CHAPTER 66

SIP OAuth Mode

• SIP OAuth Mode Overview
• SIP OAuth Mode Prerequisites
• SIP OAuth Mode Configuration Task Flow

SIP OAuth Mode Overview

Secure registration to Unified Communications Manager involves a process of updating CTL files, setting up a mutual certificate trust store, and so on. If devices switch between on-premises and off-premises, it is difficult to update LSCs and renew Certificate Authority Proxy Function (CAPF) enrollment each time a secure registration is completed.

SIP OAuth mode allows you to use OAuth refresh tokens for all device authentication in secure environments. This feature enhances the security of Unified Communications Manager. Unified Communications Manager verifies the token presented by the endpoints and serves the configuration files only to authorized ones. OAuth token validation during SIP registration is completed when OAuth-based authorization is enabled on the Unified Communications Manager cluster and other Cisco devices.

OAuth support for SIP registrations is extended for:

• Cisco Jabber devices from Unified Communications Manager Release 12.5 onwards
• SIP Phones from Unified Communications Manager Release 14 onwards

By default, TFTP is secure for SIP phones when SIP OAuth is enabled. TFTP file download happens through a secured channel, and only for authenticated phones. SIP OAuth provides end-to-end secure signaling and media encryption without CAPF, on-premises as well as over MRA.

Note: The following are the Phone Security Profile Types that can be configured for OAuth:

• Cisco Dual Mode For iPhone (TCT device)
• Cisco Dual Mode For Android (BOT device)
• Cisco Unified Client Service Framework (CSF device)
• Cisco Jabber for Tablet (TAB device)

Feature Configuration Guide for Cisco Unified Communications Manager, Release 15 and SUs
