- Home
- /
- Article
This Help article is for Cisco Wireless Phone 9821 registered to Webex Calling.
Configure DHCP options
You can set the order in which your phone uses the DHCP options. For help with DHCP Options, see DHCP option support.
| 1 |
Access the phone administration web page.
|
| 2 |
Select . |
| 3 |
In the Configuration Profile section, set the DHCP Option To Use parameter. This paramter consists of a series of DHCP options, delimited by commas, used to retrieve firmware and profiles. Perform one of the following:
Default: |
| 4 |
Click Submit All Changes. |
DHCP option support
The following table lists the DHCP options that are supported on Cisco Wireless Phone 9821.
| Network Standard | Description |
|---|---|
| DHCP option 1 | Subnet mask |
| DHCP option 2 | Time offset |
| DHCP option 3 | Router |
| DHCP option 6 | Domain name server |
| DHCP option 15 | Domain name |
| DHCP option 17 | Root path |
| DHCP option 41 | IP address lease time |
| DHCP option 42 | NTP server |
| DHCP option 43 | Vendor-specific information Can be used to provide the SCEP configuration. |
| DHCP option 56 | NTP server |
| DHCP option 60 | Vendor class identifier |
| DHCP option 66 | TFTP server name |
| DHCP option 125 | Vendor-identifying vendor-specific information |
| DHCP option 150 | TFTP server |
| DHCP option 159 | Provisioning server IP |
| DHCP option 160 | Provisioning URL |
Wireless LAN security
Because all WLAN devices that are within range can receive all other WLAN traffic, securing voice communications is critical in WLANs. To ensure that intruders don’t manipulate nor intercept voice traffic, the Cisco SAFE Security architecture supports the phone. For more information about security in networks, see http://www.cisco.com/en/US/netsol/ns744/networking_solutions_program_home.html.
The Cisco Wireless IP telephony solution provides wireless network security that prevents unauthorized sign-ins and compromised communications by using the following authentication methods that the phone supports.
-
Open Authentication: Any wireless device can request authentication in an open system. The AP that receives the request may grant authentication to any requestor or only to requestors that are found on a list of users. Communication between the wireless device and Access Point (AP) could be nonencrypted.
-
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) Authentication: This client-server security architecture encrypts EAP transactions within a Transport Level Security (TLS) tunnel between the AP and the RADIUS server, such as Identity Services Engine (ISE).
The TLS tunnel uses Protected Access Credentials (PACs) for authentication between the client (phone) and the RADIUS server. The server sends an Authority ID (AID) to the client (phone), which in turn selects the appropriate PAC. The client (phone) returns a PAC-Opaque to the RADIUS server. The server decrypts the PAC with the primary key. Both endpoints now contain the PAC key and a TLS tunnel is created. EAP-FAST supports automatic PAC provisioning, but you must enable it on the RADIUS server.
In ISE, by default, the PAC expires in one week. If the phone has an expired PAC, authentication with the RADIUS server takes longer while the phone gets a new PAC. To avoid PAC provisioning delays, set the PAC expiration period to 90 days or longer on the ISE or RADIUS server.
-
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) Authentication: EAP-TLS requires a client certificate for authentication and network access. For wireless EAP-TLS, the client certificate can be MIC or user-installed certificate.
-
Protected Extensible Authentication Protocol (PEAP): Cisco proprietary password-based mutual authentication scheme between the client (phone) and a RADIUS server. The phone can use PEAP for authentication with the wireless network. Both PEAP-MSCHAPV2 and PEAP-GTC authentication methods are supported.
To support PEAP-GTC authentication for Cisco Wireless Phone 9821, configure the necessary policy within the Cisco ISE policy set.
-
Pre-Shared Key (PSK): The phone supports ASCII and hexadecimal (HEX) formats. You must use these formats when setting up a WPA2/SAE Pre-shared key.
ASCII: An ASCII-character string with 8 to 63 characters in length (0-9, lowercase a-z, uppercase A-Z, and special characters). For example,
GREG123567@9ZX&W.HEX: A HEX-character string with 64 hex digits in length (0-9, a-f or A-F).
The following authentication schemes use the RADIUS server to manage authentication keys:
-
WPA2/WPA3: Uses RADIUS server information to generate unique keys for authentication. Because these keys are generated at the centralized RADIUS server, WPA2/WPA3 provides more security than WPA preshared keys that are stored on the AP and phone.
-
Fast Secure Roaming: Uses RADIUS server and a wireless domain server (WDS) information to manage and authenticate keys. The WDS creates a cache of security credentials for FT-enabled client devices for fast and secure reauthentication.
With WPA2/WPA3, encryption keys aren’t entered on the phone, but are automatically derived between the AP and phone. But the EAP username and password that are used for authentication must be entered on each phone.
