Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 9.0 (SCCP and SIP)
Cisco Unified IP Phone
Downloads: This chapterpdf (PDF - 1.6MB) The complete bookPDF (PDF - 4.42MB) | The complete bookePub (ePub - 731.0KB) | Feedback

Cisco Unified IP Phone

Contents

Cisco Unified IP Phone

The Cisco Unified IP Phone 8941 and 8945 provides voice communication over an IP network. The Cisco Unified IP Phone functions much like a digital business phone, allowing you to place and receive phone calls and to access features such as Mute, Hold, Transfer, Speed Dial, Call Forward, and more. In addition, because the phone is connected to your data network, it offers enhanced IP telephony features, including access to network information and services, and customizeable features and services.

A Cisco Unified IP Phone, like other network devices, must be configured and managed. These phones encode G.711a, G.711mu, G.722, G.729, G.729a, G.729ab, G.729b, iLBC, and decode G.711a, G.711mu, G.722, G.729, G.729a, G.729ab, G.729b, and iLBC.


Caution


Using a cell, mobile, or GSM phone, or two-way radio in close proximity to a Cisco Unified IP Phone may cause interference. For more information, refer to the manufacturer’s documentation of the interfering device.


This chapter includes the following topics:

Cisco Unified IP Phone 8941 and 8945

The following sections describe the Cisco Unified IP Phone 8941 and 8945. For more information, see Cisco Unified IP Phone 8941 and 8945 User Guide for Cisco Unified Communications Manager (SCCP and SIP).

Cisco Unified IP Phone 8941

The Cisco Unified IP Phone 8941 provides these features:

  • Phone connections
  • Footstand
  • Buttons and hardware
  • Phone screen
  • Power-save mode
  • Handset rest

Phone connections

Use the following figure to help you connect your phone to the corporate IP telephony network.

1

DC adapter port (DC48V)

5

Computer port (10/100 PC) connection

2

AC-to-DC power supply (optional)

6

Handset connection

3

AC power wall plug (optional)

7

Analog headset connection (headset optional)

4

Network port (10/100 SW) with IEEE 802.3af and 802.3at power enabled

 

Cisco Unified IP Phone 8945

The Cisco Unified IP Phone 8945 provides these features:

  • Phone connections
  • Bluetooth
  • Footstand
  • Buttons and hardware
  • Phone screen
  • Power-save mode
  • Handset rest

Phone connections

Use the following figure to help you connect your phone to the corporate IP telephony network.

1

DC adapter port (DC48V)

5

Computer port (10/100/1000 PC) connection

2

AC-to-DC power supply (optional)

6

Handset connection

3

AC power wall plug (optional)

7

Analog headset connection (headset optional)

4

Network port (10/100/1000 SW) with IEEE 802.3af and 802.3at power enabled

 

Buttons and hardware

Your phone provides quick access to your phone lines, features, and call sessions. The Programmable Feature buttons (left side) are used to view calls on a line or access features such as Speed Dial or All Calls. These buttons are also called Line buttons.

1

Phone screen

Shows information about your phone, including directory number, call information (for example, caller ID, icons for an active call or call on hold) and available softkeys.

2

Video Camera

Connects to your Cisco Unified IP Phone and allows you to make a point-to-point video call with another Cisco Unified IP Phone.

3

Lens Cover button

Integrated lens cover protects the camera lens.

4

Softkey buttons

Allows you to access the softkey options (for the selected call or menu item) that displays on your phone screen.

5

Navigation pad and Select button

The two-way Navigation pad allows you to scroll through menus, highlight items, and move within a text input field.

The Select button (center of the Navigation pad) allows you to select a highlighted item as well as wake up the phone from deep-sleep mode.

The Select button is lit (white) when the phone is in power-save mode.

6

Conference button

Creates a conference call.

7

Hold button

Places an active call on hold and toggles between an active and on-hold call.

8

Transfer button

Transfers a call.

9

Redial button

Redials a call.

10

Keypad

Allows you to dial phone numbers, enter letters, and choose menu items (by entering the item number).

11

Speakerphone button

Selects the speakerphone as the default audio path and initiates a new call, picks up an incoming call, or ends a call. During a call, the button is lit green.

The speakerphone audio path does not change until a new default audio path is selected (for example, by picking up the handset).

If external speakers are connected, the Speakerphone button selects them as the default audio path.

12

Video Mute button

Mutes the video from the phone screen during a video call. When Video Mute is on, the Video Mute button is lit red.

13

Mute button

Toggles the microphone on or off during a call. When the microphone is muted, the button is lit red.

14

Headset button

Selects the headset as the default audio path and initiates a new call, picks up an incoming call, or ends a call. During a call, the button is lit green.

A headset icon in the phone screen header line indicates that the headset is the default audio path. This audio path does not change until a new default audio path is selected (for example, by picking up the handset).

15

Volume button

Controls the handset, headset, and speakerphone volume (off hook) and controls the ringer volume (on hook).

Silences the ringer on the phone if an incoming call is ringing.

Your administrator sets a minimum ringer volume level ranging from 0 to 14. The default level is 0 (silent).

You can only adjust the ringer volume to a level greater than the configured minimum ring volume value.

16

Messages button

Autodials voicemail system (varies by system).

17

Applications button

Opens/closes the Applications menu. Depending on how the phone is set up, use this button to access applications such as Call History, Preferences, and Phone Information.

18

Contacts button

Opens/closes the Contacts menu. Depending on how the phone is set up, use this button to access Personal Directory, Corporate Directory, or Call History.

