO).

Although 802.11b/g EDCF does not guarantee that voice traffic is protected from data traffic, you should get the best statistical results by using this queuing model.

Note	The Cisco Unified Wireless IP Phone marks the call control packets with a DSCP value of 24 and voice packets with DSCP value of 46.

To improve reliability of voice transmissions in a nondeterministic environment, the Cisco Unified Wireless IP Phone supports the IEEE 802.11e industry standard and is Wi-Fi Multimedia (WMM) capable. WMM enables differentiated services for voice, video, best effort data and other traffic. However, in order for these differentiated services to provide sufficient QoS for voice packets, only a certain amount of voice bandwidth can be serviced or admitted on a channel at one time. If the network can handle "N" voice calls with reserved bandwidth, when the amount of voice traffic is increased beyond this limit (to N+1 calls), the quality of all calls suffers.

To help address the problems of VoIP stability and roaming, an initial Call Admission Control (CAC) scheme is required. With CAC, QoS is maintained in a network overload scenario by ensuring that the number of active voice calls does not exceed the configured limits on the AP. The Cisco Unified Wireless IP Phone can integrate layer 2 TSpec admission control with layer 3 Cisco Unified Communications Manager admission control (RSVP). During times of network congestion, calling or called parties receive a Network Busy message. The system maintains a small bandwidth reserve so that wireless phone clients can roam into a neighboring AP, even when the AP is at full capacity. After the AP reaches the voice bandwidth limit, the next call is load-balanced to a neighboring AP without affecting the quality of the existing calls on the channel.

Implementing QoS in the connected Ethernet switch is highly desirable to maintain good voice quality. The COS and DSCP values that the Cisco Unified Wireless IP Phone sets do not need to be modified. To configure QoS correctly on the AP, see Cisco Unified Wireless IP Phone 7925 and 7926 Series Deployment Guide.

Cisco Unified Communications Manager is the call control component in the network that handles and routes calls for the wireless IP phones. Cisco Unified Communications Manager manages the components of the IP telephony system—the phones, access gateways, and the resources—for such features as call conferencing and route planning. When deploying the Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G, you must use Cisco Unified Communications Manager Release 4.3 and later, and SCCP.

Before Cisco Unified Communications Manager can recognize a phone, the phone must register with Cisco Unified Communications Manager and be configured in the database.

You can find more information about configuring Cisco Unified Communications Manager to work with the IP phones and IP devices in the Cisco Unified Communications Manager Administration Guide and Cisco Unified Communications Manager System Guide.

The Cisco Wireless IP telephony solution provides wireless network security that prevents unauthorized logins and compromised communications by using the following authentication methods:

Open Authentication

Any wireless device can request authentication in an open system. The AP that receives the request may grant authentication to any requestor or only to requestors on a list of users. Communication between the wireless device and AP could be nonencrypted.

Open Authentication with WEP

This is similar to Open Authentication in the preceding bullet, except with improved security. Communication between the wireless device and AP use Wired Equivalent Privacy (WEP) keys to provide security.

Shared Key Authentication

The AP sends an unencrypted challenge text string to any device attempting to communicate with the AP. The device that requests authentication uses a preconfigured WEP key to encrypt the challenge text and sends the encrypted challenge text back to the AP. If the challenge text is encrypted correctly, the AP allows the requesting device to authenticate. A device can authenticate only if its WEP key matches the WEP key on the APs.

Shared key authentication can be less secure than open authentication with WEP because someone can monitor the challenges. An intruder can calculate the WEP key by comparing the unencrypted and encrypted challenge text strings.

Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) Authentication

This client server security architecture encrypts EAP transactions within a Transport Level Security (TLS) tunnel between the AP and the RADIUS server such as the Cisco Access Control Server (ACS).

The TLS tunnel uses Protected Access Credentials (PAC) for authentication between the client (phone) and the RADIUS server. The server sends an Authority ID (AID) to the client (phone), which in turn selects the appropriate PAC. The client (phone) returns a PAC-Opaque to the RADIUS server. The server decrypts the PAC with its primary key. The server and client now have the PAC key and a TLS tunnel is created. EAP-FAST supports automatic PAC provisioning, but you must enable it on the RADIUS server.

Note	In the Cisco ACS, by default, the PAC expires in one week. If the phone has an expired PAC, authentication with the RADIUS server takes longer while the phone gets a new PAC. To avoid the PAC provisioning delays, set the PAC expiration period to 90 days or longer on the ACS or RADIUS server.

