Cisco 8821 Manual Download Page 150 | Manualshive

Page: 150 / 202

background image

Cisco Wireless IP Phone 8821 and 8821-EX Wireless LAN Deployment Guide

150

•

Prior to selecting

Import

, browse to the template to be applied and enter the

Encryption Key

that was specified during

the template export process previously.

•

The Cisco Wireless IP Phone 8821 and 8821-EX will need to be restarted after the template is uploaded.

Certificate Management

As of the 11.0(2) release for the Cisco Wireless IP Phone 8821 and 8821-EX, X.509 digital certificates can be utilized for EAP-
TLS or to enable Server Validation when using PEAP-GTC or PEAP-MSCHAPV2.
A User Certificate can be installed either automatically via Simple Certificate Enrollment Protocol (SCEP) or manually via the
phone’s admin webpage interface (

https://x.x.x.x:8443

).

A Server Certificate can be installed either automatically via Simple Certificate Enrollment Protocol (SCEP), manually via the
phone’s admin webpage interface (

https://x.x.x.x:8443)

, or via TFTP download.

The TFTP download method can help when the RADIUS servers are issued certificates from a different CA chain than the CA
chain used for issuing client certificates or if wanting to quickly enable Server Validation for PEAP.
To install a Server Certificate via the TFTP download method, rename the Root CA certificate to

WLANRootCA.cer

then

copy it to the CUCM TFTP servers and restart the TFTP service for those CUCM servers.

Only 1 certificate per type is allowed; 1 user certificate and 1 server certificate.
Once a certificate is installed, Server Validation is automatically enabled if configured for EAP-TLS, PEAP-GTC, or PEAP-
MSCHAPV2.
Microsoft® Certificate Authority (CA) servers are recommended. Other CA server types may not be completely interoperable
with the Cisco Wireless IP Phone 8821 and 8821-EX.
Both DER and Base-64 (PEM) encoding are acceptable for the client and server certificates.
Certificates with a key size of 1024, 2048, and 4096 are supported.
Ensure the client and server certificates are signed using either the SHA-1 or SHA-256 algorithm, as the SHA-3 signature
algorithms are not supported.
Ensure Client Authentication is listed in the Enhanced Key Usage section of the user certificate details.

Manual Installation

For out of box (factory reset) manual installation, the admin webpage interface is

Enabled

, the username is fixed to

admin

, and

the password is temporarily set to

Cisco

.

The temporary password will no longer be available once the phone registers to Cisco Unified Communications Manager.
The admin webpage interface will be

Disabled

on the phone once it registers to Cisco Unified Communications Manager

regardless if it contains support for the

Web

Admin

and

Admin

Password

options.

«
...
148
149
150
151
152
...
»

Summary of Contents for 8821

Page 1: ...n office environment to nurses and doctors in a healthcare environment to associates working in the warehouse on the sales floor or in a call center Staff nurses doctors educators and IT personnel can be easily reached when mobile This guide provides information and guidance to help the network administrator deploy the Cisco Wireless IP Phone 8821 and 8821 EX in a wireless LAN environment ...

Page 2: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 2 Revision History Date Comments 08 24 16 11 0 2 Release 10 08 16 11 0 2 SR2 Release 02 07 17 11 0 3 Release ...

Page 3: ...30 Extensible Authentication Protocol Flexible Authentication via Secure Tunneling EAP FAST 31 Extensible Authentication Protocol Transport Layer Security EAP TLS 32 Protected Extensible Authentication Protocol PEAP 34 EAP and User Database Compatibility 34 Quality of Service QoS 35 Call Admission Control CAC 35 Traffic Classification TCLAS 36 QoS Basic Service Set QBSS 36 Wired QoS 37 Roaming 38 ...

Page 4: ...cations Manager 107 Device Pools 107 Phone Button Templates 108 Security Profiles 108 SIP Profiles 110 Common Settings 113 QoS Parameters 113 G 722 and iSAC Advertisement 114 Audio Bit Rates 114 Wireless LAN Profiles 115 Cisco Unified Communications Manager Express 124 Product Specific Configuration Options 128 Configuring the Cisco Wireless IP Phone 8821 and 8821 EX 138 Wi Fi Profile Configuratio...

Page 5: ...LAN Deployment Guide 5 WLAN Diagnostics 192 Restoring Factory Defaults 193 Phone Webpages 194 Device Information 194 Network Setup 195 Streaming Statistics 196 Device Logs 197 Capturing a Screenshot of the Phone Display 199 Additional Documentation 200 ...

Page 6: ...e the optimizations that Cisco has implemented in the Cisco Wireless IP Phone 8821 and 8821 EX the use of unlicensed spectrum means that uninterrupted communication can not be guaranteed and there may be the possibility of voice gaps of up to several seconds during conversations Adherence to these deployment guidelines will reduce the likelihood of these voice gaps being present but there is alway...

Page 7: ...re is a 20 30 overlap of adjacent access points at that signal level This ensures that the Cisco Wireless IP Phone 8821 and 8821 EX always have adequate signal and can hold a signal long enough in order to roam seamlessly where signal based triggers are utilized vs packet loss triggers Also need to ensure that the upstream signal from the Cisco Wireless IP Phone 8821 and 8821 EX meets the access p...

Page 8: ...s the Cisco Wireless IP Phone 8821 and 8821 EX are to utilize the fast track method utilizing the Cisco Unified IP Phone 9971 as the reference model use 7975 as reference model if needing softkey template support With release 11 0 and later of Cisco Unified Communications Manager Express the Cisco IP Phone 8821 and 8821 EX can utilize the Cisco IP Phone 8861 as the reference model http www cisco c...

Page 9: ... Cisco AP3600 when the internal 802 11a b g n radio is utilized however is not supported if the 802 11ac module AIR RM3000AC for the Cisco AP3600 is installed The table below lists the modes that are supported by each Cisco Access Point Cisco AP Series 802 11a 802 11b 802 11g 802 11n 802 11ac Lightweight Autonomous 600 Yes Yes Yes Yes No Yes No ...

Page 10: ... Yes Yes 1140 Yes Yes Yes Yes No Yes Yes 1240 Yes Yes Yes No No Yes Yes 1250 Yes Yes Yes Yes No Yes Yes 1260 Yes Yes Yes Yes No Yes Yes 1600 Yes Yes Yes Yes No Yes Yes 1700 Yes Yes Yes Yes Yes Yes Yes 1810 Yes Yes Yes Yes Yes Yes No 1810W Yes Yes Yes Yes Yes Yes No 1830 Yes Yes Yes Yes Yes Yes No 1850 Yes Yes Yes Yes Yes Yes No 2600 Yes Yes Yes Yes No Yes Yes 2700 Yes Yes Yes Yes Yes Yes Yes 2800 ...

Page 11: ...g in MESH mode No support for 3rd party access points as there are no interoperability tests performed for 3rd party access points However the user should have basic functionality when connected to a Wi Fi compliant access point Some of the key features are the following 5 GHz 802 11a n ac Wi Fi Protected Access v2 WPA2 AES Wi Fi Multimedia WMM Traffic Specification TSPEC Traffic Classification TC...

Page 12: ...series positioning_statement_c07 565470 html Note Cisco Access Points with integrated internal antennas other than the W series are to be mounted on the ceiling as they have omni directional antennas and are not designed to be wall mounted Protocols Supported voice and wireless LAN protocols include the following 802 11a b d e g h i n r ac Wi Fi MultiMedia WMM Traffic Specification TSPEC Traffic C...

Page 13: ...MCS 3 OFDM 16 QAM 83 dBm 90 Mbps MCS 4 OFDM 16 QAM 79 dBm 120 Mbps MCS 5 OFDM 64 QAM 75 dBm 135 Mbps MCS 6 OFDM 64 QAM 73 dBm 150 Mbps MCS 7 OFDM 64 QAM 72 dBm 5 GHz 802 11ac VHT20 Data Rate Modulation Receiver Sensitivity Max Tx Power 12 dBm Depends on region 7 Mbps MCS 0 OFDM BPSK 93 dBm 14 Mbps MCS 1 OFDM QPSK 90 dBm 21 Mbps MCS 2 OFDM QPSK 87 dBm 29 Mbps MCS 3 OFDM 16 QAM 84 dBm 43 Mbps MCS 4 ...

Page 14: ...ulation Receiver Sensitivity Max Tx Power 13 dBm Depends on region 7 Mbps MCS 0 OFDM BPSK 95 dBm 14 Mbps MCS 1 OFDM QPSK 92 dBm 21 Mbps MCS 2 OFDM QPSK 90 dBm 29 Mbps MCS 3 OFDM 16 QAM 87 dBm 43 Mbps MCS 4 OFDM 16 QAM 83 dBm 58 Mbps MCS 5 OFDM 64 QAM 78 dBm 65 Mbps MCS 6 OFDM 64 QAM 77 dBm 72 Mbps MCS 7 OFDM 64 QAM 75 dBm 180 Mbps MCS 8 OFDM 256 QAM 67 dBm 200 Mbps MCS 9 OFDM 256 QAM 66 dBm 5 GHz ...