Use this button to exit from a feature and return to your home screen.

19

Phone Speaker

Speaker for the phone.

20

Programmable feature buttons (also called Line buttons)

Each corresponds with a phone line, Speed Dial, and calling feature.

Pressing a button for a phone line displays the active calls for that line.

If you have multiple lines, you may have an All Calls button that displays a consolidated list of all calls from all lines (oldest at the top). Cisco recommends that you keep your phone in the All Calls view.

Color LEDs indicate the line state:

  • Amber Ringing call on this line
  • Green Active or held call on this line
  • Red Shared line in-use remotely

The positions of the feature buttons can be reversed on phones that use a locale with a right-to-left reading orientation, such as Hebrew and Arabic.

21

Handset rest

Provides a rest for the phone handset.

When the phone is ringing with an incoming call, the LED in the handset rest flashes red. If there is a new voice message, the LED is lit red.

Network Protocols

Cisco Unified IP Phones support several industry-standard and Cisco network protocols required for voice communication. The following table provides an overview of the network protocols that the Cisco Unified IP Phones 8941 and 8945 support.

Table 1 Supported Network Protocols on the Cisco Unified IP Phone

Network protocol

Purpose

Usage notes

Bluetooth Wireless Technology

Bluetooth enables low bandwidth wireless connections within a range of 30 feet (10 meters). The best performance is in the 3- to 6-foot (1- to 2-meter) range. Bluetooth wireless technology operates in the 2.4 GHz band which is the same as the 802.11b/g band. There can be a potential interference issues. Cisco recommends that you:

  • Use 802.11a that operates in the 5 GHz band.
  • Reduce the proximity of other 802.11b/g devices, Bluetooth devices, microwave ovens, and large metal objects.
Note   

Only the Cisco Unified IP Phone 8945 supports Bluetooth.

For more information about using Bluetooth headsets with your Cisco Unified IP Phone, see Bluetooth Wireless Headsets.

Bootstrap Protocol (BootP)

BootP enables a network device such as the Cisco Unified IP Phone to discover certain startup information; for example, the phone IP address.

Cisco Audio Session Tunneling (CAST)

The CAST protocol allows IP phones and associated applications to discover remote endpoints and communicate with them without requiring changes to the traditional signalling components, like Cisco Unified Communications Manager and gateways. The CAST protocol allows separate hardware devices to synchronize related media and allows the PC to be used as a video resource for non-video enabled phones.

 

Cisco Discovery Protocol (CDP)

CDP is a device-discovery protocol that runs on all Cisco-manufactured equipment.

Using CDP, a device can advertise its existence to other devices and receive information about other devices in the network.

The Cisco Unified IP Phone uses CDP to communicate information such as auxiliary VLAN ID, per port power management details, and Quality of Service (QoS) configuration information with the Cisco Catalyst switch.

Dynamic Host Configuration Protocol (DHCP)

DHCP dynamically allocates and assigns an IP address to network devices.

DHCP enables you to connect an IP phone into the network and have the phone become operational without your needing to manually assign an IP address or to configure additional network parameters.

DHCP is enabled by default. If disabled, you must manually configure the IP address, subnet mask, gateway, and a TFTP server on each phone locally.

Cisco recommends that you use DHCP custom option 150. With this method, you configure the TFTP server IP address as the option value. For additional supported DHCP configurations, go to the "Dynamic Host Configuration Protocol" chapter and the "Cisco TFTP" chapter in the Cisco Unified Communications Manager System Guide.

Note   

If you cannot use option 150, you may try using DHCP option 66.

Hypertext Transfer Protocol (HTTP)

HTTP is the standard way of transferring information and moving documents across the Internet and the web.

Cisco Unified IP Phones use HTTP for XML services, downloading of images and configuration files, and for troubleshooting purposes.

Hypertext Transfer Protocol Secure (HTTPS)

Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of servers.

Web applications with both HTTP and HTTPS support have two URLs configured. Cisco Unified IP Phones that support HTTPS choose the HTTPS URL.

IEEE 802.1X

The IEEE 802.1X standard defines a client-server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports.

Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.

The Cisco Unified IP Phone implements the IEEE 802.1X standard by providing support for the following authentication methods: EAP-FAST, EAP-TLS, and EAP-MD5.

When 802.1X authentication is enabled on the phone, you should disable the PC port and voice VLAN. For more information, see the 802.1X Authentication.

Internet Protocol (IP)

IP is a messaging protocol that addresses and sends packets across the network.

To communicate using IP, network devices must have an assigned IP address, subnet, and gateway.

IP addresses, subnets, and gateways identifications are automatically assigned if you are using the Cisco Unified IP Phone with Dynamic Host Configuration Protocol (DHCP). If you are not using DHCP, you must manually assign these properties to each phone locally.

Link Layer Discovery Protocol (LLDP)

LLDP is a standardized network discovery protocol (similar to CDP) that is supported on some Cisco and third-party devices.

The Cisco Unified IP Phone supports LLDP on the PC port.

Link Layer Discovery Protocol-Media Endpoint Devices (LLDP-MED)

LLDP-MED is an extension of the LLDP standard developed for voice products.

