Jabber authentication

Abdo Ahmed Saleh Al-Kaf · ‎02-18-2014

Hi all,

I have issue with cisco jabber voice that any user can type the server address and device ID of any other user and can used his extension

Can we sign the end user password/PIN authentication for accessing?

Thanks

Abdul

Chris Deren · ‎02-18-2014

Which Jabber are you alluding to?

Normally Jabber requires password to authenticate which typically is LDAP password, so not sure what you are seeing.

Chris

Abdo Ahmed Saleh Al-Kaf · ‎02-22-2014

Hi Chris,

I am using "Cisco jabber Voice" Version: 9.1.5 from Samsung play store

When I install it in phone services settings it's only ask for

Device ID:

Server Address:

one time setup then I got the extension of the Device ID there is no any verification LDAP.

Thanks

Abdul

Jonathan Schulenberg · ‎02-23-2014

Interesting. It appears this app doesn't query any of the normal Tomcat services (e.g. CCMCIP) that would require End User authentication. The admin guide supports your statement that you only need a TCT device ID and TFTP server address.

Normally, the way to address this would be SIP Digest Authentication. Unfortuantely, Jabber and/or CUCM decide to embed the digest credentials into the TFTP XML config file, rendering the security feature entirely useless without a mixed-mode cluster.

In this instance, I believe you're stuck from a security perspective. Not at all useful but worth noting: this is the same level of security every other CUCM device, including physical phones, have operated under from the beginning. Anyone with any degree of motivation could do emulate another device using [redacted] client application as long as they knew the model and MAC address of the device... which they can get from the webpage of the phone if they know it's IP address... which they can see by calling it and sniffing the RTP traffic when the call connects.

Please remember to rate helpful responses and identify helpful or correct answers.