In this article
Supported security features
dropdown icon
Phone call security
    Secure conference call identification
    Secure phone call identification
    Provide encryption for barge
dropdown icon
Wireless LAN security
    Set up a Wi-Fi profile
    Install a User Certificate from the phone administration web page
    Install an Authentication Server CA from the phone administration web page
    Manually remove a security certificate from the phone administration web page
    Set up SCEP
Set up a Locally Significant Certificate (LSC)
dropdown icon
802.1X Authentication for wired networks
    Enable 802.1X authentication for wired networks on your phone
    Enable 802.1X authentication for wired networks in Cisco Unified Communications Manager Administration
    Security settings menu on phone
Set up the supported versions of TLS
Turn off speakerphone and headset on Cisco Wireless Phone 9821
Cisco Wireless Phone 9821 security (Unified CM)
list-menuIn this article
list-menuFeedback?

This Help article is for Cisco Wireless Phone 9821 registered to Cisco Unified Communications Manager (Unified CM).

You can enable Cisco Unified Communications Manager (Unified CM) to operate in an enhanced security environment. With these enhancements, your phone network operates under a set of strict security and risk management controls to protect you and your users.

The enhanced security environment includes the following features:

  • Contact search authentication

  • TCP as the default protocol for remote audit logging

  • An improved credentials policy

  • Support for the SHA-2 family of hashes for digital signatures

  • Support for a RSA key size up to 4096 bits

With Cisco Unified CM Release 14.0 or later, the phones support SIP OAuth authentication.

OAuth is supported for Proxy Trivial File Transfer Protocol (TFTP) with Cisco Unified CM Release 14.0(1) SU1 or later.

For additional information about security, see the following guides:

Your phone can only store a limited number of Identity Trust List (ITL) files. ITL files can't exceed 64K on the phone so limit the number of files that Cisco Unified CM sends to the phone.

Supported security features

Security features protect against threats, including threats to the identity of the phone and to data. These features establish and maintain authenticated communication streams between the phone and the Cisco Unified Communications Manager server, and ensure that the phone uses only digitally signed files.

Cisco Unified Communications Manager Release 8.5(1) and later includes Security by default, which provides the following security features for Cisco IP Phones without running the CTL client:

  • Signing of the phone configuration files

  • Phone configuration file encryption

  • HTTPS with Tomcat and other web services

Secure signaling and media features still require you to run the CTL client and use hardware eTokens.

Implementing security in the Cisco Unified Communications Manager system prevents identity theft of the phone and Cisco Unified Communications Manager server, prevents data tampering, and prevents call signaling and media stream tampering.

To alleviate these threats, the Cisco IP telephony network establishes and maintains secure (encrypted) communication streams between a phone and the server, digitally signs files before they are transferred to a phone, and encrypts media streams and call signaling between Cisco IP Phones.

A Locally Significant Certificate (LSC) installs on phones after you perform the necessary tasks that are associated with the Certificate Authority Proxy Function (CAPF). You can use Cisco Unified Communications Manager Administration to configure an LSC, as described in the Cisco Unified Communications Manager Security Guide. Alternatively, you can initiate the installation of an LSC from the Security menu on the phone. This menu also lets you update or remove an LSC.

The phones use the phone security profile, which defines whether the device is nonsecure or secure. For information about applying the security profile to the phone, see the documentation for your particular Cisco Unified Communications Manager release.

If you configure security-related settings in Cisco Unified Communications Manager Administration, the phone configuration file contains sensitive information. To ensure the privacy of a configuration file, you must configure it for encryption. For detailed information, see the documentation for your particular Cisco Unified Communications Manager release.

The following table provides an overview of the security features that the phones support. For more information, see the documentation for your particular Cisco Unified Communications Manager release.

Table 1. Overview of security features

Feature

Description

Image authentication

Signed binary files prevent tampering with the firmware image before the image is loaded on a phone.

Tampering with the image causes a phone to fail the authentication process and reject the new image.

Customer site certificate installation

Each Cisco IP Phone requires a unique certificate for device authentication. Phones include a manufacturing installed certificate (MIC), but for extra security, you can specify certificate installation in Cisco Unified Communications Manager Administration using the Certificate Authority Proxy Function (CAPF). Alternatively, you can install a Locally Significant Certificate (LSC) from the Security menu on the phone.

Device authentication

Occurs between the Cisco Unified Communications Manager server and the phone when each entity accepts the certificate of the other entity. Determines whether a secure connection between the phone and a Cisco Unified Communications Manager should occur; and, if necessary, creates a secure signaling path between the entities by using TLS protocol. Cisco Unified Communications Manager doesn’t register phones unless it can authenticate them.

