Model: device/cucm/PhoneSecurityProfile

Model Details: device/cucm/PhoneSecurityProfile

Title Description Details
SIP Phone Port This setting applies to phones that are running SIP that use UDP transport. Enter the port number for Cisco Unified IP Phones (SIP only) that use UDP to listen for SIP messages from Cisco Unified Communications Manager. The default setting equals 5060. Phones that use TCP or TLS ignore this setting. Default: 5060
  • Field Name: sipPhonePort
  • Type: Integer
  • Cardinality: [0..1]
  • Default: 5060
Transport Type When Device Security Mode is Non Secure, choose one of the following options from the drop-down list box (some options may not display): TCP—Choose the Transmission Control Protocol to ensure that packets get received in the same order as the order in which they are sent. This protocol ensures that no packets get dropped, but the protocol does not provide any security. UDP—Choose the User Datagram Protocol to ensure that packets are received quickly. This protocol, which can drop packets, does not ensure that packets are received in the order in which they are sent. This protocol does not provide any security. TCP + UDP—Choose this option if you want to use a combination of TCP and UDP. This option does not provide any security. When Device Security Mode is Authenticated or Encrypted, TLS specifies the Transport Type. TLS provides signaling integrity, device authentication, and signaling encryption (encrypted mode only) for SIP phones. If Device Security Mode cannot be configured in the profile, the transport type specifies UDP. Default: TCP+UDP
  • Field Name: transportType
  • Type: String
  • Cardinality: [0..1]
  • Default: TCP+UDP
  • Choices: ["TCP", "UDP", "TLS", "TCP+UDP"]
Device Protocol *
  • Field Name: protocol
  • Type: ["String", "Null"]
  • Cardinality: [1..1]
  • Choices: ["SCCP", "Digital Access PRI", "H.225", "Analog Access", "Digital Access T1", "Route Point", "Unicast Bridge", "Multicast Point", "Inter-Cluster Trunk", "RAS", "Digital Access BRI", "SIP", "MGCP", "Static SIP Mobile Subscriber", "SIP Connector", "Remote Destination", "Mobile Smart Client", "Digital Access E1 R2", "CTI Remote Device", "Protocol Not Specified"]
Name * Enter a name for the security profile. When you save the new profile, the name displays in the Device Security Profile drop-down list box in the Phone Configuration window for the phone type and protocol. Tip: Include the device model and protocol in the security profile name to help you find the correct profile when you are searching for or updating a profile.
  • Field Name: name
  • Type: String
  • Cardinality: [1..1]
TFTP Encrypted Config When this check box is checked, Cisco Unified Communications Manager encrypts phone downloads from the TFTP server. This option exists for Cisco phones only. Tip: Cisco recommends that you enable this option and configure a symmetric key to secure digest credentials and administrative passwords.
  • Field Name: tftpEncryptedConfig
  • Type: Boolean
  • Cardinality: [0..1]
Description Enter a description for the security profile.
  • Field Name: description
  • Type: ["String", "Null"]
  • Cardinality: [0..1]
Enable Digest Authentication If you check this check box, Cisco Unified Communications Manager challenges all SIP requests from the phone. Digest authentication does not provide device authentication, integrity, or confidentiality. Choose a security mode of authenticated or encrypted to use these features.
  • Field Name: enableDigestAuthentication
  • Type: Boolean
  • Cardinality: [0..1]
Nonce Validity Time Enter the time, in seconds, that the nonce value is valid. The default value equals 600 (10 minutes). When the time expires, Cisco Unified Communications Manager generates a new value. Note: A nonce value, a random number that supports digest authentication, is used to calculate the MD5 hash of the digest authentication password. Default: 600
  • Field Name: nonceValidityTime
  • Type: Integer
  • Cardinality: [0..1]
  • Default: 600
Authentication Mode This field allows you to choose the authentication method that the phone uses during the CAPF certificate operation. This option exists for Cisco phones only. From the drop-down list box, choose one of the following options: By Authentication String—Installs/upgrades or troubleshoots a locally significant certificate only when the user enters the CAPF authentication string on the phone. By Null String—Installs/upgrades or troubleshoots a locally significant certificate without user intervention. This option provides no security; Cisco strongly recommends that you choose this option only for closed, secure environments. By Existing Certificate (Precedence to LSC)—Installs/upgrades or troubleshoots a locally significant certificate if a manufacture-installed certificate (MIC) or locally significant certificate (LSC) exists in the phone. If an LSC exists in the phone, authentication occurs via the LSC, regardless of whether a MIC exists in the phone. If an LSC does not exist in the phone, but a MIC does exist, authentication occurs via the MIC. Before you choose this option, verify that a certificate exists in the phone. If you choose this option and no certificate exists in the phone, the operation fails. At any time, the phone uses only one certificate to authenticate to CAPF even though a MIC and LSC can exist in the phone at the same time. If the primary certificate, which takes precedence, becomes compromised for any reason, or if you want to authenticate via the other certificate, you must update the authentication mode. By Existing Certificate (Precedence to MIC)—Installs/upgrades or troubleshoots a locally significant certificate if an LSC or MIC exists in the phone. If a MIC exists in the phone, authentication occurs via the MIC, regardless of whether an LSC exists in the phone. If an LSC exists in the phone, but a MIC does not exist, authentication occurs via the LSC. Before you choose this option, verify that a certificate exists in the phone. If you choose this option and no certificate exists in the phone, the operation fails. Note: The CAPF settings that are configured in the Phone Security Profile window interact with the CAPF parameters that are configured in the Phone Configuration window. Refer to the Default: By Null String
  • Field Name: authenticationMode
  • Type: String
  • Cardinality: [0..1]
  • Default: By Null String
  • Choices: ["By Authentication String", "By Null String", "By Existing Certificate (precedence to LSC)", "By Existing Certificate (precedence to MIC)"]
Key Size (Bits) For this setting that is used for CAPF, choose the key size for the certificate from the drop-down list box. The default setting equals 1024. The other option for key size is 512. If you choose a higher key size than the default setting, the phones take longer to generate the entropy that is required to generate the keys. Key generation, which is set at low priority, allows the phone to function while the action occurs. Depending on the phone model, you may notice that key generation takes up to 30 or more minutes to complete. Note: The CAPF settings that are configured in the Phone Security Profile window interact with the CAPF parameters that are configured in the Phone Configuration window. Default: 2048
  • Field Name: keySize
  • Type: String
  • Cardinality: [0..1]
  • Default: 2048
  • Choices: ["512", "1024", "2048", "3072", "4096"]
Enable O Auth Authentication Applicable only for SIP phones
  • Field Name: EnableOAuthAuthentication
  • Type: Boolean
  • Cardinality: [0..1]
Key Order Applicable only for SIP phones. Default: RSA Only
  • Field Name: keyOrder
  • Type: String
  • Cardinality: [0..1]
  • Default: RSA Only
  • Choices: ["RSA Only", "EC Only", "EC Preferred, RSA Backup"]
Phone Security Profile Type *
  • Field Name: phoneType
  • Type: ["String", "Null"]
  • Cardinality: [1..1]
  • Choices: ["Cisco 30 SP+", "Cisco 12 SP+", "Cisco 12 SP", "Cisco 12 S", "Cisco 30 VIP", "Cisco 7910", "Cisco 7960", "Cisco 7940", "Cisco 7935", "Cisco VGC Phone", "Cisco VGC Virtual Phone", "Cisco ATA 186", "EMCC Base Phone", "SCCP Phone", "Analog Access", "Digital Access", "Digital Access+", "Digital Access WS-X6608", "Analog Access WS-X6624", "VGC Gateway", "Conference Bridge", "Conference Bridge WS-X6608", "Cisco IOS Conference Bridge (HDV2)", "Cisco Conference Bridge (WS-SVC-CMM)", "H.323 Phone", "H.323 Gateway", "Music On Hold", "Device Pilot", "CTI Port", "CTI Route Point", "Voice Mail Port", "Cisco IOS Software Media Termination Point (HDV2)", "Cisco Media Server (WS-SVC-CMM-MS)", "Cisco Video Conference Bridge (IPVC-35xx)", "Cisco IOS Heterogeneous Video Conference Bridge", "Cisco IOS Guaranteed Audio Video Conference Bridge", "Cisco IOS Homogeneous Video Conference Bridge", "Route List", "Load Simulator", "Media Termination Point", "Media Termination Point Hardware", "Cisco IOS Media Termination Point (HDV2)", "Cisco Media Termination Point (WS-SVC-CMM)", "Cisco 7941", "Cisco 7971", "MGCP Station", "MGCP Trunk", "GateKeeper", "7914 14-Button Line Expansion Module", "Trunk", "Tone Announcement Player", "SIP Trunk", "SIP Gateway", "WSM Trunk", "Remote Destination Profile", "7915 12-Button Line Expansion Module", "7915 24-Button Line Expansion Module", "7916 12-Button Line Expansion Module", "7916 24-Button Line Expansion Module", "CKEM 36-Button Line Expansion Module", "SPA8800", "Unknown MGCP Gateway", "Unknown", "Cisco 7985", "Cisco 7911", "Cisco 7961G-GE", "Cisco 7941G-GE", "Motorola CN622", "Third-party SIP Device (Basic)", "Cisco 7931", "Cisco Unified Personal Communicator", "Cisco 7921", "Cisco 7906", "Third-party SIP Device (Advanced)", "Cisco TelePresence", "Nokia S60", "Cisco 7962", "Cisco 3951", "Cisco 7937", "Cisco 7942", "Cisco 7945", "Cisco 7965", "Cisco 7975", "Cisco 3911", "Cisco Unified Mobile Communicator", "Cisco TelePresence 1000", 
"Cisco TelePresence 3000", "Cisco TelePresence 3200", "Cisco TelePresence 500-37", "Cisco 7925", "Cisco 9971", "Cisco 6921", "Cisco 6941", "Cisco 6961", "Cisco Unified Client Services Framework", "Cisco TelePresence 1300-65", "Cisco TelePresence 1100", "Transnova S3", "BlackBerry MVS VoWifi", "Cisco 9951", "Cisco 8961", "Cisco 6901", "Cisco 6911", "Cisco ATA 187", "Cisco TelePresence 200", "Cisco TelePresence 400", "Cisco Dual Mode for iPhone", "Cisco 6945", "Cisco Dual Mode for Android", "Cisco 7926", "Cisco E20", "Generic Single Screen Room System", "Generic Multiple Screen Room System", "Cisco TelePresence EX90", "Cisco 8945", "Cisco 8941", "Generic Desktop Video Endpoint", "Cisco TelePresence 500-32", "Cisco TelePresence 1300-47", "Cisco 3905", "Cisco Cius", "VKEM 36-Button Line Expansion Module", "Cisco TelePresence TX1310-65", "Cisco TelePresence MCU", "Ascom IP-DECT Device", "Cisco TelePresence Exchange System", "Cisco TelePresence EX60", "Cisco TelePresence Codec C90", "Cisco TelePresence Codec C60", "Cisco TelePresence Codec C40", "Cisco TelePresence Quick Set C20", "Cisco TelePresence Profile 42 (C20)", "Cisco TelePresence Profile 42 (C60)", "Cisco TelePresence Profile 52 (C40)", "Cisco TelePresence Profile 52 (C60)", "Cisco TelePresence Profile 52 Dual (C60)", "Cisco TelePresence Profile 65 (C60)", "Cisco TelePresence Profile 65 Dual (C90)", "Cisco TelePresence MX200", "Cisco TelePresence TX9000", "Cisco TelePresence TX9200", "Cisco 7821", "Cisco 7841", "Cisco 7861", "Cisco TelePresence SX20", "Cisco TelePresence MX300", "IMS-integrated Mobile (Basic)", "Third-party AS-SIP Endpoint", "Cisco Cius SP", "Cisco TelePresence Profile 42 (C40)", "Cisco VXC 6215", "CTI Remote Device", "Usage Profile", "Carrier-integrated Mobile", "Universal Device Template", "Cisco DX650", "Cisco Unified Communications for RTX", "Cisco Jabber for Tablet", "Cisco 8831", "Cisco ATA 190", "Cisco TelePresence SX10", "Cisco 8841", "Cisco 8851", "Cisco 8861", "Cisco TelePresence SX80", "Cisco TelePresence MX200 G2", "Cisco TelePresence MX300 G2", "Cisco 7905", "Cisco 7920", "Cisco 7970", "Cisco 7912", "Cisco 7902", "Cisco IP Communicator", "Cisco 7961", "Cisco 7936", "Analog Phone", "ISDN BRI Phone", "SCCP gateway virtual phone", "IP-STE", "Cisco TelePresence Conductor", "Cisco DX80", "Cisco DX70", "BEKEM 36-Button Line Expansion Module", "Cisco TelePresence MX700", "Cisco TelePresence MX800", "Cisco TelePresence IX5000", "Cisco 7811", "Cisco 8821", "Cisco 8811", "Interactive Voice Response", "Cisco 8845", "Cisco 8865", "Cisco TelePresence MX800 Dual", "Cisco 8851NR", "Cisco Spark Remote Device", "Cisco Webex DX80", "Cisco TelePresence DX70", "Cisco 7832", "Cisco 8865NR", "Cisco Meeting Server", "Cisco Webex Room Kit", "Cisco Webex Room 55", "Cisco Webex Room Kit Plus", "CP-8800-Video 28-Button Key Expansion Module", "CP-8800-Audio 28-Button Key Expansion Module", "Cisco 8832", "Cisco Webex Room 70 Single", "Cisco 8832NR", "Cisco ATA 191", "Cisco Collaboration Mobile Convergence", "Cisco Webex Room 70 Dual", "Cisco Webex Room Kit Pro", "Cisco Webex Room 55 Dual", "Cisco Webex Room 70 Single G2", "Cisco Webex Room 70 Dual G2", "SIP Station", "Cisco Webex Room Kit Mini", "Cisco Webex VDI Svc Framework", "Cisco Webex Board 55", "Cisco Webex Board 70", "Cisco Webex Board 85", "Cisco Webex Desk Pro", "Cisco Webex Room Panorama", "Cisco Webex Room 70 Panorama", "Cisco Webex Room Phone", "Cisco 860", "Cisco Webex Desk LE"]
Ec Key Size For this setting that is used for CAPF, choose the key size for the certificate from the drop-down list box. The default setting equals 1024. The other option for key size is 512. If you choose a higher key size than the default setting, the phones take longer to generate the entropy that is required to generate the keys. Key generation, which is set at low priority, allows the phone to function while the action occurs. Depending on the phone model, you may notice that key generation takes up to 30 or more minutes to complete. Note: The CAPF settings that are configured in the Phone Security Profile window interact with the CAPF parameters that are configured in the Phone Configuration window.
  • Field Name: ecKeySize
  • Type: String
  • Cardinality: [0..1]
  • Choices: ["256", "384", "521"]
Exclude Digest Credentials in Configuration File When this check box is checked, Cisco Unified Communications Manager omits digest credentials in phone downloads from the TFTP server. This option exists for Cisco Unified IP Phones 7905G, 7912G, 7940G, and 7960G (SIP only).
  • Field Name: excludeDigestCredentials
  • Type: Boolean
  • Cardinality: [0..1]
Device Security Mode From the drop-down list box, choose one of the following options: Non Secure—No security features except image, file, and device authentication exist for the phone. A TCP connection opens to Cisco Unified Communications Manager. Authenticated—Cisco Unified Communications Manager provides integrity and authentication for the phone. A TLS connection that uses NULL/SHA opens for signaling. Encrypted—Cisco Unified Communications Manager provides integrity, authentication, and encryption for the phone. A TLS connection that uses AES128/SHA opens for signaling, and SRTP carries the media for all phone calls on all SRTP-capable hops.
  • Field Name: deviceSecurityMode
  • Type: ["String", "Null"]
  • Cardinality: [0..1]
  • Choices: ["Non Secure", "Authenticated", "Encrypted"]
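
The field rules above can be checked mechanically before a profile is pushed to a cluster. The following Python audit is an added example, not code from Cisco or from this model's tooling: it validates a profile against the documented choices, defaults and cardinalities, and flags the settings this page itself describes as providing no security. It assumes a profile is a plain dict keyed by the Field Names above; the function name `audit_profile`, the severity labels, the 2048-bit RSA threshold and the sample records are assumptions made for the example.

```python
# Added example (not Cisco's code). Assumption: a profile is a dict keyed by the
# Field Names on this page; unset optional fields take the documented defaults.
CHOICES = {
    "transportType": {"TCP", "UDP", "TLS", "TCP+UDP"},
    "deviceSecurityMode": {"Non Secure", "Authenticated", "Encrypted"},
    "keySize": {"512", "1024", "2048", "3072", "4096"},
    "ecKeySize": {"256", "384", "521"},
    "keyOrder": {"RSA Only", "EC Only", "EC Preferred, RSA Backup"},
    "authenticationMode": {
        "By Authentication String", "By Null String",
        "By Existing Certificate (precedence to LSC)",
        "By Existing Certificate (precedence to MIC)"},
}
DEFAULTS = {"transportType": "TCP+UDP", "authenticationMode": "By Null String",
            "keySize": "2048", "keyOrder": "RSA Only", "nonceValidityTime": 600}
REQUIRED = ("name", "protocol", "phoneType")  # cardinality [1..1]


def audit_profile(profile):
    """Return (severity, field, message) findings for one profile dict."""
    p = {**DEFAULTS, **profile}
    out = [("error", f, "required field is missing") for f in REQUIRED if not p.get(f)]
    for field, allowed in CHOICES.items():
        if p.get(field) is not None and p[field] not in allowed:
            out.append(("error", field, f"{p[field]!r} is not a documented choice"))
    mode = p.get("deviceSecurityMode")
    secure = mode in ("Authenticated", "Encrypted")
    if secure and p["transportType"] != "TLS":
        out.append(("error", "transportType", f"{mode} mode uses TLS"))
    if not secure:  # assumption: an unset mode is treated like Non Secure
        out.append(("high", "deviceSecurityMode", "no signaling integrity or encryption"))
    elif mode == "Authenticated":
        out.append(("medium", "deviceSecurityMode", "NULL/SHA: signaling is not encrypted"))
    if p["authenticationMode"] == "By Null String":
        out.append(("high", "authenticationMode", "CAPF operation needs no authentication"))
    if p.get("enableDigestAuthentication") and not secure:
        out.append(("medium", "enableDigestAuthentication",
                    "digest alone gives no device authentication, integrity or confidentiality"))
    if not p.get("tftpEncryptedConfig"):
        out.append(("medium", "tftpEncryptedConfig", "TFTP phone downloads are not encrypted"))
    # Assumption (not from the page): RSA keys below 2048 bits are treated as weak.
    if p["keyOrder"] != "EC Only" and p["keySize"] in ("512", "1024"):
        out.append(("high", "keySize", f"{p['keySize']}-bit RSA key"))
    return out


# Constructed sample records, not taken from a real cluster.
WEAK = {"name": "Cisco 8851 - SIP - lab", "protocol": "SIP", "phoneType": "Cisco 8851",
        "deviceSecurityMode": "Non Secure", "enableDigestAuthentication": True, "keySize": "1024"}
HARDENED = {"name": "Cisco 8851 - SIP - encrypted", "protocol": "SIP", "phoneType": "Cisco 8851",
            "deviceSecurityMode": "Encrypted", "transportType": "TLS", "tftpEncryptedConfig": True,
            "authenticationMode": "By Existing Certificate (precedence to LSC)", "keySize": "2048"}

if __name__ == "__main__":
    for label, record in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_profile(record))
```

Note that a record which leaves `authenticationMode` unset is still flagged, because the documented default is By Null String.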