Security Guide for Cisco Unified Communications Manager, Release 15 and SUs

• The CTL file must exist on the phone, and the Unified Communications Manager entry and certificate must exist in the file.
• You configured the device for authentication or encryption.

Signaling Authentication

This process, also known as signaling integrity, uses the TLS protocol to validate that no tampering occurred to signaling packets during transmission. Signaling authentication relies on the creation of the Certificate Trust List (CTL) file.

Digest Authentication

This process for SIP trunks and phones allows Unified Communications Manager to challenge the identity of a device that is connecting to Unified Communications Manager. When challenged, the device presents its digest credentials, similar to a username and password, to Unified Communications Manager for verification. If the credentials that are presented match those that are configured in the database for that device, digest authentication succeeds, and Unified Communications Manager processes the SIP request. Be aware that the cluster security mode has no effect on digest authentication.

Note If you enable digest authentication for a device, the device requires a unique digest user ID and password to register.

Note You configure SIP digest credentials in the Unified Communications Manager database for a phone user or application user.

• For applications, you specify digest credentials in the Application User Configuration window.
• For phones that are running SIP, you specify the digest authentication credentials in the End User window. To associate the credentials with the phone after you configure the user, you choose a Digest User, the end user, in the Phone Configuration window. After you reset the phone, the credentials exist in the phone configuration file that the TFTP server offers to the phone. See topics related to encrypted phone configuration file setup to ensure that digest credentials do not get sent in the clear in TFTP downloads.
• For challenges received on SIP trunks, you configure a SIP realm, which specifies the realm username (device or application user) and digest credentials.

When you enable digest authentication for an external phone or trunk that is running SIP and configure digest credentials, Unified Communications Manager calculates a credentials checksum that includes a hash of the username, password, and the realm. The system uses a nonce value, which is a random number, to calculate the MD5 hash. Unified Communications Manager encrypts the values and stores the username and the checksum in the database.

To initiate a challenge, Unified Communications Manager uses a SIP 401 (Unauthorized) message, which includes the nonce and the realm in the header. You configure the nonce validity time in the SIP device security profile for the phone or trunk. The nonce validity time specifies the number of minutes that a nonce value stays valid. When the time interval expires, Unified Communications Manager rejects the external device and generates a new nonce value.
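The challenge, the stored checksum and the nonce validity time described above, as an added illustration that is not Cisco's code and does not reproduce the internal implementation of Unified Communications Manager: it follows the standard SIP digest scheme (RFC 2617 without qop) with a constructed realm, device name and validity time, and shows that the server keeps only the username and checksum, answers with a 401 carrying a fresh nonce, and rejects a response once the nonce validity time has elapsed.

```python
import hashlib
import secrets

# Constructed sample realm and nonce validity (minutes, from the device security profile).
REALM = "ucm.example.com"
NONCE_VALIDITY_MIN = 10


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def credentials_checksum(username, password, realm):
    # What the server stores instead of the password (HA1 in RFC 2617 terms).
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(username, password, realm, nonce, method, uri):
    # What the device sends back after a 401: MD5(HA1 : nonce : MD5(method:uri)).
    ha1 = credentials_checksum(username, password, realm)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    def __init__(self, realm=REALM, nonce_validity_min=NONCE_VALIDITY_MIN):
        self.realm = realm
        self.validity_s = nonce_validity_min * 60
        self.users = {}    # username -> stored checksum (never the password)
        self.nonces = {}   # nonce -> time (seconds) at which it was issued

    def add_user(self, username, password):
        self.users[username] = credentials_checksum(username, password, self.realm)

    def challenge(self, now):
        # The 401 Unauthorized: a fresh random nonce plus the realm in the header.
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = now
        return {"status": 401, "realm": self.realm, "nonce": nonce}

    def verify(self, method, uri, username, nonce, response, now):
        issued = self.nonces.get(nonce)
        if issued is None or now - issued > self.validity_s:
            self.nonces.pop(nonce, None)   # expired or unknown nonce: reject, re-challenge
            return False
        ha1 = self.users.get(username)
        if ha1 is None:
            return False
        expected = md5_hex(f"{ha1}:{nonce}:{md5_hex(f'{method}:{uri}')}")
        return secrets.compare_digest(expected, response)
```

A device that answers with a stale nonce is rejected even when its password is right, which is the behaviour the validity-time setting is meant to enforce.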