Cisco Unified SIP Phone 3905 Administration Guide for Cisco Unified Communications Manager 10.0
Cisco Unified SIP Phone Security
Downloads: This chapterpdf (PDF - 1.19MB) The complete bookPDF (PDF - 3.51MB) | The complete bookePub (ePub - 653.0KB) | Feedback

Cisco Unified SIP Phone Security

Cisco Unified SIP Phone Security

Cisco Unified SIP Phone security features

The following table provides an overview of the security features that the Cisco Unified SIP Phone 3905 supports. For more information about these features and about Cisco Unified Communications Manager and phone security, see the Cisco Unified Communications Manager Security Guide.
Table 1 Phone and Cisco Unified Communications Manager Security Topics

Topic

Reference

Detailed explanation of security, including set up, configuration, and troubleshooting information for Cisco Unified Communications Manager and Cisco Unified IP Phones

See the Troubleshooting Guide for Cisco Unified Communications Manager.

Security and the phone startup process

See Verify phone startup.

Security and phone configuration files

See Phone addition methods.

Disabling access to a phone web pages

See Control phone web page access.

Troubleshooting

  • See Troubleshooting
  • See the Troubleshooting Guide for Cisco Unified Communications Manager

Resetting or restoring the phone

See Basic reset.

802.1X Authentication for Cisco Unified IP Phones

See these sections:

SIP MD5 Digest Authentication

See Set up SIP MD5 Digest Authentication.

802.1X authentication

The Cisco IP Phones support 802.1X Authentication.

Cisco IP Phones and Cisco Catalyst switches traditionally use Cisco Discovery Protocol (CDP) to identify each other and determine parameters such as VLAN allocation and inline power requirements. CDP does not identify locally attached workstations. Cisco IP Phones provide an EAPOL pass-through mechanism. This mechanism allows a workstation attached to the Cisco IP Phone to pass EAPOL messages to the 802.1X authenticator at the LAN switch. The pass-through mechanism ensures that the IP phone does not act as the LAN switch to authenticate a data endpoint before accessing the network.

Cisco IP Phones also provide a proxy EAPOL Logoff mechanism. In the event that the locally attached PC disconnects from the IP phone, the LAN switch does not see the physical link fail, because the link between the LAN switch and the IP phone is maintained. To avoid compromising network integrity, the IP phone sends an EAPOL-Logoff message to the switch on behalf of the downstream PC, which triggers the LAN switch to clear the authentication entry for the downstream PC.

Support for 802.1X authentication requires several components:

  • Cisco IP Phone: The phone initiates the request to access the network. Cisco IP Phones contain an 802.1X supplicant. This supplicant allows network administrators to control the connectivity of IP phones to the LAN switch ports. The current release of the phone 802.1X supplicant uses the EAP-FAST and EAP-TLS options for network authentication.
  • Cisco Secure Access Control Server (ACS) (or other third-party authentication server): The authentication server and the phone must both be configured with a shared secret that authenticates the phone.
  • Cisco Catalyst Switch (or other third-party switch): The switch must support 802.1X, so it can act as the authenticator and pass the messages between the phone and the authentication server. After the exchange completes, the switch grants or denies the phone access to the network.

You must perform the following actions to configure 802.1X.

  • Configure the other components before you enable 802.1X Authentication on the phone.
  • Configure PC Port: The 802.1X standard does not consider VLANs and thus recommends that only a single device should be authenticated to a specific switch port. However, some switches (including Cisco Catalyst switches) support multidomain authentication. The switch configuration determines whether you can connect a PC to the PC port of the phone.
    • Enabled: If you are using a switch that supports multidomain authentication, you can enable the PC port and connect a PC to it. In this case, Cisco IP Phones support proxy EAPOL-Logoff to monitor the authentication exchanges between the switch and the attached PC. For more information about IEEE 802.1X support on the Cisco Catalyst switches, see the Cisco Catalyst switch configuration guides at: http:/​/​www.cisco.com/​en/​US/​products/​hw/​switches/​ps708/​tsd_​products_​support_​series_​home.html
    • Disabled: If the switch does not support multiple 802.1X-compliant devices on the same port, you should disable the PC Port when 802.1X authentication is enabled. If you do not disable this port and subsequently attempt to attach a PC to it, the switch denies network access to both the phone and the PC.
  • Configure Voice VLAN: Because the 802.1X standard does not account for VLANs, you should configure this setting based on the switch support.
    • Enabled: If you are using a switch that supports multidomain authentication, you can continue to use the voice VLAN.
    • Disabled: If the switch does not support multidomain authentication, disable the Voice VLAN and consider assigning the port to the native VLAN.
  • Enter MD5 Shared Secret: If you disable 802.1X authentication or perform a factory reset on the phone, the previously configured MD5 shared secret is deleted.

Set up SIP MD5 Digest Authentication

You can challenge SIP phones for MD5 digest authentication credentials before they can connect to your network. For more information, see Cisco Unified Communications Manager Security Guide.

Procedure
    Step 1   Access one of the following Cisco Unified Communications Manager Administration windows:

    • System > Enterprise Phone Configuration
    • Device > Device Settings > Common Phone Profile
    • Device > Phone > Phone Configuration
    Step 2   Set the Enable Digest Authentication parameter to Enabled or Disabled.

    The default is Disabled.


    Set Device Authentication field

    Procedure
      Step 1   Press Applications.
      Step 2   Choose Admin Settings > Security > 802.1X Authentication > Device Authentication.
      Step 3   Press Select.
      Step 4   Set the Device Authentication option to Enabled or Disabled.
      Step 5   Press Select to confirm.

      Set Shared Secret field

      Choose a password to use on the phone and on the authentication server. The password must be between 6 and 32 characters, consisting of any combination of numbers or letters.


      Note


      If you disable 802.1X authentication or perform a factory reset of the phone, the shared secret is deleted.


      Procedure
        Step 1   Press Applications.
        Step 2   Choose Admin Settings > Security > 802.1X Authentication > EAP-MD5 > Shared Secret.
        Step 3   Press Select.
        Step 4   Enter the shared secret.
        Step 5   Press Select to confirm.