File authentication

Validates digitally signed files that the phone downloads. The phone validates the signature to make sure that file tampering didn’t occur after file creation. Files that fail authentication aren’t written to Flash memory on the phone. The phone rejects such files without further processing.

File encryption

Encryption prevents sensitive information from being revealed while the file is in transit to the phone. In addition, the phone validates the signature to make sure that file tampering didn’t occur after file creation. Files that fail authentication aren’t written to Flash memory on the phone. The phone rejects such files without further processing.

Signaling authentication

Uses the TLS protocol to validate that no tampering to signaling packets has occurred during transmission.

Manufacturing installed certificate

Each Cisco IP Phone contains a unique manufacturing installed certificate (MIC), which is used for device authentication. The MIC provides permanent unique proof of identity for the phone and allows Cisco Unified Communications Manager to authenticate the phone.

Media encryption

Uses SRTP to ensure that media streams between supported devices prove secure and that only the intended device receives and reads the data. Includes creating a media primary key pair for the devices, delivering the keys to the devices, and securing the delivery of the keys while the keys are in transport.

CAPF (Certificate Authority Proxy Function)

Implements parts of the certificate generation procedure that are too processing-intensive for the phone, and interacts with the phone for key generation and certificate installation. The CAPF can be configured to request certificates from customer-specified certificate authorities on behalf of the phone, or it can be configured to generate certificates locally.

Both EC (Elliptical Curve) and RSA key types are supported. To use the EC key, make sure that the parameter "Endpoint Advanced Encryption Algorithms Support" (from System > Enterprise parameter) is enabled.

For more information about CAPF and related configurations, see the following documents:

Security profile

Defines whether the phone is nonsecure, authenticated, encrypted, or protected. Other entries in this table describe security features.

Encrypted configuration files

Lets you ensure the privacy of phone configuration files.

Optional web server disabling for a phone

For security purposes, you can prevent access to the web pages for a phone (which display various operational statistics for the phone) and Self Care Portal.

Phone hardening

Additional security options, which you control from Cisco Unified Communications Manager Administration:

  • Disabling Gratuitous ARP (GARP)
  • Disabling access to the Setting menu or providing restricted access
  • Disabling access to phone administration web pages
  • Disabling Bluetooth Accessory Port
  • Restricting TLS ciphers

Secure SIP Failover for SRST

After you configure a Survivable Remote Site Telephony (SRST) reference for security and then reset the dependent devices in Cisco Unified Communications Manager Administration, the TFTP server adds the SRST certificate to the phone cnf.xml file and sends the file to the phone. A secure phone then uses a TLS connection to interact with the SRST-enabled router.

Signaling encryption

Ensures that all SIP signaling messages that are sent between the device and the Cisco Unified Communications Manager server are encrypted.

Trust List update alarm

When the Trust List updates on the phone, the Cisco Unified Communications Manager receives an alarm to indicate the success or failure of the update. See the following table for more information.

AES 256 Encryption

When connected to Cisco Unified Communications Manager Release 10.5(2) and later, the phones support AES 256 encryption support for TLS and SIP for signaling and media encryption. This enables phones to initiate and support TLS 1.2 connections using AES-256 based ciphers that conform to SHA-2 (Secure Hash Algorithm) standards and are Federal Information Processing Standards (FIPS) compliant. The ciphers include:

  • For TLS connections:
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • For sRTP:
    • AEAD_AES_256_GCM
    • AEAD_AES_128_GCM

For more information, see the Cisco Unified Communications Manager documentation.

Elliptic Curve Digital Signature Algorithm (ECDSA) certificates

As part of Common Criteria (CC) certification, Cisco Unified Communications Manager; added ECDSA certificates in version 11.0. This affects all Voice Operating System (VOS) products running CUCM 11.5 and later versions.

Multi-server (SAN) Tomcat Certificate with Cisco UCM

The phone supports Cisco UCM with Multi-server (SAN) Tomcat Certificates configured. The correct TFTP server address can be found in the phone ITL file for phone's registration.

For more information about the feature, see the following:

The following table contains the Trust List update alarm messages and meaning. For more information, see the Cisco Unified Communications Manager documentation.

