Phone get register with or without LSC installed

aviadr (Level 1)

Hi All,

We have a cluster with 4 CUCM nodes (Version 11.5.1 - the latest version for now) in mixed mode.

We have 7841 IP Phones and we configured a Phone Security Profile that makes authentication by MIC in the CAPF process.

The CAPF is signing the LSCs for the phones, and on the phone we can see that the LSC is Installed.

I checked and saw that if I delete the LSC from the phone, in the security settings of the phone itself I can see that the LSC status is "Not Installed", but the phone continues to register and make calls (and the phone displays the "Lock" icon during the calls, which indicates that the calls are encrypted).

This is very weird because I thought that if the phone doesn't have an LSC installed on it, it won't register.

Can someone help me to understand what is wrong?

P.S. - When we tried to register a CSF device without an LSC, it didn't register until we did the authentication by string, so we thought that maybe the phone registers with its MIC cert?

thanks a lot!

12 Replies

Hi,

I believe that is because the CTL certificate is still present. Once the phone gets the CTL certificate, it will be used for authentication and encryption even if the LSC is deleted. The LSC isn't used for signaling authentication and media encryption.

Hi Mohammed,

Thanks for your answer.

Are you sure that the signaling and media get encrypted by the CTL and not by the LSC?

If so, why do we need the LSC? The CAPF?

What is the reason for the LSC cert?

Thanks!

Yes, authentication and encryption use the CTL. The LSC is used for different purposes.

See this post and let me know if you still have confusion:

https://supportforums.cisco.com/discussion/12414601/mic-lsc-ctl-confusion

I already read this post but still didn't get it.

I understand what the purpose of the MIC is.

The CTL contains the CAPF, TFTP and CUCM certs in order to trust those servers and prevent phones from moving from one cluster to another.

I still didn't get the LSC purpose - I understand that I sign the LSC with my root CA or the local self-signed CAPF service and this is more secure than trusting the MIC, but if the LSC is not used for the authentication and encryption, why do I need this?

Can you please explain what the LSC purposes are?

Thanks.

Both have the same functionality. The MIC is signed by the manufacturer CA (which is Cisco). The LSC is signed by the CAPF. If both exist on a phone, the LSC is preferred.

HARIS_HUSSAIN (VIP Alumni)

LSC/MIC are the certificates of the phone. We can notice that for the LSC the CN = <Unique ID based on phone MAC>. These are used to authenticate the phone based on the 802.1x standard. So this certificate is used to trust the phones to allow access to network resources. You need to enable 802.1x authentication in your infrastructure. If 802.1x is not implemented, the phone will register with or without an LSC installed.

The CallManager.pem certificate is used for media and signalling encryption. This certificate is delivered to the phone via the CTL during the initial reboot.

Hope that clarifies the question

aviadr (Level 1)

Hi Guys,

Thanks for your answers.

Finally, I understood that if I have a MIC certificate on the device it will register to the CUCM even if it doesn't have an LSC installed.

We wanted to prevent this situation - to block devices from registering with the server until they have an LSC certificate, so I deleted the callmanager-trust certificates:

CAP-RTP-001

CAP-RTP-002

Cisco_Manufacturing_CA

After restarting the CallManager service and TFTP service, the devices won't register until the CAPF signs the phone cert.

Thanks!

You mean you have deleted these Cisco CAs from Call Manager itself!

I think you missed one CA cert, Cisco_Root_CA_2048.

So now you have only the LSC certificate installed in the phone.

Also I have found that Jabber does not have a MIC installed on it, from http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html

I still have a doubt.

What happens for new phones? How can we push the LSC if the phone does not register to CUCM in the first place?

I have used the LSC for 802.1x authentication via Identity Services Engine.

But here we are using LSC/MIC for phone registration.

I would also like to understand how the certificate prevents the phone from registering.

This is how I understand it:

  • So a new phone will try to contact the TFTP server and download the ITL/CTL files.
  • But the phone cannot establish a secure TLS session with CUCM as the phone certificate (MIC) is not trusted by CUCM.

I would appreciate it if someone can clarify this.

Please rate if found useful.

Thanks

Haris

Not sure if I understand your confusion, but what you said is correct. The LSC/MIC will be used for secured authentication with your dot1x server to authenticate/authorize. The CTL will be used for signaling/media encryption or signaling hash (depending on what is configured). The ITL will be used for signaling hashing/encryption.

The phone tries to get the config file from the TFTP.

Once it gets the config file, it gets the command to install the LSC from the CAPF.

The Cisco certs are still in CAPF-trust, so the LSC gets installed on the phone by MIC authentication.

Then the phone has the LSC and it can register to the CUCM.

Before I deleted the Cisco certs, the phone was registered to the CUCM even if it did not have an LSC, because the phone has a MIC file that the Call Manager trusts.

So if I try to register the phone with a Non Secure Profile it should work, even though it does not have an LSC and the MIC CA is not trusted by CUCM?

Correct
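Added example (not from the thread, and not Cisco code): a Go model, using only the standard library's crypto/x509 package, of the trust decision the thread converges on. A phone's client certificate (MIC or LSC) is accepted for secure registration only if it chains to a CA in callmanager-trust; with the Cisco manufacturing CAs present, a MIC-only phone gets in, and once only CAPF remains (aviadr's change above) the same phone is rejected until CAPF has signed it an LSC. The CA names "CAPF-9f1a2b3c" and "Cisco_Manufacturing_CA", the CN format "CP-7841-SEP<MAC>" and the MAC itself are constructed stand-ins, not real Cisco certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuerKeys bundles a CA certificate with its signing key.
type issuerKeys struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed CA: a constructed stand-in for CAPF.pem or for
// one of the Cisco manufacturing CAs in callmanager-trust.
func newCA(cn string) issuerKeys {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return issuerKeys{cert, key}
}

// issuePhoneCert signs a phone identity certificate: an LSC when the issuer
// is CAPF, a MIC when the issuer is the manufacturing CA. The CN format is
// an assumption for illustration only.
func issuePhoneCert(issuer issuerKeys, cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer.cert, &key.PublicKey, issuer.key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// acceptsPhoneCert models the server side of the phone's TLS handshake:
// the client certificate must chain to a CA in callmanager-trust.
func acceptsPhoneCert(callmanagerTrust []*x509.Certificate, phone *x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, c := range callmanagerTrust {
		roots.AddCert(c)
	}
	_, err := phone.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// RegistrationOutcome records which phone certificates a trust store accepts.
type RegistrationOutcome struct {
	MICAccepted bool
	LSCAccepted bool
}

// Scenario replays the thread: callmanager-trust before and after the Cisco
// manufacturing CA is removed, leaving only CAPF.
func Scenario() (before, after RegistrationOutcome) {
	capf := newCA("CAPF-9f1a2b3c")         // constructed name
	mfg := newCA("Cisco_Manufacturing_CA") // constructed stand-in
	mac := "SEP001122334455"               // constructed MAC
	mic := issuePhoneCert(mfg, "CP-7841-"+mac)
	lsc := issuePhoneCert(capf, "CP-7841-"+mac)

	full := []*x509.Certificate{capf.cert, mfg.cert}
	before = RegistrationOutcome{acceptsPhoneCert(full, mic), acceptsPhoneCert(full, lsc)}
	capfOnly := []*x509.Certificate{capf.cert}
	after = RegistrationOutcome{acceptsPhoneCert(capfOnly, mic), acceptsPhoneCert(capfOnly, lsc)}
	return before, after
}

func main() {
	before, after := Scenario()
	fmt.Printf("Cisco CAs in callmanager-trust: MIC=%v LSC=%v\n", before.MICAccepted, before.LSCAccepted)
	fmt.Printf("CAPF only in callmanager-trust: MIC=%v LSC=%v\n", after.MICAccepted, after.LSCAccepted)
}
```

The model covers the secure-profile case only. It deliberately does not model the non-secure profile that Haris asks about at the end, where no client certificate is presented and the trust store is not consulted, nor the CAPF-trust store, which is what still lets a MIC-only phone authenticate to CAPF and obtain its LSC in the first place.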
