Cisco 8941, 8945 User Manual
Cisco Unified IP Phone 8941 and 8945
Administration Guide for Cisco Unified
Communications Manager 8.5 (SCCP and
SIP)
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-20851-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant
to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required
to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not
installed in accordance with Cisco’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to
comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable
protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
Modifying the equipment without Cisco’s written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital
devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television
communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its
peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:
• Turn the television or radio antenna until the interference stops.
• Move the equipment to one side or the other of the television or radio.
• Move the equipment farther away from the television or radio.
• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits
controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower,
Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra,
Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital,
Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch,
AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo,
Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation,
Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream,
Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design),
PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered t
and/or its affiliates in the United States and certain other countries.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at
www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1005R)
rademarks of Cisco Systems, Inc.
The Java logo is a trademark or registered trademark of Sun Microsystems, Inc. in the U.S. or other countries.
CONTENTS
Preface ix
Overview ix
Audience ix
Organization ix
Related Documentation x
Obtaining Documentation, Obtaining Support, and Security Guidelines xi
Document Conventions xi
CHAPTER
1 An Overview of the Cisco Unified IP Phone 1-1
Understanding the Cisco Unified IP Phones 8941 and 8945 1-2
What Networking Protocols are Used? 1-4
What Features are Supported on the Cisco Unified IP Phone 8941 and 8945? 1-7
Feature Overview 1-8
Configuring Telephony Features 1-8
Configuring Network Parameters Using the Cisco Unified IP Phone 1-9
Providing Users with Feature Information 1-9
Understanding Security Features for Cisco Unified IP Phones 1-9
Overview of Supported Security Features 1-11
Understanding Security Profiles 1-13
Identifying Encrypted Phone Calls 1-13
Supporting 802.1X Authentication on Cisco Unified IP Phones 1-16
Security Restrictions 1-17
Overview of Configuring and Installing Cisco Unified IP Phones 1-17
Configuring Cisco Unified IP Phones in Cisco Unified CM 1-18
Installing Cisco Unified IP Phones 1-22
Terminology Differences 1-24
CHAPTER
OL-20851-01
2 Preparing to Install the Cisco Unified IP Phone on Your Network 2-1
Understanding Interactions with Other Cisco Unified IP Telephony Products 2-1
Understanding How the Cisco Unified IP Phone Interacts with Cisco Unified CM 2-2
Understanding How the Cisco Unified IP Phone Interacts with the VLAN 2-2
Providing Power to the Cisco Unified IP Phone 2-3
Power Guidelines 2-4
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
iii
Contents
Power Outage 2-4
Obtaining Additional Information about Power 2-5
Understanding Phone Configuration Files 2-5
Understanding the Phone Startup Process 2-6
Adding Phones to the Cisco Unified CM Database 2-8
Adding Phones with Auto-Registration 2-8
Adding Phones with Auto-Registration and TAPS 2-9
Adding Phones with Cisco Unified CM Administration 2-10
Adding Phones with BAT 2-10
Determining the MAC Address for a Cisco Unified IP Phone 2-11
CHAPTER
3 Setting Up the Cisco Unified IP Phone 3-1
Before You Begin 3-1
Network Requirements 3-1
Cisco Unified Communications Manager Configuration 3-2
Understanding the Cisco Unified IP Phones 8941 and 8945 Components 3-2
Network and Access Ports 3-2
Handset 3-3
Speakerphone 3-3
Headset 3-3
Installing the Cisco Unified IP Phone 3-5
Reducing Power Consumption on the Phone 3-7
Footstand 3-7
Higher Viewing Angle 3-9
Lower Viewing Angle 3-10
Verifying the Phone Startup Process 3-10
Configuring Startup Network Settings 3-11
Configuring Security on the Cisco Unified IP Phone 3-11
CHAPTER
iv
4 Configuring Settings on the Cisco Unified IP Phone 4-1