Table 2. Trust list update alarm messages
Code and message Description

1 - TL_SUCCESS

Received new CTL and/or ITL

2 - CTL_INITIAL_SUCCESS

Received new CTL, no existing TL

3 - ITL_INITIAL_SUCCESS

Received new ITL, no existing TL

4 - TL_INITIAL_SUCCESS

Received new CTL and ITL, no existing TL

5 - TL_FAILED_OLD_CTL

Update to new CTL failed, but have previous TL

6 - TL_FAILED_NO_TL

Update to new TL failed, and have no old TL

7 - TL_FAILED

Generic failure

8 - TL_FAILED_OLD_ITL

Update to new ITL failed, but have previous TL

9 - TL_FAILED_OLD_TL

Update to new TL failed, but have previous TL

Phone call security

When security is implemented for a phone, you can identify secure phone calls by icons on the phone screen. You can also determine whether the connected phone is secure and protected if a security tone plays at the beginning of the call.

In a secure call, all call signaling and media streams are encrypted. A secure call offers a high level of security, providing integrity and privacy to the call. When a call in progress is encrypted, you can see the secure icon 9821 secure call icon on the line.

  • If the call is routed through non-IP call legs, for example, PSTN, the call may be nonsecure even though it is encrypted within the IP network and has a lock icon associated with it.

  • Secure calling is supported for connections between two phones only. Some features, such as conference calling and shared lines, are not available when secure calling is configured.

In Cisco Unified Communications Manager, phones configured as secure (encrypted and trusted) can be assigned a protected status. Once protected, these devices can be configured to play a security tone at the beginning of each call.

  • Protected Device:

    To change the status of a secure phone to protected:

    1. In Cisco Unified Communications Manager Administration, select Device > Phone.
    2. Locate the phone that you will set up.
    3. In the Phone Configuration window, select the Protected Device check box.
    4. Click Save.
  • Play Secure Indication Tone:

    To enable the protected phone to play a secure or nonsecure indication tone:

    1. In Cisco Unified Communications Manager Administration, select System > Service Parameters.
    2. Select the server and then the Cisco CallManager service.
    3. In the Clusterwide Parameters (Feature - Secure Tone) area, set the Play Tone to Indicate Secure/Non-Secure Call Status setting to True.
    4. Click Save.

Secure conference call identification

You can initiate a secure conference call and monitor the security level of participants. A secure conference call is established by using this process:

  1. A user initiates the conference from a secure phone.

  2. Cisco Unified Communications Manager assigns a secure conference bridge to the call.

  3. As participants are added, Cisco Unified Communications Manager verifies the security mode of each phone and maintains the secure level for the conference.

  4. The phone displays the security level of the conference call. A secure conference displays the secure icon 9821 secure call icon.

Secure calling is supported between two phones. For protected phones, some features, such as conference calling, shared lines, and Extension Mobility, are not available when secure calling is configured.

The following table provides information about changes to conference security levels depending on the initiator phone security level, the security levels of participants, and the availability of secure conference bridges.

Table 3. Security restrictions with conference calls

Initiator Phone Security Level

Feature Used

Security Level of Participants

Results of Action

Nonsecure

Conference

Secure

Nonsecure conference bridge

Nonsecure conference

Secure

Conference

At least one member is nonsecure.

Secure conference bridge

Nonsecure conference

Secure

Conference

Secure

Secure conference bridge

Secure encrypted level conference

Nonsecure

Meet Me

Minimum security level is encrypted.

Initiator receives re-order tone.

Secure

Meet Me

Minimum security level is nonsecure.

Secure conference bridge

Conference accepts all calls.

Secure phone call identification

A secure call is established when your phone, and the phone on the other end, is configured for secure calling. The other phone can be in the same Cisco IP network, or on a network outside the IP network. Secured calls can only be made between two phones. Conference calls should support secure call after secure conference bridge set up.

A secured call is established using this process:

  1. A user initiates the call from a secured phone (secured security mode).

  2. The phone displays the secure icon 9821 secure call icon on the phone screen. This icon indicates that the phone is configured for secure calls, but this does not mean that the other connected phone is also secured.

  3. The user hears a security tone if the call connects to another secured phone, indicating that both ends of the conversation are encrypted and secured. If the call connects to a nonsecure phone, the user does not hear the security tone.

Secure calling is supported between two phones. For protected phones, some features, such as conference calling, shared lines, and Extension Mobility, are not available when secure calling is configured.

Only protected phones play these secure or nonsecure indication tones. Nonprotected phones never play tones. If the overall call status changes during the call, the indication tone changes and the protected phone plays the appropriate tone.

When the Play Tone to Indicate Secure/Non-Secure Call Status option is set to True:

  • When end-to-end secure media is established and the call status is secure, the phone plays the secure indication tone (three long beeps with pauses).

  • When end-to-end nonsecure media is established and the call status is nonsecure, the phone plays the nonsecure indication tone (six short beeps with brief pauses).