The Cisco Unified IP Phone supports LLDP-MED on the SW port to communicate information such as:

  • Voice VLAN configuration
  • Device discovery
  • Power management
  • Inventory management

For more information about LLDP-MED support, see the LLDP-MED and Cisco Discovery Protocol white paper:http:/​/​www.cisco.com/​en/​US/​tech/​tk652/​tk701/​technologies_​white_​paper0900aecd804cd46d.shtml

Real-Time Transport Protocol (RTP)

RTP is a standard protocol for transporting real-time data, such as interactive voice and video, over data networks.

Cisco Unified IP Phones use the RTP protocol to send and receive real-time voice traffic from other phones and gateways.

Real-Time Control Protocol (RTCP)

RTCP works in conjunction with RTP to provide QoS data (such as jitter, latency, and round trip delay) on RTP streams.

RTCP is disabled by default, but you can enable it on a per phone basis by using Cisco Unified Communications Manager.

Session Initiation Protocol (SIP)

SIP is the Internet Engineering Task Force (IETF) standard for multimedia conferencing over IP. SIP is an ASCII-based application-layer control protocol (defined in RFC 3261) that can be used to establish, maintain, and terminate calls between two or more endpoints.

Like other VoIP protocols, SIP is designed to address the functions of signaling and session management within a packet telephony network. Signaling allows call information to be carried across network boundaries. Session management provides the ability to control the attributes of an end-to-end call.

You can configure the Cisco Unified IP Phone to use either SIP or Skinny Client Control Protocol (SCCP). Cisco Unified IP Phones do not support the SIP protocol when the phones are operating in IPv6 address mode.

Skinny Client Control Protocol (SCCP)

SCCP includes a messaging set that allows communications between call control servers and endpoint clients such as IP Phones. SCCP is proprietary to Cisco Systems.

Cisco Unified IP Phone 8941 and 8945 use SCCP, version 20, for call control.

Secure Real-Time Transfer protocol (SRTP)

SRTP is an extension of the Real-Time Protocol (RTP) Audio/Video Profile and ensures the integrity of RTP and Real-Time Control Protocol (RTCP) packets providing authentication, integrity, and encryption of media packets between two endpoints.

Cisco Unified IP Phones use SRTP for media encryption.

Transmission Control Protocol (TCP)

TCP is a connection-oriented transport protocol.

Cisco Unified IP Phones use TCP to connect to Cisco Unified Communications Manager and to access XML services.

Transport Layer Security (TLS)

TLS is a standard protocol for securing and authenticating communications.

When security is implemented, Cisco Unified IP Phones use the TLS protocol when securely registering with Cisco Unified Communications Manager.

For more information, see the Cisco Unified Communications Manager Security Guide.

Trivial File Transfer Protocol (TFTP)

TFTP allows you to transfer files over the network.

On the Cisco Unified IP Phone, TFTP enables you to obtain a configuration file specific to the phone type.

TFTP requires a TFTP server in your network, which can be automatically identified from the DHCP server. If you want a phone to use a TFTP server other than the one specified by the DHCP server, you must manually assign the IP address of the TFTP server by using the Network Setup menu on the phone.

For more information, see the Cisco TFTP chapter in the Cisco Unified Communications Manager System Guide.

User Datagram Protocol (UDP)

UDP is a connectionless messaging protocol for delivery of data packets.

Cisco Unified IP Phones transmit and receive RTP streams, which utilize UDP.

Related Tasks
Related References

Cisco Unified IP Phone 8941 and 8945 Supported Features

Cisco Unified IP Phones function much like a digital business phone, allowing you to place and receive phone calls. In addition to traditional telephony features, the Cisco Unified IP Phone includes features that enable you to administer and monitor the phone as a network device.

This section includes the following topics:

Feature Overview

Cisco Unified IP Phones provide traditional telephony functionality, such as Call Forward, Call Transfer, Redial, Speed Dial, Conference, and voicemail. Cisco Unified IP Phones also provide a variety of other features.

As with other network devices, you must configure the Cisco Unified IP Phones to prepare them to access Cisco Unified Communications Manager and the rest of the IP network. By using DHCP, you have fewer settings to configure on a phone, but if your network requires it, you can manually configure an IP address, TFTP server, subnet information, and other information.

Cisco Unified IP Phones can interact with other services and devices on your IP network to provide enhanced functionality. For example, you can integrate Cisco Unified Communications Manager with the corporate Lightweight Directory Access Protocol 3 (LDAP3) standard directory to enable users to search for coworker contact information directly from their IP Phones. You can also use XML to enable users to access information such as weather, stocks, quote of the day, and other web-based information.

Finally, because the Cisco Unified IP Phone is a network device, you can obtain detailed status information from it directly. This information can assist you with troubleshooting any problems users might encounter when using their IP Phones.

Telephony Feature Administration

You can modify additional settings for the Cisco Unified IP Phone from Cisco Unified Communications Manager Administration. Use Cisco Unified Communications Manager Administration to set up phone registration criteria and calling search spaces, to configure corporate directories and services, and to modify phone button templates, among other tasks. See the related topics and the Cisco Unified Communications Manager documentation for additional information.

For more information about Cisco Unified Communications Manager Administration, refer to Cisco Unified Communications Manager documentation, including Cisco Unified Communications Manager Administration Guide. You can also use the context-sensitive help available within the application for guidance.

You can access Cisco Unified Communications Manager documentation at this location:

http:/​/​www.cisco.com/​en/​US/​products/​sw/​voicesw/​ps556/​tsd_​products_​support_​series_​home.html

You can access Cisco Unified Communications Manager Business Edition documentation at this location:

http:/​/​www.cisco.com/​en/​US/​products/​ps7273/​tsd_​products_​support_​series_​home.html

Cisco Unified IP Phone Network Parameters

You can configure parameters such as DHCP, TFTP, and IP settings on the phone itself. You can also obtain statistics about a current call or firmware versions on the phone.