Extended Authentication Protocol Transport Level Security (EAP-TLS) Authentication

EAP-TLS/RFC 2716 uses the TLS protocol (RFC 2246), which is the latest IETF version of the SSL security protocol. TLS provides a way to use certificates for both user and server authentication, and for dynamic session key generation.

Microsoft Windows XP provides support for 802.1x, allowing EAP authentication protocols (including EAP-TLS) to be used for authentication. The authentication used in EAP-TLS is mutual: the server authenticates the user and the user authenticates the server. Mutual authentication is required in a WLAN. EAP-TLS provides excellent security but requires client certificate management.

EAP-TLS uses Public Key Infrastructure (PKI) with the following conditions:

• A Wireless LAN client (user machine) requires a valid certificate to authenticate to the WLAN network.

• An authentication server (typically a RADIUS server) requires a server certificate to validate its identity to the clients.

• A Certificate Authority (CA) server infrastructure issues certificates to the authentication server and the clients.

Protected Extensible Authentication Protocol (PEAP) Authentication

PEAP uses server-side public key certificates to authenticate clients by creating an encrypted SSL/TLS tunnel between the client and the authentication server. This functionality is disabled by default and you enable it using Cisco Unified Communications Manager Administration.

The Cisco Unified Wireless IP Phone can optionally validate the server certificate during the authentication over an 802.11 wireless link.

Lightweight Extensible Authentication Protocol (LEAP)

Cisco proprietary password-based mutual authentication scheme between the client (phone) and a RADIUS server. Cisco Unified Wireless IP Phones can use LEAP for authentication with the wireless network.

Auto (AKM)

Selects the 802.11 Authentication mechanism automatically from the configuration information exhibited by the AP. Supports WPA/WPA2-PSK or LEAP with 802.1x+WEP or WPA/WPA2.

This section describes the following concepts:

• Authenticated Key Management

• Encryption Methods

The following authentication schemes use the RADIUS server to manage authentication keys:

Wi-Fi Protected Access (WPA)

Uses information on a RADIUS server to generate unique keys for authentication. Because these keys are generated at the centralized RADIUS server and are not saved on the phone or AP, WPA provides more security than WPA Pre-Shared Key (WPA PSK). WPA2 provides more security than WPA.

Cisco Centralized Key Management (CCKM)

Uses information on a RADIUS server and a wireless domain server (WDS) to manage and authenticate keys. The WDS creates a cache of security credentials for CCKM-enabled client devices for fast and secure reauthentication.

With WPA and CCKM, encryption keys are not entered on the phone, but are automatically derived between the AP and phone. The EAP username and password that are used for authentication must be entered on each phone.

Authenticated key management supports WPA/WPA2-PSK and WPA/WPA2/802.1x+WEP utilizing LEAP for the EAP type. CCKM can optionally be used with WPA/WPA2/802.1x+WEP mode.

To ensure that voice traffic is secure, the Cisco Unified Wireless IP Phone supports WEP, TKIP, and Advanced Encryption Standards (AES) for encryption. When using these mechanisms for encryption, both the signaling Skinny Client Control Protocol (SCCP) packets and voice Real-Time Transport Protocol (RTP) packets are encrypted between the AP and the wireless IP phone.

WEP

When using WEP in the wireless network, authentication happens at the AP by using open or shared-key authentication. The WEP key that is set up on the phone must match the WEP key that is configured at the AP for successful connections. The Cisco Unified Wireless IP Phone supports WEP keys that use 40-bit encryption or a 128-bit encryption and remain static on the phone and AP.

EAP and CCKM authentication can use WEP keys for encryption. The RADIUS server manages the WEP key and passes a unique key to the AP after authentication for encrypting all voice packets; consequently, these WEP keys can change with each authentication.

Temporal Key Integrity Protocol (TKIP)

WPA uses TKIP encryption that has several improvements over WEP. TKIP provides per-packet key ciphering and longer initialization vectors (IVs) that strengthen encryption. In addition, a message integrity check (MIC) ensures that encrypted packets are not being altered. TKIP removes the predictability of WEP that helps intruders decipher the WEP key.

AES

An encryption method used for WPA2 authentication. This national standard for encryption uses a symmetrical algorithm that has the same key for encryption and decryption. AES uses Cipher Blocking Chain (CBC) encryption of 128 bits in size, supporting key sizes of 128, 192, and 256 bits, as a minimum.