Home » Cisco Manuals » Telephony » Cisco SPA525G » Manual Viewer

Cisco SPA525G Administration Guide - Page 147

Using HTTPS, Server Certificates, Client Certificates

UPC - 882658261688

Add to My Manuals
Save this manual to your list of manuals

Page 147 highlights

Provisioning Basics Using HTTPS 7 Using HTTPS The Cisco IP phone provides a reliable and secure provisioning strategy based on HTTPS requests from the Cisco IP phone to the provisioning server, using both server and client certificates for authenticating the client to the server and the server to the client. To use HTTPS with Cisco IP phones, you must generate a Certificate Signing Request (CSR) and submit it to Cisco. The Cisco IP phone generates a certificate for installation on the provisioning server that is accepted by Cisco IP phones when they seek to establish an HTTPS connection with the provisioning server. The Cisco IP phone implements up to 256-bit symmetric encryption, using the American Encryption Standard (AES), in addition to 128-bit RC4. The Cisco IP phone supports the Rivest, Shamir, and Adelman (RSA) algorithm for public/ private key cryptography. Server Certificates Each secure provisioning server is issued an secure sockets layer (SSL) server certificate, directly signed by Cisco. The firmware running on the Cisco IP phone clients recognizes only these certificates as valid. The clients try to authenticate the server certificate when connecting via HTTPS, and reject any server certificate not signed by Cisco. This mechanism protects the service provider from unauthorized access to the Cisco IP phone endpoint, or any attempt to spoof the provisioning server. This might allow the attacker to reprovision the Cisco IP phone to gain configuration information, or to use a different VoIP service. Without the private key corresponding to a valid server certificate, the attacker is unable to establish communication with a Cisco IP phone. Client Certificates In addition to a direct attack on the Cisco IP phone, an attacker might attempt to contact a provisioning server using a standard web browser, or other HTTPS client, to obtain the Cisco IP phone configuration profile from the provisioning server. To prevent this kind of attack, each Cisco IP phone also carries a unique client certificate, also signed by Cisco, including identifying information about Cisco SPA and Wireless IP Phone Administration Guide 145

