Thanks Jason, I knew beforehand that my answer was not completely right. My point was to make a discussion that would be remembered :D I have also learned that configuring those things you read about and seeing them fail/work is very valuable, because the logs sometimes give you usable feedback. I am not confused. But the documentation can be confusing, especially since some of it is from 2004, like the latter one you posted below.

A good extract from your earlier post, Jason:

802.1x Authentication Configuration Requirement for Autonomous Access Points
If you use an autonomous access point (AP), you must configure the SSID for open + eap and network-eap authentication if using LEAP, EAP-FAST, PEAP, or EAP-TLS.
* Firmware 1.3(1) or earlier, network-eap is required (for Cisco Unified Wireless IP Phone 7925G and 7921G)
* Firmware 1.3(2) or later, open eap is required (for Cisco Unified Wireless IP Phone 7925G and 7921G)

So according to this, for the 7921 the need for open eap and/or network-eap depends on your phone firmware.

Regards.
Kristjan

p.s. While exploring this I also remembered one more thing: CCKM + WPA2 support for the 7921. It may work on a single AP but roaming fails. This is a known issue with firmware prior to 1.3(4). So you have to be on WPA TKIP if you want roaming to work. If you have firmware 1.3(4) on your 7921 you can configure WPA2 and roaming should work. This also seems to be just a phone firmware issue. So if somebody asks me to configure the most secure option for the 7921, I would check the firmware.

This document shows and recommends using TKIP and says that WPA2 is not supported by the 7921 (it's the 4.1 Voice over WLAN design guide):
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/vowlan/41dg/vowlan_ch10.html#wp1045851

But these are more recent firmware release notes:
http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/firmware/1_3_4/english/release/notes/792x_134.html#wp200672

Full CCKM Support
Cisco Centralized Key Management (CCKM) reduces the amount of delay time by centralizing the key management, which reduces the number of key exchanges. To optimize secure roaming, CCKM can be enabled while in WPA or WPA2 mode. Prior to this firmware release, CCKM was not supported when WPA2/AES was selected; this required a full re-authentication when roaming between access points, and could result in loss of audio during the roam. Now that CCKM is supported when WPA2/AES is selected, the full re-authentication is no longer required and roaming to a new access point should not result in any perceptible loss of audio. Firmware 1.3(4) provides full CCKM support of all WPA versions.

regards.
Kristjan

From: Jason Boyers [mailto:[email protected]]
Sent: 18 February 2011 02:26
To: Kristján Ólafur Eðvarðsson
Cc: [email protected]
Subject: Re: [CCIE Wireless] 3. Re: Autonomous AP Eap-fast with 7921 phone (Brendon Hwang)

Kristjan

Don't confuse the EAP authentication method (LEAP, EAP-FAST) with the 802.11 authentication algorithm required prior to EAP taking place. Look at http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml#NetEAP. There is also a bit more information at http://pluscom.ru/cisco_product/cc/td/doc/product/wireless/airo1200/accsspts/techref/eapfast/eapfast.htm (search for 802.11 authentication algorithm). Here it adds the use of EAP-FAST with Network-EAP. While LEAP will tend to require the use of network-EAP, it will depend on the client connecting. Also, note that the WLC solution (which supports LEAP) does not, to my knowledge, have a place to set the 802.11 authentication algorithm to Network-EAP.

Hope this didn't make things more confusing.

Also, that is a true statement about using EAP-FAST with local RADIUS for Cisco clients (APs and bridges). LEAP must be allowed so that it can be offered. If not, the AP won't offer EAP-FAST as an EAP authentication algorithm.

Jason Boyers - CCIE #26024 (Wireless)
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]

2011/2/17 Kristján Ólafur Eðvarðsson <[email protected]>

3. Re: Autonomous AP Eap-fast with 7921 phone (Brendon Hwang)

Kara and Brendon,

I don't agree. EAP-FAST requires only open eap; network-eap is only left on for legacy LEAP. This is for the phone and clients using EAP-FAST, it is an open standard. Test it! and then believe! :) Unless for the Root to WGB scenario. LEAP needs to be open for the negotiation to work. The negotiation goes something like:
Root: "do you support LEAP?"
Bridge: "Yes I do, but can we speak EAP-FAST?"
Root: "sure we can..."

regards.
Kristjan

------------------------------

Message: 3
Date: Thu, 17 Feb 2011 18:06:15 +1100
From: Brendon Hwang <[email protected]>
To: "Kara Muessig (kmuessig)" <[email protected]>, <[email protected]>
Subject: Re: [CCIE Wireless] Autonomous AP Eap-fast with 7921 phone
Message-ID: <c98312ab.698c%[email protected]>
Content-Type: text/plain; charset="us-ascii"

Hi Kara,

That is correct. Use both open eap and network-eap. I remember if you configure network-eap only then you get a warning msg that says you should enable open eap as well for eap-fast.

Cheers,
Brendon

From: "Kara Muessig (kmuessig)" <[email protected]>
Date: Wed, 16 Feb 2011 20:33:39 -0800
To: <[email protected]>
Subject: [CCIE Wireless] Autonomous AP Eap-fast with 7921 phone

Hi all,

I just wanted to verify that when configuring a 7921 to connect to an autonomous AP with EAP-FAST you had to use Network EAP along with Open EAP. I guess the phone is similar to a Cisco WGB where you have to use both open and network eap to use eap-fast?? Thoughts?

Thanks,
Kara Muessig
CONSULTING SYSTEMS ENGINEER.SALES
Wireless South Team
[email protected]
Phone: 512-791-2870
Cisco.com <http://www.cisco.com>

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

------------------------------

CCIE_Wireless mailing list
[email protected]
http://onlinestudylist.com/cgi-bin/mailman/listinfo/ccie_wireless

End of CCIE_Wireless Digest, Vol 23, Issue 18
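As an added illustration of the autonomous AP setup the thread is debating (this is not configuration from any of the posters), here is an Aironet IOS SSID stanza that offers both Open+EAP and Network-EAP, so it covers the 7921 firmware split quoted above, with the key-management line chosen by phone firmware as Kristjan describes. The SSID name VOICE, the AAA list name eap_methods, and the RADIUS server address are assumed.

```cisco
! Assumed names: SSID "VOICE", AAA login list "eap_methods",
! RADIUS server 192.0.2.10 (documentation address), placeholder shared secret.
aaa new-model
aaa authentication login eap_methods group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS_SECRET_PLACEHOLDER
!
dot11 ssid VOICE
 ! Open+EAP is what firmware 1.3(2) and later needs; Network-EAP is what
 ! 1.3(1) and earlier (and legacy LEAP clients) need. Offering both lets
 ! either firmware family associate and then run EAP-FAST/PEAP/EAP-TLS.
 authentication open eap eap_methods
 authentication network-eap eap_methods
 ! 7921 firmware before 1.3(4): only WPA(TKIP) + CCKM roams without a
 ! full re-authentication, so keep version 1 here.
 authentication key-management wpa version 1 cckm
 ! 7921 firmware 1.3(4) or later: CCKM also works with WPA2/AES, so use
 ! the stronger cipher by replacing the line above with:
 ! authentication key-management wpa version 2 cckm
 ! (CCKM on autonomous APs also needs WDS configured, not shown here.)
 guest-mode
!
interface Dot11Radio0
 ! Cipher must match the key-management choice: tkip for WPA version 1,
 ! aes-ccm for WPA version 2.
 encryption mode ciphers tkip
 ssid VOICE
```

Before switching the SSID to WPA2/AES, check the phone's firmware version; on a pre-1.3(4) 7921 the association will succeed on one AP while roaming fails, exactly the symptom described in the thread.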
