Solved: There are 3rd party tools to

james_be_81 · ‎05-01-2014

Hi Community,

I'm preparing for the migration of 1000 IP Phones from a CM4 cluster to an exisiting CM 7 cluster.

The problem I'm facing is that security is enabled on the CM4 (not on CM 7) : all phones have CTL file, with servers address configured.

As a test, I tried to manually enter TFTP server of the new cluster on a phone, but I could not save the change as the IP address were not in the CTL list.

What would be my option here considering the phone will switch from the old to the new after a DHCP option 150 update.

The tokens used originally are not available anymore, so I cannot make any change to the existing CTL file. (my first guess was to add new TFTP address).

Can security be disable on all phones/cluster without the token/CTL client ?

Thanks

James

Manish Gogna · ‎05-01-2014

Hi James,

As per the security guide for cucm 4.x

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/4_1_3/sec413/secutrbl.html#wp1029242

Delete the CTL file on the Cisco IP Phone if the following cases occur:

•You lose all security tokens that signed the CTL file.

•The security tokens that signed the CTL file appear compromised.

•You move a phone out of a secure cluster; for example, to a storage area, to a nonsecure cluster, or to another secure cluster in a different domain.

•You move a phone from an area with an unknown security policy to a secure cluster.

•You change the alternate TFTP server address to a server that does not exist in the CTL file.

HTH

Manish

View solution in original post

Manish Gogna · ‎05-01-2014

Hi James,

As per the security guide for cucm 4.x

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/4_1_3/sec413/secutrbl.html#wp1029242

Delete the CTL file on the Cisco IP Phone if the following cases occur:

•You lose all security tokens that signed the CTL file.

•The security tokens that signed the CTL file appear compromised.

•You move a phone out of a secure cluster; for example, to a storage area, to a nonsecure cluster, or to another secure cluster in a different domain.

•You move a phone from an area with an unknown security policy to a secure cluster.

•You change the alternate TFTP server address to a server that does not exist in the CTL file.

HTH

Manish

james_be_81 · ‎05-02-2014

Thanks Manish,

Really no other alternatives than manually delete CTL file on 1000 phones?

I know there is also (expensive?) software such as phoneview that can help doing this but I have no budget for this.

What about bringing "new" tokens to resign all certificates? and eventually disable everything.

Thanks

James

Manish Gogna · ‎05-02-2014

Hi James,

I am not sure about any other options or the cost involved in using any third party app. Let's see if someone else wants to provide inputs on this one.

Manish

Kevin Przybylowski · ‎06-05-2014

There are 3rd party tools to do this for 5.x and up, I have not seen one for 4.x.

Jaime Valencia · ‎05-02-2014

Nope, you have no other option other than deleting the CTL from every single phone. You can blame whoever misplaced, or whatever that may have happened to the tokens.

What about bringing "new" tokens to resign all certificates? and eventually disable everything.
NO, because the phones already have a list of what to trust, signed by a token, which you no longer have, and is the only one they trust. If you do that, all you'll achieve is to bring down your entire infrastructure as phones will no longer even trust the TFTPs and CUCMs as they do now.

HTH

java

if this helps, please rate

Manish Gogna · ‎05-02-2014

Thanks for confirming the same Jaime [+5].

Manish

CM 4 with Security (CTL list) migration