Page 15: ...enabled The Cisco Wireless IP Phone 8821 and 8821 EX will passively scan DFS channels first before engaging in active scans of those channels If 802 11d is not enabled then the Cisco Wireless IP Phone 8821 and 8821 EX can attempt to connect to the access point using reduced transmit power Below are the countries and their 802 11d codes that are supported by the Cisco Wireless IP Phone 8821 and 882...

Page 16: ...h utilizes the 2 4 GHz frequency just like 802 11b g n and many other devices e g microwave ovens cordless phones etc so the Bluetooth quality can potentially be interfered with due to using this unlicensed frequency Bluetooth Profiles The Cisco Wireless IP Phone 8821 and 8821 EX support the following Bluetooth profiles Hands Free Profile HFP With Bluetooth Hands Free Profile HFP support the follo...

Page 17: ...zing 2 4 GHz but also due to the above limitations Languages The Cisco Wireless IP Phone 8821 and 8821 EX currently support the following languages The corresponding locale package must be installed to enable support for that language English is the default language on the phone Download the locale packages from the Localization page at the following URL http software cisco com download navigator ...

Page 18: ...tems intended for use in potentially explosive atmospheres must comply with ATEX Directive 94 9 EC Areas classified into zones must be protected from effective sources of ignition Locations where explosive gas atmospheres are likely to be present are divided into IEC EU defined Zones Class I Zone 0 1 2 for locations with flammable gases or vapors and Class II Zone 20 21 22 for locations with combu...

Page 19: ...n mode is designed for Cisco Wireless IP Phone 8821 and 8821 EX users that roam occasionally and require more idle battery life than Continuous scan mode can offer Single AP scan mode is designed for Cisco Wireless IP Phone 8821 and 8821 EX users that do not roam and require maximum idle battery life Proxy ARP For optimal idle battery life it is recommended to utilize an access point that supports...

Page 20: ...IP Phone 8821 and 8821 EX will utilize active mode when on call but still use U APSD when in idle Only disable On Call Power Save for troubleshooting purposes Phone Care The Cisco Wireless IP Phone 8821 and 8821 EX are designed to provide protection from dust liquid splashes and moisture For standard cleaning can use a soft moist cloth to wipe the phone For thorough cleaning we recommend using Cav...

Page 21: ...ly the 3rd party accessories listed below are certified for use with the Cisco Wireless IP Phone 8821 and 8821 EX Headsets Apple www apple com Jabra www jabra com Plantronics www plantronics com Sennheiser www sennheiser com USB to Ethernet Dongles Apple USB 2 0 Ethernet Adapter www apple com Belkin B2B048 USB 3 0 Gigabit Ethernet Adapter www belkin com D Link DUB E100 USB 2 0 Fast Ethernet Adapte...

Page 22: ... intermittent interferer then the access point or access points serving that area may need to have a channel statically assigned The Cisco Wireless IP Phone 8821 and 8821 EX support Dynamic Frequency Selection DFS and Transmit Power Control TPC from 802 11h which are required when using channels operating at 5 260 5 720 GHz which are 15 of the 24 possible channels Need to ensure there is at least ...

Page 23: ...isable use of that channel or channels in the wireless LAN The presence of an access point on a non DFS channel can help minimize voice interruptions In case of radar activity have at least one access point per area that uses a non DFS channel UNII 1 This ensures that a channel is available when an access point s radio is in its hold off period while scanning for a new usable channel A UNII 3 chan...

Page 24: ...with adjacent channels when deploying the Cisco Wireless IP Phone 8821 and 8821 EX in an 802 11b g n environment which allows for seamless roaming Using an overlapping channel set such as 1 5 9 13 is not a supported configuration Below is a sample 2 4 GHz wireless LAN deployment Signal Strength and Coverage To ensure acceptable voice quality the Cisco Wireless IP Phone 8821 and 8821 EX should alwa...

Page 25: ... only applications do not provide coverage for some areas where VoWLAN service is necessary such as elevators stairways and outside corridors Microwave ovens 2 4 GHz cordless phones Bluetooth devices or other electronic equipment operating in the 2 4 GHz band will interfere with the Wireless LAN Microwave ovens operate on 2450 MHz which is between channels 8 and 9 of 802 11b g n Some microwaves ar...

Page 26: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 26 The Cisco Unified Network Control System NCS can be utilized to verify signal strength and coverage ...

Page 27: ...lowing 802 11 Mode Mandatory Data Rates Supported Data Rates Disabled Data Rates 802 11a n ac 12 Mbps 18 54 Mbps VHT MCS 1 MCS 9 6 9 Mbps VHT MCS 0 802 11a n 12 Mbps 18 54 Mbps HT MCS 1 MCS 7 HT MCS 8 MCS 23 6 9 Mbps HT MCS 0 802 11g n 12 Mbps 18 54 Mbps HT MCS 1 MCS 7 HT MCS 8 MCS 23 1 2 5 5 6 9 11 Mbps HT MCS 0 802 11b g n 11 Mbps 12 54 Mbps HT MCS 1 MCS 7 HT MCS 8 MCS 23 1 2 5 5 6 9 Mbps HT MCS...

Page 28: ...sed in some areas other than the W series then it is recommended to mount those access points on the ceiling as they have omni directional antennas and are not designed to be wall mounted Frequency Band As always it is recommended to use 5 GHz Use of 2 4 GHz especially when 802 11b rates are enabled may not work well For the 5 GHz channel set it is recommended to use a 8 or 12 channel plan only di...

Page 29: ...hile another part bounces off an obstruction then goes on to the destination As a result part of the signal encounters delay and travels a longer path to the destination which creates signal energy loss When the different waveforms combine they cause distortion and affect the decoding capability of the receiver as the signal quality is poor Multipath can exist in environments where there are refle...

Page 30: ...uthentication WPA2 and WPA 802 1x authentication WPA2 PSK and WPA PSK Pre Shared key EAP FAST Extensible Authentication Protocol Flexible Authentication via Secure Tunneling EAP TLS Extensible Authentication Protocol Transport Layer Security PEAP GTC Protected Extensible Authentication Protocol Generic Token Card PEAP MSCHAPv2 Protected Extensible Authentication Protocol Microsoft Challenge Handsh...

Page 31: ...rvice RADIUS server such as the Cisco Access Control Server ACS or Cisco Identity Services Engine ISE The TLS tunnel uses Protected Access Credentials PACs for authentication between the client the Cisco Wireless IP Phone 8821 and 8821 EX and the RADIUS server The server sends an Authority ID AID to the client which in turn selects the appropriate PAC The client returns a PAC Opaque to the RADIUS ...

Page 32: ...ng is disabled When it is time to renew the PAC then authenticated in band PAC provisioning will be used so ensure that Allow authenticated in band PAC provisioning is enabled Ensure that the Cisco Wireless IP Phone 8821 and 8821 EX has connected to the network during the grace period to ensure it can use its existing PAC created either using the active or retired master key in order to get issued...

Page 33: ...ire a user account to be created on the authentication server matching the common name of the certificate imported into the Cisco Wireless IP Phone 8821 or 8821 EX It is recommended to use a complex password for this user account and that EAP TLS is the only EAP type enabled on the RADIUS server ...

Page 34: ...thentication server can be validated via importing a certificate into the Cisco Wireless IP Phone 8821 and 8821 EX For more information on Cisco Secure Access Control System ACS and Cisco Identity Services Engine ISE refer to the following links http www cisco com c en us products security secure access control system datasheet listing html http www cisco com c en us products security identity ser...

Page 35: ...tion about TCP and UDP ports used by the Cisco Wireless IP Phone 8821 and 8821 EX and the Cisco Unified Communications Manager refer to the Cisco Unified Communications Manager TCP and UDP Port Usage document at this URL http www cisco com c en us td docs voice_ip_comm cucm port 10_0_1 CUCM_BK_T537717B_00_tcp port usage guide 100 html Call Admission Control CAC Call Admission Control can be enable...

Page 36: ... set the UP User Priority value The previous method of classification depends upon preservation of DSCP value throughout the network where the DSCP value maps to a particular queue BE BK VI VO However the DSCP values are not always preserved as this can be viewed as a security risk Using port based QoS policies is inadequate for CAPWAP based wireless LAN solutions as all data packets use the same ...

Page 37: ...ccess Points mls qos interface X mls qos trust dscp If utilizing Cisco Meraki MS Switches reference the Cisco Meraki MS Switch VoIP Deployment Guide https meraki cisco com lib pdf meraki_whitepaper_msvoip pdf Note When using the Cisco Wireless LAN Controller DSCP trust must be implemented or must trust the UDP data ports used by the Cisco Wireless LAN Controller CAPWAP UDP 5246 and 5247 on all int...

Page 38: ...igger for the majority of roams should be due to meeting the required RSSI differential based on the current RSSI which results in seamless roaming no voice interruptions For seamless roaming to occur the Cisco Wireless IP Phone 8821 and 8821 EX must be associated to an access point for at least 3 seconds otherwise roams can occur based on packet loss max tx retransmissions or missed beacons Roami...

