01-09-2013 02:22 AM - edited 03-16-2019 03:03 PM
Hello everyone,
we are about to implement a solution with SSL Phone VPN to an ASA and I was wondering if it is possible to load a client certificate onto the IP-Phones, so that it will automatically authenticate itself against the ASA, without the need for the user to provide his username:password.
Thanks and best regards,
Thomas
01-09-2013 03:13 AM
Hi Thomas
Yes, it is.
The way I've done this is to enable the CAPF service on CUCM. On previous versions you needed a USB Security token to enable this, but now you can enable CAPF and issue LSCs (Locally Significant Certificates) to the phones. These can be used for authentication over the VPN, but not for SRTP.
You would install the CAPF root cert from CUCM Cert management in OS admin as the ASA trustpoint.
CAPF doesn't seem to have a revocation service, but since the phones will register to the CUCM when they VPN in you can kill a phone by telling CUCM to instruct the phone to delete the LSC.
Example of CAPF without security tokens is here:
https://supportforums.cisco.com/docs/DOC-12963
Regards
Principal Engineer at Logicalis UK
Please rate helpful posts...
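The setup described in the answer above, as an added ASA configuration sketch (not Aaron's text, not a Cisco document): the CAPF root exported from CUCM becomes a trustpoint, and the phone tunnel-group authenticates by certificate only, with a certificate map so that only CAPF-issued phone certificates land in that tunnel-group. The trustpoint, group-policy, tunnel-group and URL names are placeholders, and the issuer CN substring is an assumption to be checked against the actual CAPF certificate.

```cisco
! Assumed placeholder names: CAPF-ROOT, PHONE-VPN-POLICY, PHONE-VPN, asa.example.com
! 1. Trustpoint holding the CAPF root certificate (exported from CUCM OS Administration)
crypto ca trustpoint CAPF-ROOT
 enrollment terminal
! Paste the PEM-encoded CAPF root when prompted
crypto ca authenticate CAPF-ROOT

! 2. Group policy for the phones: SSL client tunnel only
group-policy PHONE-VPN-POLICY internal
group-policy PHONE-VPN-POLICY attributes
 vpn-tunnel-protocol ssl-client

! 3. Tunnel-group that authenticates the phone by its LSC, no username/password prompt
tunnel-group PHONE-VPN type remote-access
tunnel-group PHONE-VPN general-attributes
 default-group-policy PHONE-VPN-POLICY
tunnel-group PHONE-VPN webvpn-attributes
 authentication certificate
 group-url https://asa.example.com/phonevpn enable

! 4. Steer certificates whose issuer CN contains "CAPF" (assumed match) into that tunnel-group
crypto ca certificate map CAPF-PHONES 10
 issuer-name attr cn co CAPF
webvpn
 certificate-group-map CAPF-PHONES 10 PHONE-VPN
```

Since CAPF offers no revocation service, the only way to cut off a lost phone is the CUCM-initiated LSC delete discussed later in the thread, which requires the phone to connect once more.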
01-09-2013 03:23 AM
Hello Aaron,
thank you for your reply, that helps me a lot!
Have a nice day
Thomas
02-27-2013 01:19 PM
Aaron - our security guys want us to revoke the LSC if a user is terminated or if the VPN phone is stolen. I'm trying to use/understand the Delete operation under CAPF settings of the phone but it's not working. Have you used this before to delete the LSC?
Thanks,
Dan
02-28-2013 11:11 AM
Hi Dan
It works for me - obviously for that delete function to work, the phone must first connect to the VPN, and then register to CUCM - CUCM then tells the phone to delete, and that's what it should do. It worked for me when I tested it.
Aaron
02-28-2013 10:52 PM
Aaron - I ended up opening a TAC case and found out that the cert wasn't automatically deleting because we were using Authentication Code and not using Authentication Null.
Thanks,
Dan