05-01-2014 12:59 PM - edited 03-19-2019 08:08 AM
Hi Community,
I'm preparing for the migration of 1000 IP Phones from a CM4 cluster to an existing CM 7 cluster.
The problem I'm facing is that security is enabled on the CM4 (not on CM 7): all phones have a CTL file, with server addresses configured.
As a test, I tried to manually enter the TFTP server of the new cluster on a phone, but I could not save the change as the IP address was not in the CTL list.
What would be my options here, considering the phone will switch from the old to the new after a DHCP option 150 update?
The tokens used originally are not available anymore, so I cannot make any change to the existing CTL file (my first guess was to add the new TFTP address).
Can security be disabled on all phones/cluster without the token/CTL client?
Thanks
James
05-01-2014 08:44 PM
Hi James,
As per the security guide for CUCM 4.x:
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/4_1_3/sec413/secutrbl.html#wp1029242
Delete the CTL file on the Cisco IP Phone if the following cases occur:
• You lose all security tokens that signed the CTL file.
• The security tokens that signed the CTL file appear compromised.
• You move a phone out of a secure cluster; for example, to a storage area, to a nonsecure cluster, or to another secure cluster in a different domain.
• You move a phone from an area with an unknown security policy to a secure cluster.
• You change the alternate TFTP server address to a server that does not exist in the CTL file.
HTH
Manish
05-02-2014 01:55 AM
Thanks Manish,
Really no other alternative than manually deleting the CTL file on 1000 phones?
I know there is also (expensive?) software such as phoneview that can help do this, but I have no budget for it.
What about bringing "new" tokens to re-sign all certificates? And eventually disable everything.
Thanks
James
05-02-2014 05:56 AM
Hi James,
I am not sure about any other options or the cost involved in using any third party app. Let's see if someone else wants to provide inputs on this one.
Manish
06-05-2014 02:11 PM
There are 3rd party tools to do this for 5.x and up, I have not seen one for 4.x.
05-02-2014 08:03 AM
Nope, you have no other option than deleting the CTL from every single phone. You can blame whoever misplaced the tokens, or whatever may have happened to them.
What about bringing "new" tokens to resign all certificates? and eventually disable everything.
NO, because the phones already have a list of what to trust, signed by a token which you no longer have and which is the only one they trust. If you do that, all you'll achieve is to bring down your entire infrastructure, as phones will no longer even trust the TFTPs and CUCMs as they do now.
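To make the trust rule Jaime describes concrete, here is a small model of the phone-side decisions, added to this thread as an illustration. It is not Cisco firmware, not the real CTL file format, and not the CTL client: the "tokens" are toy textbook-RSA key pairs with tiny constructed primes (insecure, only to show that signing is asymmetric), the CTL is a plain dict, and the addresses 10.0.4.10 and 10.0.7.10 are constructed. It models two behaviours from the thread: a phone that already holds a CTL accepts a replacement only if it is signed by a token listed in the CTL it currently has, and a phone refuses a manually entered TFTP address that is not in its CTL. It also shows the two exits: re-signing with an original token (not possible here, since the tokens are lost) and deleting the CTL on the phone, which is what the accepted answer recommends.

```python
import hashlib
import json


def make_token(p, q, e=17):
    """Toy RSA 'security token' as {'pub': [e, n], 'priv': [d, n]}.
    Constructed small primes; real eTokens hold full-size keys."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return {"pub": [e, n], "priv": [d, n]}


def _digest(records, n):
    """Hash the CTL records canonically and reduce into the toy modulus."""
    data = json.dumps(records, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_ctl(records, token):
    """Model of the CTL client signing a record list with one token."""
    d, n = token["priv"]
    return {"records": records, "signer_pub": token["pub"],
            "signature": pow(_digest(records, n), d, n)}


def verify_ctl(ctl):
    e, n = ctl["signer_pub"]
    return pow(ctl["signature"], e, n) == _digest(ctl["records"], n)


class Phone:
    """Model of a phone's CTL handling (illustration, not firmware code)."""

    def __init__(self):
        self.ctl = None  # no CTL installed: phone is nonsecure
        self.tftp = None

    def _records(self, role):
        return [r for r in self.ctl["records"] if r["role"] == role] if self.ctl else []

    def install_ctl(self, new_ctl):
        """A phone with a CTL only accepts a new one signed by a token already
        listed in the current CTL. A phone without a CTL takes the first offered."""
        if self.ctl is not None:
            trusted = {tuple(r["pub"]) for r in self._records("Security Token")}
            if tuple(new_ctl["signer_pub"]) not in trusted:
                return False
        if not verify_ctl(new_ctl):
            return False
        self.ctl = new_ctl
        return True

    def set_tftp(self, address):
        """A manually entered TFTP address must appear in the CTL to be saved."""
        if self.ctl is not None:
            if address not in {r["address"] for r in self._records("CCM+TFTP")}:
                return False
        self.tftp = address
        return True

    def delete_ctl(self):
        """The per-phone CTL erase the thread recommends; phone becomes nonsecure."""
        self.ctl = None


def run_scenario():
    token_a = make_token(61, 53)    # original token, later lost (constructed)
    token_b = make_token(101, 113)  # a "new" token the phones have never seen
    old_records = [
        {"role": "Security Token", "address": None, "pub": token_a["pub"]},
        {"role": "CCM+TFTP", "address": "10.0.4.10", "pub": None},  # old cluster
    ]
    new_records = old_records + [{"role": "CCM+TFTP", "address": "10.0.7.10", "pub": None}]

    phone = Phone()
    phone.install_ctl(sign_ctl(old_records, token_a))  # first contact with secure CM4
    results = {}
    # James's test: the new cluster's TFTP is not in the CTL, so the change is refused.
    results["manual_tftp_change_rejected"] = not phone.set_tftp("10.0.7.10")
    # "New" tokens: the signer is unknown to the phone, so the CTL is ignored.
    results["ctl_signed_by_new_token_accepted"] = phone.install_ctl(sign_ctl(new_records, token_b))
    # What an original token would have allowed, had it not been lost.
    results["ctl_signed_by_original_token_accepted"] = phone.install_ctl(sign_ctl(new_records, token_a))
    results["tftp_change_after_original_token_update"] = phone.set_tftp("10.0.7.10")

    # The remaining path: delete the CTL on the phone, then any TFTP is accepted.
    phone2 = Phone()
    phone2.install_ctl(sign_ctl(old_records, token_a))
    phone2.delete_ctl()
    results["tftp_change_after_ctl_delete"] = phone2.set_tftp("10.0.7.10")
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The model deliberately keeps the trust anchor inside the CTL itself: the signer records are the only thing the phone consults when deciding whether a replacement list is legitimate, which is exactly why a freshly generated token cannot bootstrap itself onto phones that never saw it, and why the per-phone erase is the fallback once every signing token is gone.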
05-02-2014 10:25 AM
Thanks for confirming the same Jaime [+5].
Manish