Page 39: ...target access point can not be retained when a roaming event occurs The Cisco Wireless IP Phone 8821 and 8821 EX support 802 11r FT with WPA2 PSK or WPA2 and CCKM with WPA2 or WPA FSR Type Authentication Key Management Encryption 802 11r FT PSK WPA2 AES 802 11r FT EAP FAST WPA2 AES 802 11r FT EAP TLS WPA2 AES 802 11r FT PEAP GTC WPA2 AES 802 11r FT PEAP MSCHAPv2 WPA2 AES CCKM EAP FAST WPA2 WPA AES...

Page 40: ...n mode is enabled then the Cisco Wireless IP Phone 8821 and 8821 EX will also be continuously scanning When in idle with Auto scan mode scans will only occur when the pre defined RSSI threshold is held for the pre defined duration Continuous scan mode is recommended for environments where frequent roams occur or where smaller cells pico cells exist Continuous scan mode can also help with location ...

Page 41: ...int Dynamic Transmit Power Control DTPC should be enabled DTPC prevents one way audio when RF traffic is heard in one direction only If the access point does not support DTPC then the Cisco Wireless IP Phone 8821 and 8821 EX will use the highest available transmit power depending on the current channel and data rate The access point s radio transmit power should not have a transmit power greater t...

Page 42: ...ery feature which can be used to reduce the amount of multicast traffic on the wireless LAN when not necessary Ensure that IGMP snooping is also enabled on all switches Note If using Coexistence where 802 11b g n and Bluetooth are being used simultaneously then multicast voice is not supported Configuring the Cisco Wireless LAN Cisco Wireless LAN Controller and Lightweight Access Points When confi...

Page 43: ...cess Points with CleanAir technology Configure Multicast Direct Feature as necessary Set the 802 1p tag to 5 for the Platinum QoS profile 802 11 Network Settings It is recommended to have the Cisco Wireless IP Phone 8821 and 8821 EX operate on the 5 GHz band only due to have many channels available and not as many interferers as the 2 4 GHz band has If wanting to use 5 GHz ensure the 802 11a n ac ...

Page 44: ...work performance is improved Ensure DTPC Support is enabled If using Cisco 802 11n capable Access Points ensure ClientLink is enabled With the current releases Maximum Allowed Clients can be configured Recommended to set 12 Mbps as the mandatory basic rate and 18 Mbps and higher as supported optional rates assuming that there will not be any 802 11b only clients that will connect to the wireless L...

Page 45: ... s web interface and is only configurable via command line With releases 7 2 103 0 and later use the following commands to enable the beamforming feature globally for all access points or for individual access point radios Cisco Controller config 802 11a beamforming global enable Cisco Controller config 802 11a beamforming ap ap_name enable Cisco Controller config 802 11b beamforming global enable...

Page 46: ...ower settings Configure the access point transmit power level assignment method for either 5 or 2 4 GHz depending on which frequency band is to be utilized If using automatic power level assignment a maximum and minimum power level can be specified If using 5 GHz it is recommended to enable up to 12 channels only to avoid any potential delay of access point discovery due to having to scan many cha...

Page 47: ... 40 MHz or 80 MHz if using Cisco 802 11ac Access Points It is recommended to utilize the same channel width for all access points If using 2 4 GHz only channels 1 6 and 11 should be enabled in the DCA list It is recommended to configure the 2 4 GHz channel for 20 MHz even if using Cisco 802 11n Access Points capable of 40 MHz due to the limited number of channels available in 2 4 GHz ...

Page 48: ...ss points enabled can be enabled for Auto RF and workaround the access points that are statically configured This may be necessary if there is an intermittent interferer present in an area The 5 GHz channel width can be configured for 20 MHz or 40 MHz if using Cisco 802 11n Access Points and 20 MHz 40 MHz or 80 MHz if using Cisco 802 11ac Access Points It is recommended to use channel bonding only...

Page 49: ...nd roaming is managed independently by the phone itself EDCA Parameters Set the EDCA profile for Voice Optimized and disable Low Latency MAC for either 5 or 2 4 GHz depending on which frequency band is to be utilized Low Latency MAC LLM reduces the number of retransmissions to 2 3 per packet depending on the access point platform so it can cause issues if multiple data rates are enabled LLM is not...

Page 50: ... be enabled simultaneously Channel Announcement and Channel Quiet Mode should be enabled High Throughput 802 11n ac The 802 11n data rates can be configured per radio 2 4 GHz and 5 GHz 802 11ac data rates are applicable to 5 GHz only Ensure that WMM is enabled and WPA2 AES is configured in order to utilize 802 11n ac data rates The Cisco Wireless IP Phone 8821 and 8821 EX support HT MCS 0 MCS 7 an...

Page 51: ... acknowledgements It is recommended to adjust the A MPDU and A MSDU settings to the following to optimize the experience with the Cisco Wireless IP Phone 8821 and 8821 EX A MSDU User Priority 1 2 Enabled User Priority 0 3 4 5 6 7 Disabled A MPDU User Priority 0 3 4 5 Enabled User Priority 1 2 6 7 Disabled In the 7 0 116 0 release for the Cisco Wireless LAN Controller the default A MPDU and A MSDU ...

Page 52: ...ble config 802 11a 11nSupport a mpdu tx priority 6 disable config 802 11a 11nSupport a mpdu tx priority 7 disable In order to configure the 2 4 GHz settings the 802 11b g network will need to be disabled first then re enabled after the changes are complete config 802 11b 11nSupport a msdu tx priority 1 enable config 802 11b 11nSupport a msdu tx priority 2 enable config 802 11b 11nSupport a msdu tx...

Page 53: ...bled Priority 6 Disabled Priority 7 Disabled A MPDU Tx Priority 0 Enabled Priority 1 Disabled Priority 2 Disabled Priority 3 Enabled Priority 4 Enabled Priority 5 Enabled Priority 6 Disabled Priority 7 Disabled CleanAir CleanAir should be Enabled when utilizing Cisco Access Points with CleanAir technology in order to detect any existing interferers ...

Page 54: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 54 ...

Page 55: ...ireless IP Phone 8821 and 8821 EX operate on the 5 GHz band only due to have many channels available and not as many interferers as the 2 4 GHz band has Ensure that the selected SSID is not utilized by any other wireless LANs as that could lead to failures when powering on or during roaming especially if a different security type is utilized To utilize 802 11r FT for fast secure roaming check the ...

Page 56: ... enabled if wanting to utilize the same SSID for various type of voice clients where some clients do not support 802 11r FT depending on whether 802 1x or PSK is being utilized To utilize CCKM for fast secure roaming enable WPA2 policy with AES encryption and 802 1x CCKM for authenticated key management type ...

Page 57: ...n WMM clients existing in the WLAN it is recommended to put those clients on another WLAN If non other WMM clients must utilize the same SSID as the Cisco Wireless IP Phone 8821 and 8821 EX then ensure the WMM policy is set to Allowed Enabling WMM will enable the 802 11e version of QBSS There are also the 7920 Client CAC and 7920 AP CAC options where 7920 Client CAC will enable Cisco version 1 and...

Page 58: ... be tuned to defer scanning for certain queues as well as the scan defer time If using best effort applications frequently e g VPN etc or if DSCP values for priority applications e g voice video call control are not preserved to the access point then is recommended to enable the lower priority queues 0 3 along with the higher priority queues 4 7 to defer off channel scanning as well as potentially...

Page 59: ...ps can be created to specify which WLANs SSIDs are to be enabled and which interface they should be mapped to as well as what RF Profile parameters should be used for the access points assigned to the AP Group On the WLANs tab select the desired SSIDs and interfaces to map to then select Add ...

Page 60: ...then select Apply If changes are made after access points have joined the AP Group then those access points will reboot once those changes are made On the APs tab select the desired access points then select Add APs Those access points will then reboot Controller Settings Ensure the Cisco Wireless LAN Controller hostname is configured correctly ...

Page 61: ...o Wireless LAN Controller Configure the desired AP multicast mode If utilizing multicast then Enable Global Multicast Mode and Enable IGMP Snooping should be enabled If utilizing layer 3 mobility then Symmetric Mobility Tunneling should be Enabled In the recent versions Symmetric Mobility Tunneling is enabled by default and non configurable ...

Page 62: ...requency band is to be utilized The maximum bandwidth default setting for voice is 75 where 6 of that bandwidth is reserved for roaming clients Roaming clients are not limited to using the reserved roaming bandwidth but roaming bandwidth is to reserve some bandwidth for roaming clients in case all other bandwidth is utilized If CAC is to be enabled will want to ensure Load based CAC is enabled Loa...

Page 63: ...he Cisco Unified Communications Manager If the client uses UDP for SIP then the access point will snoop the SIP packets when media session snooping is enabled on the WLAN and will sent a 486 busy message to the client which in turn can be interpreted as a Network Busy message and the client could either roam to another access point or simply terminate the call setup for that session The Cisco Wire...