Information for End Users

If you are a system administrator, you are likely the primary source of information for Cisco Unified IP Phone users in your network or company. To ensure that you distribute the most current feature and procedural information, familiarize yourself with Cisco Unified IP Phone documentation on the Cisco Unified IP Phone web site:

http:/​/​www.cisco.com/​en/​US/​products/​ps10451/​tsd_​products_​support_​series_​home.html

From this site, you can view various user documentation.

In addition to providing documentation, it is important to inform users of available Cisco Unified IP Phone features, including those specific to your company or network, and of how to access and customize those features, if appropriate.

Related Information

Cisco Unified IP Phones security features

Implementing security in the Cisco Unified Communications Manager system prevents identity theft of the phone and Cisco Unified Communications Manager server, prevents data tampering, and prevents call signaling and media stream tampering.

To alleviate these threats, the Cisco IP telephony network establishes and maintains secure communication streams between a phone and the server, digitally signs files before they are transferred to a phone, and encrypts media streams and call signaling between Cisco Unified IP phones.

The Cisco Unified IP Phone 8941 and 8945 use the Phone security profile, which defines whether the device is nonsecure or encrypted. For information on applying the security profile to the phone, see the Cisco Unified Communications Manager Security Guide.

If you configure security-related settings in Cisco Unified Communications Manager Administration, the phone configuration file contains sensitive information. To ensure the privacy of a configuration file, you configure it for encryption. For detailed information, see the "Configuring Encrypted Phone Configuration Files" chapter in Cisco Unified Communications Manager Security Guide.

The following table shows where you can find additional information about security in this and other documents.

Table 2 Cisco Unified IP Phone and Cisco Unified Communications Manager security topics

Topic

Reference

Detailed explanation of security, including set up, configuration, and troubleshooting information for Cisco Unified Communications Manager and Cisco Unified IP Phones

Refer to the Cisco Unified Communications Manager Security Guide.

Security features supported on the Cisco Unified IP Phone

See Supported security features.

Restrictions regarding security features

See Security Restrictions.

Viewing a security profile name

See Security Profiles.

Identifying phone calls for which security is implemented

See Encrypted Phone Call Identification.

TLS connection

See Network Protocols.

See Cisco Unified Communications Manager Phone Addition Methods.

Security and the phone startup process

See Phone startup process.

Security and phone configuration files

See Cisco Unified Communications Manager Phone Addition Methods.

Changing the TFTP Server 1 or TFTP Server 2 option on the phone when security is implemented

See IPv4 Setup menu options.

Items on the Security Configuration menu that you access from the Device Configuration menu on the phone

See Security Configuration menu.

Items on the Security Configuration menu that you access from the Settings menu on the phone

See Security Configuration menu.

Applying a password to the phone so that no changes can be made to the administrative options

See Password Protection.

Disabling access to a phone web page

See Control web page access.

Troubleshooting

See Cisco Unified IP Phone Security Problems.

Refer to the Troubleshooting Guide for Cisco Unified Communications Manager.

Deleting the CTL file from the phone

See Cisco Unified IP Phone Reset or Restore.

Resetting or restoring the phone

See Cisco Unified IP Phone Reset or Restore.

802.1X Authentication for Cisco Unified IP Phones

See these sections:

All Cisco Unified IP Phones that support Cisco Unified Communications Manager use a security profile, which defines whether the phone is nonsecure or secure.

For information about configuring the security profile and applying the profile to the phone, see Cisco Unified Communications Manager Security Guide.

Supported security features

The following table provides an overview of the security features that the Cisco Unified IP Phone 8941 and 8945 support. For more information about these features and about Cisco Unified Communications Manager and Cisco Unified IP Phone security, see Cisco Unified Communications Manager Security Guide.

For information about current security settings on a phone, choose Applications > Administrator Settings > Security Setup.


Note


Most security features are available only if a certificate trust list (CTL) is installed on the phone. For more information about the CTL, see "Configuring the Cisco CTL Client" chapter in Cisco Unified Communications Manager Security Guide.


Table 3 Overview of security features

Feature

Description

Image authentication

Signed binary files (with the extension .sgn) prevent tampering with the firmware image before it is loaded on a phone. Tampering with the image causes a phone to fail the authentication process and reject the new image.

Customer-site certificate installation

Each Cisco Unified IP Phone requires a unique certificate for device authentication. Phones include a manufacturing installed certificate (MIC), but for additional security, you can specify in Cisco Unified Communications Manager Administration that a certificate be installed by using the Certificate Authority Proxy Function (CAPF). Alternatively, you can install a Locally Significant Certificate (LSC) from the Security Configuration menu on the phone. See the Cisco Unified IP Phone Security for more information.

Device authentication

Occurs between the Cisco Unified Communications Manager server and the phone when each entity accepts the certificate of the other entity. Determines whether a secure connection between the phone and a Cisco Unified Communications Manager should occur and, if necessary, creates a secure signaling path between the entities by using TLS protocol. Cisco Unified Communications Manager does not register phones unless they are authenticated by the Cisco Unified Communications Manager.

File authentication

Validates digitally signed files that the phone downloads. The phone validates the signature to make sure that file tampering did not occur after the file creation. Files that fail authentication are not written to flash memory on the phone and the phone rejects such files without further processing.

