Understanding CAPF

Grayson Wells
Level 1

I am trying to figure out how CAPF works, and I am not getting too far with the Cisco docs. You can configure CAPF for each device in CUCM, but it basically consists of saying you want to install an LSC. I want to know how it actually works. I am looking for a configuration on the CUCM that tells the CUCM where the Certificate Authority actually is. It makes sense to me that the CUCM is basically acting as a middle man: it requests a new certificate for the phone, and when the cert arrives it installs it. However, I don't see any info on how to configure the CUCM for the correct Certificate Authority server or anything along those lines.

Any insight is appreciated!

2 Accepted Solutions

Hi Robert

You can see CAPF as a service in CUCM (in fact it is a service).

Phone knows which server is the CAPF Server of the network (one of the CUCMs) via the CTL file. (CTL file is created once you set the cluster in mixed mode with the 2 USB e-tokens)

The CTL file is downloaded by the phone every time it boots.

When the phone is instructed to download the LSC, it will connect to the CAPF server and it will perform the action configured for the phone.

In the phone config you can specify this action, the phone can install/delete or upgrade the certificate, and you configure an authentication string in the phone (if you want).

This action can be done manually on the phone if needed, to refresh the LSC certificate.

The phone will connect to the CUCM acting as a CAPF server and will generate a certificate based on the information exchanged with the CAPF server. This information is based on the certificates that the CUCM has already on the certificate store, and eventually the LSC will be generated in the phone.

From that moment onwards, the phone has an LSC certificate which is related to the certificates on the CUCM, so it will be able to use secure profiles to encrypt the signalling, the config, etc...

Not sure if this is what you needed. I can give you more details if needed.


Regards
Fernando


Hello Robert

You can upload 3rd party certificates and use them as your certificates for the CAPF service.

You need to go to the Administration OS.

Generate a CSR for the CAPF certificate. Use that CSR to generate the certificates and then upload them to the CUCM.

Check this guide:

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/cucos/8_0_2/cucos/iptpch6.html#wp1053402

(It is for CUCM 8.0.2 but the principle applies for 6.X and 7.X)

So you can generate the CSR and generate a certificate based on the certificate you already have on the Microsoft NPS.

Then upload the certificate and the root certificate to the CUCM.

The other option, as you said, would be to download the certificates from the CUCM (OS Administration page -> Security -> Certificate Management) and put them in the Microsoft NPS.

Regards
Fernando

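Fernando's two answers describe a chain of trust: the enterprise CA signs the CAPF certificate from the CSR that CUCM OS Administration generates, CAPF then issues each phone's LSC, and the root of that chain is what the NPS/RADIUS side must trust for 802.1X. The OpenSSL script below is an added example, not from this thread or from Cisco, that models that chain with made-up subject names and a scratch directory and then checks it the way a RADIUS server would; all file names and CNs are assumptions.

```shell
#!/bin/sh
# Added example: models the CAPF trust chain from the thread with OpenSSL.
# All names below are constructed for illustration.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Enterprise root CA (stands in for the Microsoft CA behind the NPS).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Example Enterprise Root CA" -days 3650 2>/dev/null

# 2. CAPF CSR (what CUCM OS Administration produces), signed by the enterprise
#    CA as a subordinate CA so that it may in turn issue phone LSCs.
openssl req -newkey rsa:2048 -nodes -keyout capf.key -out capf.csr \
  -subj "/CN=CAPF-example" 2>/dev/null
printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > capf.ext
openssl x509 -req -in capf.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out capf.pem -days 1825 -extfile capf.ext 2>/dev/null

# 3. Phone LSC: key pair generated on the phone, certificate issued by CAPF.
#    clientAuth EKU is what EAP-TLS on the switch/NPS side expects from it.
openssl req -newkey rsa:2048 -nodes -keyout phone.key -out phone.csr \
  -subj "/CN=SEP001122334455" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > phone.ext
openssl x509 -req -in phone.csr -CA capf.pem -CAkey capf.key -CAcreateserial \
  -out phone.pem -days 730 -extfile phone.ext 2>/dev/null

# 4. A second, unrelated root (e.g. another cluster's CA) to show that an LSC
#    from a CAPF the NPS does not trust is rejected.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.pem \
  -subj "/CN=Unrelated Root CA" -days 3650 2>/dev/null

# Returns 0 when the LSC ($3) chains through the CAPF cert ($2) to the trusted
# root ($1). This is the validation the RADIUS server performs during EAP-TLS
# once the CUCM root has been uploaded to it.
lsc_chains_to() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Prints the issuer DN of a certificate, so you can confirm which CAPF
# issued a given LSC.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

lsc_chains_to root.pem capf.pem phone.pem && echo "LSC trusted by enterprise root"
lsc_chains_to other.pem capf.pem phone.pem || echo "LSC rejected by unrelated root"
cert_issuer phone.pem
```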

6 Replies

Grayson Wells
Level 1

Basically, I need to figure out how to get a locally significant certificate (LSC) on the phone. Once I do that I can figure out the rest of the authentication configs.


Alright, things are starting to clear up. So the certificates are generated on the CUCM. I was hoping to use the CUCM as a proxy to obtain certificates from my local CA on behalf of the phone. Can I not use my "third-party" certificates and have the CUCM install those on the phone instead of generating the certificates in the CUCM? Also, if the CUCM has to be the one to generate the certificates then how do I authenticate 802.1x? The switches are pointing to a radius server running microsoft NPS that does all of our certificate authentication. So what would I do in this case? Upload the root cert that is currently on the CUCM to the radius server?


Thanks! I really appreciate all of your help.

Hi,

Thanks for the detailed explanation.

I didn't find/understand a couple of things.

When I am signing the CUCM with an external CA (MS CA), which template do I need to use?

And are all the certificates the same type? For example, do I need to sign the ipsec certificate with the same certificate template as CAPF?

And also, when I am using the CTL client, do I have to use both tokens? Because the process is not asking to switch the tokens.

Thanks.