Configuration Menus on the Cisco Unified IP Phone 4-1
Displaying a Configuration Menu 4-2
Unlocking and Locking Options 4-3
Editing Values 4-3
Network Setup Menu 4-4
IPv4 Setup Menu Options 4-6
Security Configuration Menu 4-8
Trust List Menu 4-8
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
OL-20851-01
802.1X Authentication and Status 4-8
Contents
CHAPTER
CHAPTER
5 Configuring Features, Templates, Services, and Users 5-1
Telephony Features Available for the Cisco Unified IP Phone 5-1
Join and Direct Transfer Policy 5-16
Configuring Corporate and Personal Directories 5-17
Configuring Corporate Directories 5-17
Configuring Personal Directory 5-17
Modifying Phone Button Templates 5-18
Modifying a Phone Button Template for Personal Address Book or Speed Dials 5-18
Configuring Softkey Templates 5-20
Setting Up Services 5-21
Adding Users to Cisco Unified Communications Manager 5-22
Managing the User Options Web Pages 5-23
Giving Users Access to the User Options Web Pages 5-23
Specifying Options that Appear on the User Options Web Pages 5-24
6 Customizing the Cisco Unified IP Phone 6-1
Customizing and Modifying Configuration Files 6-1
CHAPTER
CHAPTER
Creating Custom Phone Rings 6-2
DistinctiveRingList File Format Requirements 6-2
PCM File Requirements for Custom Ring Types 6-3
Configuring a Custom Phone Ring 6-3
Configuring the Idle Display 6-4
Automatically Disabling the Cisco Unified IP Phone Backlight 6-4
7 Viewing Model Information, Status, and Statistics on the Cisco Unified IP Phone 7-1
Model Information Screen 7-1
Status Menu 7-2
Status Messages Screen 7-2
Network Statistics Screen 7-6
Call Statistics Screen 7-8
Security Configuration 7-10
8 Monitoring the Cisco Unified IP Phone Remotely 8-1
Accessing the Web Page for a Phone 8-2
Disabling and Enabling Web Page Access 8-3
OL-20851-01
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
v
Contents
Device Information 8-3
Network Setup 8-4
Network Statistics 8-7
Device Logs 8-9
Streaming Statistics 8-9
CHAPTER
9 Troubleshooting and Maintenance 9-1
Resolving Startup Problems 9-1
Symptom: The Cisco Unified IP Phone Does Not Go Through its Normal Startup Process 9-2
Symptom: The Cisco Unified IP Phone Does Not Register with Cisco Unified Communications
Manager
9-2
Symptom: Cisco Unified IP Phone Unable to Obtain IP Address 9-5
Cisco Unified IP Phone Resets Unexpectedly 9-6
Verifying the Physical Connection 9-6
Identifying Intermittent Network Outages 9-6
Verifying DHCP Settings 9-6
Checking Static IP Address Settings 9-7
Verifying the Voice VLAN Configuration 9-7
Verifying that the Phones Have Not Been Intentionally Reset 9-7
Eliminating DNS or Other Connectivity Errors 9-7
Checking Power Connection 9-8
Troubleshooting Cisco Unified IP Phone Security 9-8
General Troubleshooting Tips 9-9
Resetting or Restoring the Cisco Unified IP Phone 9-12
Performing a Basic Reset 9-12
Performing a Factory Reset 9-12
APPENDIX
vi
Monitoring the Voice Quality of Calls 9-13
Troubleshooting Tips 9-14
Where to Go for More Troubleshooting Information 9-15
Cleaning the Cisco Unified IP Phone 9-15
A Providing Information to Users Via a Website A-1
How Users Obtain Support for the Cisco Unified IP Phone A-1
Giving Users Access to the User Options Web Pages A-1
How Users Subscribe to Services and Configure Phone Features A-2
How Users Access a Voice Messaging System A-2
How Users Configure Personal Directory Entries A-3
Installing and Configuring the Cisco Unified IP Phone Address Book Synchronizer A-3
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
OL-20851-01
Contents
APPENDIX
APPENDIX
APPENDIX
B Supporting International Users B-A
Installing the Cisco Unified CM Locale Installer B-A
Support for International Call Logging B-A
C Technical Specifications C-1
Physical and Operating Environment Specifications C-1
Cable Specifications C-2
Network and Access Port Pinouts C-2
D Basic Phone Administration Steps D-1
Example User Information for these Procedures D-1
Adding a User to Cisco Unified CM D-2
Adding a User From an External LDAP Directory D-2
Adding a User Directly to Cisco Unified Communications Manager D-2
Configuring the Phone D-3
Performing Final End User Configuration Steps D-6
APPENDIX
I
NDEX
E Feature Support by Protocol for the Cisco Unified IP Phone 8941 and 8945 E-1
OL-20851-01
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
vii
Contents
viii
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
OL-20851-01
Overview
Preface
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications
Manager 8.5 (SCCP and SIP) provides the information you need to understand, install, configure,
manage, and troubleshoot the phones on a Voice-over-IP (VoIP) network.
