Source: cucm/v15/lsc-phone-install/lsc-phone-install.md (page 2)

Note: This document only pertains to phones that support Security By Default (SBD). For example, the 7940 and 7960 phones do not support SBD, nor do the 7935, 7936 and 7937 conference phones. For a list of devices that support SBD in your version of CUCM, navigate to Cisco Unified Reporting > System Reports > Unified CM Phone Feature List and run a report on Feature: Security By Default.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

The Certificate Authority Proxy Function (CAPF) service runs only on the publisher node. The publisher acts as the Certificate Authority (CA), that is, the signer of the LSC.

MICs versus LSCs

If you use certificate-based authentication for 802.1X or AnyConnect Phone VPN, it is important to understand the difference between Manufacturing Installed Certificates (MICs) and Locally Significant Certificates (LSCs). Every Cisco phone comes with a MIC pre-installed at the factory. This certificate is signed by one of the Cisco Manufacturing CA certificates: Cisco Manufacturing CA, Cisco Manufacturing CA SHA2, CAP-RTP-001 or CAP-RTP-002. When the phone presents this certificate, it proves that it is a genuine Cisco phone, but it does not prove that the phone belongs to a specific user or CUCM cluster. It could be a rogue phone purchased on the open market or brought over from a different site.

LSCs, on the other hand, are intentionally installed on phones by an administrator and are signed by the CUCM Publisher's CAPF certificate. Configure 802.1X or AnyConnect VPN to trust only LSCs issued by known CAPF certificate authorities. Basing certificate authentication on LSCs instead of MICs gives you much more granular control over which phone devices are trusted.
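As an added example that is not part of the Cisco document, the following Go program models the trust decision described above with a constructed lab PKI (the CA names and the SEP phone names are made up): a phone certificate is accepted only if it chains to a known CAPF root, so an LSC passes while a MIC signed by a manufacturing CA is rejected even though the MIC itself is a valid certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for cn under parent/parentKey; a nil parent yields a self-signed root.
// Constructed lab PKI only: none of these are real Cisco manufacturing or CAPF certificates.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign } // only a CA (CAPF or manufacturing) signs phone certs
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert, key
}

// TrustedPhoneCert applies the 802.1X / AnyConnect policy from the text: a phone certificate is
// accepted only if it chains to a known CAPF root, so a MIC from a manufacturing CA is rejected.
func TrustedPhoneCert(phone *x509.Certificate, capfRoots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range capfRoots { pool.AddCert(r) }
	_, err := phone.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
func main() {
	capf, capfKey := issue("CAPF-lab (constructed)", true, nil, nil)
	mfg, mfgKey := issue("Manufacturing-CA-lab (constructed)", true, nil, nil)
	lsc, _ := issue("SEP001122334455 LSC", false, capf, capfKey)
	mic, _ := issue("SEP001122334455 MIC", false, mfg, mfgKey)
	fmt.Println("LSC trusted:", TrustedPhoneCert(lsc, capf), "MIC trusted:", TrustedPhoneCert(mic, capf))
}
```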
Configure

Network Topology

These CUCM lab servers were used for this document:

• CUCM Publisher and TFTP server
• CUCM Subscriber and TFTP server

Verify that the CAPF certificate has not expired, nor is about to expire in the near future. Navigate to Cisco Unified OS Administration > Security > Certificate Management, then Find Certificate List where Certificate is exactly CAPF, as shown in the image.