Spectralink 87-Series Wi-Fi Security Implementation Guide

Spectralink 87-Series Wireless Telephone
Wi-Fi Security Implementation Guide
721-0013-000 Rev D
November 2014
Spectralink 87-Series Wireless Telephones Wireless Security Implementation Guide
Copyright Notice
© 2014 Spectralink Corporation All rights reserved. Spectralink™, the Spectralink logo and the names
and marks associated with Spectralink’s products are trademarks and/or service marks of Spectralink
Corporation and are common law marks in the United States and various other countries. All other
trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted
in any form or by any means, for any purpose other than the recipient’s personal use, without the express
written permission of Spectralink.
All rights reserved under the International and pan-American Copyright Conventions. No part of this
manual, or the software described herein, may be reproduced or transmitted in any form or by any
means, or translated into another language or format, in whole or in part, without the express written
permission of Spectralink Corporation.
Do not remove (or allow any third party to remove) any product identification, copyright or other notices.
Notice
Spectralink Corporation has prepared this document for use by Spectralink personnel and customers.
The drawings and specifications contained herein are the property of Spectralink and shall be neither
reproduced in whole or in part without the prior written approval of Spectralink, nor be implied to grant any
license to make, use, or sell equipment manufactured in accordance herewith.
Spectralink reserves the right to make changes in specifications and other information contained in this
document without prior notice, and the reader should in all cases consult Spectralink to determine
whether any such changes have been made.
NO REPRESENTATION OR OTHER AFFIRMATION OF FACT CONTAINED IN THIS DOCUMENT
INCLUDING BUT NOT LIMITED TO STATEMENTS REGARDING CAPACITY, RESPONSE-TIME
PERFORMANCE, SUITABILITY FOR USE, OR PERFORMANCE OF PRODUCTS DESCRIBED
HEREIN SHALL BE DEEMED TO BE A WARRANTY BY SPECTRALINK FOR ANY PURPOSE, OR
GIVE RISE TO ANY LIABILITY OF SPECTRALINK WHATSOEVER.
Warranty
The Product Warranty and Software License and Warranty and other support documents are available at
http://support.spectralink.com.
Contact Information
US Location
800-775-5330
European Location
+45 7560 2850
Spectralink Corporation
2560 55th Street
Boulder, CO 80301
Spectralink Europe ApS
Langmarksvej 34
8700 Horsens, Denmark
[email protected]
[email protected]
721-0013-000_D.docx
November 2014
2
Contents
About This Guide ............................................................... 5
Product Support ............................................................................................................... 5
Spectralink References .................................................................................................... 5
Specific Documents ......................................................................................................... 6
Conventions Used In This Document .............................................................................. 7
Icons ............................................................................................................................... 7
Typography ..................................................................................................................... 7
Chapter 1: Wi-Fi Security Overview ........................................ 9
Role of the AP ................................................................................................................... 9
How Secure is CMS? .......................................................................................................10
Certificates .......................................................................................................................10
Types of Certificates .......................................................................................................11
How to get certificates ....................................................................................................11
Other Basic Security Concerns ......................................................................................12
Security method applications ..........................................................................................13
Chapter 2: Tools for Implementing the Wi-Fi Security Method ...... 14
SLIC configuration ..........................................................................................................14
CMS configuration ..........................................................................................................15
Admin menu configuration ..............................................................................................16
Chapter 3: Implementation .................................................. 19
Open Network ..................................................................................................................19
WEP ..................................................................................................................................19
SLIC configuration ..........................................................................................................19
CMS configuration ..........................................................................................................20
Admin settings menu configuration .................................................................................20
WPA/WPA2 PSK ...............................................................................................................22
SLIC configuration ..........................................................................................................22
CMS configuration ..........................................................................................................22
Admin settings configuration...........................................................................................23
802.1x EAP (WPA2 Enterprise) Set up............................................................................25
How to Get Certificates into the Handsets .....................................................................25
Installing generic CA certificates or PAC files .................................................................26
Installing device specific certificates or PAC files............................................................26
Installing Certificates Manually through the Admin Settings Menu ..................................26
PEAP .................................................................................................................................27
SLIC configuration ..........................................................................................................28
CMS configuration ..........................................................................................................28
Admin settings configuration...........................................................................................30
EAP-TLS ...........................................................................................................................32
SLIC configuration ..........................................................................................................32
CMS configuration ..........................................................................................................33
Admin settings configuration...........................................................................................35
EAP-FAST .........................................................................................................................37
SLIC configuration ..........................................................................................................37
CMS configuration ..........................................................................................................38
Admin settings configuration...........................................................................................40
Chapter 4: Certificates........................................................ 42
How to Get Certificates into the Handsets .....................................................................42
Installing generic CA certificates or PAC files .................................................................42
Installing device specific certificates or PAC files............................................................42
Installing Certificates Manually through the Admin Settings Menu ..................................42
Using Device-Specific Certificates and Credentials ......................................................44
Chapter 5: Glossary ........................................................... 45
Appendix A: Products Mentioned in this Document .................. 48
Appendix B: Spectralink Certificates ..................................... 49
About This Guide
Wi-Fi security prevents unauthorized over-the-air access to network components and the
sensitive data that resides there. The different methods provide a way for the handset to
validate itself against security credentials that are located on an access point or secure server.
Once the handset is recognized, it is allowed to transmit and receive audio and data. The
validation process needs to be fast and seamless so that delays and interruptions are kept to a
minimum.
The wireless security discussion in this document is pertinent to all wireless infrastructure
components, but not all components can accommodate all security methods. Consult the
specific administration guide for each product for exact information. The specific configuration
steps apply only to the Spectralink 87-Series products, also known as PIVOT™ by Spectralink.
Admin Tip: Updated document
This document incorporates updates to SLIC, CMS and handset code for the KitKat
Android evolution. Code versions are:
Handset 1.3.x
SLIC 3.3x
CMS 1.3.x
Product Support
Spectralink wants you to have a successful installation. If you have questions please contact the
Customer Support Hotline at 1-800-775-5330.
The hotline is open Monday through Friday, 6 a.m. to 6 p.m. Mountain time.
For Technical Support: mailto:[email protected]
For Knowledge Base: http://support.spectralink.com
For Return Material Authorization: mailto:[email protected]
Spectralink References
All Spectralink documents are available at http://support.spectralink.com.
To go to a specific product page:
Select the Product Category and Product Type from the dropdown lists and then select the
product from the next page. All resources for that particular product are displayed by default
under the All tab. Documents, downloads and other resources are sorted by the date they were
created so the most recently created resource is at the top of the list. You can further sort the
list by the tabs across the top of the list to find exactly what you are looking for. Click the title to
open the link. PIVOT documents are available at http://support.spectralink.com/pivot.
Specific Documents
AP Configuration Guides show you how to correctly configure access points and WLAN
controllers (if applicable) and identify the optimal settings that support Spectralink 87-Series
handsets. The guides can be found at the View Certified page.
Spectralink 87-Series Installation and Configuration Tool Administration Guide
The SLIC tool provides step-by-step instructions for configuring wireless settings required for the handsets to associate with the wireless LAN.
Spectralink 87-Series Wireless Telephone Deployment Guide
The Deployment Guide provides sequential information for provisioning and deploying the handsets. It covers deployment using the SLIC tool and CMS as well as manual deployment.
Spectralink 87-Series Wireless Telephone Administration Guide
The Admin Guide provides detailed information about every setting and option available to the administrator on both the CMS and handset menus. Time-saving shortcuts, troubleshooting tips and other important maintenance instructions are also found in this document.
Spectralink 87-Series Wireless Telephone Application Installation Guide
The Applications Guide provides detailed information about deploying any type of application, using an app store or MDM and manual processes for loading applications on the Spectralink 87-Series handset.
Spectralink 87-Series Wireless Telephone User Guide
The User Guide provides detailed information about using the features of the 87-Series handsets.
For information on IP PBX and softswitch vendors, see PIVOT by Spectralink Call Server
Interoperability Guide.
Conventions Used In This Document
Icons
Icons indicate extra information about nearby text.
Note
The Note icon highlights information of interest or important information that will
help you be successful in accomplishing a procedure or understanding a concept.
Admin Tip
This tip advises the administrator of a smarter, more productive or alternative
method of performing an administrator-level task or procedure.
Power User
A Power User Tip is typically reserved for information directed specifically at high-level users who are familiar with the information or procedure being discussed and are looking for better or more efficient ways of performing the task. For example, this might highlight customization of a feature for a specific purpose.
Settings
The Settings icon highlights information to help you zero in on settings you need to
choose for a specific behavior, to enable a specific feature, or access customization
options.
Typography
A few typographic conventions, listed next, are used in this guide to distinguish types of in-text
information.
Convention: Description
Bold: Highlights interface items such as menus, soft keys, file names, and directories. Also used to represent menu selections and text entry to the handset.
Italics: Used to emphasize text, to show example values or inputs, and to show titles of reference documents available from the Spectralink Support Web site and other reference sites.
Underlined blue: Used for URL links to external Web pages or documents. If you click on text in this style, you will be linked to an external document or Web page.
Bright orange text: Used for cross references to other sections within this document. If you click on text in this style, you will be taken to another part of this document.
Fixed-width-font: Used for code fragments and parameter names.
This guide also uses a few writing conventions to distinguish conditional information.
Convention: Description
<MACaddress>: Indicates that you must enter information specific to your installation, handset, or network. For example, when you see <MACaddress>, enter your handset’s 12-digit MAC address. If you see <installed-directory>, enter the path to your installation directory.
>: This document assumes that you are familiar with browsers and web pages and can find your way around with relative ease. We use the breadcrumbs method to show the sequence of clicks or taps that will get you to a page that may be deeper in the GUI. E.g. navigate to Settings> Admin settings> Security> CREDENTIAL STORAGE> Trusted credentials> User tab. All caps text within breadcrumbs indicates a section, not a clickable/tapable option.
Chapter 1: Wi-Fi Security Overview
Wi-Fi security prevents unauthorized over-the-air access to network components and the
sensitive data that resides there. The different methods provide a way for the handset to
validate itself against security credentials that are located on an access point or secure server.
Once the handset is recognized, it is allowed to transmit and receive audio and data. The
validation process needs to be fast and seamless so that delays and interruptions are kept to a
minimum.
Table 1 highlights the correlation between security and audio relating to various Wi-Fi
encryption and authentication techniques, with considerations for configuring the handsets for
the best security and audio.
Table 1: Enterprise Environment Security Trade-Offs

Wireless Security Method: WEP
Security in Enterprise Environments: Poor
Audio: Excellent
Ease of Configuration and Other General Information: A password entered on the Wi-Fi device must match a password configured on the AP. Passwords are not encoded and are easily compromised with hacking tools readily available on the internet. Not recommended as WEP has been replaced by more advanced technology.

Wireless Security Method: WPA / WPA2 PSK
Security in Enterprise Environments: Acceptable to Good
Audio: Excellent to Good
Ease of Configuration and Other General Information: Similar to WEP in that a passphrase (PSK) entered on the Wi-Fi device must match a passphrase configured on the AP. Additional encryption mechanisms are offered.

Wireless Security Method: 802.1x EAP
Security in Enterprise Environments: Excellent
Audio: Excellent to Poor
Ease of Configuration and Other General Information: Uses a RADIUS (Remote Authentication Dial In User Service) server that provides authentication through the use of certificates that validate the RADIUS server to the handset and can validate the handset to the server. The processing requirements of a RADIUS server can compromise handoffs, so a fast-roaming technique such as OKC or CCKM is necessary.
Role of the AP
The AP serves as a sort of traffic cop for the wireless LAN. The handsets contain security keys,
certificates, and/or username/password combinations that they present to the AP and the AP
routes the message accordingly. Correct AP configuration is critical to the success of wireless
security. For the Spectralink handsets, certain APs have been validated through the Spectralink
VIEW certification program. These APs have been carefully tested and the workable
configuration is precisely documented. See the Spectralink support website at
http://support.spectralink.com for complete information.
How Secure is CMS?
CMS is the Configuration Management Server that is used to administer the 87-Series
handsets. CMS transfers configuration information to the handsets over the air which could
expose the data to unauthorized parties. CMS uses both HTTP and HTTPS protocols. If your
facility uses the HTTPS protocol, you can take advantage of the mutual authentication feature
built into CMS. Mutual authentication is implemented by generating a public key on the CMS
and loading it into the handset using SLIC. This is the “server key” that ensures the handset
recognizes the CMS as genuine. The handset contains a device certificate that is loaded during
manufacturing. The CMS can recognize this key and therefore knows that the handset is
genuine. Once this authentication handshake is complete, the handset and the CMS exchange
information over a secure connection.
Having a secure connection with CMS provides you with a way to set up an extremely secure
Wireless Profile and transmit it to the handset within a secure environment.
HTTPS is set on the handset by 1) setting https://[IP address] as the CMS address, 2) using SLIC to
install the CMS key (see Spectralink 87-Series Installation and Configuration Tool
Administration Guide), and 3) enabling encryption for CMS at Home> CMS Administrative> Server
Settings> General settings. All three settings are required when using HTTPS to establish
the secure tunnel.
This secure connection is not possible using HTTP.
Certificates
If you are using any of the three 802.1x EAP methods (also known as WPA2 Enterprise), you
will need to understand certificates. Although the RADIUS server can be configured to not
require certificates, authentication through certificates is a major security function, and without
them the “excellent” rating in the above table becomes “poor”.
Certificates are generated in matching pairs. A “public” certificate can be loaded on all devices
that must authenticate a particular server that holds the corresponding “private” certificate.
Generally speaking, this is how PEAP works. Additionally a device can contain a unique
certificate that is private which is authenticated by a corresponding certificate on a server. When
both the device and the server authenticate each other, you have mutual authentication and this
is how EAP-TLS works.
Caution: Certificate validity
The validity of the certificate is not verified by the handset, SLIC or CMS. Ensure
you have a valid certificate before trying to use it for authentication.
Types of Certificates
CA certificate:
The client (the handset) uses the CA certificate to verify the CA signature of the server (the
RADIUS server) certificate before establishing a secure connection. This way the handset
knows it’s talking to the correct far side. It is provided by a Certificate Authority (hence CA) or an
IT administrator and must be loaded on the handset during configuration. This type of certificate
is also called a server certificate as it certifies the server. The certificate is usually the same for
every device and is therefore also known as a “public” certificate. Used by PEAP and EAP-TLS.
CA certificates appear under Settings> Admin settings> Security> Trusted Credentials.
Device certificate (called User Certificate by Android):
A device certificate validates the handset to the RADIUS server. Spectralink 87-Series handsets
are shipped with a Spectralink device certificate (a PKCS#12 file) that can be used by EAP-TLS for
Wi-Fi security. This type of certificate is different for each handset and is therefore also known
as a “private” certificate. It is not listed under Credential Storage as other CA certificates are. It
is found on the handset when setting up a Wi-Fi profile under Settings> Admin settings> Wi-Fi> +> [Security] 802.1x EAP> [EAP method] TLS> [User certificate] Spectralink device
certificate. The Spectralink device certificate uses the handset’s MAC address as its common
name, which is also its Identity.
If you are considering using third party user certificates, please see How to get certificates.
PAC file:
The Protected Access Credential (PAC) establishes a TLS tunnel in which client credentials are
verified. The PAC can be either a private certificate—a unique file for each handset—or a public
certificate—a generic file used by every handset. It is provided by an IT administrator and must
be loaded on the handset during configuration. PAC files are managed on the handset under
Settings> Admin settings> Security> PAC FILE STORAGE. EAP-FAST is used with Cisco®
products and by a number of other WLAN vendors.
How to get certificates
Exact instructions for obtaining the certificates you need is beyond the scope of this document.
However, Appendix B: Spectralink Certificates provides information about the certificates
provided by Spectralink.
Depending on the security method, two types of certificates may be needed: Server (CA)
certificates and User (device) certificates.
The Server certificate is the same for every device as the public key and it is installed on the
handset using SLIC or CMS or manually downloaded. Its companion private key is installed on
the RADIUS server. Their handshake provides server authentication.
Spectralink 87-Series handsets are shipped with the Spectralink device certificate, whose
common name is the handset’s MAC address; this also serves as the default Identity for EAP-TLS. The Spectralink Root certificate and Spectralink Issuing Certificate for the device certificate
must be installed as Trusted Certificates on the RADIUS server. The RADIUS server certificate is
optional, but for maximum security it should be installed on the handset.
If a different device/User certificate is desired, one can be generated and loaded into the
handset via USB or some other method. See Installing Certificates Manually through the Admin
Settings Menu. If using a third party user certificate, please see the Caution note below.
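As an added example that is not part of the Spectralink guide, the following openssl script builds a small lab PKI with the three certificate roles described above: a CA certificate that would be installed on every handset as a trusted credential, a RADIUS server certificate signed by that CA, and a per-handset device certificate whose common name is the handset MAC address, exported as the PKCS#12 file Android expects. It then checks chain and validity before loading, since the handset, SLIC and CMS do not verify validity. The CA name, RADIUS hostname, MAC address and PKCS#12 password are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the Spectralink guide: a lab PKI built with openssl
# that mirrors the certificate roles described in Chapter 1. All names and the
# MAC address below are constructed sample values.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1. Private CA. Its public certificate (ca.pem) is the "CA certificate" that
#    is loaded on every handset under Trusted credentials so the handset can
#    validate the RADIUS server. ca.key never leaves the CA host.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Lab Wi-Fi Root CA" -keyout ca.key -out ca.pem 2>/dev/null

# 2. RADIUS server certificate signed by the CA. Key and certificate stay on
#    the RADIUS server; nothing from this step goes to a handset.
openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.lab.example" \
  -keyout radius.key -out radius.csr 2>/dev/null
openssl x509 -req -in radius.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 730 -out radius.pem 2>/dev/null

# 3. Device (user) certificate for one handset. As with the Spectralink device
#    certificate, the common name is the handset MAC address, which the handset
#    then presents as its EAP-TLS identity.
MAC="${MAC:-00:90:7A:01:02:03}"
openssl req -newkey rsa:2048 -nodes -subj "/CN=$MAC" \
  -keyout device.key -out device.csr 2>/dev/null
openssl x509 -req -in device.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 730 -out device.pem 2>/dev/null
# Android imports user certificates as a PKCS#12 bundle; the password only
# protects the bundle while it is in transit (for example on the SD card).
openssl pkcs12 -export -in device.pem -inkey device.key -certfile ca.pem \
  -name "device-$MAC" -passout pass:changeit -out device.p12

# check_cert CERT CA SECONDS: succeeds only if CERT chains to CA and is still
# valid SECONDS from now. Run this before loading any certificate, because
# the handset, SLIC and CMS do not check validity themselves.
check_cert() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -checkend "$3" >/dev/null 2>&1 || return 1
  return 0
}

# cert_cn CERT: prints the subject CN, i.e. the identity the RADIUS server
# will see for a device certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -e 's/^subject= *//' -e 's/^CN=//'
}

check_cert radius.pem ca.pem 86400 && echo "radius.pem: chain and validity OK"
check_cert device.pem ca.pem 86400 && echo "device.pem: OK, identity $(cert_cn device.pem)"
```

Load ca.pem on the handsets as the trusted CA certificate and device.p12 as the user certificate; radius.key and radius.pem are installed only on the RADIUS server.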
Admin Tip: Using third party device certificates
If you plan on using a third party device certificate, you will have to manually load
each different device certificate into each handset via the SD card per standard
Android operation. These third party device certificates are stored in the Android
keystore and are subject to erasure when handsets are reset to factory defaults.
CMS and SLIC are not able to load third party user certificates into handsets.
Caution: Android keystore and Emergency Call limitations
The Android keystore is the Android storage mechanism for storing certificates
securely. It encrypts them by using the user PIN/pattern/password as part of the
encryption key. Therefore the phone must be logged in and connected to the
wireless LAN before a call can be placed. As long as the wireless connection
remains, the feature that enables a user to place an emergency call on a locked
phone can be used. However, the Emergency call feature will not work at phone
startup as the wireless connection is not yet established.
Spectralink device certificates are stored in the Spectralink keystore and are not
subject to this limitation.
Other Basic Security Concerns
Be aware of these basic security considerations while deploying 87-Series handsets.
VLANs: Robust, processing-intensive security methods disrupt voice, but not data. Voice and data traffic can be separated by dividing a physical WLAN into virtual networks (VLANs). Separate VLANs for data and for voice can alleviate the problem.
MAC filtering: APs can be configured to allow or deny access to clients based on clients’ MAC addresses. This technique can degrade AP performance and should not be used for voice traffic on a WLAN.
Firewalls: Traffic-filtering abilities of firewalls can enhance security, but firewalls create jitter in audio and are likewise discouraged when deploying wireless telephones.
Quality of Service (QoS): QoS is sometimes disabled to overcome a minor security flaw inherent in TKIP, a protocol used exclusively in WPA and optionally in WPA2. However, 87-Series handsets and other latency-sensitive devices need QoS, which lets APs prioritize traffic and optimize the way shared network resources are allocated among different applications. Without QoS, all applications running on different devices have equal opportunity to transmit data frames. That works well for web browsers, file transfers, or email, but audio and video streaming are sensitive to latency increases and throughput reductions, and so require QoS.
SSID broadcast: Some facilities use the ruse of not broadcasting the SSID in the mistaken belief that it offers a very easy method of security. Possibly this does offer some temporary modicum of security, but it is easily broken. This is not recommended.
Security method applications
While security deployment on a Wi-Fi network can be quite complex (assigning multiple SSIDs
for different security types, or different security for remote users than for office users, or higher
security levels for people in more sensitive positions…), a typical facility simply selects an
optimum security method and applies it to all users.
WPA-PSK/WPA2-PSK is easier to deploy and administer than 802.1x EAP and provides
security that is good but not optimum. Someone outside the company who knows the network
pass key (an ex-employee, for example) could hack into the network.
In the most secure environments provided by WPA2-Enterprise/802.1x EAP, each 87-Series
handset validates the authenticating server and mutual authentication is an option. Furthermore
each handset may have a username and password that are authenticated by a RADIUS server
before the device is allowed on the network. With options permitting both unique credentials and
mutual authentication, EAP-TLS provides the highest security method available.
Chapter 2: Tools for Implementing the
Wi-Fi Security Method
Thoroughly familiarize yourself with security options and determine which is best for your facility
before attempting to deploy any option.
The 87-Series handsets provide three ways to configure the wireless parameters and the
associated security method.
• Using the SLIC tool
• Using the CMS interface
• Manually through the Admin menus
Security settings for your wireless telephone deployment are generally configured for the entire
enterprise. It is not typical for more than one security method to be deployed in a single facility
for business use. But it is not uncommon to have a separate WEP-secured SSID for public use.
Admin Tip: Configuring a proxy?
While you are setting up an SSID for wireless security, you might also want to
configure a proxy. You will see the proxy option in the screenshots in this
document. Complete instructions can be found in the Spectralink 87-Series
Wireless Telephone Administration Guide.
SLIC configuration
Using the SLIC tool is the recommended method for initially configuring the wireless settings on
the handset. It is easy and fast and not prone to error. But it has a few limitations.
When using SLIC to configure Wi-Fi security settings, you will find that SLIC is not designed to
support user/device certificate or user-specific usernames and password credentials used by
802.1x security methods PEAP or EAP-FAST. If you deploy EAP-TLS, you can use the device
certificate that is factory-loaded for the 87-Series handsets.
Power User
SLIC can configure the specific username and passwords used by 802.1x security
methods PEAP and FAST (WPA2 Enterprise). However, you will need to rerun the
wireless wizard for each handset, entering the unique credentials and downloading
that specific configuration to the handset for each handset.
EAP-TLS cannot be configured by this method as third party user certificates with
unique identities are not supported by SLIC. Only the Spectralink device certificate
can be used for EAP-TLS with SLIC.
Caution: Special character limitations
Sometimes passwords and other text uses special characters that can be
problematic in certain software applications. In the SLIC program, the double
backslash (two backslashes in a row, i.e. \\) functions as an escape character and
therefore does not manage your entry accurately. The ampersand (&) and bracket
characters (<>) are similarly problematic for CMS.
To be on the safe side, do not use these special characters in any fields: \\ & < >
Step through the 87-Series Wireless Wizard until you get to this page:
CMS configuration
You will only use the CMS configuration when the handset is already associated and you need
to change a Wi-Fi profile or add a new one.
Settings: Activating a Wi-Fi Profile
These instructions are for configuring a Wi-Fi profile. To add it to a handset at the
enterprise, group or device level, navigate to Device Management> Configure
Devices> Wireless Profiles and select the new profile from the list.
Navigate to Home> Initial Setup> Wireless Profiles> Add Wireless Profile.
Admin menu configuration
The Admin settings menu allows you to set up a Wi-Fi profile for a single handset. This is
usually done when testing configurations or deploying only a very few handsets.
Admin Tip: Editing an existing Wi-Fi profile
When you need to edit an existing Wi-Fi profile, press and hold the profile name
and then tap Modify network.
To add a new Wi-Fi profile
Navigate to Settings> Admin settings> Wi-Fi> +.
The “+” sign in the lower left allows you to add a new SSID and set up the security requirements
of the Wireless LAN.
Advanced options
Every security method has a Show advanced options setting on the menu. These settings allow
you to set up a different environment for this SSID, if you wish. These settings are only found on
the handset Admin menu. They are not available on SLIC or CMS.
• Proxy settings
  ○ None
  ○ Manual
    » Proxy hostname
    » Proxy port
    » Bypass proxy for
• DHCP phone can get its address from
  ○ DHCP
  ○ Static
    » IP address
    » Gateway
    » Network prefix length
    » DNS 1
    » DNS 2
Chapter 3: Implementation
Open Network
No security method is deployed when you select Open Network.
WEP
The WEP option uses a single password for the entire facility which is set in the AP. The
87-Series handsets use only the first index key, which is called either Key 1 or Key 0 depending
on the environment. The passphrase can be 10 or 26 hexadecimal characters.
Admin Tip
Hex characters are 0-9 and a-f.
Note
Key rotation is not supported.
The handset will accept either open or shared key.
Set up the password in the APs.
This same password is entered into the handset by one of the three different methods: SLIC,
CMS or the handset’s Admin menu.
SLIC configuration
When you use the Wireless Wizard for the 87-Series handsets, you will step through the
screens until you come to the Security settings.
1. Select the WEP Security option and click Next.
2. Enter the 10 or 26 character WEP key in the WEP Password field.
3. Click Next to finish the configuration.
CMS configuration
You will only use the CMS configuration when the handset is already associated and you need
to change the Wi-Fi profile or add a new one.
Settings: Activating a Wi-Fi Profile
These instructions are for configuring a Wi-Fi profile. To add it to a handset at the
enterprise, group or device level, navigate to Device Management> Configure
Devices> Wireless Profiles and select the new profile from the list.
1. Click the WEP option and enter the SSID in the SSID field.
2. Enter the 10 or 26 character key in the Password field.
3. Click Save.
Admin settings menu configuration
The Admin settings menu allows you to set up a Wi-Fi profile for a single handset. This is
usually done when testing configurations or deploying only a very few handsets or when
operating in a unique environment.
Note
A Wi-Fi network set up on the handset will not show up on the Wi-Fi Profile list in
the CMS.
1. Tap the WEP option and enter the 10 or 26 character key in the Password field.
2. Tap Save.
WPA/WPA2 PSK
When you configure WPA/WPA2 PSK in the AP, you will determine the encryption algorithm to
be used, and that determines whether you are using WPA (TKIP) or WPA2 (AES). However, in the
handset’s configuration, all you need to do is enter the Passphrase (8-63 characters) or Hex
Key (64 hexadecimal characters) in the Password field.
• The Passphrase is 8-63 characters
• The Hex Key option is 64 hex characters
Set up WPA PSK or WPA2 PSK in the APs.
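The key-format rules in this section (WEP: 10 or 26 hex digits; WPA/WPA2 PSK: an 8-63 character passphrase or a 64 hex-digit key) and the earlier caution about the characters \\ & < > that SLIC and CMS mishandle can all be checked before a value is pasted into either tool. The following Python script is an added example written for this guide, not Spectralink code; the function names are the author's own. It also goes one step beyond the text by showing the standard IEEE 802.11i derivation of the 64 hex-digit PSK from a passphrase and SSID (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), which is why either form can be entered in the Password field and the AP will accept it.

```python
import hashlib
import re

# Characters the guide says to keep out of SLIC and CMS fields: \\ & < >
SLIC_CMS_PROBLEM_CHARS = frozenset("\\&<>")


def problem_characters(value):
    """Return, sorted, any characters in value that SLIC or CMS mishandle."""
    return sorted(SLIC_CMS_PROBLEM_CHARS & set(value))


def classify_wep_key(key):
    """The handset accepts a WEP key of 10 or 26 hex digits (40- or 104-bit)."""
    if re.fullmatch(r"[0-9a-fA-F]{10}", key):
        return "WEP-40"
    if re.fullmatch(r"[0-9a-fA-F]{26}", key):
        return "WEP-104"
    return None


def classify_wpa_psk(value):
    """WPA/WPA2-PSK Password field: 8-63 character passphrase or 64 hex digits."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return "hex-key"
    if 8 <= len(value) <= 63:
        return "passphrase"
    return None


def wpa_psk_from_passphrase(passphrase, ssid):
    """Derive the 64-hex-digit PSK the way IEEE 802.11i defines it:
    PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 256-bit output.
    The AP and the handset both compute this from the passphrase, so
    entering it as a Hex Key is equivalent to entering the passphrase."""
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                              ssid.encode("utf-8"), 4096, 32)
    return psk.hex()


def validate_field(method, value):
    """Pre-flight check for a value about to be pasted into SLIC or CMS.
    Returns (ok, findings); findings lists every problem found."""
    findings = []
    bad = problem_characters(value)
    if bad:
        findings.append("contains characters SLIC/CMS mishandle: " + " ".join(bad))
    if method == "WEP":
        if classify_wep_key(value) is None:
            findings.append("WEP key must be exactly 10 or 26 hex digits (0-9, a-f)")
    elif method == "WPA-PSK":
        if classify_wpa_psk(value) is None:
            findings.append("PSK must be an 8-63 character passphrase or 64 hex digits")
    else:
        findings.append("unknown method: " + method)
    return (not findings, findings)


if __name__ == "__main__":
    # Constructed sample values; the SSID/passphrase pair below is the
    # published IEEE 802.11i PBKDF2 test vector, not a real network.
    for method, value in [("WEP", "0123456789abcdef0123456789"),
                          ("WEP", "not-a-hex-key"),
                          ("WPA-PSK", "correct horse battery staple"),
                          ("WPA-PSK", "pass&word<1>")]:
        ok, findings = validate_field(method, value)
        print(method, repr(value), "OK" if ok else findings)
    print("PSK for SSID 'IEEE' / passphrase 'password':",
          wpa_psk_from_passphrase("password", "IEEE"))
```

Run the script before a rollout with the real key in place of the constructed values; a key that fails `validate_field` will either be rejected by the wizard or, for the listed special characters, be stored incorrectly without any warning.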
SLIC configuration
When you use the Wireless Wizard for the 87-Series handsets, you will step through the
screens until you come to the Security settings.
1. Select the WPA-PSK or WPA2-PSK option and click Next. Select either Passphrase or
Hex Key.
2. Enter the 8-63 character Passphrase or 64 character Hex Key in the Passphrase / Hex
Key field. You can paste it into the field instead of typing it in.
3. Click Next to finish the configuration.
CMS configuration
You will only use the CMS configuration when the handset is already associated and you need
to change the Wi-Fi profile or add a new one.
Settings: Activating a Wi-Fi Profile
These instructions are for configuring a Wi-Fi profile. To add it to a handset at the
enterprise, group or device level, navigate to Device Management> Configure
Devices> Wireless Profiles and select the new profile from the list.
1. Select the WPA-PSK or WPA2-PSK option and enter the SSID in the SSID field.
2. Enter the 8-63 character Passphrase or 64 character Hex Key in the Passphrase / Hex
Key field. You can paste it into the field instead of typing it in.
3. Click Save.
Admin settings configuration
The Admin settings menu allows you to set up a Wi-Fi profile for a single handset. This is
usually done when testing configurations or deploying only a very few handsets.
Tap the WPA/WPA2 PSK option and enter the Passphrase or Hex Key in the Password field
and tap Save.
802.1x EAP (WPA2 Enterprise) Set up
In order to deploy 802.1x EAP, you must provision a RADIUS server to provide the
username/password security handshake. The RADIUS server maintains the username and
password for each handset or acquires this information from the LDAP server.
Admin Tip: Fast handoff methods
When using a RADIUS server, you will need to configure a fast handoff method in
the AP in order to assure audio quality. Spectralink 87-Series handsets use either
of two fast-handoff techniques as they roam among APs: CCKM or OKC. CCKM is
used exclusively by Cisco APs. OKC is used by most non-Cisco APs. Consult the
VIEW guide for your AP model for more information.
Three 802.1X EAP options are supported: PEAP, EAP-TLS and EAP-FAST. PEAP and EAP-FAST
validate user credentials by using the username and password from the RADIUS server.
EAP-TLS validates the user through a user/device certificate. Each method uses certificates in
slightly different ways.
• PEAP can use a CA (Certifying Authority) certificate, but it is not required.
• TLS uses two types of certificates. A CA certificate initially validates the RADIUS server
to the handset. A user/device certificate validates the handset to the RADIUS server.
• EAP-FAST uses a type of certificate called a PAC (Protected Access Credential). The
PAC can be auto-provisioned through SLIC or CMS or manually loaded into the handset.
Note
MSCHAPv2 is supported for PEAP and TLS when enabled on your infrastructure.
How to Get Certificates into the Handsets
Several certificates are pre-loaded on the handset.
• The Spectralink device certificate
• Many CA certificates commonly provided to Android devices (view these certificates at
Settings> Admin settings> Security> CREDENTIAL STORAGE> Trusted
credentials> System tab)
Installing generic CA certificates or PAC files
Caution: Certificate validity
The validity of the certificate is not verified by the handset, SLIC or CMS. Ensure
you have a valid certificate before trying to use it for authentication.
For PEAP, TLS and EAP-FAST, generic CA certificates or PAC files are best installed using the
SLIC tool. After you connect to the CMS you can use the CMS to install them. They can also be
installed manually through the Admin settings menu with a USB cable between the handset and
a computer.
Installing device specific certificates or PAC files
Third party User certificates or unique PAC files must be installed manually according to the
process described below. CMS and SLIC do not permit installation of unique files. See Using
Device-Specific Certificates and Credentials for more information and a workaround.
Installing Certificates Manually through the Admin Settings Menu
Third party User certificates, CA certificates and PAC files can be loaded into the handsets via a
USB cable connected to a computer that can access the certificate or PAC file on the computer
using Microsoft® Windows® Explorer®. The computer and handset need to be configured to
recognize each other and the first few steps below will explain how to do this.
1. Procure and load the certificates to a location on the computer where you can navigate
to them using Windows Explorer.
2. Configure the handset. Navigate to Settings> Admin settings> Developer options>
USB debugging and tap to enable. The handset will now permit the computer to
recognize it when the USB cable is connected to the computer.
3. Plug the USB cable into the handset and the computer. Use Windows Explorer to find
the handset model. It will be under Computer and listed by model number. In Windows
8, it is under “Portable Devices”.
Note: Installing a driver
When your computer recognizes the Android device, it may need to install a driver
before the device appears in Windows Explorer.
4. On the computer, navigate to the location of the file and use Windows Explorer to drag
the certificate to the handset. The certificate will be in the handset.
5. On the handset navigate to Settings> Admin settings> Security> CREDENTIAL
STORAGE> Install from storage. This will install the Certificate.
6. On the handset, navigate to Settings> Admin settings> Security> CREDENTIAL
STORAGE> Trusted credentials> User tab and display the installed certificate.
Note: Where is the third party user certificate?
If you are manually installing a third party user certificate, it is located in the Android
keystore and cannot be viewed on the Security menu. It is available in the Wi-Fi
area when configuring EAP-TLS. See the User certificate dropdown list to confirm
its availability.
7. Repeat steps 5-7 for a PAC file using the PAC FILE STORAGE area instead of
CREDENTIAL STORAGE.
8. Return to the Wi-Fi menu to install the CA certificate and/or PAC file.
Removing CA certificate and PAC files
• Remove a CA certificate: On the handset, navigate to Settings> Admin settings>
Security> CREDENTIAL STORAGE> Trusted credentials> User tab and display the
installed Certificate. Scroll down to the Disable button. Tap the Disable button.
• Remove all PAC files: On the handset, navigate to Settings> Admin settings>
Security> PAC FILE STORAGE> Clear PAC files. Tap Clear PAC Files to remove.
Single PAC files cannot be displayed or removed.
• Remove all credentials: On the handset, navigate to Settings> Admin settings>
Security> CREDENTIAL STORAGE> Clear credentials. Tap Clear credentials and
confirm the popup.
Removing User certificates
Once you install a user cert there is no way to remove without doing a restore to defaults or
removing all credentials per bullet 3 above.
Note: Spectralink device certificate cannot be removed
The manufacturer-installed Spectralink device certificate cannot be removed from
the handset. A restore to defaults will not remove the Spectralink device certificate.
Third party User certificates will be removed.
PEAP
PEAP requires a username and password but does not require a CA certificate. Be aware that
not using a certificate for server authentication is much less secure.
SLIC configuration
If using PEAP with SLIC you must set up a generic username and password on the RADIUS
server. Unique usernames and/or passwords are not supported. If using unique usernames or
passwords, these must be loaded manually. See below. For a workaround see Using Device-Specific Certificates and Credentials.
When you use the Wireless Wizard for the 87-Series handsets, you will step through the
screens until you come to the Security settings.
1. Select the PEAP option and click Next.
2. Browse to the CA Certificate file, load it and click Validate Certificate. This field may be
left empty if a CA Certificate is not being used but this is a less secure method of
authentication. Click Validate Certificate to move to the next screen.
3. Enter the Username and Password that are stored on the RADIUS server. PEAP can
use the same username and password for every handset. Individual usernames or
passwords are not supported by SLIC. For a workaround see Using Device-Specific
Certificates and Credentials.
4. Click Next to finish the configuration.
CMS configuration
You will only use the CMS configuration when the handset is already associated and you need
to change the Wi-Fi profile or add a new one. Wi-Fi profile configuration is done on an
enterprise-wide level and therefore unique passwords and user certificates are not supported for
PEAP. All PEAP identities and passwords must be generic.
Settings: Activating a Wi-Fi Profile
These instructions are for configuring a Wi-Fi profile. To add it to a handset at the
enterprise, group or device level, navigate to Device Management> Configure
Devices> Wireless Profiles and select the new profile from the list.
1. Select the WPA2-Enterprise option and enter the SSID in the SSID field and select
PEAP for the EAP Method.
2. The EAP Identity and the Password are the generic Username and Password that are
stored on the RADIUS server. Enter the Username and Password that are stored on the
RADIUS server.
3. Enter the CA certificate. You may select one from the dropdown list if the CA certificate
is already loaded into the CMS. Otherwise, you can add a new CA certificate by clicking
the green “+”.
  a. Name the certificate so you can easily identify it.
  b. Select the certificate type. This page is used for entering CA Certificates, PAC files
and other types of certificates that are required by some Applications.
  c. Add a short description, if desired.
  d. Browse to the file and load it.
  e. Click Save.
4. Return to the PEAP page and load the certificate you just created.
5. Click Save.
Admin settings configuration
The Admin settings menu allows you to set up a Wi-Fi profile for a single handset. This is
usually done when testing configurations, when deploying only a very few handsets or when
loading device-specific User Certificates, PAC files, Usernames or Passwords.
Settings
If you are using a CA certificate, it must be loaded into the handset before
continuing with the Wi-Fi configuration. See Installing Certificates Manually through
the Admin Settings Menu.
1. Tap the 802.1x EAP option and select PEAP as the EAP Method.
2. If you are using a CA Certificate file, tap the dropdown and select it. Leave this field
blank if you are not using a CA certificate.
3. The Identity and the Password are the generic or specific Username and Password that
are stored on the RADIUS server. Enter the Username and Password that are stored on
the RADIUS server.
4. Tap Save.
EAP-TLS
SLIC configuration
Spectralink recommends: Use SLIC to configure EAP-TLS
Configuring complex security options requires the controlled environment and
secure transmission that SLIC provides. Manual configuration will quickly become
tedious if any number of handsets are being configured. CMS configuration
requires that the handsets already have some less secure security method
configured in order to associate with the wireless LAN. It is possible but not
recommended. Use SLIC to configure EAP-TLS to ensure best security from the
beginning.
If using EAP-TLS with SLIC you may use the device certificate in the handset by leaving the
identity field blank or you may enter a generic identity if permitted by your RADIUS server.
Using a generic identity allows the RADIUS server to use the installed device certificate on the
handset but the non-specific identity creates security flaws. Spectralink does not recommend
using non-specific identities.
If using a third party user certificate, configuring EAP-TLS must be done manually on each
handset. SLIC and CMS do not support third party user certificates.
When you use the Wireless Wizard for the 87-Series handsets, you will step through the
screens until you come to the Security settings.
1. Select the EAP-TLS option and click Next.
2. Browse to the CA Certificate file, load it and click Validate Certificate. This field may be
left empty if a CA Certificate is not being used, but this would not be usual or
recommended for EAP-TLS as the RADIUS server would not be authenticated by the
handset and the secure tunnel created by mutual authentication would not be
established. Click Validate Certificate to move to the next screen.
3. You have two choices for the TLS Identity field:
  ○ Leave the field blank to use the Device certificate’s common name as the identity.
  ○ Enter a generic identity if the RADIUS server permits one. A generic identity also
uses the Spectralink device certificate.
Spectralink recommends: Use the device certificate
For the most secure data transmission between the handset and the RADIUS
server, use the device certificate installed when the handset was manufactured and
the corresponding certificate (provided by Spectralink) on the RADIUS server. For
more information see Certificates and Using Device-Specific Certificates and
Credentials.
4. Click Next to finish the configuration.
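The Certificate validity caution earlier in this chapter (neither the handset, SLIC nor CMS verifies the certificate you load) and step 3 above (a blank TLS Identity uses the certificate's common name) both call for looking inside a certificate before it goes onto a handset. The following Python script is an added example for this guide, not Spectralink code or tooling: it walks the DER encoding of an X.509 certificate just far enough to report the SHA-256 fingerprint, the validity window and the issuer and subject common names, using only the standard library. The sample certificate it builds is a constructed, unsigned DER blob with the correct layout (it would not pass any RADIUS server); point `inspect_certificate` at a real PEM or DER file from your CA instead.

```python
import base64
import hashlib
from datetime import datetime, timezone

CN_OID = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Yield (tag, value) for every TLV inside a constructed DER body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value

def _parse_time(tag, value):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18) per RFC 5280."""
    text = value.decode("ascii")
    if tag == 0x17:  # two-digit year: 50-99 -> 19xx, 00-49 -> 20xx
        year = int(text[:2])
        text = str(year + (1900 if year >= 50 else 2000)) + text[2:]
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def load_der(data):
    """Accept PEM or DER bytes and return the DER encoding."""
    if b"-----BEGIN" not in data:
        return data
    lines = [ln.strip() for ln in data.splitlines()]
    return base64.b64decode(b"".join(ln for ln in lines if ln and not ln.startswith(b"-----")))

def to_pem(der):
    """Wrap DER bytes as a PEM certificate (the form most CA tools hand out)."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"

def _common_name(name_body):
    """Find CN in a Name: SEQUENCE OF (SET OF (SEQUENCE { OID, value }))."""
    for _, rdn in _children(name_body):
        for _, atv in _children(rdn):
            (_, oid), (_, value) = list(_children(atv))[:2]
            if oid == CN_OID:
                return value.decode("utf-8")
    return None

def inspect_certificate(data, now=None):
    """Pre-flight report: fingerprint, validity window and CNs of a certificate."""
    der = load_der(data)
    _, cert_body, _ = _read_tlv(der, 0)       # Certificate SEQUENCE
    _, tbs_body, _ = _read_tlv(cert_body, 0)  # TBSCertificate SEQUENCE
    fields = list(_children(tbs_body))
    if fields[0][0] == 0xA0:                  # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    (t1, v1), (t2, v2) = list(_children(fields[3][1]))[:2]
    not_before, not_after = _parse_time(t1, v1), _parse_time(t2, v2)
    now = now or datetime.now(timezone.utc)
    return {
        "sha256": hashlib.sha256(der).hexdigest(),
        "issuer_cn": _common_name(fields[2][1]),
        "subject_cn": _common_name(fields[4][1]),
        "not_before": not_before,
        "not_after": not_after,
        "valid_now": not_before <= now <= not_after,
    }

def _der(tag, body):
    """Tiny DER encoder, used only to build the constructed sample below."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_certificate(not_before=b"240101000000Z", not_after=b"250101000000Z",
                       cn=b"Example Lab CA"):
    """Constructed, unsigned blob with the X.509 v3 layout inspect_certificate()
    walks. It is not a usable certificate; it only exercises the parser."""
    def time_tlv(t):  # 13 characters = UTCTime, 15 = GeneralizedTime
        return _der(0x17 if len(t) == 13 else 0x18, t)
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn))))
    validity = _der(0x30, time_tlv(not_before) + time_tlv(not_after))
    spki = _der(0x30, alg + _der(0x03, b"\x00\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + alg + name + validity + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\x00"))

if __name__ == "__main__":
    for key, val in inspect_certificate(to_pem(sample_certificate())).items():
        print(f"{key}: {val}")
```

The fingerprint lets you match the file you loaded against the entry shown under Trusted credentials on the handset, the validity window is the check the caution asks for, and the subject CN is what a RADIUS server will see as the identity when the TLS Identity field is left blank. The walker deliberately stops at the fields it needs and does not check the signature; chain validation stays with the RADIUS server and the handset's CA trust.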
CMS configuration
You will only use the CMS configuration when the handset is already associated and you need
to change the Wi-Fi profile or add a new one. Wi-Fi profile configuration is done on an
enterprise-wide level and individual EAP identities cannot be configured here. The EAP Identity
field should be left blank when the device certificate provided with the handsets is used. This
field will be populated by the MAC address of the handset when the configuration is downloaded
to the handset.
Settings: Activating a Wi-Fi Profile
These instructions are for configuring a Wi-Fi profile. To add it to a handset at the
enterprise, group or device level, navigate to Device Management> Configure
Devices> Wireless Profiles and select the new profile from the list.
1. Select the WPA2-Enterprise option and enter the SSID in the SSID field and select EAP-TLS for the EAP Method.
2. The EAP Identity should be left blank if you are using the Spectralink device certificate. If
your RADIUS server permits a generic identity, you may enter it here. This identity will
appear in the handsets’ Identity field for this Wi-Fi profile.
Caution: Insecure setting
Using a generic identity for EAP-TLS is considerably less secure than accepting
and using the default MAC address as the identity. EAP-TLS is the most secure Wi-Fi method when handset authentication depends upon unique certificates and
identities for each handset.
3. Select or add the CA certificate. This is the certificate that authenticates the RADIUS
server. You may select one from the dropdown list if the CA certificate is already loaded
into the CMS. Otherwise, you can add a new CA certificate by clicking the green “+”.
If adding a new CA certificate:
  a. Name the certificate so you can easily identify it.
  b. Select the certificate type. This page is used for entering CA Certificates, PAC files
and other types of certificates that are required by some Applications.
  c. Add a short description, if desired.
  d. Browse to the file and load it.
  e. Click Save.
4. Return to the EAP-TLS page and load the certificate you just created.
5. Click Save.
Admin settings configuration
The Admin settings menu allows you to set up a Wi-Fi profile for a single handset. This is
usually done when testing configurations, when deploying only a very few handsets or when
loading device-specific User Certificates, PAC files, Usernames or Passwords.
Settings
If you are using a CA certificate, it must be loaded into the handset before
continuing with the Wi-Fi configuration. See Installing Certificates Manually through
the Admin Settings Menu.
Settings
If User/device certificates are being used, the corresponding certificate must be
loaded on the RADIUS server.
1. Tap the 802.1x EAP option and select TLS as the EAP Method.
2. The CA certificate authenticates the RADIUS server to the handset. If you are using a
CA Certificate file, tap the dropdown and select it. Leave this field blank if you are not
using a CA certificate. The CA certificate may need to be loaded first. See How to Get
Certificates into the Handsets for more information.
3. Select the User certificate from the dropdown list. The Spectralink device certificate is
selected by default. If you enter a generic identity, you will use the Spectralink device
certificate. If a third party user certificate is desired and has been loaded, select it. See
Installing device specific certificates or PAC files for more information.
4. The Identity is the MAC address of the handset by default. If a different identity is
required for your installation, such as a generic identity or a unique identity required by a
third party user certificate, enter it here.
Spectralink recommends: Use a CA certificate and a unique identity
Using a generic Identity or not installing a CA certificate to allow the handset to
authenticate the RADIUS server is not recommended as mutual authentication will
not occur and the secure tunnel will not be established.
5. Tap Save.
EAP-FAST
EAP-FAST is used by products of Cisco, its creator, and by a growing number of other WLAN
vendors. It uses a PAC file, which is similar to a certificate.
SLIC configuration
When you use the Wireless Wizard for the 87-Series handsets, you will step through the
screens until you come to the Security settings.
1. Select the EAP-FAST option and click Next. You will get the In-Band Provisioning page.
  » If using In-Band Provisioning where the PAC file is automatically provisioned,
click that option and click Next to finish the configuration.
  » If manually providing the PAC file, click that option and click Next.
2. Browse to the PAC file, load it and click Validate Certificate.
3. The PAC file password page will appear.
4. Enter the PAC file password that was used to create the PAC file on the RADIUS server.
Click Next.
5. Enter the generic Username and Password that are stored on the RADIUS server. EAP-FAST uses the same username and password for every handset. They are not
individually assigned and the same set works for all handsets. For a workaround see
Using Device-Specific Certificates and Credentials.
6. Click Next to finish the configuration.
CMS configuration
You will only use the CMS configuration when the handset is already associated and you need
to change the Wi-Fi profile or add a new one. Wi-Fi profile configuration is done on an
enterprise-wide level and therefore unique passwords and user certificates are not supported.
All EAP identities, passwords and CA certificates must be generic.
Settings: Activating a Wi-Fi Profile
These instructions are for configuring a Wi-Fi profile. To add it to a handset at the
enterprise, group or device level, navigate to Device Management> Configure
Devices> Wireless Profiles and select the new profile from the list.
1. Select the WPA2-Enterprise option and enter the SSID in the SSID field and select EAP-FAST for the Phase II field.
2. The EAP Identity and the Password are the Username and Password that are stored on
the RADIUS server. Enter the Username and Password that are stored on the RADIUS
server.
3. Enter the PAC file. You may select one from the dropdown list if the PAC file is already
loaded into the CMS. Otherwise, you can add a new PAC file by clicking the green “+”.
  a. Name the certificate so you can easily identify it.
  b. Select the certificate type. This page is used for entering CA Certificates, PAC files
and other types of certificates that are required by some Applications.
  c. Add a short description, if desired.
  d. Enter the PAC password that was used to create the PAC file on the RADIUS server.
  e. Browse to the file and load it.
  f. Click Save.
4. Return to the FAST page and load the PAC file you just created.
5. Click Save.
Admin settings configuration
The Admin settings menu allows you to set up a Wi-Fi profile for a single handset. This is
usually done when testing configurations, when deploying only a very few handsets or when
loading device-specific User Certificates, PAC files, Usernames or Passwords.
Settings
If you are using a PAC file and manual provisioning, it must be loaded into the
handset before continuing with the Wi-Fi configuration. See Installing Certificates
Manually through the Admin Settings Menu.
1. Tap the 802.1x EAP option and select FAST as the EAP Method.
2. Select the type of PAC provisioning: In-band provisioning or Manually provided PAC file.
3. If you are using a manually provided PAC file, select it from the dropdown list and enter
the PAC file password.
4. For either type of provisioning, the Identity and Password must be entered. The Identity
and the Password are the generic or specific Username and Password that are stored
on the RADIUS server.
5. Tap Save.
Chapter 4: Certificates
How to Get Certificates into the Handsets
Only the Spectralink device certificate is provided with the handset from the factory. Other
certificates must be loaded into the handsets before they can provide security.
Installing generic CA certificates or PAC files
For PEAP, TLS and EAP-FAST, generic CA certificates and PAC files are best installed using
the SLIC tool. After you connect to the CMS you can use the CMS to install them. They can also
be installed manually through the Admin settings menu with a USB cable between the handset
and a computer.
Installing device specific certificates or PAC files
User Certificates or unique PAC files must be installed manually according to the process
described below. CMS and SLIC do not permit installation of unique files. See Using Device-Specific Certificates and Credentials for more information and a workaround.
Installing Certificates Manually through the Admin Settings Menu
Certificates and PAC files can be loaded into the handsets via a USB cable connected to a
computer that can access the certificate or PAC file on the computer using Microsoft Windows
Explorer. The computer and handset need to be configured to recognize each other and the first
few steps below will explain how to do this.
1. Procure and load the certificates to a location on the computer where you can navigate
to them using Windows Explorer.
2. Configure the handset. Navigate to Settings> Admin settings> Developer options>
USB debugging and tap to enable. The handset will now permit the computer to
recognize it when the USB cable is connected to the computer.
3. Plug the USB cable into the handset and the computer. Use Windows Explorer to find
the handset model. It will be under Computer and listed by model number. In Windows
8, it is under “Portable Devices”.
Note: Installing a driver
When your computer recognizes the Android device, it may need to install a driver
before the device appears in Windows Explorer.
4. On the computer, navigate to the location of the CA certificate and use Windows
Explorer to drag the certificate to the handset. The Certificate will be in the handset.
Admin Tip: Alternate method
If you have trouble using Windows Explorer, use an adb push command instead.
Exact instructions for using adb are beyond the scope of this document. Information
can be found on the Android developer’s website.
5. On the handset navigate to Settings> Admin settings> Security> CREDENTIAL
STORAGE> Install from storage. This will install the Certificate.
6. On the handset, navigate to Settings> Admin settings> Security> CREDENTIAL
STORAGE> Trusted credentials> User tab and display the installed Certificate.
7. Repeat steps 5-7 for a PAC file using the PAC FILE STORAGE area instead of
CREDENTIAL STORAGE.
8. Return to the Wi-Fi menu to install the CA certificate and/or PAC file.
Removing CA certificate and PAC files
1. Remove a CA certificate: On the handset, navigate to Settings> Admin settings>
Security> CREDENTIAL STORAGE> Trusted credentials> User tab and display the
installed Certificate. Scroll down to the Disable button. Tap the Disable button.
2. Remove all PAC files: On the handset, navigate to Settings> Admin settings>
Security> PAC FILE STORAGE> Clear PAC files. Tap Clear PAC Files to remove.
Single PAC files cannot be displayed or removed.
Using Device-Specific Certificates and Credentials
The highest level of wireless security is achieved by using device-specific certificates and
credentials. 802.1x security methods all allow you to use device-specific credentials: device-specific username/password credentials supported by an LDAP server and validated by the
RADIUS server. EAP-TLS additionally supports mutual authentication, which requires a
user/device certificate on the handset which is authenticated by the comparable key on the
RADIUS server.
When using SLIC and CMS to configure Wi-Fi security settings, you will find that only generic
usernames and passwords are supported as of this writing. These tools cannot yet support
user-specific usernames and passwords.
Power User: 802.1x security methods PEAP and FAST (WPA2 Enterprise)
SLIC configures the same username and password for each handset. If you want to configure the specific usernames and passwords sometimes used with the 802.1x security methods PEAP and FAST (WPA2 Enterprise), you will need to rerun the wireless wizard for each handset, entering that handset's unique credentials and downloading the resulting configuration to it. EAP-TLS cannot be configured by this method, as unique user certificates are not supported by SLIC.
On the CMS, Wireless Profiles are configured at an Enterprise level. Different SSIDs can be
assigned to different handsets and groups of handsets. Device level granularity for certificates
and credentials is supported for EAP-TLS only.
SLIC is a secure method for loading certificates onto handsets because the transfer occurs over a hard (wired) connection. If any OTA transmission of credentials or certificates occurs, it should be done through an AP that does not broadcast beyond the physically secure environment.
Establishing the physically secure environment and generating the certificates or credentials is beyond the scope of this document and of standard installation procedures. However, knowing how to securely load these security settings through a manual method is necessary to ensure that the handsets are deployed according to the strictest security requirements.
See this website for a basic primer:
http://networklessons.com/wireless/eap-tls-certificates-for-wireless-on-android/
Be aware that the website primer uses “None” for Phase 2 authentication, but our setup uses
MSCHAPV2 for Phase 2 authentication.
Chapter 5: Glossary
• AAA Authentication, Authorization and Accounting (see RADIUS).
• AES Advanced Encryption Standard is a cipher (encryption algorithm) used by WPA2 that uses the same key to encrypt and decrypt data. (see CCMP)
• AP Access Point is a receive-transmit device that facilitates data flow among wireless devices like the 87-Series handset in Wi-Fi networks.
• CA Certificate Authorities, used in 802.1x EAP security, issue digital certificates to establish a defined relationship of trust between the certificate creator (root CA) and the certificate users. Public CAs such as Verisign issue certificates to many enterprises, and some large enterprises create and issue certificates of their own, for exclusive use within the enterprise. In either case, the trust relationship is verified by validating the contents of all of the certificates in the certificate chain up to the root CA. The CA certificate is critical to defining the certificate path and usage restrictions for all end entity certificates issued for use in the PKI. (see PKI)
• CCKM Cisco Centralized Key Management is a fast-roaming handoff technique (a proprietary version of OKC) used by Cisco APs that can reduce the need for a RADIUS server by authenticating the client without perceptible delay in voice or other time-sensitive applications. (see OKC and RADIUS)
• CCMP Counter-mode with Cipher-block-chaining Message-authentication-code Protocol (or Counter-Mode with CBC-MAC Protocol) is an AES-based encryption protocol used for WPA2. AES/CCMP supersedes TKIP. CCMP uses CCM, which combines CTR (Counter) mode for data confidentiality and CBC-MAC for authentication and integrity.
• EAP Extensible Authentication Protocol is an authentication framework used in WPA2-Enterprise (aka 802.1x EAP) that lets each protocol determine how to encapsulate messages. Some 40 EAP methods have been defined. Two of those methods, EAP-FAST (using a PAC and proposed by Cisco to replace LEAP) and PEAPv0 with MSCHAPv2, are among the most common and are supported by the 87-Series handsets. PEAPv0 uses a server-side CA certificate, and EAP-FAST requires a PAC file, which is similar. (see CA and PAC)
• EAP-TLS In EAP-TLS, the key exchange between the handset and the server is protected by an encrypted TLS tunnel. (see TLS)
• FAST Flexible Authentication via Secure Tunneling was developed as a lightweight implementation by Cisco Systems. EAP-FAST uses a Protected Access Credential (PAC) to establish a TLS tunnel in which client credentials are verified. Use of server certificates is optional in EAP-FAST.
• MSCHAPv2 is the Microsoft version of the Challenge-Handshake Authentication Protocol (CHAP). It is used as an authentication option with RADIUS servers and is the main authentication option of the Protected Extensible Authentication Protocol (PEAP).
• OKC Opportunistic Key Caching “opportunistically” shares cached PMKs with other APs so that, as a client roams, a PMK is already present on the target AP and the client simply references the PMK ID in the reassociation request frame. This limits the involvement of the RADIUS server, which can inherently retard the hand-off process. (see CCKM and RADIUS)
• PAC Protected Access Credential, used in EAP-FAST, creates a TLS tunnel to verify client credentials.
• PEAP with MSCHAPv2 Protected EAP with Microsoft’s Challenge Handshake Authentication Protocol (version 2) is the most common form of PEAP and the only one supported by Cisco. (see EAP)
• PKI Public Key Infrastructure is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision. (see CA)
• PMK Pairwise Master Key is the shared secret key used in the WPA2-PSK protocol, which supports a wireless encryption session using TKIP or CCMP (based on AES) encryption.
• PSK Pre-Shared Key is a secret shared by two parties over a secure channel and is used in the WEP and WPA-Personal standards so that all APs and their clients share the same key (a secret password, passphrase or hex string). Security from a PSK can be effective (if it remains secret) or ineffective (if the PSK becomes known by hackers). WPA-PSK is superseded by WPA-EAP in enterprise environments. (see EAP)
• QoS Quality of Service lets APs prioritize traffic and optimize the way shared network resources are allocated among different applications. QoS is vital in deploying 87-Series handsets, giving audio a high priority to avoid latency and lost packets. (see TKIP)
• RADIUS Remote Authentication Dial In User Service is a protocol used by a server to provide AAA functionality. A RADIUS server, especially if located in a remote location, can drastically slow down the handoff process, causing a loss of audio as an 87-Series handset moves among APs, a problem that is overcome with OKC or CCKM.
• TKIP Temporal Key Integrity Protocol is a security protocol used in WPA to supersede WEP and was superseded in turn by AES/CCMP used in WPA2. WPA uses TKIP, while WPA2 can use TKIP (for WPA2-Personal) or AES/CCMP (for WPA2-Enterprise). TKIP dynamically generates a new key for each packet (unlike the WEP key, which remains static for the entire network), but has security flaws that can be overcome by disabling QoS and by using long, hard-to-hack, easy-to-remember passwords such as “!LovePar!$!n7he$pr!ng7!me.” But QoS is required for audio, video, and other latency-sensitive applications, making TKIP a poor security choice when deploying the 87-Series handset in a large enterprise setting.
• TLS Transport Layer Security is a network protocol that supersedes Secure Sockets Layer (SSL). With TLS, both sides of the security handshake use a certificate to authenticate the identity of the other. The server certificate is used by the handset to authenticate the server, and the private or device certificate on the handset is used by the server to authenticate the handset.
• WEP Wired Equivalent Privacy is the first IEEE wireless LAN security standard, now easily hacked and being phased out. A WEP key is a 10-, 26-, or 58-hex-digit security code (e.g. 1B657D8FE3) chosen by the administrator and set on each Wi-Fi network device to allow devices to exchange encoded messages with each other while hiding the contents of the messages from easy viewing by outsiders. (see TKIP)
• WPA Wi-Fi Protected Access is a set of security standards newer and better than WEP. (Technically, WPA is a certification rather than a standard.) WPA2 using CCMP/AES encryption instead of TKIP is very secure. A WPA and WPA2 network can operate either in Personal mode, using a single network password (PSK), or in Enterprise mode (using a different password for each user).
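As an added example that is not part of the Spectralink guide, the following Python shows how a WPA2-Personal PSK (an 8-63 character passphrase or a 64-hex-digit raw key, the two forms the PSK entry lists) becomes the 256-bit PMK that the PMK and OKC entries refer to. The derivation is the one fixed by IEEE 802.11i (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations); the SSID "Spectralink" is a constructed sample, while "password"/"IEEE" is the standard's published test vector.

```python
"""
Added example (not from the Spectralink guide): WPA2-Personal PSK -> PMK.

IEEE 802.11i defines PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes).
A 64-hex-digit PSK is already the PMK and is used as-is, with no SSID mixing.
"""
import hashlib
import re

PMK_LEN = 32              # 256-bit Pairwise Master Key
PBKDF2_ITERATIONS = 4096  # iteration count fixed by 802.11i
_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def is_valid_psk(psk: str) -> bool:
    """True for an 8-63 char printable-ASCII passphrase or a 64-hex-digit key."""
    if _HEX64.match(psk):
        return True
    return 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk)


def derive_pmk(psk: str, ssid: str) -> bytes:
    """Return the PMK the handset and AP will share on the network `ssid`."""
    if not is_valid_psk(psk):
        raise ValueError("PSK must be 8-63 printable ASCII chars or 64 hex digits")
    if _HEX64.match(psk):
        return bytes.fromhex(psk)          # raw key form: the PSK is the PMK
    # Passphrase form: the SSID acts as the salt, so the same passphrase on a
    # different SSID yields a different PMK.
    return hashlib.pbkdf2_hmac("sha1", psk.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password" on SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    # Constructed sample: the guide's long passphrase on a sample SSID
    print(derive_pmk("!LovePar!$!n7he$pr!ng7!me", "Spectralink").hex())
    # Same passphrase, different SSID -> different PMK
    print(derive_pmk("password", "IEEE") != derive_pmk("password", "Spectralink"))
```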
Appendix A: Products Mentioned in this Document
Cisco and Cisco Systems are registered trademarks of Cisco Systems, Inc. and/or its affiliates
in the United States and certain other countries.
Microsoft, Windows and Windows Explorer are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.
Appendix B: Spectralink Certificates
Spectralink CA certificates can be obtained from:
http://pki.spectralink.com/aia/Spectralink%20Issuing%20CA.crt
http://pki.spectralink.com/aia/Spectralink%20Root%20CA.crt