Because of the complexity of an IP telephony network, this guide does not provide complete and detailed
information for procedures that you need to perform in Cisco Unified Communications Manager (Cisco
Unified CM) or other network devices. See the “Obtaining Documentation, Obtaining Support, and
Security Guidelines” section on page xi.
Audience
Network engineers, system administrators, or telecom engineers should review this guide to learn the
steps required to properly set up the Cisco Unified IP Phone on the network.
The tasks described are administration-level tasks and are not intended for end-users of the phones.
Many of the tasks involve configuring network settings and affect the phone’s ability to function in the
network.
Because of the close interaction between the Cisco Unified IP Phone and Cisco Unified CM, many of
the tasks in this manual require familiarity with Cisco Unified CM.
Organization
This manual is organized as follows.
Chapter Description
Chapter 1, “An Overview of the Cisco
Unified IP Phone”
Chapter 2, “Preparing to Install the Cisco Unified IP
Phone on Your Network”
Chapter 3, “Setting Up the Cisco Unified IP Phone” Describes how to install and configure the Cisco Unified IP Phone on
Provides a conceptual overview and description of the Cisco
Unified IP Phone.
Describes how the Cisco Unified IP Phone interacts with other key
IP telephony components, and provides an overview of the tasks
required prior to installation.
your network properly and safely.
OL-20851-01
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
ix
Chapter 4, “Configuring Settings on the Cisco
Unified IP Phone”
Chapter 5, “Configuring Features, Templates,
Services, and Users”
Chapter 6, “Customizing the Cisco
Unified IP Phone”
Chapter 7, “Viewing Model Information, Status, and
Statistics on the Cisco Unified IP Phone”
Chapter 8, “Monitoring the Cisco Unified IP Phone
Remotely”
Chapter 9, “Troubleshooting and Maintenance” Provides tips for troubleshooting the Cisco Unified IP Phone and the
Appendix A, “Providing Information to Users Via a
Website”
Appendix B, “Supporting International Users” Provides information about setting up phones in non–English
Appendix C, “Technical Specifications” Provides technical specifications of the Cisco Unified IP Phone.
Appendix D, “Basic Phone Administration Steps” Provides procedures for basic administration tasks such as adding a
Describes how to configure network settings, verify status, and make
global changes to the Cisco Unified IP Phone.
Provides an overview of procedures for configuring telephony
features, configuring directories, configuring phone button and
softkey templates, setting up services, and adding users to Cisco
Unified Communications Manager.
Explains how to customize phone ring sounds and the phone idle
display at your site.
Explains how to view model information, status messages, network
statistics, and firmware information from the Cisco Unified
IP Phone.
Describes the information that you can obtain from the phone’s web
page to remotely monitor the operation of a phone and to assist with
troubleshooting.
Cisco Unified IP Phone Expansion Modules.
Provides suggestions for setting up a website for providing users
with important information about their Cisco Unified IP Phones.
environments.
user and phone to Cisco Unified CM and then associating the user to
the phone.
Related Documentation
For more information about Cisco Unified IP Phones or Cisco Unified CM, refer to the
following publications.
Cisco Unified IP Phone 8900 Series
These publications are available at the following URL:
http://www.cisco.com/en/US/products/ps10451/tsd_products_support_series_home.html
• Cisco Unified IP Phone 8941 and 8945 User Guide for Cisco Unified Communications Manager 8.5
(SCCP and SIP)
• Quick Start Guide for the Cisco Unified IP Phone 8941 and 8945.
• Regulatory Compliance and Safety Information for Cisco Unified IP Phones
Cisco Unified Communications Manager Administration
Related publications are available at the following URL:
http://www.cisco.com/en/US/products/sw/voicesw/ps556/tsd_products_support_series_home.html
Cisco Unified Communications Manager Business Edition
Related publications are available at the following URL:
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
x
OL-20851-01
http://www.cisco.com/en/US/products/ps7273/tsd_products_support_series_home.html
Obtaining Documentation, Obtaining Support, and Security
Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback,
security guidelines, and also recommended aliases and general Cisco documents, see the monthly
What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical
documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Cisco Product Security Overview
This product contains cryptographic features and is subject to United States and local country laws
governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors
and users are responsible for compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local
laws, return this product immediately.