Signaling Authentication

Uses the TLS protocol to validate that no tampering has occurred to signaling packets during transmission.

Manufacturing installed certificate

Each Cisco Unified IP Phone contains a unique manufacturing installed certificate (MIC), which is used for device authentication. The MIC is a permanent unique proof of identity for the phone and allows Cisco Unified Communications Manager to authenticate the phone.

Secure SRST reference

After you configure a SRST reference for security and then reset the dependent devices in Cisco Unified Communications Manager Administration, the TFTP server adds the SRST certificate to the phone cnf.xml file and sends the file to the phone. A secure phone then uses a TLS connection to interact with the SRST-enabled router.

Media encryption

Uses SRTP to ensure that the media streams between supported devices prove secure and that only the intended device receives and reads the data. Includes creating a media master key pair for the devices, delivering the keys to the devices, and securing the delivery of the keys while the keys are in transport.

Signaling encryption

Ensures that all SCCP signaling messages sent between the device and the Cisco Unified Communications Manager server are encrypted.

CAPF (Certificate Authority Proxy Function)

Implements parts of the certificate generation procedure that are too processing-intensive for the phone and interacts with the phone for key generation and certificate installation. The CAPF can be configured to request certificates from customer-specified certificate authorities on behalf of the phone or it can be configured to generate certificates locally.

Security profiles

Defines whether the phone is nonsecure or encrypted. See the Security Profiles for more information.

Encrypted configuration files

Lets you ensure the privacy of phone configuration files.

Optional disabling of the web server functionality for a phone

You can prevent access to a phone web page, which displays a variety of operational statistics for the phone. See Control web page access.

Phone hardening

Additional security options, which you control from Cisco Unified Communications Manager Administration:

  • Disabling PC port
  • Disabling PC Voice VLAN access
  • Disabling access to web pages for a phone
Note   

You can view current settings for the PC Port Disabled, GARP Enabled, and Voice VLAN enabled options by looking at the phone Security Configuration menu. For more information, see the Security Configuration menu.

802.1X Authentication

The Cisco Unified IP Phone can use 802.1X authentication to request and gain access to the network. See the 802.1X Authentication for more information.

Related References

Security Profiles

All Cisco Unified IP Phones that support Cisco Unified Communications Manager use a security profile, which defines whether the phone is nonsecure or encrypted. For information about configuring the security profile and applying the profile to the phone, refer to Cisco Unified Communications Manager Security Guide.

To view the security mode that is set for the phone, look at the Security Mode setting in the Security Configuration menu.

Related References

Encrypted Phone Call Identification

When security is implemented for a phone, you can identify encrypted phone audio calls by icons on the screen on the phone. You can also determine if the connected phone is secure and protected if a security tone plays at the beginning of the call.

In a secure call, all call signaling and media streams are encrypted. An encrypted call offers a high level of security, providing integrity and privacy to the call. When an in-progress call is being encrypted, the call progress icon to the right of the call duration timer in the phone LCD screen changes to the lock icon: .

If the call is routed through non-IP call legs (for example, PSTN), the call may be nonsecure even though it is encrypted within the IP network and has a lock icon associated with it.

In a secure call, a security tone plays at the beginning of a call to indicate that the other connected phone is also receiving and transmitting encrypted audio. For video calls, the user may first hear a secure indication tone for the audio portion of the call and then a nonsecure indication tone for overall nonsecure media. If your call is connected to a nonprotected phone, the security tone does not play.


Note


Secured calling is supported for connections between two phones only. Some features, such as conference calling, shared lines, and Cisco Extension Mobility are not available when secured calling is configured.


Identify Secure Conference Call

You can initiate a secure conference call and monitor the security level of participants. A secure conference call is established using this process:

  1. A user initiates the conference from a secure phone.
  2. Cisco Unified Communications Manager assigns a secure conference bridge to the call.
  3. As participants are added, Cisco Unified Communications Manager verifies the security mode of each phone and maintains the secure level for the conference.
  4. The phone displays the security level of the conference call. A secure conference displays the to the right of Conference on the phone screen.

Note


There are interactions, restrictions, and limitations that affect the security level of the conference call depending on the security mode of the participant phones and the availability of secure conference bridges. For more information about the interactions, see Call Security Interactions and Restrictions.


Identify Secure Phone Call

A protected call is established when your phone and the phone on the other end are configured for protected calling. The other phone can be in the same Cisco IP network or on a network outside the IP network. Protected calls can only be made between two phones. Conference calls and other multiple-line calls cannot be protected.

A protected call is established using this process:

  1. A user initiates the call from a protected phone (protected security mode).
  2. The phone displays the icon (encrypted) on the phone screen. This icon indicates that the phone is configured for secure (encrypted) calls, but this does not mean that the other connected phone is also protected.
  3. A security tone plays if the call is connected to another protected phone, indicating that both ends of the conversation are encrypted and protected. If the call is connected to a unprotected phone, then the secure tone does not play.

Note


Protected calling is supported for conversations between two phones. Some features, such as conference calling, shared lines, Cisco Extension Mobility, and Join Across Lines are not available when protected calling is configured.


Call Security Interactions and Restrictions

Cisco Unified Communications Manager checks the phone security status when conferences are established and changes the security indication for the conference or blocks the completion of the call to maintain integrity and security in the system. The following table provides information about changes to call security levels when using Barge.