If the the Play Tone to Indicate Secure/Non-Secure Call Status option is set to False, no tone plays.

Provide encryption for barge

Cisco Unified Communications Manager checks the phone security status when conferences are established and changes the security indication for the conference or blocks the completion of the call to maintain integrity and security in the system.

A user cannot barge into an encrypted call if the phone that is used to barge is not configured for encryption. When barge fails in this case, a reorder (fast busy) tone plays on the phone that the barge was initiated.

If the initiator phone is configured for encryption, the barge initiator can barge into a nonsecure call from the encrypted phone. After the barge occurs, Cisco Unified Communications Manager classifies the call as nonsecure.

If the initiator phone is configured for encryption, the barge initiator can barge into an encrypted call, and the phone indicates that the call is encrypted.

Wireless LAN security

Because all WLAN devices that are within range can receive all other WLAN traffic, securing voice communications is critical in WLANs. To ensure that intruders don’t manipulate nor intercept voice traffic, the Cisco SAFE Security architecture supports the phone. For more information about security in networks, see http://www.cisco.com/en/US/netsol/ns744/networking_solutions_program_home.html.

The Cisco Wireless IP telephony solution provides wireless network security that prevents unauthorized sign-ins and compromised communications by using the following authentication methods that the phone supports.

  • Open Authentication: Any wireless device can request authentication in an open system. The AP that receives the request may grant authentication to any requestor or only to requestors that are found on a list of users. Communication between the wireless device and Access Point (AP) could be nonencrypted.

  • Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) Authentication: This client-server security architecture encrypts EAP transactions within a Transport Level Security (TLS) tunnel between the AP and the RADIUS server, such as Identity Services Engine (ISE).

    The TLS tunnel uses Protected Access Credentials (PACs) for authentication between the client (phone) and the RADIUS server. The server sends an Authority ID (AID) to the client (phone), which in turn selects the appropriate PAC. The client (phone) returns a PAC-Opaque to the RADIUS server. The server decrypts the PAC with the primary key. Both endpoints now contain the PAC key and a TLS tunnel is created. EAP-FAST supports automatic PAC provisioning, but you must enable it on the RADIUS server.

    In ISE, by default, the PAC expires in one week. If the phone has an expired PAC, authentication with the RADIUS server takes longer while the phone gets a new PAC. To avoid PAC provisioning delays, set the PAC expiration period to 90 days or longer on the ISE or RADIUS server.

  • Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) Authentication: EAP-TLS requires a client certificate for authentication and network access. For wireless EAP-TLS, the client certificate can be MIC, LSC, or user-installed certificate.

  • Protected Extensible Authentication Protocol (PEAP): Cisco proprietary password-based mutual authentication scheme between the client (phone) and a RADIUS server. The phone can use PEAP for authentication with the wireless network. Both PEAP-MSCHAPV2 and PEAP-GTC authentication methods are supported.

  • Pre-Shared Key (PSK): The phone supports ASCII and hexadecimal (HEX) formats. You must use these formats when setting up a WPA2/SAE Pre-shared key.

    ASCII: An ASCII-character string with 8 to 63 characters in length (0-9, lowercase a-z, uppercase A-Z, and special characters). For example, GREG123567@9ZX&W.

    HEX: A HEX-character string with 64 hex digits in length (0-9, a-f or A-F).

The following authentication schemes use the RADIUS server to manage authentication keys:

  • WPA2/WPA3: Uses RADIUS server information to generate unique keys for authentication. Because these keys are generated at the centralized RADIUS server, WPA2/WPA3 provides more security than WPA preshared keys that are stored on the AP and phone.

  • Fast Secure Roaming: Uses RADIUS server and a wireless domain server (WDS) information to manage and authenticate keys. The WDS creates a cache of security credentials for FT-enabled client devices for fast and secure reauthentication.

With WPA2/WPA3, encryption keys aren’t entered on the phone, but are automatically derived between the AP and phone. But the EAP username and password that are used for authentication must be entered on each phone.

To help protect voice traffic over the wireless link, the phone supports AES-based encryption for WPA2/WPA3 authentication. AES is a symmetric block cipher standardized by NIST. AES uses a fixed 128-bit block size and supports key sizes of 128 bits, 192 bits, and 256 bits. In Wi-Fi networks, AES is used by cipher suites such as CCMP or GCMP, while authentication is provided separately by PSK, SAE, or 802.1X/EAP, depending on the configured WLAN security mode. The supported cipher suite and key size depend on the phone model and WLAN configuration.

When the phone uses AES encryption, both the signaling SIP packets and voice Real-Time Transport Protocol (RTP) packets are encrypted between the AP and the phone.