Further information regarding U.S. export regulations may be found at
http://www.access.gpo.gov/bis/ear/ear_data.html.
Document Conventions
This document uses the following conventions:
Convention Description
boldface font Commands and keywords are in boldface.
italic font Arguments for which you supply values are in italics.
[ ] Elements in square brackets are optional.
{ x | y | z } Alternative keywords are grouped in braces and separated by vertical bars.
[ x | y | z ] Optional alternative keywords are grouped in brackets and separated by
string A nonquoted set of characters. Do not use quotation marks around the string
screen font Terminal sessions and information the system displays are in screen font.
boldface screen font Information you must enter is in boldface screen font.
italic screen font Arguments for which you supply values are in italic screen font.
vertical bars.
or the string will include the quotation marks.
OL-20851-01
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
xi
Convention Description
^ The symbol ^ represents the key labeled Control—for example, the key
combination ^D in a screen display means hold down the Control key while
you press the D key.
< > Nonprinting characters, such as passwords are in angle brackets.
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the
publication.
Caution Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.
Warnings use the following convention:
Warning
IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation that could cause
bodily injury. Before you work on any equipment, be aware of the hazards
involved with electrical circuitry and be familiar with standard practices for
preventing accidents. Use the statement number provided at the end of each
warning to locate its translation in the translated safety warnings that
accompanied this device.
SAVE THESE INSTRUCTIONS
Statement 1071
xii
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
OL-20851-01
CHAP T ER
1
An Overview of the Cisco Unified IP Phone
The Cisco Unified IP Phones 8941 and 8945 provide voice communication over an IP network. The
Cisco Unified IP Phone functions much like a digital business phone, allowing you to place and receive
phone calls and to access features such as mute, hold, transfer, speed dial, call forward, and more. In
addition, because the phone is connected to your data network, it offers enhanced IP telephony features,
including access to network information and services, and customizeable features and services.
A Cisco Unified IP Phone, like other network devices, must be configured and managed. These
phones encode G.711a, G.711µ, G.729, G.729a, G.729ab, iLBC, and decode G.711a, G.711µ, G.729,
G.729a, G.729ab, and iLBC.
This chapter includes the following topics:
• Understanding the Cisco Unified IP Phones 8941 and 8945, page 1-2
• What Networking Protocols are Used?, page 1-4
• What Features are Supported on the Cisco Unified IP Phone 8941 and 8945?, page 1-7
• Overview of Configuring and Installing Cisco Unified IP Phones, page 1-17
• Terminology Differences, page 1-24
OL-20851-01
Caution Using a cell, mobile, or GSM phone, or two-way radio in close proximity to a Cisco Unified IP Phone
may cause interference. For more information, refer to the manufacturer’s documentation of the
interfering device.
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
1-1
Understanding the Cisco Unified IP Phones 8941 and 8945
Understanding the Cisco Unified IP Phones 8941 and 8945
Figure 1-1 shows the main components of the Cisco Unified IP Phone 8941 and 8945.
Figure 1-1 Cisco Unified IP Phone 8941 and 8945
1 2 3
21
20
Chapter
19
18
17
16
15
14
13 12 9
11
10
8
4
5
6
7
236961
Table 1-1 describes the buttons on the Cisco Unified IP Phone 8941 and 8945.
Table 1-1 Features on the Cisco Unified IP Phone 8941 and 8945
1 Phone screen Shows information about your phone, including directory number, call
information (for example caller ID, icons for an active call or call on hold)
and available softkeys.
2 Video Camera Connects to your Cisco Unified IP Phone and allows you to make a
point-to-point video call with another Cisco Unified IP Phone.
1-2
Lens Cover button Integrated lens cover protects the camera lens.
3
4 Softkey buttons Allows you to access the softkey options (for the selected call or menu item)
displayed on your phone screen.
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
OL-20851-01
Chapter
Understanding the Cisco Unified IP Phones 8941 and 8945
Table 1-1 Features on the Cisco Unified IP Phone 8941 and 8945
5 Navigation pad
and Select button
The two-way Navigation pad allows you to scroll through menus, highlight
items, and move within a text input field.
The Select button (center of the Navigation pad) allows you to select a
highlighted item.
The Select button is lit (white) when the phone is in power-save mode.
