Cisco wireless IP phones (7921G and 7925G) with C5210 and 3825i AP's

We are slowly migrating from a Cisco wireless environment to an Extreme solution - but are keeping our Cisco wireless IP phones. In the past we had a *ton* of problems with these phones losing voice (randomly) and especially while roaming. This was resolved when I created a new SSID with all the right settings several years ago. But now, I am having a hard time reproducing these settings on the new Extreme side.

Here are my pains. Cisco says to:
  • Use WPA, but do NOT require PSK. Apparently roaming with PSK is just bad news as the re-auth to each AP takes too long when roaming and can break up the conversation.
  • Use EAP-FAST for authentication, since your non-PSK security is a bit weak.
Problems are:
  • If I use WPA (and not PSK) I am forced into using 802.1x. Which is fine by me. I have set up RADIUS on a Windows box and I am pointing to that. There, I have created the same username/password as is configured for the Cisco AP's. But then, when I go to test it, there is only a username field and no password. It seems that this is expected (there is a GTAC KB on this). If I check the logs on the Windows side when running the test, it appears to be working (user is found, but fails due to missing password).
  • What is the equivalent to EAP-FAST on the Extreme side? From what I can see, this is a protocol that Cisco made up! I guess the goal is to require authentication, but make sure it's a quick moving process. My choices on the phone are: Open, Open+WEP, Shared+WEP, LEAP, EAP-FAST, PEAP, and Auto (AKM).
I think what I may end up doing is creating a new SSID for these phones. Because it's probably not a good idea to have a phone trying to roam from a Cisco AP to an Extreme AP in the middle of a phone call (while migrating). The Cisco phones can hold up to four different profiles, and it will use whichever one works.

Is there a list of settings that someone can recommend for these when it comes to privacy and authentication settings for these phones?

Thanks!!
Steve Ballantyne

Posted 2 years ago

Ostrovsky, Yury, Employee

Hello Steve. First of all, we do support EAP-FAST as well as any other EAP type of protocol. The only protocol we do not support is LEAP, which is an old proprietary Cisco one that was banned a long time ago by the WiFi Alliance.
Saying that, using 802.1X with voice needs to be tested well by you with your particular voice client before the deployment. The first question I would ask: does that phone (Cisco) support OKC and/or 802.11r? If not, then I would not recommend using 802.1X type of authentication, since any transition between new BSSIDs (APs) will take from 200ms and up (all depends on your RADIUS infrastructure) and will affect the voice quality. Using PSK is quite typical for voice deployments since it does not involve the RADIUS infrastructure, and usually takes less than 40ms for the roaming. So the question is why Cisco is not recommending PSK. Is that only the security concern? Also, make sure you are not using WEP, TKIP, since it will limit the AP rates to legacy 54Mbs.
(Edited)
Steve Ballantyne

Hello Yury, thanks for that quick response.

How would I know which EAP the AP/phone is using? It seems that regardless of what I chose on the phone, the result is always "connection failed". That message doesn't help much. These phones run a Linux kernel underneath. So perhaps I can hook up a USB cable and do some debugging or verbose logging.

The phones do not seem to support OKC or 802.11r.

I think I lied about the PSK thing. I must have remembered that wrong. Cisco said to avoid TKIP, but that PSK would be acceptable if WPA2/AES was not an option. Here is that article.

This is a real apples to oranges comparison. There is really no reason to believe I will have any of the same old problems with these phones and Extreme AP's with completely different settings.

Also - I am not crazy about these Cisco 79xx phones. They cost a small fortune. They are not sealed well. And they cannot be easily cleaned in a clinical environment. I would like to pursue some other options. But they would have to be supported by middle-ware software that we use to push alarms and alerts to the phone for our nursing staff. The Ascom phones look really appealing for healthcare, because they are sealed so well. But if anyone wants to suggest a model or brand, you are welcome to. :-)

EDIT: I meant to add that I have a non-medical floor with 5 Cisco access points. This might be a good floor to switch out with Extreme AP's as they do not carry the IP phones on this floor. That would allow me to walk around and do some testing without causing any problems for my nurses.
(Edited)
Ostrovsky, Yury, Employee

Yes, Ascom is a very good choice. In fact we partner with them in terms of interoperability: major wireless releases are tested for interop by Ascom and our engineers.
OK, let's go back to your Cisco problem. First of all, try to identify what you were using before with your old wireless deployment. Was it 802.1X? It does not matter if it's FAST or any other EAP protocol (LEAP is the exception, it will not work with us for sure!), our AP will bypass any type of EAP, the protocol conversation is between the phone and the RADIUS server, our Controller/AP does not really care. If you were using 802.1X, on the Extreme Controller all you need is:
1. Add the RADIUS server with its shared secret under VNS-->Global-->Authentication-->Radius Server, then on the WLAN Service under Auth&Acct choose 802.1X type, add the RADIUS server to the list, and that's it.
2. On your RADIUS server (is it FreeRadius, IAS, CiscoACS etc.?) don't forget to add the Extreme Controller IP address as a NAS (client), with the same shared secret.
Then it should just work.
Again, since those phones do not support any Fast Roaming standards, it's not the best idea to use 802.1X at all, and I would rather check the option of WPA2-PSK (passphrase), or just MAC-auth (which is not really secure).
To see what your phone is currently configured for, you should be able to check from the phone menu itself. You can also check your old wireless deployment configuration: what was configured there for the voice SSID.
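Why steps 1 and 2 above must carry the same shared secret, as an added example that is not part of the original post and not Extreme's code: when relaying EAP, the NAS signs each Access-Request with a Message-Authenticator attribute (HMAC-MD5 keyed with the shared secret, RFC 3579), and the RADIUS server discards requests that do not verify. The user name, NAS address and secrets used in the test are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 4, 79, 80


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value (RFC 2865)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, user: str, nas_ip: bytes, ident: int = 1) -> bytes:
    """Access-Request a controller (NAS) sends when a client starts 802.1X."""
    # EAP-Response/Identity from the client: code=2, id, length, type=1, identity.
    eap = struct.pack("!BBHB", 2, ident, 5 + len(user), 1) + user.encode()
    attrs = (attr(ATTR_USER_NAME, user.encode()) + attr(ATTR_NAS_IP, nas_ip)
             + attr(ATTR_EAP_MESSAGE, eap) + attr(ATTR_MSG_AUTH, bytes(16)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16)
    packet = bytearray(header + attrs)
    # Message-Authenticator is the final attribute: HMAC over the packet with
    # its 16-byte value still zeroed, then written into place.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def server_accepts(secret: bytes, packet: bytes) -> bool:
    """Server-side check using the secret configured for this NAS client."""
    pos, zeroed, received = 20, bytearray(packet), None
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2:
            return False  # malformed attribute, stop parsing
        if a_type == ATTR_MSG_AUTH and a_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += a_len
    if received is None:
        return False  # EAP requests must carry Message-Authenticator
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)
```

A mismatch between the two secrets fails this check before any EAP method runs, so it looks the same from the client whichever EAP type is selected.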
Steve Ballantyne

Hello Yury,

I set up a new SSID today to put my Cisco wireless phones onto. I struggled to get Cisco's lousy "batch deployment utility" to work correctly (don't even get me started). But once I got the SSID and settings out to my phones, it all started working well.

I went with WPA2 (unchecked WPA v1) with PSK. The settings on the phone are really strange. For authentication I had Open, Open+WEP, and some other options. But not WPA in any fashion. The only option that works is "Auto (AKM)" where you let the phone pick what it thinks is best. And I guess we are assuming that it would pick WPA2 over WEP, any day (not that you would use both?). Anyway, those settings seem dumb to me.

I did some testing with some wireless phones. At first it seemed I was getting strange distortion (like a high pitched tea kettle far off in the distance). This ended up being the wireless phones themselves causing interference. When I moved them away from each other, or away from the phone on my desk - the noise went away.

Another issue I had was one-way voice when calling from a wireless phone on my Cisco AP's to a wireless phone on my Extreme AP. Going into the Topology and enabling an allow Multicast on 0.0.0.0/0 seemed to correct this problem. I never had any trouble calling a wired IP phone from the wireless phone.

I still need to check roaming (from one Extreme AP to another - NOT from Cisco to Extreme). I plan on doing this later this week or next week when I can swap out all of the AP's on a particular medical floor (about six AP's in all).

Thanks for the advice!