Section	Page
Audience	12
Organization	13
Read Me First	14
Finding Information in PDF Files	14
Finding Text in a PDF	14
Finding Text in Multiple PDF Files	15
Getting Started	17
Overview	17
Cisco SPA932 Attendant Console	19
Network Configurations	19
Cisco SPA9000 Voice System	19
Cisco Unified Communications 500 Series for Small Business	21
Other SIP IP PBX Call Control Systems	22
Prerequisites	22
Upgrading Firmware	22
Determining the Current Firmware Version	23
Determining Your IP Address	24
Downloading the Firmware	25
Installing the Firmware (SPA9X2)	25
Installing the Firmware (SPA525G)	26
Installing the Firmware (WIP310)	26
Using the Web Administration User Interface	27
Understanding Administrator and User Views	29
Accessing Administrative Options	29
Understanding Basic and Advanced Views	29
Using the Web Administration Tabs	30
Roadmap to Web UI Features	30
Viewing Phone Information	33
Configuring Lines and Extensions	35
Configuring Lines	35
Shared Line Appearances	36
Configuring a Line	36
Configuring Shared Line Appearance	38
Assigning Busy Lamp Field, Call Pickup, and Speed Dial Functions to Unused Lines on a SPA525G, SPA962 or SPA942	39
Configuring Unused Line Keys for Call Park on the SPA525G (MetaSwitch)	41
Configuring Unused Line Keys to Access Services (SPA525G)	42
Configuring Line Key LED Patterns (SPA9X2/525G only)	44
Configuring Extensions	46
Customizing Cisco SPA and Wireless IP Phones	49
Configuring Phone Information and Display Settings	49
Configuring the Phone Name	50
Configuring Voice Mail	50
Customizing the Startup Screen	51
Changing the Display Background (SPA942/962/525G)	52
Configuring the Screen Saver	54
Configuring the Phone Display Menu Color Settings (SPA962 Only)	56
Configuring the LCD Contrast	56
Configuring Back Light Settings (SPA525G)	57
Configuring Linksys Key System Parameters	58
Enabling Call Features	58
Enabling Anonymous Call and Caller ID Blocking	58
Enabling Automatic Call Distribution (ACD)	59
Enabling Call Back	59
Enabling Call Park and Call Pickup	60
Enabling Call Transfer and Call Forwarding	61
Enabling Call Waiting	61
Enabling Conferencing	62
Enabling Dial Assistance	62
Enabling Do Not Disturb	62
Enabling the Missed Call Shortcut	63
Logging Missed Calls (SPA9X2/SPA525G Only)	63
Enabling Paging (Intercom)	64
Enabling Secure Call	66
Enabling Service Announcements	67
Configuring Phone Features	67
Configuring the Message Waiting Indicator	67
Configuring Ring Tones	68
Configuring RSS Newsfeeds on the SPA962/SPA525G Phone	72
Configuring Traffic Information Settings on the SPA9X2 Phone	73
Configuring Audio Settings	74
Enabling Wireless (SPA525G only)	75
Enabling Bluetooth (SPA525G only)	76
Enabling SMS Messaging	76
Enabling the Web Server	78
Configuring Lightweight Directory Access Protocol (LDAP)	79
Configuring BroadSoft Settings (SPA525G)	83
Configuring BroadSoft Directory	83
Configuring Synchronization of Do Not Disturb and Call Forward	84
Configuring XML Services (SPA525G)	84
Configuring Music On Hold	85
Configuring Extension Mobility with a BroadSoft Server	86
Configuring SIP, SPCP, and NAT	89
Session Initiation Protocol and Cisco IP Phones	89
SIP Over TCP	90
SIP Proxy Redundancy	91
RFC3311 Support	91
Configuring SIP	91
Configuring SIP Parameters	92
Configuring SIP Timer Values	95
Configuring Response Status Code Handling	98
Configuring RTP Parameters	99
Configuring SDP Payload Types	100
Configuring SIP Settings for Extensions	103
Configuring SPCP on the SPA525G	111
Network Address Translation (NAT) and Cisco IP Phones	111
NAT Mapping with Session Border Controller	112
NAT Mapping with SIP-ALG Router	112
Configuring NAT Mapping with a Static IP Address	112
Configuring NAT Mapping with STUN	113
Determining Whether the Router Uses Symmetric or Asymmetric NAT	115
Configuring Security, Quality, and Network Features	117
Setting Security Features	117
SIP Initial INVITE and MWI Challenge	117
SIP Over TLS	118
SRTP and Securing Calls	119
Ensuring Voice Quality	120
Supported Codecs	120
Bandwidth Requirements	122
Factors Affecting Voice Quality	123
Configuring Voice Codecs	125
Configuring Domain and Internet Settings	128
Configuring Restricted Access Domains	128
Configuring DHCP, Static IP, and PPPoE Information	128
Setting Optional Network Parameters	131
Configuring VLAN Settings	133
Using the IP Phones in a VLAN	133
Provisioning Basics	135
Provisioning Capabilities	136
Provisioning Configuration from Phone Keypad	136
IP Phone Configuration Profiles	138
General Purpose Parameters	139
Sample Configuration File	140
Upgrading, Resyncing, and Rebooting Phones	140
Upgrading Firmware on a Phone	141
Firmware Upgrade Parameters	142
Resyncing a Phone	143
Rebooting a Phone	144
Redundant Provisioning Servers	144
Retail Provisioning	145
Automatic In-House Preprovisioning	145
Configuration Access Control	146
Using HTTPS	147
Server Certificates	147
Client Certificates	147
Obtaining a Server Certificate	148
Configuring Regional Parameters and Supplementary Services	149
Advanced Scripting for Cadences, Call Progress Tones, and Ring Tones	150
Example 1: Normal Ring	150
Example 2: Distinctive Ring (short,short,short,long)	150
Example 1: Dial Tone	151
Example 3: SIT Tone	151
Example 1: SIT Tone	152
Call Progress Tones	153
Distinctive Ring Patterns	153
Ring Pattern Notes	153
Control Timer Values (sec)	154
Control Timer Value Notes	154
Configuring Supplementary Services (Star Codes)	155
Entering Star Code Values	155
Activating or Deactivating Supplementary Services	160
Vertical Service Announcement Codes (SPA 9X2 only)	160
Vertical Service Announcement Notes	161
Outbound Call Codec Selection Codes	163
Outbound Call Codec Selection Notes	163
Using a Dial Plan	163
Miscellaneous Parameters	166
DTMF Notes	166
Localizing Your IP Phone	167
Managing the Time and Date	169
Configuring Daylight Savings Time	169
Selecting a Display Language	171
Creating a Dictionary Server Script	173
Configuring the SPA932 Attendant Console	175
SPA932 Features	176
Setting Up the SPA932 Attendant Console	177
Configuring the SPA9000 for the SPA932	178
Configuring the BroadSoft Server for the SPA932	178
Configuring the Asterisk Server for the SPA932	179
Configuring the SPA932	180
Unit/Key Configuration Scripts	181
Configuring BroadSoft Busy Lamp Field Auto-Configuration (SPA525G)	184
SPA932 Parameter Notes	185
Monitoring the SPA932	186
SPA932 Unit Monitoring Notes	187
Creating an LED Script	189
LED Script	189
LED Script Examples	190
LED Pattern	190
SPA and Wireless IP Phone Field Reference	192
Info Tab	193
System Information	193
Product Information	195
Phone Status	195
Ext Status	197
Line/Call Status	197
Downloaded Ring Tone	198
System Tab	199
System Configuration	199
Internet Connection Type and Static IP Settings	200
PPPoE Settings	201
Optional Network Configuration	201
VLAN Settings	203
Wi-Fi Settings (SPA525G only)	203
Bluetooth Settings (SPA525G only)	203
SIP Tab	204
SIP Parameters	204
SIP Timer Values (sec)	207
Response Status Code Handling	210
RTP Parameters	211
SDP Payload Types	213
NAT Support Parameters	216
Linksys Key System Parameters	218
Provisioning Tab	218
Regional Tab	218
Call Progress Tones	219
Distinctive Ring Patterns	221
Control Timer Values (sec)	222
Vertical Service Activation Codes	223
Vertical Service Announcement Codes	229
Outbound Call Codec Selection Codes	229
Time (SPA525G Only)	232
Language (SPA525G only)	232
Miscellaneous	233
Phone Tab	238
General	238
Line Key	241
Miscellaneous Line Key Settings	242
Line Key LED Pattern	243
Supplementary Services	245
Ring Tone (SPA9X2/SPA525G)	247
Ring Tone (WIP310)	248
Auto Input Gain (dB)	248
Extension Mobility	249
BroadSoft Settings (SPA525G)	249
XML Services (SPA525G)	250
Lightweight Directory Access Protocol (LDAP) Corporate Directory Search	251
Ext Tab	254
General	254
Share Line Appearance	255
NAT Settings	255
Network Settings	256
SIP Settings	257
Call Feature Settings	260
Proxy and Registration	262
Subscriber Information	264
Audio Configuration	265
Dial Plan	267
User Tab	268
Call Forward	269
Speed Dial	269
Supplementary Services	269
Web Information Service Settings (SPA962/SPA525G)	270
Traffic Service Information Settings (SPA962)	270
Audio Volume	271
Screen (SPA525G)	271
Phone GUI Menu Color Settings (SPA962 only)	273
932 Tab (SPA962/SPA525G only)	273
General	274
Unit 2	275
SPA932 Status	275
SPA525G-Specific Tabs	276
Wi-Fi	276
Bluetooth (SPA525G)	277
Personal Address Book	277
Call History	277
Speed Dials	277
Firmware Upgrade	277
Where to Go From Here	278
Product Resources	278

