
Cisco Unified Communications Manager (CallManager)

Configure AnyConnect VPN IP Phones with Certificate Authentication on an ASA

Document ID: 115785

Updated: Dec 10, 2015

Contributed by Cisco TAC Engineers.


Introduction

This document describes how to configure the Cisco Adaptive Security Appliance (ASA) and Cisco CallManager devices in order to provide certificate authentication for Cisco AnyConnect clients that run on Cisco IP phones. After this configuration is complete, the Cisco IP phones can successfully establish VPN connections to the ASAs that make use of certificates in order to secure the communication.

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

  • Cisco AnyConnect Premium Secure Sockets Layer (SSL) License

  • Cisco AnyConnect for Cisco VPN Phone License

Note: Dependent upon the ASA version, you will see either AnyConnect for Linksys phone for ASA Release 8.0.x or AnyConnect for Cisco VPN Phone for ASA Release 8.2.x or later.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco ASA Release 8.0(4) or later

  • Cisco 7942, 7962, 7945, 7965, and 7975 model IP phones

  • Cisco 8961, 9951, and 9971 model phones that run Release 9.1(1) firmware

  • Cisco phones that run Release 9.0(2)SR1S Skinny Call Control Protocol (SCCP) or later

  • Cisco Unified Communications Manager (CUCM) Release 8.0.1.100000-4 or later

The releases that are used in this configuration example include:

  • Cisco ASA Release 9.1(1)

  • Cisco CallManager Release 8.5.1.10000-26

In order to view a complete list of supported phones in your CUCM version, complete these steps:

  1. Open this URL in a browser: https://<CUCM Server IP Address>:8443/cucreports/systemReports.do.

  2. Navigate to Unified CM Phone Feature List > Generate a new report > Feature: Virtual Private Network.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Phone Certificate Types

Cisco uses these certificate types in phones:

  • Manufacturer Installed Certificates (MICs):

    • The MICs are included on all 7941, 7961, and newer model Cisco IP phones. The MICs are 2048-bit key certificates that are signed by the Cisco Certificate Authority (CA). When an MIC is present, it is not necessary to install a Locally Significant Certificate (LSC). In order for the CUCM to trust the MIC certificate, it utilizes the pre-installed CA certificates CAP-RTP-001, CAP-RTP-002, Cisco_Manufacturing_CA, and Cisco_Manufacturing_CA_SHA2 in its certificate truststore.

    • An MIC is valid for ten years.

    • There is no certificate revocation support.

  • Locally Significant Certificates (LSCs):

    • The LSC secures the connection between the CUCM and the phone after you configure the device security mode for authentication or encryption.

    • The LSC possesses the public key for the Cisco IP phone, which is signed by the CUCM Certificate Authority Proxy Function (CAPF) private key. This is the preferred method (as opposed to the use of MICs) because only Cisco IP phones that are manually provisioned by an administrator are allowed to download and verify the CTL file.

    • The LSC supports Rivest-Shamir-Adleman (RSA) key size 512, 1024, or 2048 bits.

    • An LSC can be installed, re-issued, or deleted in bulk with the CUCM Bulk Admin Tool.

    • An LSC that is signed by the CAPF is valid for five years.

Caution: Due to the increased security risk, Cisco recommends the use of MICs solely for LSC installation and not for continued use. Customers who configure Cisco IP phones to use MICs for Transport Layer Security (TLS) authentication or for any other purpose do so at their own risk.

Configure

This section describes how to complete these configurations: the ASA configuration, the CallManager certificate configuration, the VPN configuration on CallManager, the certificate authentication configuration, and the certificate installation on the IP phones.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

ASA Configuration

The configuration of the ASA is similar to configurations that involve an AnyConnect client computer that is connected to the ASA. However, these restrictions apply:

  • The tunnel-group must have a group-url. This URL is configured in the CM under the VPN Gateway URL.

  • The group policy must not contain a split tunnel.

This configuration uses a previously configured and installed ASA (self-signed or third-party) certificate in the SSL trustpoint of the ASA device. For more information, refer to these documents:

Here is the relevant ASA configuration:

ip local pool SSL_Pool 10.10.10.1-10.10.10.254 mask 255.255.255.0
group-policy GroupPolicy_SSL internal
group-policy GroupPolicy_SSL attributes
 split-tunnel-policy tunnelall
 vpn-tunnel-protocol ssl-client

tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
 address-pool SSL_Pool
 default-group-policy GroupPolicy_SSL
tunnel-group SSL webvpn-attributes
 authentication certificate
 group-url https://asa5520-c.cisco.com/SSL enable

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.0.3054-k9.pkg
 anyconnect enable

ssl trust-point SSL outside

It is important to note that in Versions 9.4.1 and later, elliptic curve cryptography is supported for SSL/TLS. When an elliptic curve-capable SSL VPN client connects to the ASA, an elliptic curve cipher suite is negotiated and the ASA presents the client with an elliptic curve certificate, even when the corresponding interface is configured with an RSA-based trustpoint. In order to prevent the ASA from presenting a self-signed SSL certificate in this case, the administrator must remove the related cipher suites with the ssl cipher command. For example, for an interface that is configured with an RSA trustpoint, the administrator can execute this command so that only the RSA-based ciphers are negotiated:

ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"
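The ASA restrictions listed above (an enabled group-url on the tunnel-group, no split tunnel, certificate authentication) and the cipher note are easy to miss when the configuration is copied from a larger running-config. The following script is an added example, not Cisco code: it lints a saved `show run` excerpt for exactly those points and, if a custom `ssl cipher` list is present, flags ECDSA suites that would make an RSA-trustpoint interface present an elliptic curve certificate. The sample configuration is the one shown above; the parsing rules (which commands open a section, one-space subcommand indentation optional) are assumptions about the `show run` layout, not an ASA API.

```python
"""Lint an ASA running-config excerpt for the IP phone VPN restrictions.

Added example, not Cisco code. Checks that every remote-access tunnel-group
has an enabled group-url and certificate authentication, that its default
group policy does not split tunnel and allows ssl-client, and that a custom
ssl cipher list contains no ECDSA suites.
"""
import re

# Top-level commands that open a section; everything else is attached to the
# most recent section, so the check still works when copy/paste dropped the
# one-space indentation. Assumption: no nested "webvpn" sub-mode inside a
# group-policy block, which this simple parser would misread as top level.
TOP_LEVEL = ("tunnel-group ", "group-policy ", "ip local pool ", "ssl ")

# Sample ASA configuration taken from this document.
SAMPLE_CONFIG = """\
ip local pool SSL_Pool 10.10.10.1-10.10.10.254 mask 255.255.255.0
group-policy GroupPolicy_SSL internal
group-policy GroupPolicy_SSL attributes
 split-tunnel-policy tunnelall
 vpn-tunnel-protocol ssl-client
tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
 address-pool SSL_Pool
 default-group-policy GroupPolicy_SSL
tunnel-group SSL webvpn-attributes
 authentication certificate
 group-url https://asa5520-c.cisco.com/SSL enable
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.0.3054-k9.pkg
 anyconnect enable
ssl trust-point SSL outside
"""


def parse_sections(config):
    """Map each section header line to its subcommand lines, in config order."""
    sections = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(TOP_LEVEL) or line == "webvpn":
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def lint_phone_vpn(config):
    """Return a list of human-readable findings; an empty list means it passes."""
    sections = parse_sections(config)
    findings = []

    policies = {}
    for header, subs in sections.items():
        m = re.match(r"group-policy (\S+) attributes$", header)
        if m:
            policies[m.group(1)] = subs

    for header in sections:
        m = re.match(r"tunnel-group (\S+) type remote-access$", header)
        if not m:
            continue
        tg = m.group(1)
        webvpn = sections.get(f"tunnel-group {tg} webvpn-attributes", [])
        general = sections.get(f"tunnel-group {tg} general-attributes", [])

        # Restriction 1: the tunnel-group needs a group-url (the phone's VPN Gateway URL).
        if not any(re.match(r"group-url https://\S+ enable$", s) for s in webvpn):
            findings.append(f"tunnel-group {tg}: no enabled group-url")
        # The phone authenticates with its MIC or LSC, so the tunnel-group must use certificates.
        if "authentication certificate" not in webvpn:
            findings.append(f"tunnel-group {tg}: authentication is not set to certificate")

        policy = next((s.split()[1] for s in general if s.startswith("default-group-policy ")), None)
        if policy is None:
            findings.append(f"tunnel-group {tg}: no default-group-policy")
            continue
        attrs = policies.get(policy)
        if attrs is None:
            findings.append(f"group-policy {policy}: no attributes block for the policy used by {tg}")
            continue
        # Restriction 2: no split tunnel; anything other than tunnelall is a finding.
        for s in attrs:
            if s.startswith("split-tunnel-policy ") and not s.endswith(" tunnelall"):
                findings.append(f"group-policy {policy}: split tunneling configured ({s})")
        if not any(s.startswith("vpn-tunnel-protocol ") and "ssl-client" in s.split() for s in attrs):
            findings.append(f"group-policy {policy}: vpn-tunnel-protocol does not allow ssl-client")

    # Custom cipher lists: with an RSA trustpoint, an ECDSA suite would make the
    # ASA present an elliptic curve certificate instead of the one the phone trusts.
    for header in sections:
        m = re.match(r'(ssl cipher \S+) custom "(.*)"$', header)
        if m:
            ecdsa = [c for c in m.group(2).split(":") if "ECDSA" in c]
            if ecdsa:
                findings.append(f"{m.group(1)}: remove ECDSA suites {', '.join(ecdsa)}")
    return findings


if __name__ == "__main__":
    print(lint_phone_vpn(SAMPLE_CONFIG) or "phone VPN checks passed")
```

Run it against the output of `show run tunnel-group`, `show run group-policy` and `show run ssl` pasted into a file; a clean result is an empty list. The checks are deliberately strict about `group-url ... enable`, since a group-url that is configured but not enabled is the same failure from the phone's point of view.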

CallManager Configuration

Complete these steps in order to export the certificate from the ASA and import the certificate into the CallManager as a Phone-VPN-Trust certificate:

  1. Register the generated certificate with the CUCM.

  2. Verify the certificate that is used for SSL:
    ASA(config)#show run ssl
    ssl trust-point SSL outside
  3. Export the certificate:
    ASA(config)#crypto ca export SSL identity-certificate
    The Privacy Enhanced Mail (PEM) encoded identity certificate follows:
    -----BEGIN CERTIFICATE-----
    ZHUxFjAUBgkqhkiG9w0BCQIWB0FTQTU1NDAwHhcNMTMwMTMwMTM1MzEwWhcNMjMw
    MTI4MTM1MzEwWjAmMQwwCgYDVQQDEwNlZHUxFjAUBgkqhkiG9w0BCQIWB0FTQTU1
    NDAwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMYcrysjZ+MawKBx8Zk69SW4AR
    FSpV6FPcUL7xsovhw6hsJE/2VDgd3pkawc5jcl5vkcpTkhjbf2xC4C1q6ZQwpahde22sdf1
    wsidpQWq1DDrJD1We83L/oqmhkWJO7QfNrGZhOLv9xOpR7BFpZd1yFyzwAPkoBl1
    -----END CERTIFICATE-----
  4. Copy the text from the terminal and save it as a .pem file.

  5. Log in to the CallManager and navigate to Unified OS Administration > Security > Certificate Management > Upload Certificate > Select Phone-VPN-trust in order to upload the certificate file that was saved in the previous step.
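Step 4 above, copying the PEM block out of the terminal into a .pem file, is where uploads to Phone-VPN-trust most often go wrong: the saved file keeps the terminal indentation or prompt text, a line is lost to terminal paging, or the BEGIN/END lines are dropped. The following script is an added example, not Cisco code; it cleans a pasted terminal capture, checks that the base64 body decodes to a complete DER SEQUENCE (a truncated paste fails this length check), and prints the SHA-256 fingerprint to compare with the certificate shown in CUCM after upload. The DER body it embeds is a constructed placeholder, not a real certificate, and the `crypto ca export` banner text is assumed to look like the output quoted above.

```python
"""Validate a certificate copied from the ASA terminal before uploading it.

Added example, not Cisco code. extract_pem() strips indentation and prompt
residue around the BEGIN/END lines; check_certificate() decodes the body,
verifies the outer DER length, and returns the cleaned PEM plus fingerprint.
"""
import base64
import binascii
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def extract_pem(terminal_text):
    """Return a clean PEM string from copied terminal output, or raise ValueError."""
    lines = [l.strip() for l in terminal_text.splitlines()]
    try:
        start = lines.index(BEGIN)
        stop = lines.index(END, start + 1)
    except ValueError:
        raise ValueError("BEGIN/END CERTIFICATE lines not found in the pasted text") from None
    body_lines = lines[start + 1:stop]
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", "".join(body_lines)):
        raise ValueError("certificate body contains characters that are not base64")
    return "\n".join([BEGIN, *body_lines, END]) + "\n"


def der_length(der):
    """Total length (tag + length field + content) of the outer DER element."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("certificate does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_certificate(terminal_text):
    """Return (clean_pem, sha256_fingerprint) or raise ValueError with the reason."""
    pem = extract_pem(terminal_text)
    body = "".join(pem.splitlines()[1:-1])
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"base64 decoding failed ({exc}); the paste is probably truncated") from None
    expected = der_length(der)
    if expected != len(der):
        raise ValueError(f"DER says {expected} bytes but {len(der)} decoded; lines were lost")
    digest = hashlib.sha256(der).hexdigest().upper()
    return pem, ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed placeholder: a SEQUENCE holding a 200-byte OCTET STRING, not a real
# certificate, so the example runs offline. Real input is the terminal capture.
_PLACEHOLDER_DER = b"\x30\x81\xcb\x04\x81\xc8" + bytes(200)
_B64 = base64.b64encode(_PLACEHOLDER_DER).decode()
_B64_LINES = [_B64[i:i + 64] for i in range(0, len(_B64), 64)]
SAMPLE_TERMINAL = "\n".join(
    ["ASA(config)#crypto ca export SSL identity-certificate",
     "The PEM encoded identity certificate follows:",
     "    " + BEGIN]
    + ["    " + l for l in _B64_LINES]
    + ["    " + END, "ASA(config)#", ""]
)

if __name__ == "__main__":
    pem, fingerprint = check_certificate(SAMPLE_TERMINAL)
    print(pem, "SHA-256:", fingerprint)
```

Save the returned PEM string as the .pem file for step 5; the fingerprint is what to compare against the certificate details CUCM displays under Certificate Management after the upload, which confirms the right certificate landed in Phone-VPN-trust.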

VPN Configuration on CallManager

Complete these steps in order to configure VPN on the CallManager:

  1. Navigate to Cisco Unified CM Administration.

  2. Choose Advanced Features > VPN > VPN Gateway from the menu bar:



  3. Complete these steps in the VPN Gateway Configuration window:

    1. Enter a name in the VPN Gateway Name field. This can be any name.

    2. Enter a description in the VPN Gateway Description field (optional).

    3. Enter the group-url that is defined on the ASA in the VPN Gateway URL field.

    4. In the VPN Certificates section of the Location field, select the certificate that was uploaded to the CallManager previously in order to move it from the truststore to this location:



  4. Choose Advanced Features > VPN > VPN Group from the menu bar:



  5. Select the VPN Gateway that was previously defined from the All Available VPN Gateways field. Click the down arrow in order to move the selected gateway to the Selected VPN Gateways in this VPN Group field:



  6. Choose Advanced Features > VPN > VPN Profile from the menu bar:



  7. Complete all of the fields that are marked with an asterisk (*) in order to configure the VPN Profile:



    • Enable Auto Network Detect: If this feature is enabled, the VPN phone pings the TFTP server. If no response is received, it auto-initiates a VPN connection.

    • Enable Host ID Check: If this feature is enabled, the VPN phone compares the Fully Qualified Domain Name (FQDN) of the VPN Gateway URL against the CN/SAN of the certificate. The client fails to connect if they do not match or if a wildcard certificate with an asterisk (*) is used.

  • Enable Password Persistence: This feature allows the VPN phone to cache the username and password for the next VPN attempt.

  8. Click Apply Config in the Common Phone Profile Configuration window in order to apply the new VPN configuration. You can use the Standard Common Phone Profile or create a new profile.





  9. If you created a new profile for specific phones/users, then navigate to the Phone Configuration window. Choose Standard Common Phone Profile in the Common Phone Profile field:



  10. Register the phone to the CallManager again in order to download the new configuration.
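The Enable Host ID Check option in step 7 is a frequent cause of phones that register fine but never bring up the tunnel: the phone matches the host part of the VPN Gateway URL against the certificate's CN and SAN names exactly and rejects wildcard certificates. The following is an added example, not Cisco code, that models that decision so the expected outcome can be checked before the phone is touched. The certificate names passed in are assumed to have been read from the ASA identity certificate; the values used in the usage lines are constructed.

```python
"""Model of the phone's Host ID Check (added example, not Cisco code).

With Enable Host ID Check on, the phone compares the host part of the VPN
Gateway URL with the CN and SAN DNS names of the ASA certificate and fails
the connection on a mismatch or when the name is a wildcard.
"""
from urllib.parse import urlsplit


def gateway_host(vpn_gateway_url):
    """Host part of the VPN Gateway URL (the ASA group-url), lower-cased."""
    parts = urlsplit(vpn_gateway_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https VPN Gateway URL: {vpn_gateway_url!r}")
    return parts.hostname.lower()


def wildcard_would_match(pattern, host):
    """True if a browser-style *.example.com pattern would have covered host."""
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:].lower()
    return host.endswith(suffix) and host.count(".") == pattern.count(".")


def host_id_check(vpn_gateway_url, subject_cn, san_dns_names=()):
    """Return (ok, reason) the way the phone decides: exact names only."""
    host = gateway_host(vpn_gateway_url)
    names = [subject_cn, *san_dns_names]
    # Exact, case-insensitive match against CN or any SAN DNS name passes.
    for name in names:
        if "*" not in name and name.lower() == host:
            return True, f"{host} matches certificate name {name!r}"
    # A wildcard that a browser would accept is still a failure on the phone.
    for name in names:
        if wildcard_would_match(name, host):
            return False, f"only wildcard name {name!r} covers {host}; the phone rejects wildcards"
    return False, f"{host} is not among certificate names {names}"


if __name__ == "__main__":
    # Constructed sample values using the group-url from this document.
    print(host_id_check("https://asa5520-c.cisco.com/SSL", "asa5520-c.cisco.com"))
    print(host_id_check("https://asa5520-c.cisco.com/SSL", "*.cisco.com"))
```

When the check returns a wildcard or mismatch reason, the options are an ASA identity certificate whose CN or a SAN entry carries the exact group-url host, or turning Enable Host ID Check off in the VPN Profile, which removes the name binding between URL and certificate altogether.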

Certificate Authentication Configuration

Complete these steps in the CallManager and the ASA in order to configure certificate authentication:

  1. Choose Advanced Features > VPN > VPN Profile from the menu bar.

  2. Confirm that the Client Authentication Method field is set to Certificate:



  3. Log in to the CallManager. Choose Unified OS Administration > Security > Certificate Management > Find from the menu bar.

  4. Export the correct certificate(s) for the selected certificate authentication method:

    • Use the Cisco_Manufacturing_CA in order to authenticate the IP phones with an MIC. Select either Cisco_Manufacturing_CA or Cisco_Manufacturing_CA_SHA2, dependent upon the IP phone model; see the Certificate Installation on IP Phones section for details:





    • Use the CAPF in order to authenticate the IP phones with an LSC:



  5. Locate the certificate (either Cisco_Manufacturing_CA, Cisco_Manufacturing_CA_SHA2, or CAPF). Download the .pem file and save it as a .txt file.

  6. Create a new trustpoint on the ASA and authenticate the trustpoint with the previously saved certificate. When you are prompted for the base-64 encoded CA certificate, select and paste the text in the downloaded .pem file along with the BEGIN and END lines. Here is an example:
    ASA(config)#crypto ca trustpoint CM-Manufacturing
    ASA(config-ca-trustpoint)#enrollment terminal
    ASA(config-ca-trustpoint)#exit
    ASA(config)#crypto ca authenticate CM-Manufacturing
    ASA(config)#

    <base-64 encoded CA certificate>

    quit
  7. Confirm that the authentication on the tunnel-group is set to certificate authentication:
    tunnel-group SSL webvpn-attributes
    authentication certificate
    group-url https://asa5520-c.cisco.com/SSL enable

Certificate Installation on IP Phones

The IP phones can work with either MICs or LSCs, but the configuration process is different for each certificate.

MIC Installation

By default, all of the phones that support VPN are pre-loaded with MICs. The 7960 and 7940 model phones do not come with an MIC and require a special installation procedure so that the LSC registers securely.

The newest Cisco IP phones (8811, 8841, 8851, and 8861) include MIC certificates that are signed by the new Manufacturing SHA2 CA:

  • The CUCM Version 10.5(1) includes and trusts the new SHA2 certificates.

  • If you run an earlier CUCM version, you might be required to download the new Manufacturing CA certificate and:

    • Upload it to the CAPF-trust so that the phones can authenticate with CAPF in order to obtain an LSC.

    • Upload it to the CallManager-trust if you want to allow the phones to authenticate with an MIC for SIP 5061.

Tip: Click this link in order to obtain the SHA2 CA if the CUCM currently runs an earlier version.

Caution: Cisco recommends that you use MICs for LSC installation only. Cisco supports LSCs for authentication of the TLS connection with the CUCM. Because the MIC root certificates can be compromised, customers who configure phones to use MICs for TLS authentication or for any other purpose do so at their own risk. Cisco assumes no liability if the MICs are compromised.

LSC Installation

Complete these steps in order to install an LSC:

  1. Enable the CAPF service on the CUCM.

  2. After the CAPF service is activated, assign the phone instructions in order to generate an LSC in the CUCM. Log in to the CUCM Administration, choose Device > Phone, and then select the phone that you configured.

  3. Ensure that all of the settings are correct and that the operation is set to a future date in the Certificate Authority Proxy Function (CAPF) Information section:



  4. If the Authentication Mode is set to either Null String or Existing Certificate, no further action is required.

  5. If the Authentication Mode is set to a string, then manually select Settings > Security Configuration > **# > LSC > Update in the phone console.

Verify

Use this section in order to confirm that your configuration works properly.

ASA Verification

Use this information in order to verify the configuration on the ASA:

ASA5520-C(config)#show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username : CP-7962G-SEPXXXXXXXXXXXX
Index : 57
Assigned IP : 10.10.10.2 Public IP : 172.16.250.15
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium, AnyConnect for Cisco VPN Phone
Encryption : AnyConnect-Parent: (1)AES128 SSL-Tunnel: (1)AES128 DTLS-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)SHA1 SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
Bytes Tx : 305849 Bytes Rx : 270069
Pkts Tx : 5645 Pkts Rx : 5650
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GroupPolicy_SSL Tunnel Group : SSL
Login Time : 01:40:44 UTC Tue Feb 5 2013
Duration : 23h:00m:28s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
Tunnel ID : 57.1
Assigned IP : 10.10.10.2 Public IP : 172.16.250.15
Encryption : AES128 Hashing : SHA1
Encapsulation: TLSv1.0 TCP Dst Port : 443
Auth Mode : Certificate
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client Type : AnyConnect Client Ver : Cisco SVC IPPhone Client v1.0 (1.0)
Bytes Tx : 1759 Bytes Rx : 799
Pkts Tx : 2 Pkts Rx : 1
Pkts Tx Drop : 0 Pkts Rx Drop : 0

SSL-Tunnel:
Tunnel ID : 57.2
Public IP : 172.16.250.15
Encryption : AES128 Hashing : SHA1
Encapsulation: TLSv1.0 TCP Src Port : 50529
TCP Dst Port : 443 Auth Mode : Certificate
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client Type : SSL VPN Client
Client Ver : Cisco SVC IPPhone Client v1.0 (1.0)
Bytes Tx : 835 Bytes Rx : 0
Pkts Tx : 1 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0

DTLS-Tunnel:
Tunnel ID : 57.3
Assigned IP : 10.10.10.2 Public IP : 172.16.250.15
Encryption : AES128 Hashing : SHA1
Encapsulation: DTLSv1.0 UDP Src Port : 51096
UDP Dst Port : 443 Auth Mode : Certificate
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client Type : DTLS VPN Client
Client Ver : Cisco SVC IPPhone Client v1.0 (1.0)
Bytes Tx : 303255 Bytes Rx : 269270
Pkts Tx : 5642 Pkts Rx : 5649
Pkts Tx Drop : 0 Pkts Rx Drop : 0

CUCM Verification

Use this information in order to verify the configuration on the CUCM:

Troubleshoot

These Cisco bug IDs are related to the configurations that are described in this document:

  • Cisco bug ID CSCtf09529 - Add support for VPN feature in CUCM for 8961, 9951, 9971 phones

  • Cisco bug ID CSCuc71462 - IP phone VPN failover takes 8 minutes

  • Cisco bug ID CSCtz42052 - IP Phone SSL VPN Support For Non Default Port Numbers

  • Cisco bug ID CSCuj71475 - Manual TFTP entry needed for IP Phone VPN

  • Cisco bug ID CSCum10683 - IP phones not logging missed, placed, or received calls

  • Cisco bug ID CSCut10077 - DX650: CUCM provisioned VPN profile fails certificate validation