6 Conference button Creates a conference call.
7 Hold button Places a connected call on hold.
8 Transfer button Transfers a call.
9 Redial button Redials a call.
10 Keypad Allows you to dial phone numbers, enter letters, and choose menu items (by
entering the item number).
11 Speakerphone
button
Selects the speakerphone as the default audio path and initiates a new call,
picks up an incoming call, or ends a call. During a call, the button is lit green.
The speakerphone audio path does not change until a new default audio path
is selected (for example, by picking up the handset).
If external speakers are connected, the Speakerphone button selects them as
the default audio path.
12 Video Mute button
Mutes the video from the phone screen during a video call. When Video
Mute is on, the Video Mute button is lit red.
13 Mute button Toggles the microphone on or off during a call. When the microphone is
muted, the button is lit red.
14 Headset button Selects the headset as the default audio path and initiates a new call, picks up
an incoming call, or ends a call. During a call, the button is lit green.
A headset icon in the phone screen header line indicates the headset is the
default audio path. This audio path does not change until a new default audio
path is selected (for example, by picking up the handset).
15 Volume button Controls the handset, headset, and speakerphone volume (off hook) and the
ringer volume (on hook).
Silences the ringer on the phone if an incoming call is ringing.
16 Messages button Auto-dials your voicemail system (varies by system).
OL-20851-01
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
1-3
What Networking Protocols are Used?
Table 1-1 Features on the Cisco Unified IP Phone 8941 and 8945
Chapter
17 Applications
button
18 Contacts button Opens the Contacts menu. Depending on how your system administrator sets
19 Phone Speaker Speaker for the phone.
20 Programmable
feature buttons
(also called Line
buttons)
21 Handset rest To rest the phone handset.
Opens the Applications menu. Depending on how your system administrator
sets up the phone, use it to access applications such as call history,
preferences, and phone information.
up the phone, use it to access personal directory, corporate directory, or call
history.
Each corresponds with a phone line, speed dial, and calling feature.
Pressing a button for a phone line displays the active calls for that line.
Color LEDs indicate the line state:
• Amber —Ringing call on this line
• Green —Active or held call on this line
• Red —Shared line in-use remotely
What Networking Protocols are Used?
Cisco Unified IP Phones support several industry-standard and Cisco networking protocols required for
voice communication. Table 1-2 provides an overview of the networking protocols that the Cisco Unified
IP Phones 8941 and 8945 support.
Table 1-2 Supported Networking Protocols on the Cisco Unified IP Phone
Networking Protocol Purpose Usage Notes
Bootstrap Protocol
(BootP)
Cisco Audio Session
Tunneling (CAST)
BootP enables a network device such as
the Cisco Unified IP Phone to discover
certain startup information, such as its IP
address.
The CAST protocol allows IP phones and
associated applications behind the phone
to discover and communicate with the
remote endpoints without requiring
changes to the traditional signaling
components like Cisco Unified
Communications Manager (Cisco Unified
CM) and gateways. The Cast protocol
allows separate hardware devices to
synchronize related media and it allows
PC applications to augment non Video
capable phones to become video enabled
by using the PC as the video resource.
—
—
1-4
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
OL-20851-01
Chapter
What Networking Protocols are Used?
Table 1-2 Supported Networking Protocols on the Cisco Unified IP Phone (continued)
Networking Protocol Purpose Usage Notes
Cisco Discovery Protocol
(CDP)
CDP is a device-discovery protocol that
runs on all Cisco-manufactured
equipment.
Using CDP, a device can advertise its
existence to other devices and receive
information about other devices in the
network.
Dynamic Host
Configuration Protocol
(DHCP)
DHCP dynamically allocates and assigns
an IP address to network devices.
DHCP enables you to connect an IP phone
into the network and have the phone
become operational without your needing
to manually assign an IP address or to
configure additional network parameters.
Hypertext Transfer
Protocol (HTTP)
HTTP is the standard way of transferring
information and moving documents across
the Internet and the web.
IEEE 802.1X The IEEE 802.1X standard defines a
client-server-based access control and
authentication protocol that restricts
unauthorized clients from connecting to a
LAN through publicly accessible ports.
Until the client is authenticated, 802.1X
access control allows only Extensible
Authentication Protocol over LAN
(EAPOL) traffic through the port to which
the client is connected. After
authentication is successful, normal traffic
can pass through the port.
Internet Protocol (IP) IP is a messaging protocol that addresses
and sends packets across the network.
