
IP-Phone SSL VPN

thomas.busse
Level 1

Hello everyone,

we are about to implement a solution with SSL Phone VPN to an ASA and I was wondering if it is possible to load a client certificate onto the IP-Phones, so that it will automatically authenticate itself against the ASA, without the need for the user to provide his username:password.

Thanks and best regards,

Thomas

1 Accepted Solution

Accepted Solutions

Aaron Harrison
VIP Alumni

Hi Thomas

Yes, it is.

The way I've done this is to enable the CAPF service on CUCM. On previous versions you needed a USB Security token to enable this, but now you can enable CAPF and issue LSC (Locally Significant Certificates) to the phones. These can be used for authentication over the VPN, but not for SRTP.

You would install the CAPF root cert from CUCM Cert management in OS admin as the ASA trustpoint.

CAPF doesn't seem to have a revocation service, but since the phones will register to the CUCM when they VPN in you can kill a phone by telling CUCM to instruct the phone to delete the LSC.

Example of CAPF without security tokens is here:

https://supportforums.cisco.com/docs/DOC-12963

Regards

Aaron Harrison

Principal Engineer at Logicalis UK

Please rate helpful posts...

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!
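As an added example (not part of Aaron's post or any Cisco documentation), here is an ASA configuration fragment along the lines he describes: the CAPF root certificate from CUCM becomes a trustpoint, and the phone tunnel group authenticates by certificate only, so no username/password is required. The trustpoint, map, group-policy and tunnel-group names and the hostname are assumptions, and the exact command syntax varies between ASA versions, so check it against the release you run.

```text
! Trustpoint that holds the CUCM CAPF root certificate. The PEM is pasted
! at the prompt after "crypto ca authenticate"; export it from CUCM
! OS Administration > Security > Certificate Management (CAPF).
crypto ca trustpoint CAPF-TRUSTPOINT
 enrollment terminal
 ! CAPF publishes no CRL/OCSP (as noted in the post), so revocation
 ! checking on the ASA must be disabled; revocation is done by having
 ! CUCM tell the phone to delete its LSC once it registers.
 revocation-check none
crypto ca authenticate CAPF-TRUSTPOINT

! Only accept certificates actually issued by the CAPF CA for the phone
! tunnel group. The CN of a CAPF root is of the form "CAPF-<id>", so a
! "contains" match on the issuer CN is used here (assumption: adjust to
! the real issuer DN of your CAPF certificate).
crypto ca certificate map CAPF-PHONES 10
 issuer-name attr cn co CAPF

! Map certificates matching the rule above to the phone tunnel group.
webvpn
 enable outside
 certificate-group-map CAPF-PHONES 10 PHONE-VPN

group-policy PHONE-POLICY internal
group-policy PHONE-POLICY attributes
 vpn-tunnel-protocol ssl-client

tunnel-group PHONE-VPN type remote-access
tunnel-group PHONE-VPN general-attributes
 default-group-policy PHONE-POLICY
tunnel-group PHONE-VPN webvpn-attributes
 ! Certificate-only authentication: the phone presents its LSC and no
 ! user credentials are prompted for.
 authentication certificate
 group-url https://vpn.example.com/phone enable
```

Two points worth keeping in mind with this setup: because the ASA cannot check revocation, a phone whose LSC has not yet been deleted (lost or stolen, or belonging to a terminated user) will still complete the VPN handshake until it registers to CUCM and receives the delete instruction, so the CUCM-side delete operation discussed later in this thread is the control that actually closes that window; and the issuer match in the certificate map is what keeps certificates from other CAs that the ASA happens to trust out of the phone tunnel group.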


5 Replies


Hello Aaron,

thank you for your reply, that helps me a lot!

Have a nice day

Thomas

Aaron - our security guys want us to revoke the LSC if a user is terminated or if the VPN phone is stolen.  I'm trying to use/understand the Delete operation under CAPF settings of the phone but it's not working.  Have you used this before to delete the LSC?

Thanks,

Dan

Hi Dan

It works for me - obviously for that delete function to work, the phone must first connect to the VPN, and then register to CUCM - CUCM then tells the phone to delete, and that's what it should do. It worked for me when I tested it.

Aaron


Aaron - I ended up opening a TAC case and found out that the cert wasn't automatically deleting because we were using Authentication Code and not using Authentication Null.

Thanks,

Dan