Match case Limit results 1 per page

Provisioning Basics

Using HTTPS

Cisco SPA and Wireless IP Phone Administration Guide

145

Using HTTPS

The Cisco IP phone provides a reliable and secure provisioning strategy based on

HTTPS requests from the Cisco IP phone to the provisioning server, using both

server and client certificates for authenticating the client to the server and the

server to the client.

To use HTTPS with Cisco IP phones, you must generate a Certificate Signing

Request (CSR) and submit it to Cisco. The Cisco IP phone generates a certificate

for installation on the provisioning server that is accepted by Cisco IP phones

when they seek to establish an HTTPS connection with the provisioning server.

The Cisco IP phone implements up to 256-bit symmetric encryption, using the

American Encryption Standard (AES), in addition to 128-bit RC4. The Cisco IP

phone supports the Rivest, Shamir, and Adelman (RSA) algorithm for public/

private key cryptography.

Server Certificates

Each secure provisioning server is issued an secure sockets layer (SSL) server

certificate, directly signed by Cisco. The firmware running on the Cisco IP phone

clients recognizes only these certificates as valid. The clients try to authenticate

the server certificate when connecting via HTTPS, and reject any server

certificate not signed by Cisco.

This mechanism protects the service provider from unauthorized access to the

Cisco IP phone endpoint, or any attempt to spoof the provisioning server. This

might allow the attacker to reprovision the Cisco IP phone to gain configuration

information, or to use a different VoIP service. Without the private key

corresponding to a valid server certificate, the attacker is unable to establish

communication with a Cisco IP phone.

Client Certificates

In addition to a direct attack on the Cisco IP phone, an attacker might attempt to

contact a provisioning server using a standard web browser, or other HTTPS

client, to obtain the Cisco IP phone configuration profile from the provisioning

server. To prevent this kind of attack, each Cisco IP phone also carries a unique

client certificate, also signed by Cisco, including identifying information about