Link Layer Discovery
Protocol (LLDP)
LLDP is a standardized network discovery
protocol (similar to CDP) that is supported
on some Cisco and third-party devices.
The Cisco Unified IP Phone uses CDP to
communicate information such as auxiliary VLAN ID,
per port power management details, and Quality of
Service (QoS) configuration information with the
Cisco Catalyst switch.
DHCP is enabled by default. If disabled, you must
manually configure the IP address, subnet mask,
gateway, and a TFTP server on each phone locally.
Cisco recommends that you use DHCP custom
option 150. With this method, you configure the
TFTP server IP address as the option value. For
additional supported DHCP configurations, go to
the Dynamic Host Configuration Protocol chapter
and the Cisco TFTP chapter in the Cisco Unified
Communications Manager System Guide.
Note If you cannot use option 150, you may try
using DHCP option 66.
Cisco Unified IP Phones use HTTP for the XML
services and for troubleshooting purposes.
The Cisco Unified IP Phone implements the IEEE
802.1X standard by providing support for the
following authentication methods: EAP-FAST,
EAP-TLS, and EAP-MD5.
When 802.1X authentication is enabled on the
phone, you should disable the PC port and voice
VLAN. Refer to the “Supporting 802.1X
Authentication on Cisco Unified IP Phones” section
on page 1-16 for additional information.
To communicate using IP, network devices must
have an assigned IP address, subnet, and gateway.
IP addresses, subnets, and gateways identifications
are automatically assigned if you are using the
Cisco Unified IP Phone with Dynamic Host
Configuration Protocol (DHCP). If you are not
using DHCP, you must manually assign these
properties to each phone locally.
The Cisco Unified IP Phone supports LLDP on the
PC port.
OL-20851-01
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
1-5
What Networking Protocols are Used?
Table 1-2 Supported Networking Protocols on the Cisco Unified IP Phone (continued)
Networking Protocol Purpose Usage Notes
Link Layer Discovery
Protocol-Media Endpoint
Devices (LLDP-MED)
Real-Time Transport
Protocol (RTP)
Real-Time Control
Protocol (RTCP)
Session Initiation Protocol
(SIP)
Skinny Client Control
Protocol (SCCP)
Secure Real-Time
Transfer protocol (SRTP)
Transmission Control
Protocol (TCP)
LLDP-MED is an extension of the LLDP
standard developed for voice products.
RTP is a standard protocol for transporting
real-time data, such as interactive voice
and video, over data networks.
RTCP works in conjunction with RTP to
provide QoS data (such as jitter, latency,
and round trip delay) on RTP streams.
SIP is the Internet Engineering Task Force
(IETF) standard for multimedia
conferencing over IP. SIP is an
ASCII-based application-layer control
protocol (defined in RFC 3261) that can be
used to establish, maintain, and terminate
calls between two or more endpoints.
SCCP includes a messaging set that allows
communications between call control
servers and endpoint clients such as
IP Phones. SCCP is proprietary to Cisco
Systems.
SRTP is an extension of the Real-Time
Protocol (RTP) Audio/Video Profile and
ensures the integrity of RTP and
Real-Time Control Protocol (RTCP)
packets providing authentication,
integrity, and encryption of media packets
between two endpoints.
TCP is a connection-oriented transport
protocol.
The Cisco Unified IP Phone supports LLDP-MED
on the SW port to communicate information such as:
• Voice VLAN configuration
• Device discovery
• Power management
• Inventory management
For more information about LLDP-MED support,
see the LLDP-MED and Cisco Discovery Protocol
white paper:
http://www.cisco.com/en/US/tech/tk652/tk701/tech
nologies_white_paper0900aecd804cd46d.shtml
Cisco Unified IP Phones use the RTP protocol to
send and receive real-time voice traffic from other
phones and gateways.
RTCP is disabled by default, but you can enable it
on a per phone basis by using Cisco Unified CM.
Like other VoIP protocols, SIP is designed to
address the functions of signaling and session
management within a packet telephony network.
Signaling allows call information to be carried
across network boundaries. Session management
provides the ability to control the attributes of an
end-to-end call.
You can configure the Cisco Unified IP Phone to use
either SIP or Skinny Client Control Protocol
(SCCP). Cisco Unified IP Phones do not support the
SIP protocol when the phones are operating in IPv6
address mode.
Cisco Unified IP Phone 8941 and 8945 use SCCP,
version 20 for call control.
