Cisco IP Phone Authentication and Encryption for Cisco CallManager 4.0(1)
Authentication, Integrity, and Encryption

Table Of Contents

Authentication, Integrity, and Encryption

Authentication and Integrity Overview

Image Authentication

Device Authentication

File Authentication

Signaling Authentication

Encryption Overview

Signaling Encryption

Media Encryption

Activating the Cisco CTL Provider Service

Configuring Ports for the TLS Connection

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Changing the Clusterwide Security Mode

Cisco CTL Client Configuration Settings

Deleting a CTL File Entry

Configuring the Devices for Authentication or Encryption

Configuring the Security Device System Default for Supported Phone Models

Configuring the Device Security Mode for a Single Device

Using the Cisco Bulk Administration Tool to Configure the Device Security Mode

Device Security Mode Configuration Settings


Authentication, Integrity, and Encryption


This chapter contains information on the following topics:

Authentication and Integrity Overview

Encryption Overview

Activating the Cisco CTL Provider Service

Configuring Ports for the TLS Connection

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Changing the Clusterwide Security Mode

Cisco CTL Client Configuration Settings

Deleting a CTL File Entry

Configuring the Devices for Authentication or Encryption

Device Security Mode Configuration Settings

Authentication and Integrity Overview

Integrity and authentication protect against the following threats:

TFTP file manipulation (integrity)

Modification of call-processing signaling between the phone and Cisco CallManager (authentication)

Man-in-the-middle attacks (authentication), as defined in Table 1-1

Phone and server identity theft (authentication)

Cisco CallManager supports the following types of authentication and integrity:

Image Authentication

Device Authentication

File Authentication

Signaling Authentication

Image Authentication

This process prevents tampering with the binary image, that is, the firmware load, prior to loading it on the phone. Tampering with the image causes the phone to fail the authentication process and reject the image. Image authentication occurs through signed binary files that are automatically installed when you install Cisco CallManager 4.0(1). Likewise, firmware updates that you download from the web also provide signed binary images.

For a list of devices that are supported, see the "Interactions and Restrictions" section.

Device Authentication

This process validates the identity of the device and ensures that the entity is who it claims to be; for a list of devices that are supported, see the "Interactions and Restrictions" section.

Device authentication occurs between the Cisco CallManager server and supported Cisco IP Phones when each entity accepts the certificate of the other entity; only then does a secure connection between the entities occur.

File Authentication

This process validates digitally signed files that the phone downloads; for example, the configuration, ring list, locale, and CTL files. The phone validates the signature to verify that file tampering did not occur after the file creation; for a list of devices that are supported, see the "Interactions and Restrictions" section.

For additional information on how file authentication works, see the "Signaling Authentication" section.

Signaling Authentication

This process, also known as signaling integrity, uses the TLS protocol to validate that no tampering has occurred to signaling packets during transmission.

File authentication and signaling authentication rely on the creation of the Certificate Trust List (CTL) file, which is created when you install and configure the Cisco Certificate Trust List (CTL) client on a single Windows 2000 workstation or server, perhaps a Cisco CallManager server, that has a USB port. The CTL file contains entries for the following servers or security tokens:

Site Administrator Security Token (SAST)

Cisco CallManager or Cisco TFTP

Cisco CallManager and Cisco TFTP running on the same server

Certificate Authority Proxy Function (CAPF)

Alternate Cisco TFTP

The CTL file contains a server certificate, public key, serial number, signature, issuer name, subject name, server function, DNS name, and IP address for servers. After you create the CTL file, you must reboot all Cisco CallManager servers and all Cisco TFTP servers in the cluster. The next time that the phone initializes, it downloads the CTL file from the TFTP server. If the CTL file contains a TFTP server entry that has a self-signed certificate, the phone requests a signed configuration file in .sgn format. If none of the TFTP servers has a certificate, the phone requests an unsigned file.

The TFTP server does not sign any files if you configure the cluster for nonsecure mode. Otherwise, the TFTP server signs static files, such as the ring list, localized files, the default .cnf.xml file, and ring list .wav files, and writes them in .sgn format. The TFTP server re-signs the <device name>.cnf.xml file every time that it verifies that a data change occurred for that file.

The TFTP server writes the signed files to disk if caching is disabled. If the TFTP server verifies that a saved file has changed, the TFTP server re-signs the file, and the new signed file overwrites the saved file on disk. Before the phone can download the new file, the administrator must restart the affected devices in Cisco CallManager Administration.

After the phone receives the files from the TFTP server, the phone verifies the integrity of the files by validating the signature on the file. For the phone to establish a TLS connection, ensure that the following criteria are met:

A certificate must exist in the phone.

The CTL file must exist on the phone, and the Cisco CallManager entry and certificate must exist in the file.

You have configured the device for authentication or encryption.

When the preceding criteria are met, the phone establishes a TLS connection through a TLS SCCP port, which is the configured Cisco CallManager port number plus 443. By default, the phone connects to port 2443 by using TLS. The handshake authenticates the certificates from the server and the phone and establishes a secure connection.


Note The Cisco CallManager self-signed certificates provide server identification, including the Cisco CallManager server name and the Global Unique Identifier (GUID). On each server in the cluster, Cisco CallManager stores the certificates, which exist in DER format, in C:\Program Files\Cisco\Certificates. Administrators have read-only access to the certificates.

Cisco stores the CTL file, which exists in .tlv format, in C:\Program Files\Cisco\tftppath on the servers in the cluster where the Cisco CallManager and Cisco TFTP services run.


Related Topics

System Requirements

Interactions and Restrictions

Activating the Cisco CTL Provider Service

Installing the Cisco CTL Client

Cisco CTL Client Configuration Settings

Configuring the Devices for Authentication or Encryption

Troubleshooting

Encryption Overview


Tip For a list of devices that are supported, see the "System Requirements" section.

Encryption installs automatically when you install Cisco CallManager 4.0 on each server in the cluster.

The files from the security package install in C:\Program Files\Cisco\bin.


Cisco CallManager supports the following types of encryption:

Signaling Encryption

Media Encryption

Signaling Encryption

Signaling encryption ensures that all SCCP signaling messages that are sent between the device and the Cisco CallManager server are encrypted.

Signaling encryption ensures that the information that pertains to the parties, the DTMF digits that the parties enter, the call status, the media encryption keys, and the configuration information is protected against unintended or unauthorized access.


Tip Application Layer Gateways (ALG) that allow Voice over IP to traverse firewalls and Network Address Translation (NAT) do not work with signaling encryption. For Cisco IOS firewalls, use the UDP ALG. For NAT, route private addresses internally or use route maps; use IPSec and V3PNs for remote locations.


Media Encryption

Media encryption, which uses SRTP, ensures that the media streams between supported devices remain secure and that only the intended device receives and reads the data. Media encryption includes creating a media master key pair for the devices, delivering the keys to the devices, and securing the delivery of the keys while the keys are in transport.

Authentication and signaling encryption serve as the minimum requirements for media encryption; that is, if the devices do not support signaling encryption and authentication, media encryption cannot occur.

The following example demonstrates media encryption.

1. Device A and Device B, which support media encryption and authentication, register with Cisco CallManager.

2. When Device A places a call to Device B, Cisco CallManager requests two sets of media session master values from the key manager function.

3. Both devices receive the two sets, one set for the media stream, Device A—Device B, and the other set for the media stream, Device B—Device A.

4. Using the first set of master values, Device A derives the keys that encrypt and authenticate the media stream, Device A—Device B.

5. Using the second set of master values, Device A derives the keys that authenticate and decrypt the media stream, Device B—Device A.

6. Device B uses these sets in the inverse operational sequence.

7. After the devices receive the keys, the devices perform the required key derivation, and SRTP packet processing occurs.
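The key handling in steps 4 through 7, as an added example that is not part of the Cisco documentation: it implements the SRTP (RFC 3711) session-key derivation and packet protection in Go with only the standard library, using constructed master values in place of the two sets that the key manager function supplies; the SCCP signaling that carries the sets to the phones is not modeled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

type SessionKeys struct{ CipherKey, Salt, AuthKey []byte } // per-direction keys from one master set, RFC 3711 section 4.3

// Constructed master values standing in for the two sets Cisco CallManager hands to both devices:
// set 1 protects the stream Device A -> Device B, set 2 protects the stream Device B -> Device A.
var masterKeyAB, masterSaltAB = []byte("0123456789abcdef"), []byte("salt_A_to_B_01")
var masterKeyBA, masterSaltBA = []byte("fedcba9876543210"), []byte("salt_B_to_A_02")

const hdrLen, tagLen = 12, 10 // minimal RTP header; SRTP default 80-bit authentication tag

// aesCM is the AES-CM keystream of RFC 3711 section 4.1.1 (AES-128 in counter mode from block iv) XORed over in.
func aesCM(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a key that is not 16 bytes long gets here
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// deriveSessionKeys is RFC 3711 section 4.3.1 with key_derivation_rate 0 (so r = 0):
// x = (label || r) XOR master_salt, and each key is the first n bytes of AES-CM(master_key, x * 2^16).
func deriveSessionKeys(masterKey, masterSalt []byte) SessionKeys {
	derive := func(label byte, n int) []byte {
		iv := make([]byte, 16) // bytes 0..13 carry x, bytes 14..15 are the block counter
		copy(iv, masterSalt)
		iv[7] ^= label // label || r occupies the low 56 bits of the 112-bit salt
		return aesCM(masterKey, iv, make([]byte, n))
	}
	return SessionKeys{CipherKey: derive(0x00, 16), AuthKey: derive(0x01, 20), Salt: derive(0x02, 14)}
}

// srtpIV is the per-packet IV of RFC 3711 section 4.1.1, (k_s * 2^16) XOR (SSRC * 2^64) XOR (i * 2^16),
// with SSRC and SEQ read from the RTP header and the 48-bit index i = ROC || SEQ.
func srtpIV(salt, header []byte, roc uint32) []byte {
	var iv [16]byte
	copy(iv[4:8], header[8:12]) // SSRC * 2^64 lands in bytes 4..7
	index := uint64(roc)<<16 | uint64(binary.BigEndian.Uint16(header[2:4]))
	binary.BigEndian.PutUint64(iv[8:16], index<<16) // i * 2^16 lands in bytes 8..13
	for k := range salt {
		iv[k] ^= salt[k] // k_s * 2^16 covers bytes 0..13
	}
	return iv[:]
}

// authTag is HMAC-SHA1 over header || encrypted payload || ROC, truncated to tagLen bytes.
func authTag(authKey, authenticated []byte, roc uint32) []byte {
	mac := hmac.New(sha1.New, authKey)
	mac.Write(authenticated)
	var r [4]byte
	binary.BigEndian.PutUint32(r[:], roc)
	mac.Write(r[:])
	return mac.Sum(nil)[:tagLen]
}

// protect encrypts the payload, leaves the RTP header in the clear and appends a tag over both.
func protect(k SessionKeys, header, payload []byte, roc uint32) []byte {
	pkt := append(append([]byte{}, header...), aesCM(k.CipherKey, srtpIV(k.Salt, header, roc), payload)...)
	return append(pkt, authTag(k.AuthKey, pkt, roc)...)
}

// unprotect verifies the tag before decrypting; a tampered or mis-keyed packet is rejected unread.
func unprotect(k SessionKeys, pkt []byte, roc uint32) ([]byte, error) {
	if len(pkt) < hdrLen+tagLen {
		return nil, fmt.Errorf("packet too short: %d bytes", len(pkt))
	}
	body, tag := pkt[:len(pkt)-tagLen], pkt[len(pkt)-tagLen:]
	if !hmac.Equal(tag, authTag(k.AuthKey, body, roc)) {
		return nil, fmt.Errorf("authentication failed: packet rejected")
	}
	return aesCM(k.CipherKey, srtpIV(k.Salt, body, roc), body[hdrLen:]), nil
}

// exchange follows steps 4 to 6: Device A encrypts with set 1 and Device B decrypts with it; for the
// return stream Device B encrypts with set 2 and Device A decrypts with it. It returns what each side recovered.
func exchange() (atB, atA string, err error) {
	set1, set2 := deriveSessionKeys(masterKeyAB, masterSaltAB), deriveSessionKeys(masterKeyBA, masterSaltBA)
	hdrA := []byte{0x80, 0, 0, 1, 0, 0, 0, 0, 0x11, 0x11, 0xAA, 0xAA} // V=2, PT 0, SEQ 1, SSRC 0x1111AAAA
	hdrB := []byte{0x80, 0, 0, 1, 0, 0, 0, 0, 0x22, 0x22, 0xBB, 0xBB} // Device B's stream, SSRC 0x2222BBBB
	plainAtB, err := unprotect(set1, protect(set1, hdrA, []byte("frame from A"), 0), 0)
	if err != nil {
		return "", "", err
	}
	plainAtA, err := unprotect(set2, protect(set2, hdrB, []byte("frame from B"), 0), 0)
	return string(plainAtB), string(plainAtA), err
}

func main() { fmt.Println(exchange()) }
```

Because unprotect checks the tag before it decrypts, a packet protected under the other direction's set, or altered in transit, is rejected rather than decoded.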


Tip For a list of supported items, see the "Interactions and Restrictions" section.


Related Topics

System Requirements

Interactions and Restrictions

Configuring the Devices for Authentication or Encryption

Troubleshooting

Activating the Cisco CTL Provider Service

When you configure the Cisco CTL client, this service changes the cluster security mode from nonsecure to mixed mode and vice versa and transports the server certificates to the CTL file; the service then transports the CTL file to all Cisco CallManager and Cisco TFTP servers.


Tip You must activate the Cisco CTL Provider service on all servers where you have activated the Cisco CallManager or Cisco TFTP services.

Verify that the local administrator password or the Super Users account username and password are synchronized on all Cisco CallManager and Cisco TFTP servers.


To activate the service, perform the following procedure:

Procedure


Step 1 In Cisco CallManager Serviceability, choose Tools > Service Activation.

Step 2 In the pane on the left side of the window, choose a server where you have activated the Cisco CallManager or Cisco TFTP services.

Step 3 Check the CTL Provider service check box.

Step 4 Click Update.

Step 5 Perform this procedure on all servers where you have activated the Cisco CallManager or Cisco TFTP services.


Note After you activate the service, the Cisco CTL Provider service reverts to the default CTL port, which is 2444. If you want to change the port, see the "Configuring Ports for the TLS Connection" section.



Related Topics

Cisco CallManager Serviceability Administration Guide

Cisco CallManager Serviceability System Guide

Authentication and Integrity Overview

Installing the Cisco CTL Client

Configuring Ports for the TLS Connection

You may have to configure a different port number if the port is currently being used or if you use a firewall and you cannot use the port within the firewall.

The Cisco CTL Provider default port for the TLS connection equals 2444. The Cisco CTL Provider port monitors requests from the Cisco CTL client. This port processes Cisco CTL client requests, such as retrieving the CTL file, setting the clusterwide security mode, saving the CTL file to TFTP servers, and retrieving a list of Cisco CallManager and TFTP servers in the cluster.

The Cisco CallManager port monitors registration requests from the phone. In nonsecure mode, the phone connects through port 2000. In mixed mode, the Cisco CallManager port for the TLS connection equals the Cisco CallManager port number plus 443; therefore, the default TLS connection for Cisco CallManager uses port 2443.

To change the default setting, perform the following procedure:

Procedure


Step 1 Perform the following tasks, depending on the port that you want to change:

To change the Cisco CTL Provider port, perform Step 2 through Step 6.

To change the Cisco CallManager port, perform Step 7 through Step 10.

Step 2 To change the Cisco CTL Provider port, choose Service > Service Parameters from Cisco CallManager Administration.

Step 3 Choose a server where the Cisco CTL Provider service runs.

Step 4 Choose Cisco CTL Provider service.


Tip In the upper right corner of the window, click the "i" button to review information for the service parameter.


Step 5 To change the Cisco CTL Provider port, enter the new port number in the Port Number field.

Step 6 Click Update.

Step 7 To change the Cisco CallManager port, choose System > Cisco CallManager in Cisco CallManager Administration.

Step 8 Choose a server where the Cisco CallManager service runs.

Step 9 In the Ethernet Phone Port field, enter the new port number.

Step 10 Click Update.


Related Topics

Authentication and Integrity Overview

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Cisco CTL Client Configuration Settings

Troubleshooting

Installing the Cisco CTL Client

You install the Cisco CTL client on a single Windows 2000 workstation or server that has a USB port. The server or workstation can exist at a remote site. If you choose to do so, you can install the client on a server where Cisco CallManager Release 4.0 is installed.

You must use the client and update the CTL file when the following events occur:

After the Cisco CallManager installation

After you restore a Cisco CallManager server or Cisco CallManager data

After you upgrade the Cisco CallManager cluster

After you change the IP address or hostname of the Cisco CallManager server

After you add or remove a security token, CAPF server, TFTP server, or Cisco CallManager server


Caution Do not use Terminal Services to install the client. Cisco installs Terminal Services so that the Cisco Technical Assistance Center (TAC) can perform remote troubleshooting and configuration tasks.

You must disable the Cisco Security Agent (CSA) or other Cisco-approved intrusion detection or antivirus applications before you run the plugin. Failure to disable the applications may prevent the installation and result in unrecoverable errors.


Tip If the Smart Card service is not set to started and automatic on the server or workstation where you plan to install the client, the installation fails. For information on how to perform this task, see the "Troubleshooting" section.

To review a list of error messages that could display during the installation of the plugin, see the "Troubleshooting" section.


To install the Cisco CTL client, perform the following procedure:

Procedure


Step 1 Verify that the Smart Card service is set to started and automatic. For more information, see the "Setting the Smart Card Service to Started and Automatic" section.

Step 2 Browse to Cisco CallManager Administration from the Windows 2000 workstation or server that has the USB port; that is, the location where you plan to install the client.

Step 3 From Cisco CallManager Administration, choose Application > Install Plugins.

Step 4 To download the file, click Cisco CTL Client.

Step 5 Download the file to a location that you will remember.

Step 6 To begin the installation, double-click Cisco CTL Client (icon or executable depending on where you saved the file).

Step 7 The version of the Cisco CTL client displays; click Continue.

Step 8 The installation wizard displays. Click Next.

Step 9 Accept the license agreement and click Next.

Step 10 Choose a folder where the client will exist. If you want to do so, click Browse to change the default location; after you choose the location, click Next.

Step 11 To begin the installation, click Next.

Step 12 After the installation completes, click Finish to exit.



Tip To verify that the client installed, see the "Troubleshooting" section.


Related Topics

System Requirements

Interactions and Restrictions

Authentication and Integrity Overview

Setting the Smart Card Service to Started and Automatic

Activating the Cisco CTL Provider Service

Configuring the Cisco CTL Client

Updating the CTL File

Deleting a CTL File Entry

Configuring the Devices for Authentication or Encryption

Troubleshooting

Configuring the Cisco CTL Client


Tip Configure the Cisco CTL client during a scheduled maintenance window because you must reboot all servers in the cluster for the changes to take effect.


The Cisco CTL client performs the following tasks:

Sets the Cisco CallManager cluster security mode.


Tip You cannot set the Cisco CallManager clusterwide mixed mode through the Enterprise Parameters window of Cisco CallManager Administration. You must configure the CTL client to set the clusterwide mode. For more information, see the "Cisco CTL Client Configuration Settings" section.


Creates the Certificate Trust List (CTL), which is a file that contains certificate entries for security tokens, Cisco CallManager, alternate TFTP, and CAPF servers.

The CTL file indicates the servers that support TLS for the phone connection. The client automatically detects the Cisco CallManager and Cisco TFTP servers and adds certificate entries for these servers.

You must manually add alternate TFTP and Certificate Authority Proxy Function (CAPF) servers and Site Administrator Security Tokens (SAST) to the CTL file.

The security tokens that you insert during the configuration sign the CTL file.


Tip You can configure an alternative TFTP server, even if this server exists in a different cluster. Through manual configuration, the certificate from the alternate TFTP server gets added to the CTL file, which is written to the FileLocation path as specified in the TFTP service parameter. For a multicluster configuration, you must map the drive on the alternate TFTP server and configure the FileLocation parameter to the mapped drive. For example, if you use TFTP1 as your alternate TFTP server and you have mapped drive L: to the path on TFTP1, the FileLocation equals L:\TFTPPath. You must add the TFTP server, TFTP1, for example, by specifying a valid administrator username and password for TFTP1. The Cisco CTL client will write the CTL file to L:\TFTPPath.

Before you implement this TFTP configuration, all servers in the multicluster environment must run the same version of Cisco CallManager 4.0; be aware that all servers in the multicluster environment must run the Cisco CTL Provider service.



Caution The Cisco IP Telephony Backup and Restore System (BARS) backs up the CTL file only if the file exists in the default TFTP directory.

Before You Begin

Before you configure the Cisco CTL client, obtain at least two security tokens; the Cisco certificate authority issues these security tokens.

Obtain the following passwords, hostnames/IP addresses, and port numbers:

Local administrative password and hostname/IP address for Cisco CallManager and the port number for the CTL Provider service

Local administrative password, hostname/IP address, and port number for CAPF

Local administrative password and hostname/IP address for alternate TFTP

Security token administrative password

See Table 2-1 for a description of the preceding information.


Tip Before you install the Cisco CTL client, verify that you have network connectivity to each server in the cluster; likewise, ensure that the server uses DNS and that each server is running. To ensure that you have network connectivity to all servers in the cluster, issue a ping command to each server. Choose Start > Run; enter cmd, and click OK. At the command prompt, enter ping <server>, where server equals the name of the server that displays in the Server Configuration window of Cisco CallManager Administration. Repeat the ping command for each server in the cluster.


If you installed multiple Cisco CTL clients, Cisco CallManager only accepts CTL configuration information on one client at a time, but you can perform configuration tasks on up to five Cisco CTL clients simultaneously. While you perform configuration tasks on one client, Cisco CallManager automatically stores the information that you entered on the other clients. To configure the client, perform the following procedure:

Procedure


Step 1 Obtain at least two security tokens that you purchased.

Step 2 Perform one of the following tasks:

Double-click the Cisco CTL Client icon that exists on the desktop of the workstation/server where you installed it.

Choose Start > Programs > Cisco CTL Client.

Step 3 Enter the configuration settings for the Cisco CallManager server, as described in Table 2-1; click Next.

Step 4 Click Set CallManager Cluster to Mixed Mode, as described in Table 2-1; click Next.

Step 5 Perform the following tasks, depending on what you want to accomplish:

To add a security token, see Step 6 through Step 12.

To add an alternate TFTP server, see Step 13 through Step 15.

To add a CAPF server, see Step 16 and Step 17.

To complete the Cisco CTL client configuration, see Step 18 through Step 22.


Caution You need a minimum of two security tokens the first time that you configure the client. Do not insert the tokens until the application prompts you to do so. If you have two USB ports on the workstation or server, do not insert two security tokens at the same time.

Step 6 When the application prompts you to do so, insert one security token in an available USB port on the workstation or server where you are currently configuring the Cisco CTL client; click OK.

Step 7 The security token information displays for the token that you inserted; click Add.

Step 8 The detected certificate entries display in the pane.

Step 9 To add other security token(s) to the certificate trust list, click Add Tokens.

Step 10 If you have not already done so, remove the token that you inserted into the server or workstation. When the application prompts you to do so, insert the next token and click OK.

Step 11 The security token information for the other token displays; click Add.

Step 12 For all security tokens, repeat Step 9 through Step 11.

Step 13 The certificate entries display in the pane. If you need to add an Alternate TFTP server, click Add TFTP Server.

Step 14 Enter the configuration settings, as described in Table 2-1.

Step 15 Click Next.

Step 16 The certificate entries display in the pane. To add a CAPF server, click Add CAPF.

Step 17 Enter the configuration settings, as described in Table 2-1; click Next.

Step 18 When you have added all security tokens and servers, click Finish.

Step 19 Enter the user password for the security token, as described in Table 2-1; click OK.

Step 20 After the client creates the CTL file, a window displays the server, file location, and status of the CTL file on each server. Click Finish.

Step 21 Reset all devices in the cluster. See the "Resetting the Devices, Restarting Cisco CallManager Service, or Rebooting the Server/Cluster" section.

Step 22 Reboot all Cisco CallManager and TFTP servers in the cluster.



Tip To verify that you set the Cisco CallManager cluster to mixed mode, see the "Troubleshooting" section.

If you are prompted to change the security token password, see the "Troubleshooting" section.


Related Topics

Cisco CTL Client Configuration Settings

System Requirements

Interactions and Restrictions

Authentication and Integrity Overview

Setting the Smart Card Service to Started and Automatic

Activating the Cisco CTL Provider Service

Cisco CTL Client Configuration Settings

Configuring the Cisco CTL Client

Updating the CTL File

Configuring the Devices for Authentication or Encryption

Troubleshooting

Updating the CTL File

You must update the CTL file if the following scenarios occur:

If you add a new Cisco CallManager server to the cluster

If you change the name or IP address of the Cisco CallManager server in the cluster

If you need to add or delete additional security tokens

If you need to add, delete, or replace the alternate TFTP or CAPF server

If you restore the Cisco CallManager server or Cisco CallManager data

If you upgrade the Cisco CallManager cluster

You must reboot all Cisco CallManager and Cisco TFTP servers in the cluster for the changes to take effect; you must also reset all devices in the cluster before you reboot the servers. See the "Resetting the Devices, Restarting Cisco CallManager Service, or Rebooting the Server/Cluster" section for more information on how to perform this task.


Tip Cisco strongly recommends that you update the file when minimal call-processing interruptions will occur.


To update the information that exists in the CTL file, perform the following procedure:

Procedure


Step 1 Obtain one security token that you inserted to configure the latest CTL file.

Step 2 Double-click the Cisco CTL Client icon that exists on the desktop of the workstation/server where you installed it.

Step 3 Enter the configuration settings for the Cisco CallManager server, as described in Table 2-1; click Next.


Tip You make updates in this window for the Cisco CallManager server.


Step 4 To update the CTL file, click Update CTL File, as described in Table 2-1; click Next.


Caution For all CTL file updates, you must insert one security token that already exists in the CTL file into the USB port. The client validates the signature of the CTL file through this token. You cannot add new tokens until the CTL client validates the signature. If you have two USB ports on the workstation or server, do not insert both security tokens at the same time.

Step 5 If you have not already inserted one security token in an available USB port on the workstation or server where you are currently updating the CTL file, insert one of the security tokens; click OK.

Step 6 The security token information displays for the token that you inserted; click Next.

The detected certificate entries display in the pane.


Tip You cannot update the Cisco CallManager or Cisco TFTP entries from this pane. To update the Cisco CallManager entry, click Cancel and perform Step 2 through Step 6 again.


Step 7 To update existing Cisco CTL entries or to add or delete security tokens, consider the following information:

To update alternate TFTP or CAPF entries, delete the entry, as described in the "Deleting a CTL File Entry" section; then, add the entry, as described in the "Configuring the Cisco CTL Client" section.

To add new security tokens, see the "Configuring the Cisco CTL Client" section.

To delete a security token, see the "Deleting a CTL File Entry" section.



Tip If you are prompted to change the security token password, see the "Troubleshooting" section.


Related Topics

Cisco CTL Client Configuration Settings

System Requirements

Interactions and Restrictions

Authentication and Integrity Overview

Setting the Smart Card Service to Started and Automatic

Activating the Cisco CTL Provider Service

Configuring the Cisco CTL Client

Updating the CTL File

Configuring the Devices for Authentication or Encryption

Troubleshooting

Changing the Clusterwide Security Mode

You must use the Cisco CTL client to configure the clusterwide security mode. You cannot change the clusterwide security mode from the Enterprise Parameters window of Cisco CallManager Administration.

To change the clusterwide security mode after the initial configuration of the Cisco CTL client, you must update the CTL file, as described in the "Updating the CTL File" section and Table 2-1. If you change the clusterwide security mode from mixed to nonsecure mode, the CTL file still exists on the servers in the cluster, but the CTL file does not contain any certificates. Because no certificates exist in the CTL file, the phone requests an unsigned configuration file and registers as nonsecure with Cisco CallManager.

Related Topics

Updating the CTL File

Cisco CTL Client Configuration Settings

Troubleshooting

Cisco CTL Client Configuration Settings

The cluster can exist in one of two modes, as described in Table 2-1. Only mixed mode supports authentication. When you configure the Cisco CTL client for authentication, you must choose Set CallManager Cluster to Mixed Mode.

Use Table 2-1 to configure the Cisco CTL client for the first time, to update the CTL file, or to change the mode from mixed to nonsecure.

Table 2-1 Configuration Settings for CTL Client 

Setting | Description

Radio Button

Set CallManager Cluster to Mixed Mode

Mixed mode allows authenticated or encrypted Cisco IP Phones and nonauthenticated Cisco IP Phones to register with Cisco CallManager. In this mode, Cisco CallManager ensures that authenticated or encrypted devices use a secure SCCP port.

Note Cisco CallManager disables auto-registration if you configure the cluster for mixed mode.

Set CallManager Cluster to Non-Secure Mode

All devices register as unauthenticated with Cisco CallManager, and Cisco CallManager supports image authentication only.

When you choose this mode, the CTL client removes the certificates for all entries that are listed in the CTL file, but the CTL file still exists in the directory that you specified. The phone requests unsigned configuration files and registers as nonsecure with Cisco CallManager.

Tip To revert the phone to the default nonsecure mode, you must delete the CTL file from the phone and all Cisco CallManager servers. For information on deleting the CTL file from the phone and Cisco CallManager servers, see the "Troubleshooting" section.

Tip You can use auto-registration in this mode.

Update CTL File

After you have created the CTL file, you must choose this option to make any changes to the CTL file. Choosing this option ensures that the Cluster Security mode does not change.

CallManager Server

Hostname or IP Address

Enter the hostname or IP address for a server in the cluster that runs the Cisco CallManager or Cisco TFTP service.

Port

Enter the port number, which equals the CTL port for the Cisco CTL Provider service that runs on the specified Cisco CallManager server. The default port number equals 2444.

Username and Password

Enter a username and password that has administrative privileges on the Cisco CallManager server.

Tip Verify that you entered the username and password for the Cisco CallManager administrator or Power User account. The same username and password must exist on all servers in the cluster.

Alternate TFTP Server

Hostname or IP Address

Note Alternate TFTP server designates a Cisco TFTP server that exists in a different cluster. If you use two different clusters for the alternate TFTP server configuration, both clusters must use the same clusterwide security mode, which means that you must install and configure the Cisco CTL client in both clusters. Likewise, both clusters must run the same version of Cisco CallManager 4.0.


Caution Ensure that the path in the TFTP service parameter, FileLocation, is the same for all servers in the cluster.

Enter the hostname or IP address for the TFTP server.

Port

Enter the port number, which equals the CTL port for the Cisco CTL Provider service that runs on the specified TFTP server. The default port number equals 2444.

Username and Password

Enter a username and password that have local administrative privileges on the server.

CAPF Server

Hostname or IP Address

Enter the hostname or IP address for the CAPF server.

Port

The default port number equals 3805. If the CAPF server listens on a different port, enter that port number instead.

Username and Password

Enter a username and password that have local administrative privileges on the server.

Security Token

User Password

The first time that you configure the Cisco CTL client, enter Cisco123, the case-sensitive default password, to retrieve the private key of the certificate and ensure that the CTL file gets signed.

Tip To change this password, see the "Changing the Security Token Password (Etoken)" section.

Related Topics

System Requirements

Interactions and Restrictions

Authentication and Integrity Overview

Activating the Cisco CTL Provider Service

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Configuring the Devices for Authentication or Encryption

Troubleshooting

Deleting a CTL File Entry

At any time, you can delete certain CTL entries that display in the CTL Entries window of the Cisco CTL client. After you open the client and follow the prompts to display the CTL Entries window, select the entry and click Delete Selected.

You cannot delete servers that run Cisco CallManager or Cisco TFTP from the CTL file. You can delete alternate TFTP servers and security tokens that you manually add to the CTL file, but you cannot delete TFTP servers that the client automatically detects.

Two security token entries must exist in the CTL file at all times. You cannot delete all security tokens from the file.


Tip For information on uninstalling the Cisco CTL client, deleting the CTL file from the phone, or deleting the CTL file from the server, see the "Troubleshooting the Cisco CTL Client" section.


Related Topics

System Requirements

Interactions and Restrictions

Authentication and Integrity Overview

Activating the Cisco CTL Provider Service

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Configuring the Devices for Authentication or Encryption

Troubleshooting

Configuring the Devices for Authentication or Encryption

To configure the devices for authentication or encryption, perform one of the following tasks:

Configure the default device security mode for supported phone models.

Configure the device security mode for a single device in the Phone Configuration window of Cisco CallManager Administration.

Configure the device security mode for a supported phone model by using the Cisco Bulk Administration Tool.

For information on the device security mode configuration settings, see the "Device Security Mode Configuration Settings" section.

Related Topics

System Requirements

Interactions and Restrictions

Activating the Cisco CTL Provider Service

Configuring the Cisco CTL Client

Updating the CTL File

Configuring the Devices for Authentication or Encryption

Device Security Mode Configuration Settings

Troubleshooting

Configuring the Security Device System Default for Supported Phone Models


Note This procedure requires that you reset the devices and restart the Cisco CallManager service for the changes to take effect.


In Cisco CallManager Administration, the security device system default for all phone types displays as Non-Secure. To set the security device system default to Authenticated or Encrypted, perform the following procedure:

Procedure


Step 1 From Cisco CallManager Administration, choose System > Enterprise Parameters.

Step 2 In the Security Parameters section, locate Device Security Mode.

Step 3 From the drop-down list box, choose Authenticated or Encrypted. For more information, see Table 2-2.

Step 4 At the top of the Enterprise Parameters window, click Update.

Step 5 Reset all devices in the cluster; see the "Resetting the Devices, Restarting Cisco CallManager Service, or Rebooting the Server/Cluster" section.

Step 6 Restart the Cisco CallManager service for the changes to take effect.


Related Topics

System Requirements

Interactions and Restrictions

Configuring the Devices for Authentication or Encryption

Device Security Mode Configuration Settings

Configuring the Device Security Mode for a Single Device

To configure the device security mode for a single device, perform the following procedure. This procedure assumes that you have added the device to the database.

Configuring the Device Security Mode in the Phone Configuration window of Cisco CallManager Administration triggers a rebuild of the device configuration .xml file. After you configure the device security mode for the first time or if you change the device security mode, you must reset the device, so the phone requests the new configuration file.

Procedure


Step 1 In Cisco CallManager Administration, choose Device > Phone.

Step 2 Specify the criteria to find the phone and click Find, or click Find without any criteria to display a list of all phones.

If you have not added the phone to the database, the phone does not display in the list. For information on adding a phone, refer to the Cisco CallManager Administration Guide.

Step 3 To open the Phone Configuration window for the device, click the device name.

Step 4 Locate the Device Security Mode drop-down list box.

If the phone type does not support security, this option does not display. You cannot configure authentication or encryption for the phone type.

Step 5 From the Device Security Mode drop-down list box, choose the option that you want to configure. See Table 2-2 for information on the options.

The Device Security Mode drop-down list box only displays if the phone supports authentication or encryption. For example, if the phone does not support encryption, the encryption option does not display in the drop-down list box.

Step 6 Click Update.

Step 7 Click Reset Phone.


Caution When you reset the phone, the system drops all calls that are occurring through a gateway.


Related Topics

System Requirements

Interactions and Restrictions

Configuring the Devices for Authentication or Encryption

Device Security Mode Configuration Settings

Using the Cisco Bulk Administration Tool to Configure the Device Security Mode

You can use the Cisco Bulk Administration Tool that supports Cisco CallManager 4.0(1) to configure the device security mode for specific phone models that support encryption or authentication. For more information on how to perform this task, refer to the Bulk Administration Tool User Guide that supports this version of Cisco CallManager.

Related Topics

System Requirements

Interactions and Restrictions

Configuring the Devices for Authentication or Encryption

Device Security Mode Configuration Settings

Bulk Administration Tool User Guide

Device Security Mode Configuration Settings

The options in Table 2-2 exist for the device security mode.

Table 2-2 Device Security Modes

Option               Description
-------------------  ------------------------------------------------------------------------
Use System Default   The phone uses the value that you specified for the enterprise parameter, Device Security Mode.
Non-secure           No security features except image authentication exist for the phone. A TCP connection opens to Cisco CallManager.
Authenticated        Cisco CallManager provides integrity and authentication for the phone. A TLS connection that uses NULL/SHA opens.
Encrypted            Cisco CallManager provides integrity, authentication, and encryption for the phone. A TLS connection that uses AES128/SHA opens.
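The following is an added example, not Cisco's code or part of this guide: it resolves each phone's effective Device Security Mode from the enterprise parameter and the per-device setting in Table 2-2, and flags phones that still run an older configuration file because they have not been reset since the mode changed (the phone inventory, device names and the "applied mode" field are constructed for illustration).

```python
# Added example (not Cisco's code): audit the effective Device Security Mode of
# phones in a cluster and report phones that still need a reset or that open a
# connection below the required mode. The inventory below is constructed.
from dataclasses import dataclass

# Connection that each mode opens to Cisco CallManager, per Table 2-2.
MODE_TRANSPORT = {
    "Non-secure": "TCP",
    "Authenticated": "TLS NULL/SHA",
    "Encrypted": "TLS AES128/SHA",
}
# Ordering used to decide whether a phone is below the required mode.
MODE_RANK = ["Non-secure", "Authenticated", "Encrypted"]


@dataclass
class Phone:
    name: str              # constructed device name
    configured_mode: str   # value chosen in the Phone Configuration window
    applied_mode: str      # mode in the configuration file the phone last loaded


def resolve_mode(mode, enterprise_default):
    """Map 'Use System Default' to the enterprise parameter Device Security Mode."""
    if mode == "Use System Default":
        mode = enterprise_default
    if mode not in MODE_TRANSPORT:
        raise ValueError(f"unknown device security mode: {mode}")
    return mode


def audit(phones, enterprise_default, required="Authenticated"):
    """Return (phone, finding) pairs for phones needing a reset or below 'required'."""
    findings = []
    for p in phones:
        target = resolve_mode(p.configured_mode, enterprise_default)
        # A changed mode only takes effect after the phone is reset and
        # requests the rebuilt configuration file.
        if p.applied_mode != target:
            findings.append((p.name, f"reset required: running {p.applied_mode}, configured {target}"))
        if MODE_RANK.index(p.applied_mode) < MODE_RANK.index(required):
            findings.append((p.name, f"{MODE_TRANSPORT[p.applied_mode]} connection is below {required}"))
    return findings


# Constructed inventory: phone 1 inherits a changed enterprise default but was
# never reset; phone 2 is fully encrypted; phone 3 is explicitly non-secure.
ENTERPRISE_DEFAULT = "Authenticated"
PHONES = [
    Phone("SEP000000000001", "Use System Default", "Non-secure"),
    Phone("SEP000000000002", "Encrypted", "Encrypted"),
    Phone("SEP000000000003", "Non-secure", "Non-secure"),
]

if __name__ == "__main__":
    for name, finding in audit(PHONES, ENTERPRISE_DEFAULT):
        print(f"{name}: {finding}")
```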


Related Topics

System Requirements

Interactions and Restrictions

Configuring the Devices for Authentication or Encryption

Device Security Mode Configuration Settings

Bulk Administration Tool User Guide