Cisco Unified IP Phone 7940 and 7960 models do not have MICs, and they work only with
LSCs. The Cisco Unified IP Phone 797[015], 796[125], 794[125], 7911, and 7906 models
can use either MICs or LSCs. If an LSC is installed in such a Cisco IP Phone, the LSC has
higher priority than the MIC.
426 Chapter 16: Implementing Security in CUCM
CAPF is used to issue LSCs. CAPF can act as a certification authority (CA) itself, signing
the LSCs, or it can act as a proxy to an external CA, having the external CA signing the
LSCs.
NOTE CAPF cannot proxy to an external CA in CUCM Release 5.0 and 6.0. All
versions of 4.x, Release 5.1, and later versions of the 5.x release train support proxying
to external CAs.
CAPF Service Configuration Parameter
CAPF is configured in the CAPF Service Parameter Configuration window, as shown in
Figure 16-6. In CUCM, choose Cisco Unified Communications Administration >
System > Service Parameter > Cisco Certificate Authority Proxy Function.
Figure 16-6 CAPF Service Configuration Parameter
The certificate issuer (the CAPF itself or an external CA) and, for an external CA, its
IP address can be set if the CUCM software release supports it. Some default values, such
as the Rivest, Shamir, and Adleman (RSA) key size or the certificate lifetime, can also be
modified.
CAPF Phone Configuration Options
Two main settings must be configured in the Phone Configuration window when you install
or upgrade LSCs for Cisco IP Phones, as shown in Figure 16-7.
The first setting is Certificate Operation, which lets you manage LSCs. This setting is used
to delete, install, or upgrade certificates.
The second setting is Authentication Mode, which specifies how the phone should
authenticate to CAPF during enrollment.
Figure 16-7 CAPF Phone Configuration Options
For the Certificate Operation setting, one of these four options can be configured:
• Install/Upgrade: This operation lets you install an LSC if the IP Phone does not have
one. It also lets you upgrade or replace an existing LSC if the IP Phone already has one.
• Delete: This operation removes an LSC from a Cisco IP Phone.
• Troubleshoot: This operation retrieves all existing IP Phone certificates from the IP
Phone and stores them in CAPF trace files. MICs and LSCs have separate CAPF trace
files. The CAPF trace files are located on the external computer where traces are
configured in the Real-Time Monitoring Tool (RTMT) to be stored.
• No Pending Operation: This is the default value. Change back to this value when you
cancel a previously configured operation that has not yet been executed.
For the Authentication Mode setting, you can choose one of four options:
• By Authentication String: This authentication mode is the default. It requires the
Cisco IP Phone user to manually initiate the installation of an LSC. The user must
authenticate to CUCM using the authentication string that has been set by the administrator
in the Authentication String field. To enable the user to enter the correct authentication
string, the administrator must communicate the configured authentication
string to the user.
• By Null String: This authentication mode disables authentication of the Cisco IP Phone
during certificate enrollment. The IP Phone should be enrolled only over a trusted
network when this setting is used. Because no user intervention is needed, the
enrollment is done automatically when the Cisco IP Phone boots or is reset.
• By Existing Certificate (Precedence to LSC): This authentication mode uses an
existing certificate (with precedence to the LSC if both a MIC and an LSC are present
in the IP Phone) for IP Phone authentication. Because no user intervention is needed,
the enrollment occurs automatically when the IP Phone boots or is reset.
• By Existing Certificate (Precedence to MIC): This authentication mode uses an
existing certificate (with precedence to the MIC if both a MIC and an LSC are present
in the IP Phone) for IP Phone authentication. Because no user intervention is needed,
the enrollment occurs automatically when the IP Phone boots or is reset.
First-Time Installation of a Certificate with a Manually Entered Authentication String
For a first-time installation of a certificate with a manually entered authentication string, as
shown in Figure 16-8, set the Certificate Operation field to Install/Upgrade and the
Authentication Mode to By Authentication String.
Figure 16-8 First-Time Installation of a Certificate with a Manually Entered Authentication String
You can enter a string of four to ten digits. Or you can click Generate String to create an
authentication string that then populates the Authentication String field. After the IP Phone
reset, the IP Phone is ready for enrollment. However, enrollment is not automatically
triggered; the user must initiate it from the Settings menu of the Cisco IP Phone.
NOTE The Settings menu can also be used to gain information about the IP telephony
system or to remove the CTL. Usually, IP Phone users should not have access to such
options. Therefore, access to the settings on the IP Phone is often restricted or disabled.
LSC enrollment with authentication by authentication string is not possible if settings
access is not fully enabled. If access to settings is restricted or disabled, it has to be
enabled for the enrollment and then returned to its previous value.
A user or an administrator must enter the authentication string at the beginning of the
enrollment procedure. If the process is successful, the certificate is issued to the IP Phone.
For example, on a Cisco Unified IP Phone 7940, the user would complete these steps:
Step 1 Press the Settings button to access the Settings menu.
Step 2 Scroll to the Security Configuration option and press the Select softkey
to display the Security Configuration menu.
Step 3 Press **# to unlock the IP Phone configuration.
Step 4 Scroll to LSC and press the Update softkey to start the enrollment.
Step 5 Enter the authentication string and press the Submit softkey to
authenticate the IP Phone to the CAPF when prompted to do so.
Step 6 The IP Phone generates its RSA keys and requests a certificate signed by
the CAPF. When the signed certificate is installed, the message "Success"
appears in the lower-left corner of the Cisco IP Phone display.
Certificate Upgrade Using an Existing MIC
Figure 16-9 shows an example of a certificate upgrade that uses an existing LSC.
Figure 16-9 Certificate Upgrade Using an Existing MIC
Upgrades may be required when, for example, an LSC will soon reach its expiration date.
If a new LSC is issued shortly before the existing LSC expires, the existing LSC can still
be used for the upgrade.
For this scenario, set the Certificate Operation to Install/Upgrade and the Authentication
Mode to By Existing Certificate (Precedence to LSC).
After reset, the IP Phone automatically contacts the CAPF for the download of the new
certificate. The existing certificate is used to authenticate the new enrollment, and there
is no need for a manually entered authentication string.
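The Authentication Mode choices above, the 4-to-10-digit authentication string, and the expiring-LSC upgrade scenario can be turned into a small planning script. The following is an added example, not code from the book or from Cisco: it reads a constructed phone inventory (the CSV columns device, model, cert and lsc_expires are assumed, not the real CAPF report layout), and decides per phone which Certificate Operation and Authentication Mode to configure; the 30-day renewal window and the rule that an expired LSC is not relied on for authentication are this script's own assumptions.

```python
import csv
import io
import secrets
from datetime import date, timedelta

# From the chapter: 7940/7960 have no MIC and work only with LSCs.
LSC_ONLY_MODELS = {"7940", "7960"}
# Assumed policy: renew an LSC that expires within 30 days.
RENEW_WINDOW = timedelta(days=30)

def auth_string(length=8):
    """Generate a numeric authentication string (CAPF accepts 4 to 10 digits)."""
    if not 4 <= length <= 10:
        raise ValueError("authentication string must be 4 to 10 digits")
    return "".join(str(secrets.randbelow(10)) for _ in range(length))

def plan_operation(row, today):
    """Return (Certificate Operation, Authentication Mode) for one phone row."""
    cert = row["cert"]  # 'LSC', 'MIC' or 'none' (constructed inventory column)
    if cert == "LSC":
        expires = date.fromisoformat(row["lsc_expires"])
        if expires - today > RENEW_WINDOW:
            return "No Pending Operation", None
        if expires > today:
            # A still-valid LSC authenticates its own upgrade; no string needed.
            return "Install/Upgrade", "By Existing Certificate (Precedence to LSC)"
        # Assumed: an expired LSC is not relied on; fall through to string auth.
    if cert == "MIC" and row["model"] not in LSC_ONLY_MODELS:
        return "Install/Upgrade", "By Existing Certificate (Precedence to MIC)"
    # No usable certificate: the user enters the string at the phone's Settings menu.
    # 'By Null String' is never chosen here because it disables phone authentication.
    return "Install/Upgrade", "By Authentication String"

def plan_all(csv_text, today):
    """Map device name -> planned operation for every row of the export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["device"]: plan_operation(row, today) for row in reader}

# Constructed sample inventory; this is NOT the real CAPF report layout.
SAMPLE = """device,model,cert,lsc_expires
SEP000000000001,7940,none,
SEP000000000002,7941,MIC,
SEP000000000003,7961,LSC,2011-01-20
SEP000000000004,7961,LSC,2012-06-01
SEP000000000005,7960,LSC,2010-12-01
"""

if __name__ == "__main__":
    for dev, (op, mode) in plan_all(SAMPLE, date(2011, 1, 5)).items():
        print(dev, op, mode or "", auth_string() if mode == "By Authentication String" else "")
```

Phones that end up with By Authentication String are the ones whose users (or an administrator) must walk through the Settings menu steps described earlier; the generated string is what the administrator communicates to them.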
Generating a CAPF Report to Verify LSC Enrollment
CUCM lets you create CAPF reports in comma-separated values (CSV) file format, as
shown in Figure 16-10.
Figure 16-10 Generating a CAPF Report to Verify LSC Enrollment
Step 3 CUCM generates the report file, and a file download dialog box opens.
Click Save to save the report file to the PC's hard disk.
Step 4 Open the file from the hard disk. Figure 16-11 shows a CAPF report
opened in Microsoft Excel.
Figure 16-11 CAPF Report
Finding Phones by Their LSC Status
Find IP Phones with security features from CUCM Administration by using the Find and
List Phones window, as shown in Figure 16-12.