Cisco Call Manager Device Security Profile

Cisco Call Manager uses security profiles to keep track of the different security levels for devices, so that the permission levels for each device are managed in a single place. Profiles let the network admin set privilege levels easily by creating different profiles. In the setup guide for CUCM we recommend using either the Third-Party SIP Device Basic - Standard SIP Non-Secure Profile or the Third-Party SIP Device Advanced - Standard SIP Non-Secure Profile, depending on the type of device being used. The profiles that we recommend are non-secure profiles, meaning that no authentication is done when our endpoints attempt to register. This may be acceptable for some users, but security is an ever-growing concern, so it is likely that many users will create their own security profiles to help secure their devices. People will undoubtedly run into issues when trying to create their own profiles. Currently the process for making a security profile is:

From the CM Administration page, browse to System -> Security -> Phone Security Profile.

On the Phone Security Profile page, press the 'Add New' button.

On the following page, select Third-Party SIP Device (Basic) or Third-Party SIP Device (Advanced), depending on the device in question.

The security profile configuration page is limited for third-party devices, as many of the authentication processes used with CUCM are unique to Cisco phones. The configurable options are:

Name*:

Description:

Nonce Validity Time*: 600 (Default Value)

Transport Type*: TCP+UDP (Default Value)

Enable Digest Authentication

SIP Phone Port*: 5060 (Default Value)

Here is a test profile that I created when testing:

Name: CyberTest

Description: Paul's Test Security Profile

Nonce Validity Time: 600

Transport Type: UDP

Digest Authentication Enabled

SIP Phone Port 5060


This is the most basic configuration, and it is shared by both Third-Party SIP Device profiles. If the user wants some authentication, they should check 'Enable Digest Authentication', then save and apply the config.


Now that the phones have a profile that expects a password, we must give each user's profile 'Digest Credentials'. This is done through the End User Configuration page (User Management -> End User). The Digest Credentials fields are at the bottom of the User Information section. The password used for Digest Authentication must be entered as the Primary AUTH Password on the respective CyberData device.


Once this is done, the devices will be authenticated when connecting to the server.

Note: Since Digest Authentication is being used, the server will challenge every SIP request sent to it. This can add some network congestion from the additional authentication traffic.
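As an added illustration (not from the original article, and not CyberData or Cisco code), here is a Python model of the exchange these settings govern: the device computes the SIP digest response from its Primary AUTH Password, and the server checks it against the End User's Digest Credentials while enforcing the Nonce Validity Time. The realm, usernames, passwords and nonce format are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for this example; not real CUCM credentials.
REALM = "cucm.example.com"
NONCE_VALIDITY_SECONDS = 600          # the profile's Nonce Validity Time (default 600)
END_USER_DIGEST_CREDENTIALS = {"1001": "S3cretDigestPw"}   # End User -> Digest Credentials


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, realm, method, uri, nonce):
    """Device side: RFC 2617 digest without qop, as used for SIP challenges.
    'password' is what the device holds as its Primary AUTH Password."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def issue_nonce(now: int) -> str:
    """Server side: a nonce that embeds its issue time (assumed format) so staleness can be checked."""
    return f"{now}.{secrets.token_hex(8)}"


def nonce_is_stale(nonce: str, now: int, validity: int = NONCE_VALIDITY_SECONDS) -> bool:
    issued = int(nonce.split(".", 1)[0])
    return now - issued > validity


def verify_register(username, method, uri, nonce, response, now,
                    digest_enabled=True, credentials=END_USER_DIGEST_CREDENTIALS):
    """Server side: outcome of a REGISTER under the profile's settings. Returns one of
    'accepted-unauthenticated', 'unknown-user', 'stale-nonce', 'bad-credentials' or 'ok'."""
    if not digest_enabled:                 # Non-Secure profile: nothing is checked
        return "accepted-unauthenticated"
    if username not in credentials:        # no End User with Digest Credentials for this name
        return "unknown-user"
    if nonce_is_stale(nonce, now):         # past Nonce Validity Time: device must retry with a fresh nonce
        return "stale-nonce"
    expected = digest_response(username, credentials[username], REALM, method, uri, nonce)
    if hmac.compare_digest(expected, response):   # constant-time compare of the two digests
        return "ok"
    return "bad-credentials"               # Primary AUTH Password does not match Digest Credentials


if __name__ == "__main__":
    now = 1_700_000_000
    nonce = issue_nonce(now)
    resp = digest_response("1001", "S3cretDigestPw", REALM, "REGISTER", "sip:cucm.example.com", nonce)
    print(verify_register("1001", "REGISTER", "sip:cucm.example.com", nonce, resp, now))        # ok
    print(verify_register("1001", "REGISTER", "sip:cucm.example.com", nonce, resp, now + 601))  # stale-nonce
```

The non-secure path shows why the recommended profiles accept any registration: with digest disabled, the credentials dictionary is never consulted.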