To help protect voice traffic over the wireless link, the phone supports AES-based encryption for WPA2/WPA3 authentication. AES is a symmetric block cipher standardized by NIST. AES uses a fixed 128-bit block size and supports key sizes of 128 bits, 192 bits, and 256 bits. In Wi-Fi networks, AES is used by cipher suites such as CCMP or GCMP, while authentication is provided separately by PSK, SAE, or 802.1X/EAP, depending on the configured WLAN security mode. The supported cipher suite and key size depend on the phone model and WLAN configuration.
Authentication and encryption schemes are set up within the wireless LAN. VLANs are configured in the network and on the APs and specify different combinations of authentication and encryption. An SSID associates with a VLAN and the particular authentication and encryption scheme. For wireless client devices to authenticate successfully, you must configure the same SSIDs with their authentication and encryption schemes on the APs and on the phone.
Some authentication schemes require specific types of encryption.
When you use WPA2 pre-shared key or SAE, the pre-shared key must be statically set on the phone. These keys must match the keys that are on the AP.
The authentication and encryption schemes in the following table shows the network configuration options for Cisco Wireless Phone 9821 that corresponds to AP configuration.
| FSR Type | Authentication | Key Management | Encryption | Protected Management Frame (PMF) |
|---|---|---|---|---|
| 802.11r (FT) | PSK |
WPA-PSK WPA-PSK-SHA256 FT-PSK | AES | No |
| 802.11r (FT) | WPA3 |
SAE FT-SAE | AES | Yes |
| 802.11r (FT) | EAP-TLS |
WPA-EAP FT-EAP | AES | No |
| 802.11r (FT) | EAP-TLS (WPA3) |
WPA-EAP-SHA256 FT-EAP | AES | Yes |
| 802.11r (FT) | EAP-FAST |
WPA-EAP FT-EAP | AES | No |
| 802.11r (FT) | EAP-FAST (WPA3) |
WPA-EAP-SHA256 FT-EAP | AES | Yes |
| 802.11r (FT) | EAP-PEAP |
WPA-EAP FT-EAP | AES | No |
| 802.11r (FT) | EAP-PEAP (WPA3) |
WPA-EAP-SHA256 FT-EAP | AES | Yes |
| non-FT | Suite-B | WPA-EAP-SUITE-B | GCMP | Yes |
| non-FT | Suite-B-192 | WPA-EAP-SUITE-B-192 | GCMP | Yes |
Set up Wi-Fi profile
You can configure Wi-Fi profiles from the phone administration web page or through a remote device profile resync. Once configured, you can associate these profiles with available wireless networks to establish connectivity. Cisco Wireless Phone 9821 supports a maximum of four configured Wi-Fi profiles.
The profile contains the parameters required for phones to connect to the phone server with Wi-Fi. When you create and use a Wi-Fi profile, you or your users don't need to configure the wireless network for individual phones.
A Wi-Fi profile enables you to prevent or limit changes to the Wi-Fi configuration on the phone by the user.
We recommend that you use a secure profile with encryption enabled protocols to protect keys and passwords when you use a Wi-Fi profile.
When you set up the phones to use the EAP-FAST authentication method in security mode, your users need individual credentials to connect to an access point.
| 1 |
Access the phone web page. |
| 2 |
Select . |
| 3 |
In the section Wi-Fi Profile (n), set the parameters as described in the following table Parameters for Wi-Fi profile. The Wi-Fi profile configuration is also available to the user login.
|
| 4 |
Click Submit All Changes. |
Parameters for Wi-Fi profile
The following table defines the function and usage of each parameter in the Wi-Fi Profile(n) section under the System tab on the phone web page. It also defines the syntax of the string that is added in the phone configuration file (cfg.xml) to configure a parameter.
| Parameter | Description |
|---|---|
| Network Name | Allows you to enter a name for the SSID that will display on the phone.
