04-07-2014 06:56 AM - edited 03-16-2019 10:23 PM
Hello Guys,
I have a question regarding certificates on Cisco wired and wireless phones. I'm coming from the security/wireless side of Cisco, but I need some information about Cisco Call Manager.
We want to switch our network to EAP-TLS. We have a couple of Cisco wired phones and some wireless phones.
For security we need client certificates on those phones. I have read something about a tool called "Certificate Authority Proxy Function".
Is there any functionality on CUCM, or any tool, to provide client certificates via SCEP to those phones automatically?
We have a Microsoft PKI with a SCEP server, so we need SCEP client functionality on the CUCM/phone side.
Thanks a lot
Kind regards
Philip
04-07-2014 10:09 AM
Hi Philip,
There is a feature where you put a cluster in mixed mode and push down certificates from the CUCM side. This is something that needs to be done in the lab before it's tried in production. If you are running CUCM version 9.x or older, you will need a USB token to enable this feature. In version 10, you can substitute it for MS CA:
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_0_1/secugd/CUCM_BK_C68276B4_00_cucm-security-guide-100.html
HTH
04-07-2014 10:26 AM
The CUCM cluster doesn't need to run mixed mode in order to push down certificates via CAPF. Assuming you're running newer model phones and CUCM 8.x+, the phones will be able to trust CAPF for certificate installation due to the ITL. I install LSCs on non-secure clusters all the time.
Most of the phones also have a manufacturer-installed certificate (MIC) that you can use as long as you can trust the Cisco Manufacturing CA. That might be easier than pushing down certificates to the phones and having to manage them when they expire every 5 years.