Authentication and encryption schemes are set up within the wireless LAN. VLANs are configured in the network and on the APs and specify different combinations of authentication and encryption. An SSID associates with a VLAN and the particular authentication and encryption scheme. For wireless client devices to authenticate successfully, you must configure the same SSIDs with their authentication and encryption schemes on the APs and on the phone.

Some authentication schemes require specific types of encryption.

When you use WPA2 pre-shared key or SAE, the pre-shared key must be statically set on the phone. These keys must match the keys that are on the AP.

The authentication and encryption schemes in the following table shows the network configuration options for Cisco Wireless Phone 9821 that corresponds to AP configuration.

Table 4. Authentication and encryption schemes
FSR TypeAuthenticationKey ManagementEncryptionProtected Management Frame (PMF)
802.11r (FT)PSK

WPA-PSK

WPA-PSK-SHA256

FT-PSK

AESNo
802.11r (FT)WPA3

SAE

FT-SAE

AESYes
802.11r (FT)EAP-TLS

WPA-EAP

FT-EAP

AESNo
802.11r (FT)EAP-TLS (WPA3)

WPA-EAP-SHA256

FT-EAP

AESYes
802.11r (FT)EAP-FAST

WPA-EAP

FT-EAP

AESNo
802.11r (FT)EAP-FAST (WPA3)

WPA-EAP-SHA256

FT-EAP

AESYes
802.11r (FT)EAP-PEAP

WPA-EAP

FT-EAP

AESNo
802.11r (FT)EAP-PEAP (WPA3)

WPA-EAP-SHA256

FT-EAP

AESYes
non-FTSuite-BWPA-EAP-SUITE-BGCMPYes
non-FTSuite-B-192WPA-EAP-SUITE-B-192GCMPYes

Set up a Wi-Fi profile

You can configure a Wi-Fi profile and assign it to Cisco Wireless Phone 9821. This profile contains the necessary parameters for the phone to establish a Wi-Fi connection and subsequently register with Cisco Unified CM. When you create and use a Wi-Fi profile, you or your users do not need to configure the wireless network for individual phones.

We recommend that you use a secure profile with TFTP encryption enabled to protect keys and passwords when you use a Wi-Fi profile.

The phones support one server certificate per install method (manual, SCEP, or TFTP).

Keep the following notes in mind before you configure the WLAN profile:

  • Username and password

    • When your network uses EAP-FAST and PEAP for user authentication, you must configure both the username and password if required on the Remote Authentication Dial-In User Service (RADIUS) and the phone.

    • The credentials that you enter in the wireless LAN profile must be identical with the credentials that you configured on the RADIUS server.
    • If you use domains within your network, you must enter the username with the domain name, in the format: domain\username.

  • The following actions could result in the existing Wi-Fi password being cleared:

    • Entering an invalid user id or password
    • Installing an invalid or expired Root CA when the EAP type is set to PEAP-MSCHAPV2 or PEAP-GTC
    • Disabling the in-use EAP type on the RADIUS server before switching the phone to the new EAP type
  • To change the EAP type, make sure that you enable the new EAP type on the RADIUS server first, then switch the phone to the EAP type. When all the phones have been changed to the new EAP type, you can disable the previous EAP type if you want.
1

In Cisco Unified Communications Manager Administration, select Device > Device Settings > Wireless LAN Profile.

2

Click Add New.

3

In the Wireless LAN Profile Information section, set the parameters:

  • Name—Enter a unique name for the Wi-Fi profile. This name displays on the phone.

  • Description—Enter a description for the Wi-Fi profile to help you differentiate this profile from other Wi-Fi profiles.

  • User Modifiable—Select an option:

    • Allowed—Indicates that the user can make changes to the Wi-Fi settings from their phone. This option is selected by default.

    • Disallowed—Indicates that the user cannot make any changes to the Wi-Fi settings on their phone.

    • Restricted—Indicates that the user can change the Wi-Fi username and password on their phone. But users are not allowed to make changes to other Wi-Fi settings on the phone. When your network uses EAP-TLS for user authentication, the user can choose the certificate type (MIC, LSC or User installed).

4

In the Wireless Settings section, set the parameters:

  • SSID (Network Name)—Enter the network name available in the user environment to which the phone can be connected. This name is displayed under the available network list on the phone and the phone can connect to this wireless network.

  • Frequency Band—Available options are Auto, 2.4 GHz, and 5 GHz. This field determines the frequency band that the wireless connection uses. If you select Auto, the phone attempts to use the 5 GHz or 6 GHz band first and only uses the 2.4 GHz band when 5 GHz or 6 GHz is not available.

