Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

CiscoIPPhoneExecute Dial

Hi All,

I am currently trying to deploy Remote Dialing using POST request with XML command. ( Program Teletrigger which dials remotely from MS Outlook ). Phone Cisco Spa504g

By default, anyone can dial any number just with knowledge of IP adress of the Phone. This is huge security risk . Option that controls authenication is hidden in Advanced Admin tab, but is useless. Can anyone explain me what "Trusted/Local Credential/Remote Credential" means ?

I have tested for 2 days and my results are:

Trusted: dial without authentication - make sense

Remote/Local Credentials: dial with authentication, but refuses any credentials ( user/pass, admin/pass, XML_User_Name/XML_Password, SIP user/pass ).

I have tried firmwares from 7.4.9  to 7.5.5 with no success.

Have anyone troubleshooted this feater too ?

# *** XML Service

XML_Directory_Service_Name "" ;

XML_Directory_Service_URL "" ;

XML_Application_Service_Name "" ;

XML_Application_Service_URL "" ;

XML_User_Name "" ;

XML_Password "" ;

CISCO_XML_EXE_Auth_Mode "Trusted" ; # options:

Trusted/Local Credential/Remote Credential

1 REPLY
VIP Blue

Re: CiscoIPPhoneExecute Dial

Yes, default configuration is very insecure - anyone with physical access to ethernet plug can order any phone to dial any number. Unless you blocked direct inter-phone access on the switch (we did).

According XML_User_Name/XML_Password/CISCO_XML_EXE_Auth_Mode - they are undocumented on SPA5xx. The only information I found is unauthorized description here:

http://www.voip-info.org/wiki/view/Cisco+79XX+XML+Push

But according my observations, the SPA5xx act differently. At least in SIP mode:

CISCO_XML_EXE_Auth_ModeBehavior
TrustedOpen access
Local credentialDigest style authentication using username 'user' and password set by user *). If no password set then open access
Remote credentialDigest style authentication using XML_User_Name/XML_Password required

*) WWW UI Tab 'System' section 'System Configuration' option 'User Password' or via phone menu

2654
Views
4
Helpful
1
Replies
CreatePlease to create content