Cisco Unified IP Phones use SRTP for media
encryption.
Cisco Unified IP Phones use TCP to connect to
Cisco Unified CM and to access XML services.
Chapter
1-6
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
OL-20851-01
Chapter
What Features are Supported on the Cisco Unified IP Phone 8941 and 8945?
Table 1-2 Supported Networking Protocols on the Cisco Unified IP Phone (continued)
Networking Protocol Purpose Usage Notes
Transport Layer Security
(TLS)
Trivial File Transfer
Protocol (TFTP)
User Datagram Protocol
(UDP)
TLS is a standard protocol for securing
and authenticating communications.
TFTP allows you to transfer files over the
network.
On the Cisco Unified IP Phone, TFTP
enables you to obtain a configuration file
specific to the phone type.
UDP is a connectionless messaging
protocol for delivery of data packets.
When security is implemented, Cisco
Unified IP Phones use the TLS protocol when
securely registering with Cisco Unified CM.
For more information, refer to the Cisco Unified
Communications Manager Security Guide.
TFTP requires a TFTP server in your network,
which can be automatically identified from the
DHCP server. If you want a phone to use a TFTP
server other than the one specified by the DHCP
server, you must manually assign the IP address of
the TFTP server by using the Network Setup menu
on the phone.
For more information, refer to the Cisco TFTP
chapter in the Cisco Unified Communications
Manager System Guide.
Cisco Unified IP Phones transmit and receive RTP
streams, which utilize UDP.
Related Topics
• Understanding Interactions with Other Cisco Unified IP Telephony Products, page 2-1
• Understanding the Phone Startup Process, page 2-6
• Network Setup Menu, page 4-4
What Features are Supported on the Cisco Unified
Phone 8941 and 8945?
IP
Cisco Unified IP Phones function much like a digital business phone, allowing you to place and receive
phone calls. In addition to traditional telephony features, the Cisco Unified IP Phone includes features
that enable you to administer and monitor the phone as a network device.
This section includes the following topics:
• Feature Overview, page 1-8
• Configuring Telephony Features, page 1-8
• Configuring Network Parameters Using the Cisco Unified IP Phone, page 1-9
• Providing Users with Feature Information, page 1-9
OL-20851-01
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
1-7
What Features are Supported on the Cisco Unified IP Phone 8941 and 8945?
Feature Overview
Cisco Unified IP Phones provide traditional telephony functionality, such as call forwarding and
transferring, redialing, speed dialing, conference calling, and voice messaging system access.
Cisco Unified IP phones also provide a variety of other features. For an overview of the telephony
features that the Cisco Unified IP Phone supports and for tips on configuring them, see the “Telephony
Features Available for the Cisco Unified IP Phone” section on page 5-1.
As with other network devices, you must configure Cisco Unified IP Phones to prepare them to access
Cisco Unified CM and the rest of the IP network. By using DHCP, you have fewer settings to configure
on a phone, but if your network requires it, you can manually configure an IP address, TFTP server,
subnet information, and so on. For instructions on configuring the network settings on the Cisco Unified
IP Phones, see Chapter 4, “Configuring Settings on the Cisco Unified IP Phone.”
Cisco Unified IP Phones can interact with other services and devices on your IP network to provide
enhanced functionality. For example, you can integrate Cisco Unified CM with the corporate
Lightweight Directory Access Protocol 3 (LDAP3) standard directory to enable users to search for
co-worker contact information directly from their IP phones. You can also use XML to enable users to
access information such as weather, stocks, quote of the day, and other web-based information. For
information about configuring such services, see the “Join and Direct Transfer Policy” section on
page 5-16 and the “Setting Up Services” section on page 5-21.
Finally, because the Cisco Unified IP Phone is a network device, you can obtain detailed status
information from it directly. This information can assist you with troubleshooting any problems users
might encounter when using their IP phones. See Chapter 7, “Viewing Model Information, Status, and
Statistics on the Cisco Unified IP Phone,” for more information.
Chapter
Related Topics
• Configuring Settings on the Cisco Unified IP Phone, page 4-1
• Configuring Features, Templates, Services, and Users, page 5-1
• Troubleshooting and Maintenance, page 9-1
Configuring Telephony Features
You can modify additional settings for the Cisco Unified IP Phone from Cisco Unified CM
Administration. Use Cisco Unified CM Administration to set up phone registration criteria and calling
search spaces, to configure corporate directories and services, and to modify phone button templates,
among other tasks. See the “Telephony Features Available for the Cisco Unified IP Phone” section on
page 5-1 and the Cisco Unified CM documentation for additional information.