Page 64: ... CAC mode Enabled Voice tspec inactivity timeout Disabled Video AC Admission control ACM Disabled Voice Stream Size 84000 Voice Max Streams 2 Video max RF bandwidth 25 Video reserved roaming bandwidth 6 The voice stream size and voice max streams values can be adjusted as necessary by using the following command Cisco Controller config 802 11a cac voice stream size 84000 max streams 2 Ensure QoS i...

Page 65: ...iles RF Profiles can be created to specify which frequency bands data rates RRM settings etc a group of access points should use It is recommended to have the SSID used by the Cisco Wireless IP Phone and 8821 and 8821 EX to be applied to 5 GHz radios only RF Profiles are applied to an AP group once created When creating an RF Profile the RF Profile Name and Radio Policy must be defined Select 802 ...

Page 66: ... and 18 Mbps and higher as Supported however some environments may require 6 Mbps to be enabled as a mandatory basic rate On the RRM tab the Maximum Power Level Assignment and Minimum Power Level Assignment settings as well as other TPC and Coverage Hole Detection settings can be configured On the High Density tab Maximum Clients and Multicast Data Rates can be configured ...

Page 67: ...All access points configured for FlexConnect mode need to be added to a FlexConnect Group If utilizing CCKM then seamless roams can only occur when roaming to access points within the same FlexConnect Group Multicast Direct In the Media Stream settings Multicast Direct feature should be enabled ...

Page 68: ...ure is enabled then there will be an option to enable Multicast Direct in the QoS menu of the WLAN configuration QoS Profiles Configure the four QoS profiles Platinum Gold Silver Bronze by selecting 802 1p as the protocol type and set the 802 1p tag for each profile Platinum 5 Gold 4 Silver 2 Bronze 1 ...

Page 69: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 69 ...

Page 70: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 70 ...

Page 71: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 71 ...

Page 72: ...ings in the Cisco Wireless LAN Controller are configured per the information below To view the EAP configuration on the Cisco Wireless LAN Controller telnet or SSH to the controller and enter the following command Cisco Controller show advanced eap EAP Identity Request Timeout seconds 30 EAP Identity Request Max Retries 2 EAP Key Index for Dynamic WEP 0 EAP Max Login Ignore Identity Response enabl...

Page 73: ...k fine but is still recommended to set those values to 400 and 4 respectively The EAPOL Key Timeout should not exceed 1 second 1000 milliseconds To change the EAPOL Key Timeout on the Cisco Wireless LAN Controller telnet or SSH to the controller and enter the following command Cisco Controller config advanced eap eapol key timeout 400 To change the EAPOL Key Max Retries Timeout on the Cisco Wirele...

Page 74: ... timestamp tolerance to 5000 ms to optimize the Cisco Wireless IP Phone 8821 and 8821 EX roaming experience Cisco Controller config wlan security wpa akm cckm timestamp tolerance tolerance Allow CCKM IE time stamp tolerance 1000 to 5000 milliseconds Default tolerance 1000 msecs Use the following command to configure the CCKM timestamp tolerance per Cisco recommendations Cisco Controller config wla...

Page 75: ...om the drop down menu Select Wireless for Network type then click Create Cisco Meraki access points can be claimed either by specifying the serial number or order number Once claimed those Cisco Meraki access points will then be listed in the available inventory Cisco Meraki access points can be claimed either by selecting Claim on the Create network or Organization Configure Inventory pages Acces...

Page 76: ...ment Guide 76 Once claimed Cisco Meraki access points can be added to the desired wireless network via the Organization Configure Inventory page Access points can also be added to a wireless network by selecting Add APs on the Wireless Monitor Access points page ...

Page 77: ...pable Cisco Wireless LAN endpoints already then that WLAN can be utilized To set the SSID name select Rename To enable the SSID select Enabled from the drop down menu On the Wireless Configure Access control page select WPA2 Enterprise to enable 802 1x authentication The Cisco Meraki authentication server or an external RADIUS server can be utilized when selecting WPA2 Enterprise The Cisco Meraki ...

Page 78: ...RADIUS server then a user account must be created on the Network wide Configure Users page which the Cisco Wireless IP Phone 8821 and 8821 EX will be configured to use for 802 1x authentication Note Cisco Meraki access points do not support EAP FAST On the Wireless Configure Access control page recommend to enable Bridge mode where the Cisco Wireless IP Phone 8821 and 8821 EX will obtain DHCP from...

Page 79: ...d to enable 802 1q trunking Interface GigabitEthernet X switchport trunk encapsulation dot1q switchport mode trunk mls qos trust dscp On the Wireless Configure Access control page the frequency band for the SSID to be used by the Cisco Wireless IP Phone 8821 and 8821 EX can be configured as necessary It is recommended to select 5 GHz band only to have the Cisco Wireless IP Phone 8821 and 8821 EX o...

Page 80: ...ty to Disabled Radio Settings On the Wireless Configure Radio settings page configure what radio transmit power and channel settings to use For the Radio power setting it is recommended to select Enable power reduction on nearby APs as co channel interference can be potentially reduced If wanting to use maximum radio power then select Always use 100 power Can select whether to enable use of DFS ch...

Page 81: ...el and transmit power When Auto is selected for 2 4 GHz channels only channels 1 6 and 11 will be utilized Configure the access point transmit power level assignment method for either 5 or 2 4 GHz depending on which frequency band is to be utilized Individual access points can be configured with static channel and transmit power for either 5 or 2 4 GHz radios which may be necessary if there is an ...

Page 82: ...pe traffic on this SSID has been applied then select Create a new rule to define Traffic shaping rules By default Cisco Meraki access points currently tag voice frames marked with DSCP EF 46 as WMM UP 5 instead of WMM UP 6 and call control frames marked with DSCP CS3 24 as WMM UP 3 instead of WMM UP 4 Note Cisco Meraki access points do not support Call Admission Control Traffic Specification TSPEC...

Page 83: ...TPC Configure Quality of Service QoS Set the WMM Policy to Required Ensure Aironet Extensions is Enabled Disable Public Secure Packet Forwarding PSPF Set IGMP Snooping to Enabled 802 11 Network Settings It is recommended to have the Cisco Wireless IP Phone 8821 and 8821 EX operate on the 5 GHz band only due to have many channels available and not as many interferers as the 2 4 GHz band has If want...

Page 84: ...ss points can be configured to override the global setting to use dynamic channel and transmit power assignment for either 5 or 2 4 GHz depending on which frequency band is to be utilized Other access points enabled can be enabled for Auto RF and workaround the access points that are statically configured This may be necessary if there is an intermittent interferer present in an area The 5 GHz cha...

Page 85: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 85 ...

Page 86: ...ps as the mandatory basic rate and 18 Mbps and higher as supported optional rates assuming that there will not be any 802 11b only clients that will connect to the wireless LAN however some environments may require 6 Mbps to be enabled as a mandatory basic rate If 802 11b clients exist then 11 Mbps should be set as the mandatory basic rate and 12 Mbps and higher as supported optional ...

Page 87: ...wever if there is an existing SSID configured to support voice capable Cisco Wireless LAN endpoints already then that WLAN can be utilized instead The SSID to be used by the Cisco Wireless IP Phone 8821 and 8821 EX can be configured to only apply to a certain 802 11 radio type e g 802 11a only Enable WPA2 key management Ensure either 11r or CCKM is enabled where 11r is recommended ...

Page 88: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 88 ...

Page 89: ...t wireless voice and data into separate VLANs Ensure that Public Secure Packet Forwarding PSPF is not enabled for the voice VLAN as this will prevent clients from communicating directly when associated to the same access point If PSPF is enabled then the result will be no way audio ...

Page 90: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 90 Ensure AES is selected for encryption type ...

Page 91: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 91 Configure the RADIUS servers to be used for authentication and accounting ...

Page 92: ...should be utilized in the Cisco Autonomous Access Point environment which is also required for fast secure roaming Select one access point to be the primary WDS server and another to be the backup WDS server Configure the primary WDS server with the highest priority e g 255 and the backup WDS server with a lower priority e g 254 ...

Page 93: ...t protocol therefore should use a dedicated native VLAN for Cisco Autonomous Access Points For the native VLAN it is recommended to not use VLAN 1 to ensure that IAPP packets are exchanged successfully Port security should be disabled on switch ports that Cisco Autonomous Access Points are directly connected to Server groups for Wireless Domain Services must be defined ...

Page 94: ...infrastructure authentication If not using local RADIUS for infrastructure authentication then need to ensure that all access points with Wireless Domain Services enabled are configured in the RADIUS server Then define the server group to be used for client authentication Will need to ensure that all access points with Wireless Domain Services enabled are configured in the RADIUS server ...

Page 95: ...tion enable all authentication protocols Create a Network Access Server entry for the local access point Define the user account in which access points will be configured for to authenticate to the Wireless Domain Services enabled access point Configure local RADIUS on each access point participating in Wireless Domain Services ...

Page 96: ...ervices then all access points including those serving as WDS servers need to be configured to be able to authenticate to the WDS servers Enable Participate in SWAN Infrastructure If using a single WDS server then can specify the IP address of the WDS server otherwise enable Auto Discovery Enter the Username and Password to be used to authenticate to the WDS server ...