Table 4 Call Security Interactions When Using Barge

Initiator’s phone security level

Feature used

Call security level

Results of action

Nonsecure

cBarge

Encrypted call

Call barged and identified as nonsecure call

Secure

cBarge

Secure call

Call barged and identified as Secure call

The following table provides information about changes to conference security levels depending on the initiator’s phone security level, the security levels of participants, and the availability of secure conference bridges.

Table 5 Security Restrictions with Conference Calls

Initiator’s phone security level

Feature used

Security level of participants

Results of action

Nonsecure

Conference

Encrypted

Nonsecure conference bridge

Nonsecure conference

Secure

Conference

At least one member is nonsecure.

Secure conference bridge

Nonsecure conference

Secure

Conference

All participants are encrypted.

Secure conference bridge

Secure encrypted level conference

Secure

Join

Encrypted

Secure conference bridge

Conference remains secure

Nonsecure

cBarge

All participants are encrypted.

Secure conference bridge

Conference changes to nonsecure

Nonsecure

Meet Me

Minimum security level is encrypted.

Only nonsecure conference bridge is available and used

Nonsecure conference

Secure

Meet Me

Minimum security level is nonsecure

Only secure conference bridge available and used

Conference accepts all calls

When using VPN and with security enabled, the maximum supported bandwidth is 1 Mbps.

When using Cisco TelePresence, the maximum bandwidth is 448 kbps.

802.1X Authentication

This section provides information about 802.1X support on the Cisco Unified IP Phones.

Overview

Cisco Unified IP Phones and Cisco Catalyst switches traditionally use Cisco Discovery Protocol (CDP) to identify each other and determine parameters such as VLAN allocation and inline power requirements. CDP does not identify locally attached workstations. Cisco Unified IP Phones provide an EAPOL pass-through mechanism. This mechanism allows a workstation attached to the Cisco Unified IP Phone to pass EAPOL messages to the 802.1X authenticator at the LAN switch. The pass-through mechanism ensures that the IP phone does not act as the LAN switch to authenticate a data endpoint before accessing the network.

Cisco Unified IP Phones also provide a proxy EAPOL Logoff mechanism. In the event that the locally attached PC disconnects from the IP phone, the LAN switch does not see the physical link fail, because the link between the LAN switch and the IP phone is maintained. To avoid compromising network integrity, the IP phone sends an EAPOL-Logoff message to the switch on behalf of the downstream PC, which triggers the LAN switch to clear the authentication entry for the downstream PC.

Cisco Unified IP Phones also contain an 802.1X supplicant. This supplicant allows network administrators to control the connectivity of IP phones to the LAN switch ports. The current release of the phone 802.1X supplicant uses the EAP-FAST, EAP-TLS, and EAP-MD5 options for network authentication.

Best Practices, Requirements, and Recommendations

  • Enable 802.1X Authentication: If you want to use the 802.1X standard to authenticate Cisco Unified IP Phones, be sure that you have properly configured the other components before enabling it on the phone. See 802.1X Authentication and 802.1X Authentication Status Menus for more information.
  • Configure PC Port: The 802.1X standard does not take into account the use of VLANs and thus recommends that only a single device should be authenticated to a specific switch port. However, some switches (including Cisco Catalyst switches) support multidomain authentication. The switch configuration determines whether you can connect a PC to the PC port of the phone.
    • Enabled: If you are using a switch that supports multidomain authentication, you can enable the PC port and connect a PC to it. In this case, Cisco Unified IP Phones support proxy EAPOL-Logoff to monitor the authentication exchanges between the switch and the attached PC. For more information about IEEE 802.1X support on the Cisco Catalyst switches, refer to the Cisco Catalyst switch configuration guides at: http:/​/​www.cisco.com/​en/​US/​products/​hw/​switches/​ps708/​tsd_​products_​support_​series_​home.html
    • Disabled: If the switch does not support multiple 802.1X-compliant devices on the same port, you should disable the PC port when 802.1X authentication is enabled. See the Security Configuration menu for more information. If you do not disable this port and subsequently attempt to attach a PC to it, the switch will deny network access to both the phone and the PC.
  • Configure Voice VLAN: Because the 802.1X standard does not account for VLANs, you should configure this setting based on the switch support.
    • Enabled: If you are using a switch that supports multidomain authentication, you can continue to use the voice VLAN.
    • Disabled: If the switch does not support multidomain authentication, disable the Voice VLAN and consider assigning the port to the native VLAN. See the Security Configuration menu for more information.
  • Enter MD5 Shared Secret: If you disable 802.1X authentication or perform a factory reset on the phone, the previously-configured MD5 shared secret is deleted. See the 802.1X Authentication and 802.1X Authentication Status Menus for more information.

Required Network Components

Support for 802.1X authentication on Cisco Unified IP Phones requires several components, including:

  • Cisco Unified IP Phone: The phone acts as the 802.1X supplicant, which initiates the request to access the network.
  • Cisco Secure Access Control Server (ACS) (or other third-party authentication server): The authentication server and the phone must both be configured with a shared secret that authenticates the phone.
  • Cisco Catalyst Switch (or other third-party switch): The switch must support 802.1X, so it can act as the authenticator and pass the messages between the phone and the authentication server. After the exchange completes, the switch grants or denies the phone access to the network.

Security Restrictions

A user cannot barge into an encrypted call if the phone that is used to barge is not configured for encryption. When barge fails in this case, a reorder (fast busy) tone plays on the phone that the barge was initiated.

If the initiator phone is configured for encryption, the barge initiator can barge into a nonsecure call from the encrypted phone. After the barge occurs, Cisco Unified Communications Manager classifies the call as nonsecure.