5

In the Authentications Settings section, set the Authentication Method to one of these authentication methods: EAP-FAST, EAP-TLS, PEAP-MSCHAPv2, PEAP-GTC, PSK, and None.

Cisco Wireless Phone 9821 does not support WEP.

After you set this field, you may see extra fields that you need to set.

  • User certificate—Required for EAP-TLS authentication. Select MIC, LSC, or User installed. The phone requires a certificate to be installed, either automatically from the SCEP or manually from the administration page on the phone.

  • PSK passphrase—Required for PSK authentication. Enter the 8- 63 character ASCII or 64 HEX character pass phrase.

  • Provide Shared Credentials: Required for EAP-FAST, PEAP-MSCHAPv2, and PEAP-GTC authentication.

    • If the user manages the username and password, leave the Username and Password fields blank.

    • If all your users share the same username and password, you can input the information in the Username and Password fields.

    • Enter a description in the Password Description field.

    If you need to assign each user a unique username and password, you need to create a profile for each user.

Cisco Wireless Phone 9821 does not support the Network Access Profile field.

6

Click Save.

What to do next

Bind the Wireless LAN Profile to a WLAN Profile Group and then apply the WLAN Profile Group to a device pool (System > Device Pool) or directly to the phone (Device > Phone).

Install a User Certificate from the phone administration web page

You can manually install a User Certificate on the phone if Simple Certificate Enrollment Protocol (SCEP) is not available.

The preinstalled Manufacturing Installed Certificate (MIC) can be used as the User Certificate for EAP-TLS.

After the User Certificate installs, you need to add the CA chain that issued the User Certificate to RADIUS server's trust list.

Before you begin

Before you can install a User Certificate for a phone, you must have:

  • A User Certificate saved on your PC. The certificate must be in PKCS #12 format.

  • The certificate's extract password. The password length must not exceed 32 characters.

1

From the phone administration web page, select Certificates.

2

Locate the User installed field and click Install.

3

Browse to the certificate on your PC.

4

In the Extract password field, enter the certificate extract password.

5

Click Upload.

6

Restart the phone after the upload is complete.

Install an Authentication Server CA from the phone administration web page

You can manually install an Authentication Server CA on the phone if Simple Certificate Enrollment Protocol (SCEP) is not available.

The root CA certificate that issued the RADIUS server certificate must be installed.

Before you begin

Before you can install a certificate on a phone, you must have an Authentication Server CA saved on your PC. The certificate must be encoded in PEM (Base-64) or DER.

1

From the phone administration web page, select Certificates.

2

Locate the Authentication server CA field and click Install.

3

Browse to the certificate on your PC.

4

Click Upload.

5

Restart the phone after the upload is complete.

Manually remove a security certificate from the phone administration web page

You can manually remove a security certificate from a phone if Simple Certificate Enrollment Protocol (SCEP) is not available.

1

From the phone administration web page, select Certificates.

2

Locate the certificate on the Certificates page.

3

Click Delete.

4

Restart the phone after the deletion process completes.

Set up SCEP

Simple Certificate Enrollment Protocol (SCEP) is the standard for automatically provisioning and renewing certificates. It avoids manual installation of certificates on your phones.

Activate the SCEP product specific configuration parameters

You must configure the following SCEP parameters on Cisco Unified Communications Manager (Unified CM).

  • RA IP address or hostname

  • SHA-1 or SHA-256 fingerprint of the root CA certificate for the SCEP server

The Cisco IOS Registration Authority (RA) serves as a proxy to the SCEP server. The SCEP client on the phone use the parameters that are downloaded from Cisco Unified CM. After you configure the parameters, the phone sends a SCEP getcs request to the RA and the root CA certificate is validated using the defined fingerprint.

1

From Cisco Unified Communications Manager Administration, select Device > Phone.

2

Locate the phone.

3

Scroll to the Product Specific Configuration Layout area.

4

Select the WLAN SCEP Server check box to activate the SCEP parameter.

5

Select the WLAN Root CA Fingerprint (SHA256 or SHA1) check box to activate the SCEP QED parameter.

SCEP server support

If you are using a Simple Certificate Enrollment Protocol (SCEP) server, the server can automatically maintain your user and server certificates. On the SCEP server, configure the SCEP Registration Agent (RA) to:

  • Act as a PKI trust point

  • Act as a PKI RA

  • Perform device authentication using a RADIUS server

For more information, see your SCEP server documentation.