Page 97: ...he WDS server can check WDS Status to see the WDS server state as well as how many access points are registered to the WDS server Call Admission Control CAC Load based CAC and support for multiple streams are not present on the Cisco Autonomous Access Points therefore it is not recommended to enable CAC on Cisco Autonomous Access points ...

Page 98: ...ission must be unblocked on the SSID as well In recent releases the admission is unblocked by default dot11 ssid voice vlan 3 authentication open eap eap_methods authentication network eap eap_methods authentication key management wpa version 2 dot11r admit traffic QoS Policies Configure the following QoS policy on the Cisco Autonomous Access Point to enable DSCP to CoS WMM UP mapping This allows ...

Page 99: ...EX Wireless LAN Deployment Guide 99 To enable QBSS select Enable and check Dot11e If Dot11e is checked then both CCA versions 802 11e and Cisco version 2 will be enabled Ensure IGMP Snooping is enabled Ensure Wi Fi MultiMedia WMM is enabled ...

Page 100: ...n then use the defaults where 5 5 6 11 12 and 24 Mbps are enabled as nominal rates for 802 11b g 6 12 and 24 Mbps enabled for 802 11a and 6 5 13 and 26 Mbps enabled for 802 11n If the Stream feature is enabled ensure that only voice packets are being put into the voice queue Signaling packets SIP should be put into a separate queue This can be ensured by setting up a QoS policy mapping the DSCP to...

Page 101: ... Power Management Proxy ARP can optimize idle battery life by answering any ARP requests on behalf of the phone To enable Proxy ARP set Client ARP Caching to Enable Also ensure that Forward ARP Requests to Radio Interfaces When Not All Client IP Addresses Are Known is checked ...

Page 102: ...admin aaa group server radius rad_pmip aaa group server radius dummy aaa group server radius WDS server name 10 9 0 9 aaa group server radius Clients server name 10 0 0 20 aaa authentication login default local aaa authentication login eap_methods group rad_eap aaa authentication login mac_methods local aaa authentication login method_WDS group WDS aaa authentication login method_Clients group Cli...

Page 103: ...65 642D4365 72746966 69636174 652D3637 32383734 33323430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 CB155DD1 3421B13F CD121F42 7A62D9F5 38EBC966 4420F38A 38DFAFF2 D43CD3B9 5F5A1B75 7910F9F5 6E9EDEF4 730942C7 17DC4CBC E5AE3E49 0AF79419 0BEF34BC 5DCEB4E2 FF2978CB C34D5AEE ED1DFB58 C7BF6592 61C1AD25 3EF87205 15EA58C2 0A5E2B15 7F08FAEA 5DA2BFA7 95E56C60 22C229C7 024A91D7 A4FEB50B 5...

Page 104: ...idge group 1 spanning disabled bridge group 1 block unknown source no bridge group 1 source learning no bridge group 1 unicast flooding interface Dot11Radio1 no ip address encryption vlan 2 mode ciphers aes ccm encryption vlan 3 mode ciphers aes ccm ssid data ssid voice antenna gain 0 peakdetect dfs band 3 block stbc mbssid speed basic 12 0 18 0 24 0 36 0 48 0 54 0 m0 m1 m2 m3 m4 m5 m6 m7 m8 m9 m1...

Page 105: ...idge group 3 block unknown source no bridge group 3 source learning no bridge group 3 unicast flooding service policy input Voice interface Dot11Radio1 10 encapsulation dot1Q 10 native bridge group 1 bridge group 1 subscriber loop control bridge group 1 spanning disabled bridge group 1 block unknown source no bridge group 1 source learning no bridge group 1 unicast flooding interface GigabitEthern...

Page 106: ...adius server local nas 10 9 0 9 key 7 REMOVED user wds nthash 7 REMOVED radius server attribute 32 include in access req format h radius server 10 0 0 20 address ipv4 10 0 0 20 auth port 1812 acct port 1813 key 7 REMOVED radius server 10 9 0 9 address ipv4 10 9 0 9 auth port 1812 acct port 1813 key 7 REMOVED access list 111 permit tcp any any neq telnet bridge 1 route ip wlccp ap username wds pass...

Page 107: ...dress The wireless LAN MAC address of the Cisco Wireless IP Phone 8821 or 8821 EX can be found by navigating to Settings Phone information Model information Device Pools When creating a new Cisco Wireless IP Phone 8821 or 8821 EX a Device Pool must be configured The device pool defines common settings e g Cisco Unified Communications Manager Group etc roaming sensitive settings e g Date Time Group...

Page 108: ... IP Phone 8821 or 8821 EX a Phone Button Template must be configured Custom phone button templates can be created with the option for many different features which can then be applied on a device or group level Security Profiles When creating a new Cisco Wireless IP Phone 8821 or 8821 EX a Device Security Profile must be configured ...

Page 109: ... enabled The Certificate Authority Proxy Function CAPF must be operational in order to utilize a Locally Signed Certificate LSC with a security profile The Cisco Wireless IP Phone 8821 and 8821 EX have a Manufacturing Installed Certificate MIC which can be utilized with a security profile as well The default device security profile is the model specific Standard SIP Non Secure Profile which does n...

Page 110: ...rofile for the Cisco Wireless IP Phone 8821 and 8821 EX do no use the Standard SIP Profile To create a custom SIP Profile for the Cisco Wireless IP Phone 8821 or 8821 EX use the Standard SIP Profile as the reference template Copy the Standard SIP Profile then change the following parameters Time Register Delta seconds 30 Time Keep Alive Expires seconds 300 Time Subscribe Expires seconds 300 Time S...

Page 111: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 111 Custom 8821 SIP Profile ...

Page 112: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 112 ...

Page 113: ... individual phone level Bluetooth is enabled by default for the Cisco Wireless IP Phone 8821 and 8821 EX Override common settings can be enabled at either configuration level QoS Parameters The DSCP values to be used for SIP communications phone configuration and phone based services to be used by the phone are defined in the Cisco Unified Communications Manager s Enterprise Parameters ...

Page 114: ...bled at the enterprise phone common phone profile or individual phone level by setting Advertise G 722 and iSAC Codecs to Disabled Audio Bit Rates The audio and video bit rate can be configured by creating or editing existing Regions in the Cisco Unified Communications Manager It is recommended to select G 722 or G 711 for the audio codec By default the video call bit rate is set to 384 Kbps For t...

Page 115: ... and later EAP TLS support is included Use the following guidelines to configure a Wireless LAN profile within Cisco Unified Communications Manager to then apply to a Cisco Wireless IP Phone 8821 or 8821 EX Prior to creating a Wireless LAN Profile and associating it to a Cisco Wireless IP Phone 8821 and 8821 EX the Cisco Wireless IP Phone 8821 and 8821 EX should be configured to utilize a security...

Page 116: ...to enable TFTP encryption for that Cisco Wireless IP Phone 8821 and 8821 EX configuration files Select the configured security profile from the Device Security Profile drop down menu To create a Wireless LAN Profile navigate to Device Device Settings Wireless LAN Profile within the Cisco Unified Communications Manager s Administration interface From the Wireless LAN Profile page select Add New ...

Page 117: ...Wireless LAN Profile can then be created where the Name Description Wireless Settings SSID Frequency Band User Modifiable and Authentication Settings are specified Below are Wireless LAN Profile defaults Frequency Band Auto User Modifiable Allowed Authentication Method EAP FAST ...

Page 118: ...figured Select the desired User Modifiable option Allowed The user has the capability to change any Wireless LAN settings e g Enable Disable SSID Frequency Band Authentication Method Username and Password PSK Passphrase WEP Key locally on the endpoint Disallowed The user is unable to change any Wireless LAN settings Restricted The user is only able to change certain Wireless LAN settings e g Usern...

Page 119: ... channels 2 4 GHz Operates on 2 4 GHz channels only 5 GHz Operates on 5 GHz channels only Select the desired Authentication Method option If EAP FAST PEAP MSCHAPv2 or PEAP GTC is selected then the option to enter shared credentials Username and Password is available If Provide Shared Credentials is not checked then the Username and Password will need to be configured locally on the Cisco Wireless ...

Page 120: ...acturing Installed Certificate or User Installed If PSK is selected to utilize Pre Shared Key authentication then a PSK Passphrase must be entered The PSK Passphrase must be in one of the following formats 8 63 ASCII character string 64 HEX character string A Password Description can optionally be entered If WEP is selected to utilize static WEP Wired Equivalent Privacy authentication then a WEP K...

Page 121: ...nce the Wireless LAN Profile configuration is complete The Cisco Wireless IP Phone 8821 and 8821 EX do not support the Network Access Profile option To create a Wireless LAN Profile Group navigate to Device Device Settings Wireless LAN Profile Group within the Cisco Unified Communications Manager s Administration interface From the Wireless LAN Profile Group page select Add New ...

Page 122: ...or an individual Cisco Wireless IP Phone 8821 and 8821 EX To apply a Wireless LAN Profile Group to a device pool navigate to System Device Pool within the Cisco Unified Communications Manager s Administration interface Create a Device Pool as necessary and put the desired Cisco Wireless IP Phone 8821 and 8821 EX into this Device Pool Once the Device Pool has been created configure the Wireless LAN...

