McDewey

Multi-vendor documentation library · semantic search · MCP endpoint at /mcp

Page 103

↗ View in doc context
page
103
source
cucm/v15/security-guide/security-guide.md
chunk_id
cucm::v15::security-guide::security-guide::94

CAPF Examples with 7942 and 7962 Phones Consider how CAPF interacts with the Cisco Unified IP Phone 7962 and 7942 when a user or Unified Communications Manager resets the phone. In the examples, CAPF certificate operation fails if LSC doesn't exist in the phone and you choose By Existing Certificate for the CAPF Authentication Mode. Note Example-Nonsecure Device Security Mode The phone resets after you configure the Device Security Mode to Nonsecure and the CAPF Authentication Mode to By Null String or By Existing Certificate (Precedence). After the phone resets, it immediately registers with the primary Unified Communications Manager and receives the configuration file. The phone then automatically initiates a session with CAPF to download the LSC. After the phone installs the downloaded LSC, configure the Device Security Mode to Authenticated or Encrypted. Example-Authenticated/Encrypted Device Security Mode The phone resets after you configure the Device Security Mode to Authenticated or Encrypted and the CAPF Authentication Mode to By Null String or By Existing Certificate (Precedence). The phone doesn’t register with the primary Unified Communications Manager until the CAPF session ends and the phone installs the LSC. After the session ends, the phone registers and immediately runs in authenticated or encrypted mode. You can’t configure By Authentication String in this example because the phone doesn’t automatically contact the CAPF server. The registration fails if the phone doesn’t have a valid LSC. CAPF Interaction with IPv6 Addressing CAPF issues and upgrades certificates to a phone that uses an IPv4, an IPv6, or both types of addresses. To issue or upgrade certificates for phones running SCCP using an IPv6 address, set the Enable IPv6 service parameter to True in Cisco Unified Communications Manager Administration. CAPF uses configurations from Enable IPv6 enterprise parameter to issue or upgrade the certificate to the phone. If the enterprise parameter is False, CAPF ignores/rejects connections from phones that use IPv6 addresses, and the phone doesn’t receive the certificate. The following table describes how a phone that has an IPv4, IPv6, or both types of addresses connects to CAPF. Table 17: How IPv6 or IPv4 Phone Connects to CAPF How Phone Connects to CAPF CAPF IP Address IP Addresses on Phone IP Mode of Phone Phone uses an IPv6 address to connect to CAPF. If the phone can’t connect through an IPv6 address, it attempts to connect by using an IPv4 address. IPv4, IPv6 IPv4 and IPv6 available Two stack Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 85 Basic System Security CAPF Examples with 7942 and 7962 Phones