Multiple profiles can have the same network name with different security
mode. Perform one of the following:
Default: Empty |
| Security Mode | Allows you to select the authentication method that is used to secure access to
the Wi-Fi network. Depending on the method you choose, a password field appears so
that you can provide the credentials that are required to join this Wi-Fi
network. Perform one of the following:
Default: None |
| Wi-Fi User ID | Allows you to enter a user ID for the network profile. This field is available when you set the security mode to Auto, EAP-FAST, or EAP-PEAP. This is a mandatory field and it allows maximum length of 32 alphanumeric characters. Perform one of the following:
Default: Empty |
| Wi-Fi Password | Allows you to enter the password for the specified Wi-Fi User ID. Perform one of the following:
Default: Empty |
| Frequency Band | Allows you to select the wireless signal frequency band that is the WLAN
uses. Perform one of the following:
Default: Auto |
| Certificate Select | Allows you to select a certificate type for certificate initial enrollment and
certificate renewal in the wireless network. This process is only available for
802.1X authentication. Perform one of the following:
Default: Manufacturing installed |
| Control Mode | Controls whether the user is allowed to configure the Wi-Fi profiles. Perform one of the following:
Default: Allow |
| Enable | Controls whether the Wi-Fi profile is enabled. Perform one of the following:
Default: Yes |
| Profile Name | Allows you to enter a name for the profile that will display on the
phone. Perform one of the following:
Default: Profile 1 |
| PSK Passphrase | Allows you to enter the PSK passphrase when the Security Mode is set to
PSK. Perform one of the following:
Default: Allow |
802.1X Authentication for wired networks
Cisco Wireless Phone 9821 supports 802.1X authentication for wired networks. This is typically used during automatic provisioning when the phone is connected to the desktop charger via a supported USB-to-Ethernet adapter.
Support for 802.1X authentication on wired networks requires several components as follows:
-
Cisco IP Phone: The phone initiates the request to access the network. Cisco IP Phones contain an 802.1X supplicant. This supplicant allows network administrators to control the connectivity of IP phones to the LAN switch ports. The current release of the phone 802.1X supplicant uses the EAP-FAST and EAP-TLS options for network authentication.
-
Authentication server: The authentication server and the switch must both be configured with a RADIUS shared secret.
-
Switch: The switch must support 802.1X, so it can act as the authenticator and relay the EAP messages between the phone and the authentication server. After the exchange completes, the switch grants or denies the phone access to the network.
Cisco IP Phones and Cisco Catalyst switches traditionally use Cisco Discovery Protocol (CDP) to identify each other and determine parameters such as VLAN allocation and inline power requirements.
You must perform the following actions to configure 802.1X.
-
Configure CDP/LLDP voice VLAN bypass.
-
Configure the authentication server and the switch before you enable 802.1X authentication for wired networks on the phone.
-
Configure Voice VLAN: Because the 802.1X standard doesn't account for VLANs, you should configure this setting based on the switch support.
- Enabled: If you’re using a switch that supports multidomain authentication, you can configure it to use the voice VLAN.
- Disabled: If the switch doesn’t support multidomain authentication, disable the Voice VLAN and consider assigning the port to the native VLAN.
-
Cisco Wireless Phone 9821 has a different prefix in the PID from that for the other Cisco phones. To enable your phone to pass 802.1X authentication, set the Radius·User-Name parameter to include your Cisco Wireless Phone 9821.
For example, the PID of Cisco Wireless Phone 9821 is WP-9821. You can set Radius·User-Name to
Start with WPorContains WPin both of the following sections: -
Enable 802.1X authentication for wired networks on your phone
Follow these steps to enable 802.1X authentication for wired networks on your phone. Note that 802.1X authentication for Wi-Fi is enabled by default and requires no manual configuration.
| 1 |
Access the Settings |
| 2 |
If prompted, enter the password to access the Settings menu. You can get the password from your administrator. |
| 3 |
Select . |
| 4 |
Highlight Device authentication and press On. |
Enable 802.1X authentication for wired networks on phone web page
When 802.1X authentication for wired networks is enabled, the phone uses 802.1X authentication to request network access from the Ethernet LAN port. When 802.1X authentication for wired networks is disabled, the phone uses Cisco Discovery Protocol (CDP) to acquire VLAN and network access. Note that 802.1X authentication for Wi-Fi is enabled by default and requires no manual configuration.
You can select a certificate (MIC/SUDI or CDC) used for the 802.1X authentication. For more information about CDC, see Custom Device Certificate on Cisco Wireless Phone 9821.
You can view the transaction status and security settings on the phone screen menu. For more information, see Security settings menu on phone.
| 1 |
Enable 802.1X authentication. Select . In the 802.1X Authentication section, set the Enable 802.1X Authentication parameter to Yes. You can also configure this parameter in the configuration file (cfg.xml):
Valid values: Yes|No Default: No |
| 2 |
In the 802.1X Authentication section, select one of the following installed certificates used for the 802.1X authentication from the Certificate Select drop-down list. Value options:
You can also configure this parameter in the configuration file (cfg.xml):
Valid values: Manufacturing installed|Custom installed Default: Manufacturing installed |
| 3 |
Configure the User ID parameter that will be used as the identity for the 802.1X authentication in the wired network. This configuration applies only when you use a Custom Device Certificate (CDC) for wired 802.1X authentication, with Certificate Select set to Custom installed. You can also configure this parameter in the configuration file (cfg.xml):
Valid Values: Maximum of 127 characters Default: Empty This parameter also supports macro expansion variables, see Macro expansion variables for details. If you want to provision the user ID utilizing a combination with DHCP options, see Provisioning of User ID via DHCP option 15. |
| 4 |
Click Submit All Changes. |
Security settings menu on phone
To view the information about the security settings from the phone menu, access the
Settings
app and select . The availability of the information depends on the network settings in your
organization.