Page 123: ...ified Communications Manager s Administration interface Navigate to the desired Cisco Wireless IP Phone 8821 and 8821 EX configure the Wireless LAN Profile Group then select Save Once the Wireless LAN Profile Group has been applied to the individual Cisco Wireless IP Phone 8821 and 8821 EX select Apply Config for the Cisco Wireless IP Phone 8821 and 8821 EX to download the Wireless LAN Profile Gro...

Page 124: ...ied Communications Manager Express version 15 6 service timestamps debug datetime msec service timestamps log datetime msec service password encryption hostname CME boot start marker boot system flash c2900 universalk9 mz SPA 156 1 T0a bin boot end marker aqm register fnf logging buffered 51200 warnings aaa new model aaa authentication login default local aaa authorization exec default local aaa s...

Page 125: ...003 81810011 2DB8EA5C 2D588D18 1CB78EE2 0FBAE777 716B441C 9389C987 612BBBEA 7B9E30CB 4BAF41A7 0F0DB51D E4F45FB2 F8A139B3 70DF1E94 A7EE4F81 B08E3F21 C0743E56 59D42988 D7FAB957 FADBBFE0 A77F404F 634BDD93 87559D1D CCA93BCA 87899A98 C151CF62 EF183C8E CB2C9DFC 71F45AE0 92A26FBF CBA7FA2B F9C5DB6D EEC936 quit voice card 0 voice service voip no ip address trusted authenticate allow connections h323 to sip...

Page 126: ...1F9 session transport tcp type 8821 number 1 dn 2 dtmf relay rtp nte username 8821 2 password REMOVED codec g711ulaw no vad license udi pid CISCO2901 K9 sn REMOVED username REMOVED privilege 15 password 7 REMOVED redundancy interface Embedded Service Engine0 0 no ip address shutdown interface GigabitEthernet0 0 ip address 10 0 0 10 255 255 255 0 duplex auto speed auto interface GigabitEthernet0 1 ...

Page 127: ...only mgcp behavior comedia role none mgcp behavior comedia check media src disable mgcp behavior comedia sdp force disable mgcp profile default sip ua timers connection aging 20 gatekeeper shutdown telephony service max ephones 25 max dn 25 ip source address 10 0 0 10 port 2000 url authentication http 10 0 0 10 CCMCIP authenticate asp cnf file perphone olsontimezone America New_York version 2010o ...

Page 128: ...e 8821 and 8821 EX For a description of these options click at the top of the configuration page Product specific configuration options can be configured in bulk via the Bulk Admin Tool if using Cisco Unified Communications Manager Some of the product specific configuration options can be configured on an enterprise phone common phone profile or individual phone configuration level Cisco Wireless ...

Page 129: ...Access is enabled you can change the phone configuration ring type etc on the phone When Settings Access is disabled configuration changes are not allowed When Settings Access is Restricted you can only change user preferences Web Access This parameter specifies whether the phone will accept connections from a web browser or other HTTP client Disabling the web server functionality of the phone wil...

Page 130: ...l If Single AP is selected then the phone does not scan except when first powered on or when the connection is lost Application URL This parameter specifies the URL which the phone utilizes for application services including Push To Talk PTT Application Button Activation Timer This parameters specifies the amount of time one must hold down the Application Button to activate the application specifi...

Page 131: ...the remote party hears The volume should be in the range of 0 to 100 with 0 being less than 66dBM and 100 being 4dBM The default value is 10dBM or 50 Recording Tone Duration This parameter specifies the length of time in milliseconds for which the recording tone is inserted in the audio stream The default for this parameter is set to the value in the Network locale file for this field The valid ra...

Page 132: ...a local server to be used for firmware upgrades which can assist in reducing install times particularly for upgrades over a WAN Enter the hostname or the IP address using standard IP addressing format of the server The indicated server must be running TFTP services and have the load file in the TFTP path If the load file is not found the load will not install The phone will not be redirected to th...

Page 133: ...ise G 722 Codec Disabled this phone will not advertise G 722 support and Enabled this phone will advertise G 722 support Detect Unified CM Connection Failure This parameter determines the sensitivity that the phone has for detecting a connection failure to Cisco Unified Communications Manager Unified CM which is the first step before device failover to a backup Unified CM SRST occurs Valid values ...

Page 134: ...erAndHeadset false Disabled true Enabled Settings Access settingsAccess 0 Disabled 1 Enabled 2 Restricted Web Access webAccess 0 Enabled 1 Disabled HTTPS Server webProtocol 0 http and https Enabled 1 https only Web Admin webAdmin 0 Disabled 1 Enabled Admin Password adminPassword 8 to 127 character string Bluetooth bluetooth 0 Disabled 1 Enabled WLAN Profile 1 Prompt Mode promptMode1 0 Disabled 1 E...

Page 135: ...ging 0 Disabled 1 Enabled Background Image defaultWallpaperFile Up to 64 character string Home Screen homeScreen 0 Application View 1 Line View Local Contacts Access accessContacts 0 Disabled 1 Enabled 2 Read Only Favorites Access accessFavorites 0 Disabled 1 Enabled 2 Read Only Voicemail Access accessVoicemail 0 Disabled 1 Enabled Applications Access accessApps 0 Disabled 1 Enabled Recording Tone...

Page 136: ...ing Locale RingLocale 0 Default 1 Japan TLS Resumption Timer TLSResumptionTimer 0 3600 Default 3600 FIPS Mode fipsMode 0 Disabled 1 Enabled Record Call Log From Shared Line logCallFromSharedLine 0 Disabled 1 Enabled Minimum Ring Volume minimumRingVolume 0 Silent 1 Volume Level 1 2 Volume Level 2 3 Volume Level 3 4 Volume Level 4 5 Volume Level 5 6 Volume Level 6 7 Volume Level 7 8 Volume Level 8 9...

Page 137: ... Root CA Fingerprint SHA256 or SHA1 wlanRootCaFingerprint Up to 95 character string Console Access ConsoleAccess 0 Enabled 1 Disabled Gratuitous ARP garp 0 Enabled 1 Disabled Show All Calls On Primary Line allCallsOnPrimary 0 Disabled 1 Enabled Advertise G 722 and iSAC Codecs g722CodecSupport 0 Use System Default 1 Disabled 2 Enabled Detect Unified CM Connection Failure detectCMConnectionFailure 0...

Page 138: ...g it to the CUCM Wired 802 1x authentication and DHCP snooping features are not supported when using the USB to Ethernet dongle so need to ensure the switchport is configured properly Use of a supported USB to Ethernet dongle is for initial provisioning purposes only and not to convert the Cisco Wireless IP Phone 8821 or 8821 EX to a wired IP phone Voice calls over Ethernet are not supported The f...

Page 139: ...delines to configure the Wi Fi Profiles via the local keypad Use the 5 way navigation button to navigate to Settings Wi Fi then select the desired profile to configure Up to 4 Wi Fi profiles can be configured Then select either Profile name Network configuration or WLAN configuration using the 5 way navigation button ...

Page 140: ...aults to Profile 1 Profile 2 Profile 3 Profile 4 Select WLAN configuration to configure the WLAN parameters including SSID Security mode 802 11 mode and On call power save Press the 5 way navigation s middle button to toggle an option and to enter edit mode Only Profile 1 is Enabled by default Only Profile 1 s SSID defaults to cisco others are null All profiles default to Security mode None 802 11...

Page 141: ... changes or Cancel under to dismiss the changes Below lists the available security modes supported and the key management and encryption types that can be used for each mode Security Mode 802 1x Type Key Management Encryption None N A None None WEP N A Static WEP PSK N A WPA2 WPA AES TKIP EAP FAST EAP FAST WPA2 WPA AES TKIP EAP TLS EAP TLS WPA2 WPA AES TKIP ...

Page 142: ...anges or Cancel to dismiss the changes To utilize WEP security set Security mode WEP then enter the 40 104 or 64 128 ASCII or HEX WEP key Only key index 1 is supported so will want to ensure that only key index 1 is configured on the access point Select Save to save the changes or Cancel to dismiss the changes Key Style Key Size Characters ASCII 40 64 bit 5 ASCII 104 128 bit 13 HEX 40 64 bit 10 0 ...

Page 143: ...To utilize EAP FAST PEAP GTC or PEAP MSCHAPv2 set the Security mode accordingly then the User ID and Password must be configured The root CA certificate of the CA chain that issues the RADIUS server certificates can optionally be installed either manually via the admin webpage or via SCEP if wanting to use PEAP with server validation Server validation is automatically enabled once a server certifi...

Page 144: ...electing EAP TLS as the security mode then must configure the type of user certificate to use If User installed is selected then will need to have a user certificate installed either manually via the admin webpage or via SCEP Server Validation is optional where Server Certificate can optionally be installed Select Save to save the changes or Cancel to dismiss the changes ...

