By default, Unified CM in Dedicated Instance is set to Mixed Mode, which enables Security by Default. Older phone models like the 7925, 7940, and 7960 do not support these security features, leading to registration failures.

Changing the Unified CM cluster security from mixed mode to non-secure mode, you can register older model phones to Dedicated Instance.

Prerequisties:

• Access to Unified CM publisher CLI.

• Understanding of services restart implications.

To change Unified CM cluster security to non-secure mode:

1. Login to the Publisher CLI of your Unified CM cluster.

2. Execute the command: utils ctl set-cluster non-secure-mode

   When you set the cluster to default (non-secure) mode, the system ignores all TLS settings, and all communication occurs without transport security.

3. Restart the TFTP and Cisco CallManager services on all nodes in the cluster that run these services.

4. (if applicable) Configure TFTP File Signature Algorithm:

   1. On the source cluster, go to Enterprise Parameter → Security Parameter, if the TFTP File Signature Algorithm is set to SHA-1 algorithm, configure the same (SHA-1) on the Dedicated Instance destination cluster.

      Dedicated Instance by default is set to SHA-512 (recommended), but 7925/7940/60 phones do not support SHA-512.

5. (if applicable) Configure TLS version for Corporate Directory Access.

   Perform this step only if Corporate Directory is accessed from these older phone models on the source.

   1. On all the nodes in the Dedicated Instance Unified CM cluster, run the CLI command: show tls min-version

   2. If the TLS version is not set to 1.0, run the CLI command: set tls min-version 1.0

   Running set tls min-version 1.0 will cause the nodes to automatically reboot. Plan this during a maintenance window.

Impact:

• Since Unified CM is now in non-secure mode, other endpoints/devices on Unified CM cannot support CAPF-based security and encryption.

• This change does not impact any OAuth security and encryption on the latest phone models.