|
Parameters |
Options |
Default |
Description |
|---|---|---|---|
|
Device authentication |
On Off |
Off |
Enables or disables 802.1X authentication on the phone. The parameter setting can be kept after the phone's Out-Of-Box (OOB) registration. |
|
Transaction status | Disabled |
Displays the state of 802.1X authentication. The state can be (not limited to):
| |
|
Protocol | None |
Displays the EAP method that is used for 802.1X authentication. The protocol can be EAP-FAST or EAP-TLS. | |
|
User certificate type |
Manufacturing installed Custom installed |
Manufacturing installed |
Selects the certificate for the 802.1X authentication during the initial enrollment and certificate renewal.
This parameter appears on the phone only when Device authentication is enabled. |
Change the user and admin passwords
Upon initial registration with a call control system or following a factory reset, you must configure both user and administrator passwords when first accessing the phone administration web page. You may update these credentials at any time to maintain device security.
Valid password rules include the following:
- The password must contain at least 8 to 127 characters.
- A combination (three out of the four types) of capital letter, small lower letter, number, and special character.
- Space is not allowed.
| 1 |
Access the phone administration web page. |
| 2 |
Select . |
| 3 |
(Optional) In the System Configuration section, set the Display Password Warnings parameter to Yes, and then click Submit All Changes. You can also enable the parameters in the phone configuration file
(cfg.xml).
Default: Yes Options: Yes|No If the parameter is set to No, the password warning doesn't appear on the phone screen. |
| 4 |
Locate the parameter User Password or Admin Password, and click Change Password next to the parameter. |
| 5 |
Enter the current user password in the Old Password field. |
| 6 |
Enter a new password in the New Password field. If the new password doesn't meet the valid password rules, the setting will be denied. |
| 7 |
Click Submit. The message After you set the user password, this parameter displays the following in the phone configuration XML file (cfg.xml):
|
Set the minimum TLS version for client and server
By default, the minimum TLS version for client and server is 1.2. This means that the client and server accept to establish connections with TLS 1.2 or above. The supported maximum version of TLS for client and server is 1.3. When configured, the minimum TLS version will be used for negotiation between the TLS client and TLS server.
You can set the minimum version of TLS for client and server respectively, such as 1.1, 1.2, or 1.3.
Before you begin
Make sure that the TLS server supports the minimum TLS version configured. You can consult with the administrator of the call control system.
| 1 |
Access the phone administration web page. |
| 2 |
Select . |
| 3 |
In the section Security Settings, configure the parameter TLS Client Min Version.
You can also configure this parameter in the configuration file (cfg.xml): <TLS_Client_Min_Version ua="na">TLS 1.2</TLS_Client_Min_Version>
Allowed values: TLS 1.1, TLS1.2, and TLS 1.3. Default: TLS 1.2 |
| 4 |
In the section Security Settings, configure the parameter TLS Server Min Version. Webex Calling doesn't support TLS 1.1.
You can also configure this parameter in the configuration file (cfg.xml): <TLS_Server_Min_Version ua="na">TLS 1.2</TLS_Server_Min_Version>
Allowed values: TLS 1.1, TLS1.2, and TLS 1.3. Default: TLS 1.2 |
| 5 |
Click Submit All Changes. |
Enable client-Initiated mode for media plane security negotiations
To protect media sessions, you can configure the phone to initiate media plane security negotiations with the server. The security mechanism follows the standards stated in RFC 3329 and its extension draft Security Mechanism Names for Media (See https://tools.ietf.org/html/draft-dawes-sipcore-mediasec-parameter-08#ref-2). The transport of negotiations between the phone and the server can use SIP protocol over UDP, TCP, and TLS. You can limit that media plane security negotiation is applied only when the signaling transport protocol is TLS.
| Parameter | Description |
|---|---|
|
MediaSec Request |
Specifies whether the phone initiates media plane security negotiations with the server. Perform one of the following:
Allowed values: Yes|No
Default: No |
|
MediaSec Over TLS Only |
Specifies the signaling transport protocol over which media plane security negotiation is applied. Before setting this field to Yes, ensure that the signaling transport protocol is TLS. Perform one of the following:
Allowed values: Yes|No
Default: No |
| 1 |
Access the phone administration web page. |
| 2 |
Select . |
| 3 |
In the SIP Settings section, set the MediaSec Request and MediaSec Over TLS Only fields as defined in the above table. |
| 4 |
Click Submit All Changes. |