Set up a Locally Significant Certificate (LSC)

There are a few methods to install an LSC. This sample task applies to setting up a LSC with the authentication string method on Cisco Wireless Phone 9821.

Before you begin

Make sure that the appropriate Cisco Unified CM and the Certificate Authority Proxy Function (CAPF) security configurations are complete.

  • The CTL or ITL file has a CAPF certificate.

  • In Cisco Unified Communications Operating System Administration, verify that the CAPF certificate is installed.

  • The CAPF is running and configured.

For more information about these settings, see the documentation for your particular Cisco Unified CM release.

1

Obtain the CAPF authentication string that was set when the CAPF was configured.

2

On the phone, access the Settings 9821 Settings app icon app.

3

Select Admin settings > System configuration > Security > LSC.

4

Enter the authentication string.

5

Press More 9821 More button and select Submit.

The phone begins to install, update, or remove the LSC, depending on how the CAPF is configured. When the procedure is complete, Installed or Not Installed displays on the phone.

The LSC install, update, or removal process can take a long time to complete.

When the phone installation procedure is successful, the Installed message displays. If the phone displays Not Installed, then the authorization string may be incorrect or the phone upgrade may not be enabled. If the CAPF operation deletes the LSC, the phone displays Not Installed to indicate that the operation succeeded. The CAPF server logs the error messages. See the CAPF server documentation to locate the logs and to understand the meaning of the error messages.

802.1X Authentication for wired networks

Cisco Wireless Phone 9821 supports 802.1X authentication for wired networks. This is typically used during automatic provisioning when the phone is connected to the desktop charger via a supported USB-to-Ethernet adapter.

Support for 802.1X authentication on wired networks requires several components as follows:

  • Cisco IP Phone: The phone initiates the request to access the network. Cisco IP Phones contain an 802.1X supplicant. This supplicant allows network administrators to control the connectivity of IP phones to the LAN switch ports. The current release of the phone 802.1X supplicant uses the EAP-FAST and EAP-TLS options for network authentication.

  • Authentication server: The authentication server and the switch must both be configured with a RADIUS shared secret.

  • Switch: The switch must support 802.1X, so it can act as the authenticator and relay the EAP messages between the phone and the authentication server. After the exchange completes, the switch grants or denies the phone access to the network.

Cisco IP Phones and Cisco Catalyst switches traditionally use Cisco Discovery Protocol (CDP) to identify each other and determine parameters such as VLAN allocation and inline power requirements.

You must perform the following actions to configure 802.1X.

  • Configure CDP/LLDP voice VLAN bypass.

  • Configure the authentication server and the switch before you enable 802.1X authentication for wired networks on the phone.

  • Configure Voice VLAN: Because the 802.1X standard doesn't account for VLANs, you should configure this setting based on the switch support.

    • Enabled: If you’re using a switch that supports multidomain authentication, you can configure it to use the voice VLAN.
    • Disabled: If the switch doesn’t support multidomain authentication, disable the Voice VLAN and consider assigning the port to the native VLAN.
  • Cisco Wireless Phone 9821 has a different prefix in the PID from that for the other Cisco phones. To enable your phone to pass 802.1X authentication, set the Radius·User-Name parameter to include your Cisco Wireless Phone 9821.

    For example, the PID of Cisco Wireless Phone 9821 is WP-9821. You can set Radius·User-Name to Start with WP or Contains WP in both of the following sections:

    • Policy > Conditions > Library Conditions

    • Policy > Policy Sets > Authorization Policy > Authorization Rule 1

Enable 802.1X authentication for wired networks on your phone

Follow these steps to enable 802.1X authentication for wired networks on your phone. Note that 802.1X authentication for Wi-Fi is enabled by default and requires no manual configuration.

1

Access the Settings 9821 Settings app icon app.

2

If prompted, enter the password to access the Settings menu. You can get the password from your administrator.

3

Select Admin settings > Security setup > 802.1X Authentication.

4

Highlight Device authentication and press On.

Enable 802.1X authentication for wired networks in Cisco Unified Communications Manager Administration

Follow these steps to enable 802.1X authentication for wired networks on Cisco Unified CM. Note that 802.1X authentication for Wi-Fi is enabled by default and requires no manual configuration.

You can view the transaction status and security settings on the phone screen menu. For more information, see Security settings menu on phone.

1

In Cisco Unified Communications Manager Administration, select Device > Phone.

2

Locate the phone that you will set up.

3

Navigate to the Product Specific Configuration Layout area.

4

Select Enabled from the 802.1x Authentication drop-down menu.

When configured to Enabled or Disabled, the Device authentication option on Cisco Wireless Phone 9821 becomes read-only, preventing users from modifying 802.1X authentication settings.

