SIP Digest Authentication and Extension Mobility

hanlykent
Level 1

Hi All,

I am hoping the knowledgeable people out there can help me with the following:

  • Configuration of SIP Digest Authentication and the Digest User configured
  • Configuration of SIP Digest Authentication when all phones and users in the enterprise use extension mobility

In our environment, we are mainly using Cisco 7941/7942 IP Phones.
If the physical phone has a secure phone security profile with "Enable Digest Authentication" checked,
then a Digest User needs to be configured on the phone configuration and the corresponding Digest Credentials set for that Digest User.
With both of these set, phone registration is accepted.

After the phone is registered, users can then log in using extension mobility.
Cisco security guide documentation states that "Cisco Unified Communications Manager uses the digest credentials for the extension mobility end user, as configured in the End User Configuration window, when extension mobility user logs in".
I have noticed that I do not need to populate the "Digest Credentials" fields for any of the LDAP sync'd users in the database.
Are these End User Digest Credential fields being populated automatically somehow?

When the physical phone is configured for a user-specific extension, I would assume the Digest User should/could be the end user themselves?
However, this would mean that every time the phone changes hands, the Digest User setting should reflect the new user details.
However, with extension mobility a physical phone is not assigned to any particular person.

What is the recommended/common practice configuration for the physical phone's "Digest User"?
Should I just configure a generic local "Digest User" for all potential registered phones to allow for registration to occur?
This would seem to allow a physical phone's Digest User to remain the same regardless of who the phone's extension is assigned to, and would continue to allow the phone to register and extension mobility seems to work as long as the physical phone is registered initially.

Any insight or recommendations are appreciated.

Thanks

Kent

1 Accepted Solution

dohnesor
Cisco Employee

Hi Kent,

This is certainly an interesting question, as in most EM deployments Digest Authentication does not come into the picture. As you asked for recommended practice with regard to security, my recommendation would be to not use Digest Authentication unless it is really needed (needed for 3rd party SIP Endpoints). Digest Authentication uses the MD5 algorithm, which is susceptible to brute-force cracking.

My recommendation would be to utilise Certificate Based 802.1X Authentication with Cisco ISE. Have a read of the IP Telephony for 802.1X Design Guide.
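
To illustrate the answer's point about MD5, here is an added example (not part of the original posts and not Cisco code) showing how an RFC 2617 digest response is derived and how a registrar checks it. The user name, realm, nonce, URI and password are constructed sample values; the only secret input to the hash is the password, while the other fields travel in the SIP headers.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 response: every input except the password is sent in clear."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:  # qop=auth mixes in the client nonce and nonce count
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_digest_header(header):
    """Split 'Digest k="v", k2=v2' into a dict of lower-cased keys."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def verify(header, method, stored_password):
    """Registrar-side check: recompute the response, compare in constant time."""
    p = parse_digest_header(header)
    required = ("username", "realm", "nonce", "uri", "response")
    if any(k not in p for k in required):
        return False
    expected = digest_response(p["username"], p["realm"], stored_password, method,
                               p["uri"], p["nonce"],
                               p.get("qop"), p.get("nc"), p.get("cnonce"))
    return hmac.compare_digest(expected, p["response"].lower())

# Constructed sample values (not from the thread or any real system).
SAMPLE = dict(username="digestuser1", realm="example-realm",
              password="S3cret-constructed", method="REGISTER",
              uri="sip:cucm.example.com", nonce="a1b2c3d4e5f6")
SAMPLE_HEADER = ('Digest username="{username}", realm="{realm}", nonce="{nonce}", '
                 'uri="{uri}", response="{resp}", algorithm=MD5').format(
                     resp=digest_response(**SAMPLE), **SAMPLE)

if __name__ == "__main__":
    print(SAMPLE_HEADER)
    print("correct password:", verify(SAMPLE_HEADER, "REGISTER", SAMPLE["password"]))
    print("wrong password:  ", verify(SAMPLE_HEADER, "REGISTER", "guess"))
```

Because the check is a plain unsalted MD5 chain over header fields plus the password, the strength of the scheme rests entirely on the quality of the configured Digest Credentials.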

2 Replies

hanlykent
Level 1

Hi.

The question came up after working my way through the Security guide for CUCM 11.5(1) and how certain configurations would apply in my Cisco UC environment.

The recommendation you have put forward answers my question.

Thanks for taking the time to answer.

Regards,

Kent

 
