Wireless Configuration

Table Of Contents

Wireless Configuration

Overview

Cisco Unified Wireless IP Phone 7920 Configuration

Cisco Aironet 1200 Access Point Configuration File

Cisco Access Control Server for LEAP Configuration

Wireless Configuration

---

This chapter provides an overview of how the Cisco Aironet Access Point (AP) 1200, the Cisco Unified Wireless IP Phone 7920, and the Cisco Secure Access Control Server (ACS) were configured for Cisco Unified Communications Release 5.0 for IP telephony. These devices were set up for wireless operation between IP phone devices registered to Cisco Unified CallManager or to Cisco Unified CallManager Express.

The tested configuration was designed to provides wireless interoperability with other devices in a deployment, including Cisco Unified IP Phone models 7911G, 7941G, 7961G, 7970G, and 7971G, and video endpoints. This configuration supports:

•Calls between Cisco Unified Wireless IP Phone 7920 devices

•Calls between the Cisco Unified Wireless IP Phone 7920 and other Cisco Unified IP Phone 79xx models

•Intercluster and intracluster Cisco Unified CallManager, Cisco Unified CallManager Express, SRST, and Cisco CRS sites.

This chapter does not include detailed installation and configuration instructions. Rather, it is intended to provide you with guidance as you set up wireless devices in your IP telephony solution.

This chapter includes the following sections:

•Overview

•Cisco Unified Wireless IP Phone 7920 Configuration

•Cisco Aironet 1200 Access Point Configuration File

•Cisco Access Control Server for LEAP Configuration

Overview

The wireless portion of the testing for Cisco Unified Communications Release 5.0 for IP telephony was configured based on the recommendations and configurations that are described in Table 10-1.

Table 10-1 Wireless Configuration Related Documentation 

Document	Reference
Cisco Unified Wireless IP Phone 7920 Design and Deployment Guide	http://www.cisco.com/en/US/products/hw/ phones/ps379/products_implementation_design _guide_book09186a00802a029a.html
Cisco AVVID Wireless LAN Design	http://www.cisco.com/application/pdf/en/us/ guest/netsol/ns178/c649/ccmigration _09186a00800d67eb.pdf
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points	http://www.cisco.com/en/US/products/hw/ wireless/ps4570/products_configuration_guide _book09186a00801ea410.html
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points, 12.2(15)JA	http://www.cisco.com/en/US/partner/products/ hw/wireless/ps4570/products_configuration _guide_book09186a00801ea410.html
Cisco Unified Wireless IP Phone 7920 Administration Guide	http://www.cisco.com/en/US/products/hw/ phones/ps379/products_administration_guide _book09186a0080183c50.html
Cisco Unified Wireless IP Phone 7920 Deployment Recommendations	http://www.cisco.com/en/US/products/hw/ phones/ps379/products_white _paper0900aecd800f6d97.shtml
Cisco Unified Wireless IP Phone 7920 for Cisco Unified CallManager	http://www.cisco.com/en/US/products/hw/ phones/ps379/products_user_guide _book09186a00802358c6.html
Configuring the Cisco Unified Wireless IP Phone 7920 with WEP Keys, VLANs, and LEAP	http://www.cisco.com/en/US/products/sw/ voicesw/ps556/products_configuration _example09186a00801a90d3.shtml
Wireless Virtual LAN Deployment Guide	http://www.cisco.com/en/US/products/hw/ wireless/ps430/prod_technical _reference09186a00801444a1.html

The Cisco Unified Communications Release 5.0 testing for IP telephony used a centralized Cisco Secure ACS with LEAP-compliant RADUIS authentication for all users of the Cisco Unified Wireless IP Phone 7920 and the Cisco Aironet AP 1200. In addition, a Cisco Aironet AP 1200 was configured as the backup LEAP authentication local RADIUS server to be used if the WAN connection to the ACS becomes lost.

LEAP allows devices such as the Cisco Aironet AP 1200 and the Cisco Unified Wireless IP Phone 7920 to be mutually authenticated based on username and password. Upon authentication, a dynamic key is used between the Cisco Unified Wireless IP Phone 7920 and the Cisco Aironet AP 1200 to encrypt signaling (SCCP) and media (RTP) streams between these devices. The Cisco Unified Wireless IP Phone 7920 supports static WEP and EAP-Cisco (LEAP) for data encryption and authentication. 802.1x/LEAP was used with a central Cisco Secure ACS.

