Showing results for 
Search instead for 
Did you mean: 


Preventing Cisco IP Phone MAC Spoofing

Hi All,

In call manager is there a mechanism by default that ip phone added in call manager is authenticated to get its config file and only its config file? Or there is something needed to configure on ip phone to make it use only its config file, so any one is trying to spoof this ip phone's mac will be denied from getting that ip phone's config file?





For Cisco phones there isn’t really sensitive stuff in the config file. Your concern would be better phrased as “what prevents a malicious/spoofed device registration?”


For the moment, this is done with certificates-based TLS client authentication. This is a rather involved topic that is covered in the security guide. The phone gets an X.509 certificate from CAPF and uses that in the TLS handshake to prove its identity. Optionally, CUCM can also encrypt the phone’s config file using the public RSA key of that cert. CUCM 12.5 allows CAPF to relay the CSR from a phone to a Microsoft CA if a customer prefers to use that.


Seperately in 12.5 you will notice references to OAuth tokens as an alternative to CAPF and LSCs. This is a major improvement over CAPF. For the moment, this is only supported by Jabber and MRA-registered IP Phones though. I can’t speak to roadmap details but you can imagine this eventually being supported by on-premises endpoints too.

Hi Jonathan,

I am having CUCM 11.5.

Does this feature works in non-secure mode or should I convert to Mixed Mode for certificates-based TLS client authentication.




Rising star

You can enable encryption of the Configuration files and only Phone with valid certificate will be able to decrypt them.

Below link will be helpful

*** Please rate helpful post; Mark "Accept as a Solution" if applicable



I am having CUCM and Phones are 8841 model IP Phone. Will this phone model supports Configuration File Encryption?




Hi Haris,

Suppose I have a phone with MAC AAAA.BBBB.CCCC. When I connect the phone to the network, it will request tftp server for ITL file and CUCM will provide ITL to the Phone. Next the phone will ask for configuraion file, and CUCM will give configuration with the signature. Next the phone verifies the configuration file has been received from valid CUCM by the public key obtained through ITL file. If the verification in successful, then the phone will get registered.


Then my question is if somebody connect another device to the network and  spoof the MAC AAAA.BBBB.CCCC, it will get the ITL file again from CUCM, and finally it will register to the CUCM after completing the same process. How can we protect this from happening?


Thanks in Advance


George Sotiropoulos
VIP Collaborator

You can encrypt the Phone' configuration files (digest password etc) by following the guidelines:



Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies
Content for Community-Ad