We currently have a separate PSK SSID for our wireless Cisco phones. We are migrating them to our WPA2 secure SSID. We had 2 options for this. We could either use MSCHAPv2 with a preconfigured service account per department, or use EAP-TLS using the MIC (Manufacturer's Installed Certificate) on the phone. We currently use the MIC with EAP-TLS on our wired Cisco phones with mac auth for the older models that do not support EAP-TLS.
For the wired phones, our RADIUS server just needed to trust the Cisco certificate chain. For the wireless phones, the phone needs to trust the RADIUS certificate chain. This involves uploading certificates through the phone web UI. We are choosing to use MSCHAPv2 with service accounts.

The Cisco 802.1X DIG is at http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html

Bruce Osborne
Network Engineer - Wireless Team
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Legge, Jeffry [mailto:[email protected]]
Sent: Thursday, May 8, 2014 12:39 PM
Subject: Wifi Phone on Separate SSID

I currently have a separate SSID for wireless Cisco phones. I am thinking about using my WPA2 secure SSID for them. Anybody got any caveats or suggestions?

Jeff Legge
Network Services
Radford University
(540)-831-7727

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