The wireless configuration followed these guidelines:

•To ensure the best voice quality, VAD was disabled for the Cisco Unified Wireless IP Phone 7920. VAD is a Cisco Unified CallManager parameter that applies to all phones registered to a specific cluster.

•The Cisco Aironet AP 1200s were configured to support 802.11b WANs.

•No more than 15 802.11b users were used for any single Cisco Aironet AP 1200. The recommended maximum number of users is 20 to 25.

•No more than two VLANs were used per Cisco Aironet AP 1200. Each wireless VLAN was represented with a unique SSID name.

•Distance between Cisco Aironet AP 1200 devices can cause throughput variations for clients based on distance from the Cisco Aironet AP 1200. Cisco recommends that you limit the Cisco Aironet AP 1200 data rate to the higher data rates of 11 Mbps for 802.11b.

•The number of Cisco Aironet AP 1200s that you will require depends on your coverage and throughput requirements.

•EAP-Cisco (Network EAP or LEAP) was used as the security mechanism.

•The Cisco Secure ACS local database was used to store the username and password.

Cisco Unified Wireless IP Phone 7920 Configuration

The Cisco Unified Wireless IP Phone 7920 was implemented with Open and LEAP authentication types. WEP encryption was not configured or used. The phones were installed and configured as described in the Cisco Unified Wireless IP Phone 7920 documentation. For detailed information about installing, configuring, and administering the Cisco Unified Wireless IP Phone 7920, see the phone documentation listed in Table 10-1.

Cisco Aironet 1200 Access Point Configuration File

This section shows a configuration file that is recommended for the Cisco Aironet AP 1200 wireless deployment. This example includes settings for the Cisco Secure ACS and the local RADIUS server hosts. In this way, this Cisco Aironet AP 1200 can be used as a backup LEAP authentication sever when the Cisco Secure ACS is unavailable.

For related information, see the Access Point documentation listed in Table 10-1.

version 12.2 

no service pad 

service timestamps debug datetime msec 

service timestamps log datetime msec 

service password-encryption 

! 

hostname ap 

! 

enable secret 5 $1$ZyA5$VTX31sQLnZ2cZnBnGhX6v/ 

! 

username Cisco password 7 00271A150754

clock timezone U -8 

clock summer-time U recurring 

ip subnet-zero 

! 

aaa new-model 

! 

aaa group server radius rad_eap 

! 

aaa group server radius rad_mac 

! 

aaa group server radius rad_acct 

! 

aaa group server radius rad_admin 

! 

aaa group server tacacs+ tac_admin 

! 

aaa group server radius rad_pmip 

! 

aaa group server radius dummy 

! 

aaa authentication login eap_methods group rad_eap 

aaa authentication login mac_methods local 

aaa authorization exec default local 

aaa authorization ipmobile default group rad_pmip 

aaa accounting network acct_methods start-stop group rad_acct 

aaa session-id common 

dot11 phone 

dot11 arp-cache 

! 

policy-map data 

class class-default 

set cos 1 

policy-map management 

class class-default 

set cos 7 

policy-map voice 

class class-default 

set cos 6 

! 

bridge irb 

! 

interface Dot11Radio0 

no ip address 

no ip route-cache 

! 

encryption vlan 1 key 1 size 128bit 7 C6BDD88611D089948782B58DA1E4 transmit-key 

encryption vlan 1 mode wep mandatory 

! 

encryption vlan 2 key 1 size 128bit 7 9FD518A21653687A4251AEE12308 transmit-key 

encryption vlan 2 mode wep mandatory 

! 

encryption vlan 3 key 1 size 128bit 7 09E1230C15B678330C1A84143960 transmit-key 

encryption vlan 3 mode wep mandatory 

! 

ssid data 

vlan 2 

authentication open 

! 

ssid voice 

vlan 3 

authentication open 

! 

speed basic-11.0 

rts threshold 2312 

power local 20 

power client 20 

channel 2437 

station-role root 

! 