5

Select Save.

6

Select Apply Config.

Security settings menu on phone

To view the information about the security settings from the phone menu, access the Settings 9821 Settings app icon app and select Admin settings > Security setup > 802.1X Authentication. The availability of the information depends on the network settings in your organization.

Parameters

Options

Default

Description

Device authentication

On

Off

Off

Enables or disables 802.1X authentication on the phone.

The parameter setting can be kept after the phone's Out-Of-Box (OOB) registration.

Transaction status

Disabled

Displays the state of 802.1X authentication. The state can be (not limited to):

  • Authenticating—Indicates that the authentication process is in progress.
  • Authenticated—Indicates that the phone is authenticated.
  • Disabled—Indicates that 802.1x authentication is disabled on the phone.
  • Connecting—Indicates that the phone is sending EAP start messages to the switch every 30 seconds.
  • Acquired—Indicates that the switch has rejected the phone’s EAP request and the phone receives no EAP-TLS or EAP-FAST challenge from the switch. The phone is retrying to send EAP requests.
  • Disconnected—Indicates that the Ethernet cable is disconnected.
  • Held—Indicates that the switch has processed the phone’s EAP request but rejected the EAP-FAST or EAP-TLS authentication. The phone is retrying to send EAP requests.

Protocol

None

Displays the EAP method that is used for 802.1X authentication. The protocol can be EAP-FAST or EAP-TLS.

Set up the supported versions of TLS

You can set up the minimum version of TLS required for client and server respectively.

By default, the minimum TLS version of server and client is both 1.2. The setting has impacts on the following functions:

  • HTTPS web access connection
  • Onboarding for on-premises phone
  • HTTPS services, such as, the Directory services
  • Datagram Transport Layer Security (DTLS)
  • Port Access Entity (PAE)
  • Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)

For more information about the TLS 1.3 compatibility for Cisco IP Phones, see TLS 1.3 Compatibility Matrix for Cisco Collaboration Products.

1

In Cisco Unified Communications Manager Administration, do one of the following actions as needed:

  • To configure all deployed phones, go to System > Enterprise Phone Configuration.
  • To configure phones sharing the same phone profile, go to Device > Device Settings > Common Phone Profile.
  • To configure an individual phone, go to Device > Phone. Then find your phone and open the Phone Configuration page.

The configuration follows a hierarchical structure:

  • Individual device settings take precedence over settings in the common phone profile and enterprise level
  • Common phone profile settings override enterprise-level settings

2

Set up the TLS Client Min Version field:

The TLS 1.3 option is available on Cisco Unified CM 15SU2, or later.

  • TLS 1.1: The TLS client supports the versions of TLS from 1.1 to 1.3.

    If the TLS version in server is lower than 1.1, for example, 1.0, then the connection can't be established.

  • TLS 1.2 (default): The TLS client supports TLS 1.2 and 1.3.

    If the TLS version in server is lower than 1.2, for example, 1.1 or 1.0, then the connection can't be established.

  • TLS 1.3: The TLS client supports TLS 1.3 only.

    If the TLS version in server is lower than 1.3, for example, 1.2, 1.1 or 1.0, then the connection can't be established.

3

Set up the TLS Server Min Version field:

  • TLS 1.1: The TLS server supports the versions of TLS from 1.1 to 1.3.

    If the TLS version in client is lower than 1.1, for example, 1.0, then the connection can't be established.

  • TLS 1.2 (default): The TLS server supports TLS 1.2 and 1.3.

    If the TLS version in client is lower than 1.2, for example, 1.1 or 1.0, then the connection can't be established.

  • TLS 1.3: The TLS server supports TLS 1.3 only.

    If the TLS version in client is lower than 1.3, for example, 1.2, 1.1 or 1.0, then the connection can't be established.

4

Click Save.

5

Click Apply Config.

6

Restart the phones.

Turn off speakerphone and headset on Cisco Wireless Phone 9821

You have the options to permanently turn off the speakerphone and headset on a Cisco Wireless Phone 9821 for your user. Turning off these audio outputs ensures that conversations are not heard by others nearby, which is important in shared or open office environments.

1

In Cisco Unified Communications Manager Administration, select Device > Phone.

2

Locate the phone that you will set up.

3

Navigate to the Product Specific Configuration Layout area.

4

Check one or more of the following check boxes to turn off the capabilities of the phone:

  • Disable Speakerphone
  • Disable Speakerphone and Headset

By default, these check boxes are unchecked.

5

Select Save.

6

Select Apply Config.

Was this article helpful?
Was this article helpful?