Cisco CallManager allows authentication of calls. When you are configuring devices for authenticated calls, two services are provided:
Certificate Exchange in TLS
At the beginning of a TLS session, the Cisco CallManager server and the IP phone exchange certificates using the messages shown in Figure 26-11.
Figure 26-11. Certificate Exchange Process
The certificate exchange process occurs as follows:
At this point, both the IP phone and the server validate the certificates they just received over the network:
Server-to-Phone Authentication
The next stage of the TLS handshake is authentication of the server by the IP phone. A simplified version of the authentication steps is shown in Figure 26-12.
Figure 26-12. Server-to-Phone Authentication
The CallManager-to-Phone authentication occurs as follows:
Phone-to-Server Authentication
After the server has authenticated to the IP phone, the IP phone needs to authenticate to the server. A simplified version of the authentication steps is shown in Figure 26-13.
Figure 26-13. Phone-to-Server Authentication
The Phone-to-CallManager authentication occurs as follows:
Note
In the certificate of the IP phone, the public key of the IP phone is tied to the identity of the IP phone. Because Cisco CallManager identifies an IP phone by MAC address and not by IP address or name, the MAC address of the phone is used as the identifier in the certificate of the IP phone.
TLS SHA-1 Session Key Exchange
After the bidirectional authentication, a SHA-1 session key is exchanged using these steps:
1. The IP phone generates a session key for SHA-1 hashing.
2. The IP phone encrypts it using the public RSA key of the server and sends it to the server.
3. The server decrypts the message and thus also knows which key to use for SHA-1 hashing of the TLS packets.
The IP phone and the server can now exchange signaling messages over authenticated TLS packets, ensuring the integrity and authenticity of each signaling message exchanged between the two.
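The three-step key exchange and the subsequent SHA-1 integrity protection of signaling messages, modelled as an added example that is not code from the book or from Cisco. It assumes textbook RSA over constructed small primes (no padding, unlike real TLS), HMAC-SHA1 as the "SHA-1 hashing", and a constructed signaling message; the phone-side and server-side functions are hypothetical names.

```python
import hashlib
import hmac
import os

# Constructed toy RSA key pair for the CallManager server. The primes are
# tiny so the arithmetic is visible; a real server key is 1024+ bits.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
SERVER_PUBLIC_KEY = (N, E)
SERVER_PRIVATE_KEY = (N, D)
BLOCK = 4  # 4-byte blocks: 2**32 < N, so each block is a valid RSA input

def phone_generate_session_key(num_bytes=20):
    # Step 1: the IP phone generates a random session key for SHA-1 hashing.
    return os.urandom(num_bytes)

def phone_encrypt_session_key(session_key, public_key):
    # Step 2: encrypt the key with the server's public RSA key, block by block.
    n, e = public_key
    return [pow(int.from_bytes(session_key[i:i + BLOCK], "big"), e, n)
            for i in range(0, len(session_key), BLOCK)]

def server_decrypt_session_key(blocks, private_key):
    # Step 3: the server recovers the key with its private RSA key.
    n, d = private_key
    return b"".join(pow(c, d, n).to_bytes(BLOCK, "big") for c in blocks)

def sign_signaling(session_key, message):
    # Keyed SHA-1 (HMAC-SHA1, assumed here) over one signaling message.
    return hmac.new(session_key, message, hashlib.sha1).digest()

def verify_signaling(session_key, message, tag):
    # Constant-time comparison so a forged tag cannot be probed byte by byte.
    return hmac.compare_digest(sign_signaling(session_key, message), tag)

def run_exchange(session_key=None):
    """Run steps 1-3, then check that signaling is authenticated end to end."""
    key = session_key or phone_generate_session_key()
    wire_blocks = phone_encrypt_session_key(key, SERVER_PUBLIC_KEY)
    server_key = server_decrypt_session_key(wire_blocks, SERVER_PRIVATE_KEY)
    message = b"SCCP OffHook line=1"          # constructed signaling message
    tag = sign_signaling(key, message)         # phone signs with its copy
    return {
        "keys_match": server_key == key,
        "valid": verify_signaling(server_key, message, tag),
        "tampered_rejected": not verify_signaling(server_key, b"SCCP OffHook line=2", tag),
    }
```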
Encryption