Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

SIP softphone register with CME without username/password

I set up a SIP-SIP gateway on a C2821, this C2821 routes all outbound calls from CUCM to an ITSP (both over SIP trunk), C2821 itself does
not act a CME, i.e, there are no SCCP or SIP clients registered to it, in fact I do not have any configuration that would allow a SCCP/SIP
phone to register/authenticate, however, I found that a software SIP phone that has IP connectivity to this C2821 can register to it with random username/direcotry number/password and therefore make outbound phone calls. I am puzzled, did I miss anything obvious?

Everyone's tags (4)
2 ACCEPTED SOLUTIONS

Accepted Solutions
Hall of Fame Super Gold

Re: SIP softphone register with CME without username/password

Registering and making calls are two different things.

The phone probably is not registering, but yes it is normal that if you do not put an ACL on the interface, anyone on the interned will be able to toll-fraud yourself.

Re: SIP softphone register with CME without username/password

I would look at using ACLs to protect the solution from the network side.  I would also look at implementing the security guidelines outlined in the following doc:

http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/srnd/design/guide/security.html

There is a way to restrict registration from phones (primarily SCCP).

With CME 4.x and later you can also enable Digest Authentication.  I would think that using ACLs as the primary defence, configuring digest auth as a secondary, and then turning off/blocking/disabling other sub-features in CME would be the path you should look into.

Regards,
Bill

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

Please remember to rate helpful responses and identify

3 REPLIES
Hall of Fame Super Gold

Re: SIP softphone register with CME without username/password

Registering and making calls are two different things.

The phone probably is not registering, but yes it is normal that if you do not put an ACL on the interface, anyone on the interned will be able to toll-fraud yourself.

Re: SIP softphone register with CME without username/password

I would look at using ACLs to protect the solution from the network side.  I would also look at implementing the security guidelines outlined in the following doc:

http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/srnd/design/guide/security.html

There is a way to restrict registration from phones (primarily SCCP).

With CME 4.x and later you can also enable Digest Authentication.  I would think that using ACLs as the primary defence, configuring digest auth as a secondary, and then turning off/blocking/disabling other sub-features in CME would be the path you should look into.

Regards,
Bill

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

Please remember to rate helpful responses and identify

New Member

Re: SIP softphone register with CME without username/password

Thank you both for the quick replies, I now understand where my problem was.

1964
Views
0
Helpful
3
Replies
CreatePlease to create content