CUCM Encryption and Authentication v1.0


Cisco CUCM

Security: Authentication and Encryption
alejandro.pedroche@hotmail.com

1 Overview
In this lab authentication and encryption will be deployed.

2 Activate Services
The following services need to be running to support authentication and encryption:

• Cisco CTL Provider

Step 1 Using the Navigation Drop Down menu and the Go button navigate to Cisco
Unified Serviceability on your Publisher.

Step 2 Navigate to Tools → Service Activation. Select your Publisher server at
10.1.100.81 and activate the Cisco CTL Provider located under the Security Services
section. Click Save.

Step 3 Using the Navigation Drop Down menu and the Go button navigate to Cisco
Unified CallManager Administration.

Alejandro Fernández de la Cueva Pedroche


alejandro.pedroche@hotmail.com

Step 4 Navigate to System → Service Parameters. Select your Publisher server at
10.1.100.81 and the Cisco CTL Provider Service. Note the Port Number.

Step 5 Repeat steps 1 through 3 for your Subscriber and enable the Cisco CTL
Provider.


3 Install Cisco CTL Client and eToken USB Key
Warning Do not insert the USB token at this time. The driver for this token is installed
when the CTL client is installed. Insert the USB token when instructed to do so.

3.1 Installation
The CTL Client and eToken USB key need to be installed.
Step 6 The CTL client must be installed on the Windows 7 client.
Step 7 Assign the appropriate IP address, subnet mask, default gateway and DNS server.
Step 8 Launch Internet Explorer on the laptop and navigate to your Publisher Server at
https://10.1.100.81/ccmadmin. Ignore the security warnings and select
Continue to this website. Log in as CUCMos with the password xxxxxx.

Step 9 Navigate to Application → Plugins → Find. Select Download next to the Cisco
CTL Client. When prompted with a security warning to run or save the file select Run.
When the second security warning appears select Run once more.

Step 10 When the Welcome screen appears click Next. Accept the license and all defaults
clicking Next throughout the installation. Click Finish when done. Reboot the
computer if prompted to do so.


Step 11 When the installation completes double click on the Cisco CTL Client shortcut on
the desktop. Enter the IP address of your CallManager server: 10.1.100.81. The
Username should be CUCMos and the Password xxxxxx. Click Next.

Step 12 A screen will appear which asks if you want to set the Cisco Unified
Communications Manager Cluster to Mixed Mode or Update the CTL File. Select
Set Unified Communications Manager Cluster to Mixed Mode and click
Next.


Step 13 You will be asked to insert a Security Token at this time. You will need two
tokens for this process to complete but you will only use one at a time. Be sure
to write down the serial numbers of the tokens you are using.
Step 14 A screen will appear asking you to add the security token. Click on Add.

Step 15 Another screen (shown below) will now appear and give you the option of adding
security tokens. Select the option to add a security token and follow the onscreen
instructions. Remove the original token and insert the second security token. Be
sure to keep track of the tokens you are using! Repeat the step for the second token
and select Add.


Step 16 When you have added the second security token select Finish on the splash screen
that appears. This is the same screen as shown in the step above.
Step 17 Click Next.
Step 18 You will now be asked to Login to your eToken to enable your private key. Enter
the User Password Cisco123 exactly like this with Cisco capitalized. Click OK.

You may get a warning indicating that your e-token password has expired. The
current password should be Cisco123 but it is possible that it may be cisco, or
Cisco, or cisco1234 or Cisco1234. Please do not change the password: just click
Cancel.

Warning The security tokens ship with a default password of Cisco123. It seems that this
password has a lifetime of about 1 year. We are just now seeing the "Change
Password" pop-up windows appearing.


Step 19 Note the list of certificates. Click Done.

Step 20 Navigate to System → Enterprise Parameters. The Cluster Security Mode is now
set to Mixed Mode (the value 1).


3.2 Testing
Investigate the impact of the configuration so far.
Step 21 Double click on the Wireshark shortcut on your desktop. Wireshark will start up.

Step 22 Navigate to Capture → Interfaces. The following popup window will appear.
Click on Options to the right of the Intel 82566MM Gigabit Network Connection.


Step 23 In the drop down box you should see the Intel 82566 Gigabit Network Connection
Driver selected. Check the box beside Update list of packets in real time and
Automatic scrolling in live capture. Click Start.

Step 24 Make a call from the Left Phone to the Right Phone. Look for Skinny signaling
packets and packets representing the RTP stream. Notice that the Skinny protocol
uses TCP port 2000. The OpenReceiveChannelAck message, which is the phone's
response to the OpenReceiveChannel message, provides the Cisco Unified
Communications Manager with the IP address and port that the Left Phone wants
to use to receive the RTP stream. This information will be signaled to the Right
Phone in a StartMediaTransmission message. We do not want these messages to be
so easily captured and interpreted. The figure below displays some of the Skinny
signaling between the Cisco IP Phone and the CallManager service.


Step 25 Investigate settings on the Inside Phones. Press Settings → Status → Status
Messages. You should see the name of the file the IP Phone tried to download.
Note the .XML extension. These files are in clear text.

Step 26 Investigate settings on the Inside Phones. Press Settings → Security
Configuration → Security Mode.

Step 27 Investigate settings on the Inside Phones. Press Settings → Model Information.
Scroll down to find the settings for CTL, MIC and LSC. Your phone may have an
LSC installed from a previous class.

Step 28 Investigate settings on the Inside Phones. Press Settings → Security Configuration.
Find the settings for Security Mode, MIC, LSC, CTL File, Trust List and CAPF.


3.3 Capture and Playback Before Encryption

A voice call will be captured and played back before encryption to demonstrate the ability of
hackers to record VoIP calls.

___________________________________________________________________________

NOTE: Cisco has disabled spanning to the PC port on new model phones such as the
7965. For the purpose of this lab we will enable the spanning of the PC port to illustrate
the possible effects of not securing older phone models. Spanning to the PC port allows the
RTP streams to be captured and replayed.
_________________________________________________________________________

Step 29 Navigate to Device → Phone → Find. Select your Left Phone. When the Phone
configuration page opens scroll down to the setting Span to PC Port and select Enable.
Also scroll down a bit farther on the same screen and find Advertise G.722 Codec*.
You will want to disable the G.722 codec and force the phones to use G.711 for our test.


Step 30 Start a new capture using Wireshark. Make a call from your Left to Right Phone.
You should see RTP packets captured. Be sure to capture the call setup, media,
and call teardown.

Step 31 Navigate to Statistics → RTP → Show All Streams. Select a stream and click
Analyze.


Step 32 On the next screen click on Save Payload.

Step 33 Save the payload to the desktop. For Channels select forward. Enter a filename
with a .au extension.

Step 34 Find the file on the desktop and click on it. Windows Media Player will launch.
The captured conversation should play out.


4 Enable the Certificate Authority Proxy Function Service
The Cisco Certificate Authority Proxy Function (CAPF) service needs to be enabled so that
phones can acquire certificates.
Step 35 Using the Navigation Drop Down menu and the Go button navigate to Cisco
Unified CallManager Serviceability.

Step 36 Navigate to Tools → Service Activation. Select the Publisher server. Activate the
Cisco Certificate Authority Proxy Function service.

Step 37 You may have to update the CTL file in a number of scenarios:
• A new CUCM is added to the cluster
• The name or IP address of a CUCM server is changed
• A TFTP server is added or deleted
• A CUCM server is restored

Step 38 Using the Navigation Drop Down menu and the Go button navigate to Cisco
Unified CallManager Administration.


Step 39 Navigate to System → Service Parameters. Select your PodN-Pub server and the
Cisco Certificate Authority Proxy Function. Inspect the parameters.


5 Enabling Authentication and Encryption


At some point you may want to try to authenticate or encrypt something.

5.1 Get Certificate Trust List Out to the Phones


Step 40 On your Left or Right Phone navigate to Settings → Security Configuration →
CTL File. Note that there is no CTL File present at this point. Restart the TFTP
service and reset the phone to get the CTL File downloaded. Inspect the CTL File
on the phone.

5.2 Create a Security Profile


Step 41 Navigate to System → Security Profile → Phone Security Profile → Find. Have a
look at the list.

Step 42 Click Add New to add a Security Profile named Protected. Select Cisco 6921, as
applicable to your pod. Click Next.

Step 43 Select SCCP as the phone security profile protocol and click Next.


Step 44 Configure the profile with the following attributes and click Save.

Name: Protected
Description: Authentication and encryption
Device Security Mode: Encrypted
Authentication Mode: By Authentication String
Key Size: 1024


5.3 Get Certificates Out to the Phones

Step 45 We need to get certificates onto the phones. Navigate to the HQ-Left Phone
configuration window. Scroll down to find the Certificate Authority Proxy
Function (CAPF) Information settings. Set the Certificate Operation to
Install/Upgrade. Set the Authentication Mode to By Authentication String. Set the
Authentication String to 12345. Click Save. Do not Reset the phone.

Warning Do not reset the phone or you may get the hated That Key is Not Active Here
error, which you may also get for other unknown reasons.

Step 46 Download an X.509v3 certificate to the Left Phone. Press Settings → Security
Configuration. Press **# to unlock the settings. Scroll down to LSC and press the
Update softkey. Enter 12345 as the Authentication Key and click Submit. The
LSC setting will change to Pending and the phone will display a message
Generating keys. It will take some time for the keys to be generated. The phone
configuration page will also show the operation as Operation Pending.


Step 47 Once the key has been generated the LSC value will change to Installed. On the
phone configuration page have another look at the Certificate Authority Proxy
Function (CAPF) Information settings. These settings should now be reset as
shown below.

Step 48 On the Left Phone navigate to Settings → Security → LSC to confirm the LSC is
Installed.
Step 49 Navigate to Device → Phone → Find. Select the Left Phone. Find the Device
Security Profile parameter and set the value to Protected. Click Save and Reset the
phone.

Step 50 You will need to restart the CallManager service. (Recommended) Schedule this
operation for a window outside office hours.
Step 51 Place a call from the Left Phone to the Right Phone. It should work fine but there
will be no authentication or encryption for the RTP stream. On the Left Phone
navigate to Settings → Security → Security Mode to confirm the mode is
encrypted. Check the security settings on the Right Phone and notice that the
Security Mode is Non Secure.
Step 52 Repeat section 5.3 of this lab on the Right Phone. The Right phone will need the
Device Security Profile parameter set to Protected and the CAPF information set
to Install/Upgrade a certificate by an Authentication String of 12345. Click Save.
Reset the phone.
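The Protected profile from section 5.2, the per-phone CAPF/LSC state from section 5.3 and the result observed in step 51 (an encrypted Left Phone talking to a Non Secure Right Phone gives a non-secure call) can be written down as plain data and checked. The script below is an added example for this lab; it is not lab material and not a CUCM API. The profile and phone names, the default profile's values and the LSC/CTL flags are constructed, and only the lab's LSC-based flow is modeled (a phone without an LSC is treated as unable to register securely; MIC-based authentication is not covered). The key-size check keeps the lab's 1024 as its floor and flags it only as advisory.

```python
"""Model a CUCM phone security profile and the per-phone state the lab walks through.

Added example, not part of the lab. It encodes the Protected profile from section 5.2
and the Left/Right phone states from section 5.3 as plain data, checks the profile's
attributes, and derives what security a call between two phones will actually get.
Simplification: only the LSC-based flow used in the lab is modeled (no MIC fallback).
"""
from dataclasses import dataclass

# Ordering used to pick the weaker of two endpoints.
LEVELS = {"Non Secure": 0, "Authenticated": 1, "Encrypted": 2}


@dataclass
class Profile:
    name: str
    device_security_mode: str   # "Non Secure", "Authenticated" or "Encrypted"
    authentication_mode: str    # e.g. "By Authentication String" as in the lab
    key_size: int               # RSA key size the CAPF operation will generate


@dataclass
class Phone:
    name: str
    profile: Profile
    lsc_installed: bool         # Settings -> Security -> LSC shows Installed
    ctl_present: bool           # Settings -> Security Configuration -> CTL File is present


def validate_profile(p):
    """Return findings for a profile; an empty list means it matches the lab's Protected profile."""
    findings = []
    if p.device_security_mode != "Encrypted":
        findings.append(f"{p.name}: Device Security Mode is {p.device_security_mode}, expected Encrypted")
    if p.authentication_mode != "By Authentication String":
        findings.append(f"{p.name}: Authentication Mode is {p.authentication_mode}, expected By Authentication String")
    if p.key_size < 1024:
        findings.append(f"{p.name}: key size {p.key_size} is below the 1024 used in the lab")
    elif p.key_size < 2048:
        # Advisory only: the lab uses 1024; current guidance for RSA is 2048 bits or more.
        findings.append(f"{p.name}: key size {p.key_size} is below the 2048-bit recommendation (advisory)")
    return findings


def effective_mode(phone):
    """Mode the phone ends up in: a secure profile only takes effect with a CTL and a certificate."""
    wanted = phone.profile.device_security_mode
    if LEVELS[wanted] == 0:
        return "Non Secure"
    if not phone.ctl_present:
        return "Non Secure"      # no trust list, so the phone cannot validate the TLS peer
    if not phone.lsc_installed:
        return "Non Secure"      # no certificate of its own, so no TLS registration (simplified)
    return wanted


def call_security(a, b):
    """A call is only as secure as its weaker end (step 51: Encrypted Left + Non Secure Right = Non Secure)."""
    return min(effective_mode(a), effective_mode(b), key=lambda m: LEVELS[m])


def lab_state():
    """Constructed snapshot of the lab after step 51 (Right Phone not yet secured)."""
    protected = Profile("Protected", "Encrypted", "By Authentication String", 1024)
    default = Profile("Standard SCCP Non-Secure Profile", "Non Secure", "By Null String", 1024)
    left = Phone("HQ-Left", protected, lsc_installed=True, ctl_present=True)
    right = Phone("HQ-Right", default, lsc_installed=False, ctl_present=True)
    return protected, left, right


def secure_right_phone(right, protected):
    """What step 52 does: assign the Protected profile and install an LSC through CAPF."""
    return Phone(right.name, protected, lsc_installed=True, ctl_present=right.ctl_present)


if __name__ == "__main__":
    protected, left, right = lab_state()
    print(validate_profile(protected))
    print("call before step 52:", call_security(left, right))
    print("call after step 52:", call_security(left, secure_right_phone(right, protected)))
```

Running it shows the same progression as steps 51 and 52: the first call is reported Non Secure because the Right Phone still carries the non-secure profile, and once the Right Phone is re-profiled and has its LSC the call comes out Encrypted.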


5.4 Verify Authentication and Encryption


We need to verify that authentication and encryption are working.
Step 53 We need to enable authentication on the phones. Select Settings → Security
Configuration → 802.1X Authentication → Device Authentication. From this screen
you can enable or disable authentication.
Step 54 Start Wireshark on the laptop. Make a call from the one phone to the other. Look
for Skinny messages. You may find some registration messages but mostly you
will find the unknown messages associated with TCP using random port
numbers. After the port numbers you will see cisco-sccp. Test this without
making a call, simply go off hook on one phone while capturing packets. Earlier
in the lab when you captured SCCP packets they showed up as SKINNY.
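The difference between the clear-text Skinny signaling captured in section 3.2 (TCP port 2000, fully decoded by Wireshark) and the TLS-wrapped signaling seen in step 54 is visible from a flow summary alone, which makes it a cheap check for a defender after a cluster is switched to mixed mode. The script below is an added example, not part of this lab or of Cisco's tooling: it reads constructed flow lines (10.1.100.81 is the lab Publisher; the phone addresses are made up) and lists the phones still registering over clear-text SCCP. It assumes that secure SCCP runs on TCP port 2443, the port CUCM uses for SCCP over TLS, and that phone media uses the even UDP ports in 16384 to 32767.

```python
"""Audit a capture summary for clear-text versus TLS-protected SCCP signaling.

Added example (not from the lab). Input lines are constructed in the shape
"src:sport -> dst:dport PROTO"; they are not real tshark or Wireshark output.
"""
import re
from collections import Counter

# Constructed flow summary. 10.1.100.81 is the lab's Publisher; the phone IPs are made up.
SAMPLE_FLOWS = """\
10.1.100.201:49152 -> 10.1.100.81:2000 TCP
10.1.100.202:49160 -> 10.1.100.81:2443 TCP
10.1.100.201:16384 -> 10.1.100.202:16384 UDP
10.1.100.203:49170 -> 10.1.100.81:2000 TCP
10.1.100.203:51000 -> 10.1.100.81:69 UDP
"""

FLOW_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (TCP|UDP)$")

SCCP_CLEAR_PORT = 2000  # cisco-sccp: every Skinny message is readable on the wire
SCCP_TLS_PORT = 2443    # SCCP inside TLS, used by phones in an Authenticated/Encrypted profile
TFTP_PORT = 69          # config-file download; the lab notes the .xml files are clear text
RTP_PORT_RANGE = range(16384, 32768)  # Cisco phone media range; RTP uses the even ports


def classify(line):
    """Map one summary line to a flow dict with a 'kind' label, or None if it does not parse."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, proto = m.groups()
    dport = int(dport)
    if proto == "TCP" and dport == SCCP_CLEAR_PORT:
        kind = "sccp-clear"
    elif proto == "TCP" and dport == SCCP_TLS_PORT:
        kind = "sccp-tls"
    elif proto == "UDP" and dport == TFTP_PORT:
        kind = "tftp"
    elif proto == "UDP" and dport in RTP_PORT_RANGE and dport % 2 == 0:
        # Port numbers cannot tell RTP from SRTP; only the signaling (or the payload) can.
        kind = "rtp-or-srtp"
    else:
        kind = "other"
    return {"src": src, "dst": dst, "dport": dport, "proto": proto, "kind": kind}


def audit(summary):
    """Count flows per kind and list the phone addresses still registering over clear-text SCCP."""
    counts = Counter()
    clear_phones = set()
    for line in summary.splitlines():
        flow = classify(line)
        if flow is None:
            continue
        counts[flow["kind"]] += 1
        if flow["kind"] == "sccp-clear":
            clear_phones.add(flow["src"])
    return counts, sorted(clear_phones)


if __name__ == "__main__":
    counts, clear_phones = audit(SAMPLE_FLOWS)
    print(dict(counts))
    print("phones still using clear-text SCCP:", clear_phones)
```

A phone that shows up under sccp-clear after the cluster is in mixed mode has either not received its Protected profile or has no usable LSC yet, which is exactly the state the Right Phone is in at step 51. Note that the media flows are deliberately labelled rtp-or-srtp: whether they are encrypted has to be confirmed from the signaling or from the payload, not from the port numbers.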

Step 55 Make a call from the Right Phone to the Left Phone. Notice the lock indicating
the call is encrypted on the phone display.


5.5 Capture and Playback of Encrypted Call


We need to verify that authentication and encryption are working. A voice call will be captured
and played back after encryption to demonstrate that the ability of hackers to record VoIP calls
has been thwarted.
Step 56 Place a call from the Left to the Right Phone and capture the conversation using
Wireshark.

Step 57 Repeat the steps and capture another conversation. Remember to actually speak for
at least 30 seconds so you will have enough packets to make the test worthwhile.

Step 58 When you play back your recording this time you will hear white noise.

Step 59 Investigate the Phone Security settings on the 6921 Phones. Select Settings →
Security Configuration → Trust List. Notice that all of the trusted TFTP servers,
Communication Managers and CAPF Server show up with a yellow certificate.
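The white noise heard in step 58 is the audible sign that the RTP payload is now SRTP ciphertext; the RTP header (version, payload type, sequence number, timestamp, SSRC) is still readable, only the payload has changed. The script below turns that observation into a measurable check. It is an added example and not part of the lab: it builds two constructed streams, one carrying G.711 mu-law frames of a tone produced by its own encoder and one carrying SHA-256 output standing in for SRTP ciphertext, parses the RTP headers with a fixed-header parser, and measures payload entropy over the whole stream. The thresholds (1600 payload bytes minimum, 7.0 bits per byte) are assumptions chosen for this demonstration, not values from the lab.

```python
"""Check whether captured RTP media is really encrypted by measuring payload entropy.

Added example, not from the lab. Both streams are constructed: one carries a G.711
mu-law tone (own encoder below), the other carries SHA-256 output standing in for
SRTP ciphertext. No real capture is read.
"""
import hashlib
import math
import struct
from collections import Counter

RTP_HEADER = struct.Struct(">BBHII")   # V/P/X/CC, M/PT, sequence, timestamp, SSRC
PT_PCMU = 0                            # static RTP payload type for G.711 mu-law
MIN_STREAM_BYTES = 1600                # at least ten 20 ms frames before judging (assumed)
ENCRYPTED_THRESHOLD_BITS = 7.0         # ciphertext sits near 8 bits/byte; mu-law speech stays lower


def mulaw_encode(sample):
    """G.711 mu-law encoding of one 16-bit linear PCM sample (standard segment/mantissa algorithm)."""
    BIAS, CLIP = 0x84, 32635
    sign = 0x80 if sample < 0 else 0
    magnitude = min(abs(sample), CLIP) + BIAS
    exponent, mask = 7, 0x4000
    while exponent > 0 and not magnitude & mask:
        exponent -= 1
        mask >>= 1
    mantissa = (magnitude >> (exponent + 3)) & 0x0F
    return ~(sign | (exponent << 4) | mantissa) & 0xFF


def tone_frames(count, samples=160, freq_hz=1000, rate_hz=8000, amplitude=8000):
    """`count` consecutive 20 ms frames of a sine tone, mu-law encoded: stand-in for clear G.711."""
    frames = []
    for k in range(count):
        pcm = (int(amplitude * math.sin(2 * math.pi * freq_hz * (k * samples + i) / rate_hz))
               for i in range(samples))
        frames.append(bytes(mulaw_encode(s) for s in pcm))
    return frames


def ciphertext_frames(count, length=160):
    """Deterministic high-entropy frames standing in for SRTP payloads (constructed, not real SRTP)."""
    frames = []
    for k in range(count):
        blob = b"".join(hashlib.sha256(b"srtp-stand-in-%d-%d" % (k, j)).digest() for j in range(5))
        frames.append(blob[:length])
    return frames


def build_rtp(payload, seq, timestamp, ssrc=0x1234ABCD, payload_type=PT_PCMU):
    """Fixed 12-byte RTP header (V=2, no padding/extension/CSRC) followed by the payload."""
    return RTP_HEADER.pack(0x80, payload_type, seq, timestamp, ssrc) + payload


def make_stream(payloads, ssrc=0x1234ABCD):
    """Wrap consecutive 160-sample payloads with increasing sequence numbers and timestamps."""
    return [build_rtp(p, seq=i, timestamp=i * 160, ssrc=ssrc) for i, p in enumerate(payloads)]


def parse_rtp(packet):
    """Split an RTP packet into header fields and payload (CSRC list skipped, extension rejected)."""
    b0, b1, seq, timestamp, ssrc = RTP_HEADER.unpack_from(packet)
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    if b0 & 0x10:
        raise ValueError("header extension not handled")
    header_len = RTP_HEADER.size + 4 * (b0 & 0x0F)
    return {"pt": b1 & 0x7F, "seq": seq, "ts": timestamp, "ssrc": ssrc,
            "payload": packet[header_len:]}


def stream_payload(packets):
    return b"".join(parse_rtp(p)["payload"] for p in packets)


def shannon_entropy(data):
    """Bits of entropy per byte of the empirical byte distribution."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(packets):
    """True when the aggregated payload is too random to be G.711 audio; headers stay readable."""
    data = stream_payload(packets)
    if len(data) < MIN_STREAM_BYTES:
        raise ValueError("need at least %d payload bytes to judge" % MIN_STREAM_BYTES)
    return shannon_entropy(data) >= ENCRYPTED_THRESHOLD_BITS


if __name__ == "__main__":
    for label, stream in (("clear", make_stream(tone_frames(10))),
                          ("secured", make_stream(ciphertext_frames(10)))):
        first = parse_rtp(stream[0])
        print("%s: pt=%d ssrc=%08x entropy=%.2f encrypted=%s" % (
            label, first["pt"], first["ssrc"], shannon_entropy(stream_payload(stream)),
            looks_encrypted(stream)))
```

Judging a single packet is unreliable: one 160-byte frame of loud speech can spread over many distinct mu-law codes, which is why the check aggregates the whole stream and refuses to answer below a minimum amount of media, in line with step 57's advice to keep talking for at least 30 seconds. The header fields printed for both streams are the same kind of information Wireshark shows for an SRTP stream: encryption protects the audio, not the fact that a call took place between two SSRCs.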