Page 145: ...an 5 GHz channels then will attempt to associate to an available access point It is recommended to set the frequency band on the Cisco Wireless IP Phone 8821 and 8821 EX to 5 GHz when wanting to utilize the 5 GHz frequency band only which prevents scanning and potentially roaming to the 2 4 GHz frequency band Select Save to save the changes or Cancel to dismiss the changes If Network configuration...

Page 146: ...elect Erase if prompted when configuring Alternate TFTP On call power save defaults to Enabled When Enabled the phone will utilize U APSD when on call This parameter does not alter power save when in idle as the phone will always utilize U APSD when not on call On call power save should only be set to Disabled if required for troubleshooting purposes Select Save to save the changes or Cancel to di...

Page 147: ...Wireless IP Phone 8821 and 8821 EX can be accessed via Wi Fi or USB For the Wi Fi method the phone is defaulted with SSID cisco and Security Mode None For the USB method ensure the phone is connecting to a Windows 7 8 10 or Mac OS X computer A driver is not required for Windows but is required for Mac OS X http joshuawise com horndis Then set a static IP address for the network interface created o...

Page 148: ...8821 EX browse to the admin webpage of the out of box or factory defaulted Cisco Wireless IP Phone 8821 or 8821 EX Select WLAN menu option then configure the necessary profiles where the SSID 802 11 Mode Security Mode etc must be specified For EAP TLS the User Certificate can be set to User Installed or Manufacturing Installed will be defaulted to Manufacturing Installed For PEAP with Server Valid...

Page 149: ...ckup Settings menu option Prior to selecting Export enter an Encryption Key 8 127characters to encrypt the export template Save the file to the local PC after selecting Export for later use Any pre existing Server Root CA Certificates will be included in the exported configuration To apply the exported configuration file select Backup Settings on the phone s admin webpage ...

Page 150: ...ame the Root CA certificate to WLANRootCA cer then copy it to the CUCM TFTP servers and restart the TFTP service for those CUCM servers Only 1 certificate per type is allowed 1 user certificate and 1 server certificate Once a certificate is installed Server Validation is automatically enabled if configured for EAP TLS PEAP GTC or PEAP MSCHAPV2 Microsoft Certificate Authority CA servers are recomme...

Page 151: ... to keep the admin webpage interface access enabled long term then should utilize a secure profile with TFTP encryption enabled For out of box factory reset will need to ensure the date and time is configured correctly Can set the Date Time by syncing to the local machine or setting the Date Time manually Can utilize either the internal Manufacturing Installed Certificate MIC or a custom User Inst...

Page 152: ...r Installed Certificate To manually install a user certificate for EAP TLS select Install for User Installed on the main certificates webpage Select Browse to point to the user certificate in PKCS 12 format p12 or pfx Enter the Extract password up to 12 characters then select Upload Ensure the CA chain that issued the user certificate is added to the RADIUS server s trust list Will need to restart...

Page 153: ...suing certificates to the phones as well as for the RADIUS servers otherwise server validation could fail For initial certificate enrollment via SCEP the Cisco Wireless IP Phone 8821 and 8821 EX needs to be connected to a network either while docked with a supported USB to Ethernet dongle connected in the back of the dock or using the default Wi Fi settings i e SSID cisco and Security Mode None wh...

Page 154: ...he SCEP RA receives the user certificate from the CA and sends it to the phone after it receives a poll request from the phone The Cisco Wireless IP Phone 8821 and 8821 EX will periodically check the user and server certificate expiration periods Certificate renewal will occur when the expiration date is within 50 days If the CA certificate used to define the WLAN Root CA Fingerprint SHA256 or SHA...

Page 155: ...ice role service In the Add Roles Wizard on the Select Role Services page select the Network Device Enrollment Service check box then click Next The wizard will detect whether all the required dependencies are installed If any dependencies are missing you will be prompted with a dialog box explaining what is missing and requesting your permission to install the dependencies Click Yes to continue t...

Page 156: ... 8821 and 8821 EX Wireless LAN Deployment Guide 156 Click User Account under Role Services and then click Select User Type in Administrator as the user name then enter the password Enter the Registration Authority information ...

Page 157: ...isco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 157 Select Microsoft Strong Cryptographic Provider for Signature Key CSP and Encryption key CSP Select 2048 for Key character length ...

Page 158: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 158 Select Install ...

Page 159: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 159 A confirmation page will be displayed if the installation was successful ...

Page 160: ...ent challenge password requirement via regedit by setting EnforcePassword to 0 HKEY_LOCAL_MACHINE SOFTWARE Microsoft Cryptography MSCEP EnforcePassword SCEP uses the certificate template that is set in the registry for issuing certificates HKEY_LOCAL_MACHINE SOFTWARE Microsoft Cryptography MSCEP ...

Page 161: ...he SCEP server After the Cisco RA is enrolled to the SCEP server admin needs to change the template in the registry if the user certificate period needs to be shorter than that of the root CA Right click Certificate Templates then select Manage Right click User template then select Duplicate Template Select Windows Server 2003 2008 Template Under the General tab change template name and validity p...

Page 162: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 162 Configure the Validity Period on the General tab as necessary ...

Page 163: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 163 Configure Subject Name tab as shown below ...

Page 164: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 164 Configure Extensions tab as shown below ...

Page 165: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 165 Configure Algorithm Name Minimum Key Size and Request Hash as necessary on the Cryptography tab ...

Page 166: ...ess IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 166 Enable the newly created template by right clicking Certificate Templates then selecting New Certificate Template to Issue Select SCEP User template ...

Page 167: ...a regedit Go to IIS Application Pools to stop then start the SCEP service for the new template to take effect RADIUS Configuration Use the following guidelines to configure the RADIUS server Add the SCEP RA under Network Device and AAA Clients Configure the RADIUS shared secret that the SCEP RA is currently configured for ...

Page 168: ...eate a user account matching the common name of the phone s Manufacturing Installed Certificate MIC with the password set to cisco e g CP 8821 SEPxxxxxxxxxxxx Add the Cisco Manufacturing CA chain to the RADIUS trust list as well as any other CA chains utilized for authentication ...

Page 169: ...uide 169 Create a Certificate Authentication Profile Create an Identity Store Sequence to be used for EAP TLS authentication Check Certificate Based select the newly created Certificate Authentication Profile and select Internal Users as the additional identity store ...

Page 170: ...21 EX Wireless LAN Deployment Guide 170 Create an Identity Store Sequence to be used for SCEP authentication Check Password Based select the newly created Certificate Authentication Profile and select Internal Users as the identity store ...

Page 171: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 171 Create an Authorization Profile to be used for SCEP authorization ...

Page 172: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 172 ...

Page 173: ...EX Wireless LAN Deployment Guide 173 Under the RADIUS Attributes tab add the cisco av pair attribute where the Type is set to String and Value is set to pki cert application all Create an Access Policy to be used for EAP TLS authentication ...

Page 174: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 174 For the Access Service for EAP TLS authentication need to ensure that EAP TLS is enabled ...

Page 175: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 175 Under Identity rules can be defined to match EAP type then determine which identity source to use for authentication ...

Page 176: ... 8821 and 8821 EX Wireless LAN Deployment Guide 176 Under Identity rules can be defined to match various conditions then determine which authorization profile to use Create an Access Policy to be used for SCEP authentication ...

Page 177: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 177 For the Access Service for SCEP authentication need to ensure that PAP ASCII is enabled ...

Page 178: ...Cisco Wireless IP Phone 8821 and 8821 EX Wireless LAN Deployment Guide 178 Under Identity rules can be defined to match various conditions then determine which identity source to use for authentication ...

Page 179: ...ne which authorization profile to use SCEP RA Configuration Currently only a Cisco IOS router running IOS version 15 1 4 M10 or later is supported as the SCEP RA Use the following guidelines to configure a Cisco IOS router as a SCEP RA Enable HTTP server on the Cisco IOS router ISR_RA configure terminal ISR_RA config ip http server ISR_RA config exit ...

Page 180: ...ate MIC_trustpoint Enter the base 64 encoded Manufacturing CA certificate End with a blank line or the word quit on a line by itself BEGIN CERTIFICATE MIIEZTCCA02gAwIBAgIBAjANBgkqhkiG9w0BAQsFADArMQ4wDAYDVQQKEwVDaXNj bzEZMBcGA1UEAxMQQ2lzY28gUm9vdCBDQSBNMjAeFw0xMjExMTIxMzUwNThaFw0z NzExMTIxMzAwMTdaMDYxDjAMBgNVBAoTBUNpc2NvMSQwIgYDVQQDExtDaXNjbyBN YW51ZmFjdHVyaW5nIENBIFNIQTIwggEiMA0GCSqGSIb3DQEBAQUAA4...

Page 181: ...onfig exit Configure a PKI trustpoint and PKI server to enroll to the CA server ISR_RA configure terminal ISR_RA config crypto pki trustpoint MSCA ISR_RA ca trustpoint enrollment mode ra ISR_RA ca trustpoint enrollment url http 10 81 116 249 certsrv mscep mscep dll ISR_RA ca trustpoint serial number ISR_RA ca trustpoint fingerprint 81512B4316429092925C6891701B374EBD254447 ISR_RA ca trustpoint revo...

