Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
767
Views
20
Helpful
5
Replies

[SOLVED] IP-Phone CSR generation on freshly installed CUCM

Arvyr
Level 1
Level 1

‎03-03-2021 02:58 AM - edited ‎03-22-2021 06:03 AM

Hello,

 

I got a CUCM cluster version 11.5 and a test installation of a CUCM version 12.5 where none of the connected phones would generate a certificate signing request.

 

Since I couldn't find any guide on the internet I wanna ask here, if there's a comprehensive step-by-step guide on how to enable

CUCM and Phones to work with certificates?

 

It's primarily needed for 802.1x authentication but secure voice later on with an Offline CA (Windows Server based).

FYI: The 11.5 cluster already uses valid certificates from a Windows CA, the 12.5 is still "virgin" in this regard.

 

Any help is appreciated.

Labels:
0 Helpful
5 Replies 5

Gregory Brunn
Spotlight
Spotlight

‎03-03-2021 07:50 AM - edited ‎03-03-2021 07:51 AM

This require mix mode in CUCM for secure voice.  Also for the LSC you need mix mode. 

 

For 802.1X typically the LSC is used which is signed by the CAPF.   

 

Have you read the following

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html

 

Also check out the cisco live sessions for CUCM security there are some good sessions done on this topic on how phones use certificates.

 

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/12_5_1/cucm_b_security-guide-1251.html

 

Also there are some great session for

Arvyr
Level 1
Level 1
In response to Gregory Brunn

‎03-03-2021 08:27 AM - edited ‎03-03-2021 08:27 AM

Thanks for the links, I will look into them.

 

One thing however, I read in another document I can't find right now, that mixed-mode isn't needed for phones when only 802.1x is wanted and not secure voice.

Is this correct?

 

Also, since my 12.5 CUCM is in eval mode, I can't activate mixed-mode.

On my 11.5 cluster, mixed-mode is enabled however, still no CSRs are generated.

 

Is there a way to see what's happening?

With RTMT or via CLI?

0 Helpful

Roger Kallberg
VIP
VIP
In response to Arvyr

‎03-03-2021 10:07 AM

You should read the documents provided by @Gregory Brunn and then if you still have questions please get back in this post. There is an obvious lack of understanding on your end for how certificates are used and handled in CM.



Response Signature


0 Helpful

Gregory Brunn
Spotlight
Spotlight
In response to Roger Kallberg

‎03-03-2021 10:45 AM

There is a great cisco live on demand session that has a presentation video on the basics

 

Introduction to Cisco UC Security - BRKCOL-2014

 

 

Arvyr
Level 1
Level 1
In response to Gregory Brunn

‎03-22-2021 06:02 AM

Hello again,

 

so I watched that cisco live session and it was indeed a good source of theoretical information.

It's lacking practical parts however.

 

I found a solution to my problem though. 

After searching other posts in this forum I stumbled across: https://community.cisco.com/t5/ip-telephony-and-phones/phones-don-t-install-lsc-after-mixed-mode-configuration/td-p/2931516

and indeed, switching from dns to ip helped in generating LSCs. I need to check my dns configuration in the future.

 

So phones now have a valid certificate and are able to communicate encrypted.

 

Thanks for all the hints.

 

 

Customers Also Viewed These Support Documents