If the initiator phone is configured for encryption, the barge initiator can barge into an encrypted call, and the phone indicates that the call is encrypted.

Cisco Unified IP Phone Deployment

When deploying a new IP telephony system, system administrators and network administrators must complete several initial configuration tasks to prepare the network for IP telephony service. For information and a checklist for setting up and configuring a Cisco IP telephony network, see the "System Configuration Overview" chapter in Cisco Unified Communications Manager System Guide.

After you have set up the IP telephony system and configured system-wide features in Cisco Unified Communications Manager, you can add IP phones to the system.

Cisco Unified IP Phones Setup in Cisco Unified Communications Manager

To add phones to the Cisco Unified Communications Manager database, you can use:

  • Autoregistration
  • Cisco Unified Communications Manager Administration
  • Bulk Administration Tool (BAT)
  • BAT and the Tool for Auto-Registered Phones Support (TAPS)

For general information about configuring phones in Cisco Unified Communications Manager, refer to the following documentation:

  • "Cisco Unified IP Phones" chapter in Cisco Unified Communications Manager System Guide
  • "Cisco Unified IP Phone Configuration" chapter in Cisco Unified Communications Manager Administration Guide
  • "Autoregistration Configuration" chapter in Cisco Unified Communications Manager Administration Guide

Set up Cisco Unified IP Phone in Cisco Unified Communications Manager

The following steps provide an overview and checklist of configuration tasks for the Cisco Unified IP Phone in Cisco Unified Communications Manager Administration. The steps present a suggested order to guide you through the phone configuration process. Some tasks are optional, depending on your system and user needs. For detailed procedures and information, refer to the sources in the list.

Procedure
    Step 1   Gather the following information about the phone:
    • Phone Model
    • MAC address
    • Physical location of the phone
    • Name or user ID of phone user
    • Device pool
    • Partition, calling search space, and location information
    • Number of lines and associated directory numbers (DNs) to assign to the phone
    • Cisco Unified Communications Manager user to associate with the phone
    • Phone usage information that affects phone button template, softkey template, phone features, IP Phone services, or phone applications

    This step provides a list of configuration requirements for setting up phones and identifies preliminary configuration that you need to perform before configuring individual phones, such as phone button templates or softkey templates.

    For more information, see the "Cisco Unified IP Phones" chapter in the Cisco Unified Communications Manager System Guide and see the Telephony features available for Cisco Unified IP Phone.

    Step 2   Verify that you have sufficient unit licenses for your phone.

    For more information, see the “License Unit Report” chapter in the Cisco Communications Manager Administration Guide.

    Step 3   Customize phone button templates (if required). This step changes the number of line buttons, speed-dial buttons, Service URL buttons, and adds a Privacy button to meet user needs.

    For more information, go to the "Phone Button Template Configuration" chapter in the Cisco Communications Manager Administration Guide and see the Phone Button Templates.

    Step 4   Add and configure the phone by completing the required fields in the Phone Configuration window. Required fields are indicated by an asterisk (*) next to the field name; for example, MAC address and device pool.

    The device with its default settings gets added to the Cisco Unified Communications Manager database.

    For more information, see the "Cisco Unified IP Phone Configuration" chapter in the Cisco Communications Manager Administration Guide.

    For information about Product Specific Configuration fields, refer to "?" Button Help in the Phone Configuration window.

    Note   

    If you want to add both the phone and user to the Cisco Unified Communications Manager database at the same time, go to the "User/Phone Add Configuration" chapter in the Cisco Communications Manager Administration Guide.

    Step 5   Add and configure directory numbers (lines) on the phone by completing the required fields in the Directory Number Configuration window. Required fields are indicated by an asterisk (*) next to the field name; for example, directory number and presence group.

    This step adds primary and secondary directory numbers and features associated with directory numbers to the phone.

    For more information, see the “Directory Number Configuration” chapter in the Cisco Unified Communications Manager Administration Guide and see the Telephony features available for Cisco Unified IP Phone.

    Step 6   Customize softkey templates. Adds, deletes, or changes the order of softkey features that display on the user’s phone to meet feature usage needs.

    For more information, see the Cisco Unified Communications Manager Administration Guide, “Softkey Template Configuration” and “Cisco Unified IP Phone Configuration”.

    Step 7   Configure speed-dial buttons and assign speed-dial numbers (optional). Adds speed-dial buttons and numbers.

    Users can change speed-dial settings on their phones by using Cisco Unified Communications Manager User Options.

    For more information, see the Cisco Unified Communications Manager Administration Guide, “Cisco Unified IP Phone Configuration” chapter.

    Step 8   Add user information by configuring required fields. Required fields are indicated by an asterisk (*); for example, User ID and last name.
    Note   

    Assign a password (for User Options web pages) and PIN (for Cisco Extension Mobility and Personal Directory).

    This step adds user information to the global directory for Cisco Unified Communications Manager.

    For more information, see the Cisco Unified Communications Manager Administration Guide, “End User Configuration” chapter.

    Note   

    If your company uses a Lightweight Directory Access Protocol (LDAP) directory to store information on users, you can install and configure Cisco Unified Communications to use your existing LDAP directory, as discussed in Corporate Directory setup. After the synchronization between the LDAP server and the system is enabled, you cannot add additional users from Cisco Unified Communications Manager Administration.

