Title | Description | Default
---|---|---
Phone Security Profile Type * | |
SIP Phone Port | Applies only to SIP phones that use UDP transport. Enter the port on which Cisco Unified IP Phones (SIP only) listen for SIP messages from Cisco Unified Communications Manager over UDP. Phones that use TCP or TLS ignore this setting. | 5060
Transport Type | Configurable when Device Security Mode is Non Secure; choose one of the following from the drop-down list box (some options may not display). TCP: the Transmission Control Protocol delivers packets reliably and in the order they were sent, but provides no security. UDP: the User Datagram Protocol delivers packets with lower latency but may drop or reorder them, and provides no security. TCP + UDP: a combination of the two; provides no security. When Device Security Mode is Authenticated or Encrypted, the transport is fixed to TLS, which provides signaling integrity and device authentication for SIP phones, and signaling encryption in Encrypted mode only. If Device Security Mode cannot be configured in the profile, the transport is UDP. | TCP+UDP
Device Protocol * | |
Description | Enter a description for the security profile. |
TFTP Encrypted Config | When this check box is checked, Cisco Unified Communications Manager encrypts the configuration files that phones download from the TFTP server. This option exists for Cisco phones only. Tip: Cisco recommends that you enable this option and configure a symmetric key, so that the digest credentials and administrative passwords carried in the configuration file are not delivered in cleartext. |
Enable Digest Authentication | When this check box is checked, Cisco Unified Communications Manager challenges every SIP request from the phone for digest credentials. Digest authentication only proves that the sender knows the digest password; it does not provide device authentication, signaling integrity, or confidentiality. Choose a Device Security Mode of Authenticated or Encrypted for those properties. Note that the digest credentials are also delivered to the phone in its configuration file; see TFTP Encrypted Config and Exclude Digest Credentials in Configuration File. |
Device Security Mode | From the drop-down list box, choose one of the following. Non Secure: no security features for the phone other than image, file, and device authentication; a TCP connection opens to Cisco Unified Communications Manager. Authenticated: Cisco Unified Communications Manager provides integrity and authentication for the phone; signaling uses a TLS connection with the NULL/SHA cipher suite, so it is authenticated and integrity-protected but still readable on the wire. Encrypted: Cisco Unified Communications Manager provides integrity, authentication, and encryption for the phone; signaling uses a TLS connection with AES128/SHA, and SRTP carries the media for all calls on every SRTP-capable hop (a hop that is not SRTP-capable still carries unencrypted RTP). |
EC Key Size | Used for CAPF: choose the elliptic-curve key size for the certificate from the drop-down list box. A larger key size makes the phone take longer to gather the entropy it needs to generate the key pair. Key generation runs at low priority so the phone keeps working while it runs; depending on the phone model, it can take 30 minutes or more to complete. Note: the CAPF settings configured in the Phone Security Profile window interact with the CAPF parameters configured in the Phone Configuration window. |
Authentication Mode | Choose the method the phone uses to authenticate to CAPF during a certificate operation (install, upgrade, or troubleshoot of a locally significant certificate, LSC). This option exists for Cisco phones only. By Authentication String: the operation proceeds only after the user enters the CAPF authentication string on the phone. By Null String: the operation proceeds with no user intervention and no authentication at all; Cisco strongly recommends choosing this option only in closed, secure environments. By Existing Certificate (Precedence to LSC): the operation proceeds if a manufacturer-installed certificate (MIC) or an LSC exists on the phone. If an LSC exists, authentication uses the LSC regardless of whether a MIC also exists; if only a MIC exists, authentication uses the MIC. By Existing Certificate (Precedence to MIC): the operation proceeds if a MIC or an LSC exists on the phone. If a MIC exists, authentication uses the MIC regardless of whether an LSC also exists; if only an LSC exists, authentication uses the LSC. For either By Existing Certificate option, verify that a certificate exists on the phone before you choose it: if no certificate exists, the operation fails. The phone uses only one certificate to authenticate to CAPF at any time, even though a MIC and an LSC can coexist on the phone; if the certificate that takes precedence is compromised, or you want to authenticate with the other certificate, update the authentication mode. Note: the CAPF settings configured in the Phone Security Profile window interact with the CAPF parameters configured in the Phone Configuration window. | By Null String
Key Size (Bits) | Used for CAPF: choose the RSA key size for the certificate from the drop-down list box. 2048 is the default; 512 and 1024 are also offered, but keys that small are not considered secure and should not be used for new certificates. A larger key size makes the phone take longer to gather the entropy it needs to generate the key pair. Key generation runs at low priority so the phone keeps working while it runs; depending on the phone model, it can take 30 minutes or more to complete. Note: the CAPF settings configured in the Phone Security Profile window interact with the CAPF parameters configured in the Phone Configuration window. | 2048
Key Order | Applies only to SIP phones. | RSA Only
Nonce Validity Time | Enter the number of seconds that a nonce value remains valid. When the time expires, Cisco Unified Communications Manager generates a new nonce. Note: the nonce, a random value that supports digest authentication, is an input to the MD5 digest that the phone computes from its digest password; a short validity window limits how long a captured digest response can be replayed. | 600 (10 minutes)
Enable OAuth Authentication | Applies only to SIP phones. |
Exclude Digest Credentials in Configuration File | When this check box is checked, Cisco Unified Communications Manager omits the digest credentials from the configuration file that the phone downloads from the TFTP server. This option exists for Cisco Unified IP Phones 7905G, 7912G, 7940G, and 7960G (SIP only). |
Name * | Enter a name for the security profile. When you save the new profile, the name appears in the Device Security Profile drop-down list box in the Phone Configuration window for that phone type and protocol. Tip: include the device model and protocol in the profile name so you can find the correct profile when searching for or updating it. |
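The following is an added example, not Cisco code, showing the exchange that the Enable Digest Authentication and Nonce Validity Time settings govern: Cisco Unified Communications Manager answers a REGISTER with a challenge, the phone computes an MD5 digest response from its digest credentials (the RFC 2617 algorithm without qop), and the server verifies it and rejects a nonce older than the validity window. The realm name, user id, password, URI and clock values are constructed for the example and are not taken from the page.

```python
"""SIP digest authentication: challenge, response and nonce expiry.

Added example; not Cisco code. Models the CUCM side (issue nonce, verify
response, expire nonces) and the phone side (compute the response).
Realm, user id, password, URI and clock values are constructed.
"""
import hashlib
import hmac
import os
import time

REALM = "ccmsipline"            # assumed realm name, not taken from the page
NONCE_VALIDITY_SECONDS = 600    # profile default: 600 seconds (10 minutes)


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1 ":" nonce ":" HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")   # the only place the password is used
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def phone_authorize(username, password, method, uri, challenge):
    """Phone side: the Authorization header fields that answer a challenge."""
    return {
        "username": username,
        "realm": challenge["realm"],
        "nonce": challenge["nonce"],
        "uri": uri,
        "response": digest_response(username, challenge["realm"], password,
                                    method, uri, challenge["nonce"]),
    }


class DigestServer:
    """CUCM side: issues nonces and checks responses against stored credentials."""

    def __init__(self, users, nonce_validity=NONCE_VALIDITY_SECONDS, now=time.time):
        self.users = users              # user id -> digest password
        self.nonce_validity = nonce_validity
        self.now = now                  # injectable clock so expiry can be exercised
        self.nonces = {}                # nonce -> time it was issued

    def challenge(self):
        """401 Unauthorized: WWW-Authenticate parameters carrying a fresh nonce."""
        nonce = os.urandom(16).hex()
        self.nonces[nonce] = self.now()
        return {"realm": REALM, "nonce": nonce, "algorithm": "MD5"}

    def verify(self, method, uri, auth):
        """Return (accepted, reason) for a request that carries an Authorization header."""
        issued = self.nonces.get(auth["nonce"])
        if issued is None:
            return False, "unknown nonce"
        if self.now() - issued > self.nonce_validity:
            del self.nonces[auth["nonce"]]        # expired: the phone must be re-challenged
            return False, "stale nonce"
        password = self.users.get(auth["username"])
        if password is None:
            return False, "unknown user"
        expected = digest_response(auth["username"], REALM, password,
                                   method, uri, auth["nonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return False, "bad response"
        return True, "ok"


def run_exchange():
    """One REGISTER exchange, then a replay of the same header after the nonce expires."""
    clock = [1_700_000_000.0]                     # constructed clock under our control
    server = DigestServer({"1001": "s3cret-digest-pw"}, now=lambda: clock[0])
    uri = "sip:cucm.example.test"
    chal = server.challenge()                     # CUCM answers the first REGISTER with 401
    good = phone_authorize("1001", "s3cret-digest-pw", "REGISTER", uri, chal)
    wrong = phone_authorize("1001", "not-the-password", "REGISTER", uri, chal)
    accepted = server.verify("REGISTER", uri, good)
    rejected = server.verify("REGISTER", uri, wrong)
    clock[0] += NONCE_VALIDITY_SECONDS + 1        # step past Nonce Validity Time
    replayed = server.verify("REGISTER", uri, good)  # same header, as captured off the wire
    return accepted, rejected, replayed


if __name__ == "__main__":
    print(run_exchange())
```

Two things worth noticing in the run. The password never travels; only MD5 digests do, which is why the digest password still has to be protected where it is stored (the phone configuration file, hence TFTP Encrypted Config and Exclude Digest Credentials in Configuration File). And within the validity window this server, like digest without qop, accepts the same Authorization header a second time: the nonce lifetime is the only thing bounding a replay, which is the practical reason to keep Nonce Validity Time short and to rely on the Authenticated or Encrypted security mode rather than digest for signaling integrity.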
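The Authentication Mode rules above decide, per phone, which credential CAPF will see and which phones will fail outright. As an added example (not Cisco code), the following encodes that precedence and runs it as a pre-check over a phone inventory before a bulk LSC operation; the inventory, phone names and mode strings are constructed for the example.

```python
"""CAPF Authentication Mode precedence pre-check.

Added example; not Cisco code. Encodes which credential a phone presents
to CAPF under each Authentication Mode, with MIC/LSC precedence for the
two "By Existing Certificate" modes, and flags phones that would fail
because no usable certificate is present. Inventory is constructed.
"""
from dataclasses import dataclass

BY_AUTH_STRING = "By Authentication String"
BY_NULL_STRING = "By Null String"
BY_CERT_LSC_FIRST = "By Existing Certificate (Precedence to LSC)"
BY_CERT_MIC_FIRST = "By Existing Certificate (Precedence to MIC)"


@dataclass(frozen=True)
class Phone:
    name: str
    has_mic: bool   # manufacturer-installed certificate present
    has_lsc: bool   # locally significant certificate present


def capf_credential(mode, phone):
    """Credential the phone uses for a CAPF install/upgrade/troubleshoot, or
    None when the operation fails because the mode needs a certificate the
    phone does not have."""
    if mode == BY_AUTH_STRING:
        return "authentication string"          # the user types it on the phone
    if mode == BY_NULL_STRING:
        return "none"                           # no authentication at all
    if mode == BY_CERT_LSC_FIRST:
        order = (("LSC", phone.has_lsc), ("MIC", phone.has_mic))
    elif mode == BY_CERT_MIC_FIRST:
        order = (("MIC", phone.has_mic), ("LSC", phone.has_lsc))
    else:
        raise ValueError(f"unknown authentication mode: {mode!r}")
    # Only one certificate is ever used, even when both are present.
    for cert, present in order:
        if present:
            return cert
    return None


def precheck(mode, phones):
    """Partition an inventory before a bulk LSC operation: name -> credential
    for phones that will proceed, plus the names of phones that would fail."""
    plan, failures = {}, []
    for phone in phones:
        cred = capf_credential(mode, phone)
        if cred is None:
            failures.append(phone.name)
        else:
            plan[phone.name] = cred
    return plan, failures


# Constructed inventory: both certificates, MIC only, LSC only, none.
INVENTORY = (
    Phone("SEP000000000001", has_mic=True, has_lsc=True),
    Phone("SEP000000000002", has_mic=True, has_lsc=False),
    Phone("SEP000000000003", has_mic=False, has_lsc=True),
    Phone("SEP000000000004", has_mic=False, has_lsc=False),
)

if __name__ == "__main__":
    for mode in (BY_CERT_LSC_FIRST, BY_CERT_MIC_FIRST, BY_NULL_STRING):
        print(mode, precheck(mode, INVENTORY))
```

Running the pre-check before changing the profile shows why the default, By Null String, is the one mode that never fails: it authenticates nobody. The phone with neither certificate fails under both By Existing Certificate modes, and a phone with both certificates switches between LSC and MIC purely on the precedence chosen, which is the knob to turn if the certificate currently taking precedence is compromised.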