Cisco Support Community

Jabber authentication

Hi all,

I have an issue with Cisco Jabber Voice: any user can type the server address and device ID of any other user and can use his extension.

Can we sign the end user password/PIN authentication for accessing?

Thanks

Abdul 

3 REPLIES
Hall of Fame Super Silver

Jabber authentication

Which Jabber are you alluding to?

Normally Jabber requires a password to authenticate, which typically is the LDAP password, so I'm not sure what you are seeing.

Chris

Jabber authentication

Hi Chris,

I am using "Cisco Jabber Voice" version 9.1.5 from the Samsung play store.

When I install it, in the phone services settings it only asks for:

Device ID:

Server Address:

It is a one-time setup, then I got the extension of the Device ID; there is no LDAP verification.

Thanks

Abdul

VIP Super Bronze

Jabber authentication

Interesting. It appears this app doesn't query any of the normal Tomcat services (e.g. CCMCIP) that would require End User authentication. The admin guide supports your statement that you only need a TCT device ID and TFTP server address.

Normally, the way to address this would be SIP Digest Authentication. Unfortunately, Jabber and/or CUCM decide to embed the digest credentials into the TFTP XML config file, rendering the security feature entirely useless without a mixed-mode cluster.

In this instance, I believe you're stuck from a security perspective. Not at all useful but worth noting: this is the same level of security every other CUCM device, including physical phones, has operated under from the beginning. Anyone with any degree of motivation could emulate another device using [redacted] client application as long as they knew the model and MAC address of the device... which they can get from the webpage of the phone if they know its IP address... which they can see by calling it and sniffing the RTP traffic when the call connects.

Please remember to rate helpful responses and identify helpful or correct answers.
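
A detection-side check for the situation described in this thread, as an added example that is not part of the original posts or any Cisco code: it flags a device ID that registers from more than one source address within a short window. The event format, device names, addresses, and the `find_conflicting_registrations` helper are constructed for illustration and are not a real CUCM log format or API.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format, not a real CUCM log):
# ISO timestamp, device name, source IP
SAMPLE_EVENTS = """\
2014-03-02T09:00:05,TCTABDUL,10.20.1.15
2014-03-02T09:02:40,TCTABDUL,10.99.7.200
2014-03-02T09:03:10,tctabdul,10.20.1.15
2014-03-02T09:05:00,TCTCHRIS,10.20.1.31
2014-03-02T13:30:00,TCTCHRIS,10.20.4.77
not,a,valid-line
"""

def parse_events(text):
    """Yield (timestamp, device, ip); skip lines that do not parse."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        # Device names are compared case-insensitively.
        yield ts, parts[1].upper(), parts[2]

def find_conflicting_registrations(text, window_seconds=600):
    """Return {device: sorted IPs} for devices seen registering from two
    or more source addresses within window_seconds of each other."""
    window = timedelta(seconds=window_seconds)
    by_device = defaultdict(list)
    for ts, device, ip in parse_events(text):
        by_device[device].append((ts, ip))
    flagged = {}
    for device, events in by_device.items():
        events.sort()
        hits = set()
        for i, (ts_a, ip_a) in enumerate(events):
            for ts_b, ip_b in events[i + 1:]:
                if ts_b - ts_a > window:
                    break  # events are sorted; later ones are further away
                if ip_b != ip_a:
                    hits.update((ip_a, ip_b))
        if hits:
            flagged[device] = sorted(hits)
    return flagged
```

Mobile clients legitimately change address when they roam, so the window should stay short enough that a hit means two addresses competing for the same device ID rather than one handset moving networks.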