interface Dot11Radio0.1 

encapsulation dot1Q 1 native 

no ip route-cache 

service-policy input management 

service-policy output management 

bridge-group 1 

bridge-group 1 subscriber-loop-control 

bridge-group 1 block-unknown-source 

no bridge-group 1 source-learning 

no bridge-group 1 unicast-flooding 

bridge-group 1 spanning-disabled 

! 

interface Dot11Radio0.2 

encapsulation dot1Q 2 

no ip route-cache 

service-policy input data 

service-policy output data 

bridge-group 2 

bridge-group 2 subscriber-loop-control 

bridge-group 2 block-unknown-source 

no bridge-group 2 source-learning 

no bridge-group 2 unicast-flooding 

bridge-group 2 spanning-disabled 

! 

interface Dot11Radio0.3 

encapsulation dot1Q 3 

no ip route-cache 

service-policy input voice 

service-policy output voice 

bridge-group 3 

bridge-group 3 subscriber-loop-control 

bridge-group 3 block-unknown-source 

no bridge-group 3 source-learning 

no bridge-group 3 unicast-flooding 

bridge-group 3 spanning-disabled 

! 

interface FastEthernet0 

no ip address 

no ip route-cache 

duplex auto 

speed auto 

ntp broadcast client 

! 

interface FastEthernet0.1 

encapsulation dot1Q 1 native 

no ip route-cache 

bridge-group 1 

no bridge-group 1 source-learning 

bridge-group 1 spanning-disabled 

! 

interface FastEthernet0.2 

encapsulation dot1Q 2 

no ip route-cache 

bridge-group 2 

no bridge-group 2 source-learning 

bridge-group 2 spanning-disabled 

! 

interface FastEthernet0.3 

encapsulation dot1Q 3 

no ip route-cache 

bridge-group 3 

no bridge-group 3 source-learning 

bridge-group 3 spanning-disabled 

! 

interface BVI1 

ip address 10.0.0.5 255.255.255.0 

no ip route-cache 

! 

ip default-gateway 10.0.0.1 

ip http server 

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag 

/ivory/1100 

ip http authentication local 

ip radius source-interface BVI1 

! 

radius-server attribute 32 include-in-access-req format %h 

radius-server authorization permit missing Service-Type 

radius-server vsa send accounting 

bridge 1 route ip 

! 

line con 0 

line vty 5 15 

! 

ntp clock-period 2860645 

ntp server 10.0.0.1 

end 

Cisco Access Control Server for LEAP Configuration

The Cisco Secure ACS was configured for LEAP authentication using RADIUS (Cisco Aironet). The local CiscoSecure user database was used.

The ACSs were installed and configured as described in the Cisco Secure ACS documentation, which is available at this URL:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/ps5340/index.html

For a detailed step-by-step configuration example, also see Configuring the Cisco Unified Wireless IP Phone 7920 with WEP Keys, VLANs and LEAP (Table 10-1 provides a link to this document.)

To include LEAP functionality for the access point, include the following lines in the configuration shown in the "Cisco Aironet 1200 Access Point Configuration File" section:

143645292A50737C750D64637B3153375B2200010F75052F564935017D03010507

user cisco9 nthash 7

06512D076F185C4E5035462859560E0A75701564014355302027050B0104755E52

user cisco10 nthash 7

091A185F3A5635375C5D510B080178606D75315746565707017C700059534A300E

user cisco11 nthash 7

05535129716F6A5B4C563645582A220B73017E17117B4254435025020B0A70765B

user cisco12 nthash 7

0147275678592059071B68583D5346425E2D530809067A6A6D0445574454250408

user cisco13 nthash 7

0479532759721F6D2B4C2135405228507F08717C17630646534F5424007A7B000D

!

radius-server host 10.0.0.30 auth-port 1645 acct-port 1646 key 7

110A1016141D5A5E57

radius-server host 10.0.0.61 auth-port 1812 acct-port 1813 key 7

045802150C2E1D1C5A

radius-server deadtime 10

radius-server authorization permit missing Service-Type

bridge 1 route ip

!

line con 0

password 7 082F43400C

line vty 0 4

exec-timeout 60 0

password 7 045504080A

line vty 5 15

exec-timeout 60 0

password 7 000A1C0801

!

end