10-05-2009 12:53 PM - edited 03-12-2019 09:21 AM
Note: With the release of CUCM 8.0 and greater some phone models download an ITL (Initial Trust List) file that contains the CAPF certificate. Only 7941/61 and greater phone models support this ITL file. See full documentation here: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_6_1/secugd/secusbd.html

When the phone has this CAPF certificate the USB eTokens are no longer required to install an LSC on the phone. Simply perform steps 1 and 13-17. eTokens will still be required for authenticated or encrypted configuration files, but are not needed to install an LSC on the phone.
Here are the full instructions to get the LSC to the phone. These instructions assume you have not installed the CTL Client or activated any security services on Communications Manager.
Thanks for sharing.
I have a question that might look quite silly: How do I accomplish step 2? I mean, where can I get these security tokens? How am I supposed to put it on a USB? I had my call manager downloaded from the Cisco intranet; it didn't come with any instructions on that aspect.
Appreciate your help.
Ruwei,
That is a Cisco part number for a small hardware USB Token. You would have to order two of those hardware pieces from Cisco through whatever methods you normally use to order parts.
Hi there,
Can we start from the beginning here: are you absolutely sure "LSC requires the use of at least two USB eTokens"? What if I want to save some bucks and I'm happy with a self-signed certificate on my CUCM (meaning no money will be spent on USB eTokens)?
I'm the man in charge of my voice network and I simply want to tell my boss that our IP Telephony network is completely secured, i.e. I'm able to configure fully encrypted (signaling and media) voice communication inside our LAN (calls between any two Cisco IP phones controlled by the CUCM). I don't think USB eTokens are necessary to achieve this.
Please correct me if I'm wrong.
Regards,
Tenaro
Tenaro,
The USB eTokens are required to run the CTL Client and generate the CTL file. Without the USB eTokens there is no way to generate a CTL file, and no way to set the cluster to mixed mode security.
USB eTokens are absolutely required to enable phone security.
There is also another reason why you need to have at least two tokens: If I understand correctly, if you need to change the CTL file after it is created, then you need to have at least one of the tokens that was originally used. Changing the CTL file could be needed if you add an additional subscriber, or if you add an ASA proxy. Therefore, two tokens is for safety: Keep one token in a safe place, and keep the other token in another safe place somewhere else.