    Note   

    If you want to add both the phone and user to the Cisco Unified Communications Manager database at the same time, see "User/Phone Add Configurations" in the Cisco Unified Communications Manager Administration Guide.

    Step 9   Associate a user to a user group.

    This step assigns to users a common list of roles and permissions that apply to all users in a user group. Administrators can manage user groups, roles, and permissions to control the level of access (and, therefore, the level of security) for system users.

    Note   

    For end users to access Cisco Unified Communications Manager User Options, you must add users to the standard Cisco Unified Communications Manager End Users group.

    For more information, see Cisco Unified Communications Manager Administration Guide, “End User Configuration” and “User Group Configuration” chapters.

    Step 10   Associate a user with a phone. This step provides users with control over their phone such a forwarding calls or adding speed-dial numbers or services.
    Note   

    Some phones, such as those in conference rooms, do not have an associated user.

    For more information, see the Cisco Unified Communications Manager Administration Guide, “End User Configuration” chapter.


    Cisco Unified IP Phones Installation

    After you have added the phones to the Cisco Unified Communications Manager database, you can complete the phone installation. You (or each phone user) can install the phone at the user’s location. The Cisco Unified IP Phone Installation Guide, which is provided on the cisco.com web site, provides directions for connecting the phone handset, cables, and other accessories.


    Note


    Before you install a phone, even if it is new, upgrade the phone to the current firmware image. For information about upgrading, refer to the Readme file for the phone, which is located at:

    http:/​/​www.cisco.com/​kobayashi/​sw-center/​index.shtml

    After the phone is connected to the network, the phone startup process begins, and the phone registers with Cisco Unified Communications Manager. To finish installing the phone, configure the network settings on the phone depending on whether you enable or disable DHCP service.

    If you used autoregistration, you need to update the specific configuration information for the phone such as associating the phone with a user, changing the button table, or directory number.

    Install Cisco Unified IP Phone 8941 and 8945

    The following steps provide an overview and checklist of installation tasks for the Cisco Unified IP Phone 8941 and 8945. The steps present a suggested order to guide you through the phone installation. Some tasks are optional, depending on your system and user needs. For detailed procedures and information, refer to the sources in the list.

    Procedure
      Step 1   Choose the power source for the phone:
      • Power over Ethernet (PoE)
      • External power supply

      This step determines how the phone receives power.

      For more information, see the Cisco Unified IP Phone power.

      Step 2   Assemble the phone, adjust phone placement, and connect the network cable. This step locates and installs the phone in the network.

      For more information, see Install Cisco Unified IP Phone and Footstand.

      Step 3   Monitor the phone startup process. Adds primary and secondary directory numbers and features associated with directory numbers to the phone. Verifies that phone is configured properly.

      For more information, see the Phone Startup Process.

      Step 4   If you are configuring the network settings on the phone, you can set up an IP address for the phone by either using DHCP or manually entering an IP address.
      • Using DHCP: To enable DHCP and allow the DHCP server to automatically assign an IP address to the Cisco Unified IP Phone and direct the phone to a TFTP server, choose Applications > Administrator Settings > Network Setup > IPv4 Setup and:
        • To enable DHCP, set DHCP Enabled to Yes. DHCP is enabled by default.
        • To use an alternate TFTP server, set Alternate TFTP Server to Yes, and enter the IP address for the TFTP Server.
          Note   

          Consult with the network administrator to determine whether you need to assign an alternative TFTP server instead of using the TFTP server assigned by DHCP.

      • Without DHCP: You must configure the IP address, subnet mask, TFTP server, and default router locally on the phone, choose Applications > Administrator Settings > Network Setup > IPv4 Setup: To disable DHCP and manually set an IP address:
        1. To disable DHCP, set DHCP Enabled to No.
        2. Enter the static IP address for phone.
        3. Enter the subnet mask.
        4. Enter the default router IP addresses.
        5. Set Alternate TFTP Server to Yes, and enter the IP address for TFTP Server 1.
        You must also enter the domain name where the phone resides by choosing Applications > Administrator Settings > Network Setup.

      For more information, see the Network Settings and Network Setup Menu.

      Step 5   Set up security on the phone. Provides protection against data tampering threats and identity theft of phones.

      For more information, see the Cisco Unified IP Phone Security.

      Step 6   Make calls with the Cisco Unified IP Phone. Verifies that the phone and features work correctly.

      For more information, see Cisco Unified IP Phone 8941 and 8945 User Guide for Cisco Unified Communications Manager (SCCP and SIP) .

      Step 7   Provide information to end users about how to use their phones and how to configure their phone options. Ensures that users have adequate information to successfully use their Cisco Unified IP Phones.

      For more information, see Internal Support Web Site.


      Terminology Differences

      The following table highlights some of the important differences in terminology used in these documents:

      • Cisco Unified IP Phone 8941 and 8945 User Guide for Cisco Unified Communications Manager (SCCP and SIP)
      • Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager (SCCP and SIP)
      • Cisco Unified Communications Manager Administration Guide
      • Cisco Unified Communications Manager System Guide

      User Guide

      Administration and System Guides

      Speed-Dialing (Placing a call with a speed-dial code)

      Abbreviated Dialing

      Conference across Lines

      Join Across Lines

      Conference

      Join or Conference

      Line Status

      Busy Lamp Field (BLF)

      Message Indicators

      Message Waiting Indicator (MWI) or Message Waiting Lamp

      Programmable Feature Button

      Programmable Line Button or Programmable Line Key (PLK)

      Voicemail System

      Voice Messaging System