Page 182: ...ogress ISR_RA cs server Exporting Certificate Server signing certificate and keys Feb 17 15 21 42 CRYPTO_PKI Certificate Request Fingerprint MD5 CDE40276 04A28DA8 BDE5DF48 0BC1A8F7 Feb 17 15 21 42 CRYPTO_PKI Certificate Request Fingerprint SHA1 AE5CDEF2 A633DEF4 1D5A5104 7D6A8BD7 E08B576C Feb 17 15 21 43 PKI 6 CERTRET Certificate received from Certificate Authority Feb 17 15 21 48 PKI 6 CS_ENABLED...

Page 183: ... 5B05F599 63C66D49 E4F12A0D DE5B29D5 FB112569 B1EA4C33 1859FFB6 A1BB3860 1E6520D4 DB6201F2 4444CFE9 3F17AFA4 ED0F4877 EB9E0E50 7716FB59 9E06EFE3 72D96E30 AA697928 D5B6BA1F E6FB7EA5 B9028348 900008EC 2F4A9CCD 3DF268D5 EF020301 0001A382 01873082 0183300E 0603551D 0F0101FF 04040302 01063012 0603551D 130101FF 04083006 0101FF02 0100305C 0603551D 20045530 53305106 0A2B0601 04010915 01120030 43304106 082...

Page 184: ...5 732C434E 3D436F6E 66696775 72617469 6F6E2C44 433D7964 2D6D7363 612C4443 3D79646E 65742C44 433D636F 6D3F6365 72746966 69636174 65526576 6F636174 696F6E4C 6973743F 62617365 3F6F626A 65637443 6C617373 3D63524C 44697374 72696275 74696F6E 506F696E 743081C4 06082B06 01050507 01010481 B73081B4 3081B106 082B0601 05050730 028681A4 6C646170 3A2F2F2F 434E3D79 69636875 6E2D4341 2C434E3D 4149412C 434E3D50 75...

Page 185: ...8FD818EB 01E5FF66 D984A379 9298FFEC 65DD902C A7757358 0AECDA0B D794E150 5237FBBE F5020301 0001A369 30673013 06092B06 01040182 37140204 061E0400 43004130 0E060355 1D0F0101 FF040403 02018630 0F060355 1D130101 FF040530 030101FF 301D0603 551D0E04 16041476 97475B67 C892C5DF 1F0306D7 61CA3ACC 560B6030 1006092B 06010401 82371501 04030201 00300D06 092A8648 86F70D01 010B0500 03820101 007D4DAD 1170BBD8 2D9A...

Page 186: ...r via the admin webpage interface or via the local user interface To remove a certificate via the admin webpage select Delete for the corresponding certificate then restart the phone once a certificate has been removed Bluetooth Settings The Cisco Wireless IP Phone 8821 and 8821 EX include Bluetooth 3 0 support which enables hands free communications To pair a Bluetooth headset to the Cisco Wirele...

Page 187: ...Phone 8821 and 8821 EX will then attempt to pair will attempt to use the pin code 0000 If unsuccessful enter the pin code when prompted Once paired then the Cisco Wireless IP Phone 8821 and 8821 EX will attempt to connect to the Bluetooth device Selecting the Bluetooth device then selecting Disconnect will disconnect that currently connected Bluetooth device ...

Page 188: ...is URL http www cisco com c en us support unified communications unified communications manager callmanager products maintenance guides list html The downloaded phone configuration file is parsed and the device load is identified The Cisco Wireless IP Phone 8821 or 8821 EX then downloads the firmware files to flash if it is not running the specified image already The Load Server can be specified a...

Page 189: ...6 loads tftp server flash dtblob8821 HE 01 005 sbn tftp server flash fbi8821 HE 01 008 sbn tftp server flash kern8821 11 0 3 6 sbn tftp server flash rootfs8821 11 0 3 6 sbn tftp server flash sb28821 HE 01 019 sbn tftp server flash vc48821 11 0 3 6 sbn voice register pool type 8821 phoneload support transport tcp description Cisco SIP Phone 8821 reference pooltype 9971 voice register global load 88...

Page 190: ...bor access point details can be viewed by selecting Settings Admin settings Neighbor list AP name BSSID SSID Channel RSSI and CU Channel Utilization information will be displayed WLAN Statistics Wireless statistic information can be viewed locally on the phone under Applications Admin settings Status Wireless statistics ...

Page 191: ...uide 191 Call Statistics Call statistic information can be viewed locally on the phone under Applications Admin settings Status Call statistics Status Messages Status messages can be viewed locally on the phone under Applications Admin settings Status Status messages ...

Page 192: ...ach access point that matches a configured Wi Fi Profile when selecting Settings Admin settings Diagnostics WLAN AP name BSSID SSID Frequency Current channel Last RSSI Beacon Interval Data rate DTIM Country code Channel Power constraint Power limit CU Station count Admission capacity WMM UAPSD Proxy ARP CCX and Access category information will be displayed ...

Page 193: ...lected to proceed with the factory data reset If the Cisco Wireless IP Phone 8821 or 8821 EX is not able to boot properly a factory reset can also be initiated via the following procedure Turn the phone off by pressing the red button Press and hold the key then power on the phone Keep the key held until the LED changes colors Once the LED changes colors release the key Then press 1 2 3 4 5 6 7 8 9...

Page 194: ...nly information regarding device information network setup streaming statistics device logs etc To access the standard webpage interface Web Access must be enabled in Cisco Unified Communications Manager The admin webpage interface https x x x x 8443 contains all of the info as the standard read only page plus a few extra configurable pages i e Certificates Date and time and Phone restart To acces...

Page 195: ...o Wireless IP Phone 8821 and 8821 EX provide network setup information where network and Cisco Unified Communications Manager information is displayed Browse to the standard web interface https x x x x of the Cisco Wireless IP Phone 8821 or 8821 EX then select Network setup to view this information ...

Page 196: ...co Wireless IP Phone 8821 and 8821 EX provide call statistic information where MOS jitter and packet counters are displayed Browse to the standard web interface https x x x x of Cisco Wireless IP Phone 8821 or 8821 EX then select the necessary menu item under Streaming statistics to view this information ...

Page 197: ...mps status messages and debug display can be obtained from the web interface of Cisco Wireless IP Phone 8821 or 8821 EX for troubleshooting purposes Browse to the standard web interface https x x x x of Cisco Wireless IP Phone 8821 or 8821 EX then select the necessary menu item under Device Logs to view this information ...

Page 198: ...8 Status Messages The Cisco Wireless IP Phone 8821 and 8821 EX provide status message information Browse to the standard web interface https x x x x of Cisco Wireless IP Phone 8821 or 8821 EX then select the necessary menu item under Status messages to view this information ...

Page 199: ... Cisco Wireless IP Phone 8821 or 8821 EX can be captured by browsing to http x x x x CGI Screenshot where x x x x is the IP address of the Cisco Wireless IP Phone 8821 or 8821 EX At the prompt enter the username and password for the account that the Cisco Wireless IP Phone 8821 or 8821 EX is associated to in Cisco Unified Communications Manager ...

Page 200: ..._quick_start pdf Cisco Wireless IP Phone 8821 Series Accessory Guide http www cisco com c en us td docs voice_ip_comm cuipph 8821 english accessories w88x_b_wireless ip phone 882x accessory html Cisco Wireless IP Phone 8821 Series Release Notes http www cisco com c en us support collaboration endpoints unified ip phone 8800 series products release notes list html Cisco Wireless IP Phone 8821 Serie...

Page 201: ...ications unified communications manager callmanager products implementation design guides list html Cisco Wireless LAN Controller Documentation http www cisco com c en us support wireless 5500 series wireless controllers products installation and configuration guides list html Cisco Meraki Wireless LAN Documentation https meraki cisco com products wireless Cisco Autonomous Access Point Documentati...

Page 202: ...Networkers Networking Academy Network Registrar PCNow PIX PowerPanels ProConnect ScriptShare SenderBase SMARTnet Spectrum Expert StackWise The Fastest Way to Increase Your Internet Quotient TransPath WebEx and the WebEx logo are registered trademarks of Cisco Systems Inc and or its affiliates in the United States and certain other countries Cisco and the Cisco logo are trademarks or registered tra...

Reviews:

No comments

Related manuals for 8821

Touch Tone Capture

Brand: Chase Pages: 10

Brand: Uniden Pages: 16

Brand: Commax Pages: 16

DECT 2005 Series

Brand: Uniden Pages: 24

Brand: Dual Pages: 12

centralalert CA-CX

Brand: Serene Pages: 21

Brand: Bell Pages: 11

Brand: Radio Shack Pages: 16

Brand: Panasonic Pages: 2

Brand: Panasonic Pages: 10

Brand: Panasonic Pages: 28

Brand: Panasonic Pages: 32

Brand: Panasonic Pages: 24

Brand: Panasonic Pages: 48

Brand: Panasonic Pages: 44

Brand: Panasonic Pages: 44

Brand: Panasonic Pages: 48

Brand: Panasonic Pages: 56

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands