Cisco Call Manager Device Security Profile
Posted by Paul Tuttle, Last modified by Paul Tuttle on 20 June 2017 08:54 AM
Cisco Call Manager uses profiles to keep track of the different security profiles, or security levels, for devices. This lets the permission level of every device be managed in a single place: the network admin sets privilege levels simply by creating different profiles and assigning devices to them. In the setup guide for CUCM we recommend using either the Third-Party SIP Device Basic-Standard SIP Non-Secure Profile or the Third-Party SIP Device Advanced-Standard SIP Non-Secure Profile, depending on the type of device being used. The profiles we recommend are non-secure profiles. This means that no authentication is done when our endpoints attempt to register. This may be acceptable for some users, but security is an ever-growing concern, so many users will likely create their own security profiles to help secure their devices. Some will undoubtedly run into issues when creating their own profiles. Currently the process for making a security profile is as follows:
From the CM Administration Page Browse to System -> Security -> Phone Security Profile.
On the Phone Security Profile page press the 'Add New' button.
On the following page select Third-Party SIP Device (Basic) or Third-Party SIP Device (Advanced), depending on the device in question.
The security profile configuration page is limited for third-party devices, as many of the authentication processes used with CUCM are unique to Cisco phones. The configurable options are:
Nonce Validity Time*: 600 (Default Value)
Transport Type*: TCP+UDP (Default Value)
Enable Digest Authentication
SIP Phone Port*: 5060 (Default Value)
Here is a test profile that I created when testing:
Description: Paul's Test Security Profile
Nonce Validity Time: 600
Transport Type: UDP
Digest Authentication Enabled
SIP Phone Port 5060
This is the most basic configuration, and it is shared by both Third-Party SIP Device profiles. If some authentication is desired, the user should check 'Enable Digest Authentication', then save and apply the config.
Now that the phones have a profile that expects a password, we must give each user's profile 'Digest Credentials'. This is done through the End User Configuration page (User Management -> End User). The Digest Credentials fields are at the bottom of the User Information section. The password used for Digest Authentication must be entered as the Primary AUTH Password on the respective CyberData device.
Once this is done the devices will be authenticated when connecting to the server.
Note: Since Digest Authentication is being used, the server is going to challenge every SIP packet sent to the server. This could introduce some network congestion from the added authentication traffic.
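To make the challenge/response behind these settings concrete, the following is an added example (not part of this article, and not CUCM's or CyberData's code) that models both sides of SIP digest authentication: the device computes the RFC 3261 digest from its Primary AUTH Password, and the server checks it against the user's Digest Credentials and rejects nonces older than the profile's 600-second Nonce Validity Time. The realm string, nonce construction, user name and passwords are constructed sample values.

```python
import hashlib
import hmac
# Constructed sample values for illustration; none come from the article or a real CUCM.
REALM = "ccmsipline"           # assumed realm; CUCM's actual realm string is not on the page
NONCE_VALIDITY_SECONDS = 600   # the profile's Nonce Validity Time

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    """Device side: the RFC 3261 digest (no qop) a phone places in its Authorization header."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")   # password = Primary AUTH Password
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class DigestVerifier:
    """Server side: issues nonces, enforces their validity window, checks responses."""
    def __init__(self, credentials, validity=NONCE_VALIDITY_SECONDS):
        self.credentials = credentials   # {username: Digest Credentials} from End User config
        self.validity = validity
        self.issued = {}                 # nonce -> time it was issued

    def challenge(self, now):
        nonce = md5_hex(f"{now}:{len(self.issued)}:server-secret")  # constructed nonce
        self.issued[nonce] = now
        return nonce

    def verify(self, username, method, uri, nonce, response, now):
        issued = self.issued.get(nonce)
        if issued is None or now - issued > self.validity:
            return "stale"            # a real server re-challenges with a fresh nonce
        password = self.credentials.get(username)
        if password is None:
            return "unknown-user"
        expected = digest_response(username, REALM, password, method, uri, nonce)
        return "ok" if hmac.compare_digest(expected, response) else "bad-credentials"

def demo():
    # Register one device three ways: matching password, mismatched password, expired nonce.
    server = DigestVerifier({"1001": "correct-horse"})
    uri = "sip:cucm.example.invalid"
    t0 = 1_000_000
    nonce = server.challenge(t0)
    good = digest_response("1001", REALM, "correct-horse", "REGISTER", uri, nonce)
    bad = digest_response("1001", REALM, "wrong-pass", "REGISTER", uri, nonce)
    return (
        server.verify("1001", "REGISTER", uri, nonce, good, t0 + 5),
        server.verify("1001", "REGISTER", uri, nonce, bad, t0 + 5),
        server.verify("1001", "REGISTER", uri, nonce, good, t0 + 601),
    )
```

The third case is why a mismatch between the device's Primary AUTH Password and the user's Digest Credentials, or a device that replays an old challenge, shows up as repeated 401 challenges rather than a registration.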