For more information about Cisco Unified CM Administration, refer to Cisco Unified CM
documentation, including Cisco Unified Communications Manager Administration Guide. You can also
use the context-sensitive help available within the application for guidance.
You can access Cisco Unified CM documentation at this location:
http://www.cisco.com/en/US/products/sw/voicesw/ps556/tsd_products_support_series_home.html
You can access Cisco Unified Communications Manager Business Edition documentation at
this location:
http://www.cisco.com/en/US/products/ps7273/tsd_products_support_series_home.html
1-8
Related Topic
• Telephony Features Available for the Cisco Unified IP Phone, page 5-1
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
OL-20851-01
Chapter
Understanding Security Features for Cisco Unified IP Phones
Configuring Network Parameters Using the Cisco Unified IP Phone
You can configure parameters such as DHCP, TFTP, and IP settings on the phone itself. You can also
obtain statistics about a current call or firmware versions on the phone.
For more information about configuring features and viewing statistics from the phone, see Chapter 4,
“Configuring Settings on the Cisco Unified IP Phone” and see Chapter 7, “Viewing Model Information,
Status, and Statistics on the Cisco Unified IP Phone.”
Providing Users with Feature Information
If you are a system administrator, you are likely the primary source of information for Cisco Unified IP
Phone users in your network or company. To ensure that you distribute the most current feature and
procedural information, familiarize yourself with Cisco Unified IP Phone documentation on the
Cisco Unified IP Phone web site:
http://www.cisco.com/en/US/products/ps10451/tsd_products_support_series_home.html
From this site, you can view various user documentation.
In addition to providing documentation, it is important to inform users of available Cisco Unified IP
Phone features—including those specific to your company or network—and of how to access and
customize those features, if appropriate.
For a summary of some of the key information that phone users need their system administrators to
provide, see Appendix A, “Providing Information to Users Via a Website.”
Understanding Security Features for Cisco Unified IP Phones
Implementing security in the Cisco Unified CM system prevents identity theft of the phone and
Cisco Unified CM server, prevents data tampering, and prevents call signaling and media stream
tampering.
To alleviate these threats, the Cisco IP telephony network establishes and maintains secure
communication streams between a phone and the server, digitally signs files before they are transferred
to a phone, and encrypts media streams and call signaling between Cisco Unified IP phones.
The Cisco Unified IP Phone 8941 and 8945 use the Phone security profile, which defines whether the
device is nonsecure or encrypted. For information on applying the security profile to the phone, refer to
the Cisco Unified Communications Manager Security Guide.
If you configure security-related settings in Cisco Unified CM Administration, the phone configuration
file will contain sensitive information. To ensure the privacy of a configuration file, you must configure
it for encryption. For detailed information, refer to the “Configuring Encrypted Phone Configuration
Files” chapter in Cisco Unified Communications Manager Security Guide.
Table 1-3 shows where you can find additional information about security in this and other documents.
OL-20851-01
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
1-9
Chapter
Understanding Security Features for Cisco Unified IP Phones
Table 1-3 Cisco Unified IP Phone and Cisco Unified CM Security Topics
Topic Reference
Detailed explanation of security, including set
up, configuration, and troubleshooting
information for Cisco Unified CM and Cisco
Unified IP Phones
Security features supported on the Cisco Unified
IP Phone
Restrictions regarding security features See the “Security Restrictions” section on page 1-17
Viewing a security profile name See the “Understanding Security Profiles” section on page 1-13
Identifying phone calls for which security is
implemented
TLS connection
Security and the phone startup process See the “Understanding the Phone Startup Process” section on page 2-6
Security and phone configuration files See the “Adding Phones to the Cisco Unified CM Database” section on
Changing the TFTP Server 1 or TFTP Server 2
option on the phone when security is
implemented
Items on the Security Configuration menu that
you access from the Device Configuration menu
on the phone
Items on the Security Configuration menu that
you access from the Settings menu on the phone
Applying a password to the phone so that no
changes can be made to the administrative
options
Disabling access to a phone’s web pages See the “Disabling and Enabling Web Page Access” section on page 8-3
Troubleshooting
Deleting the CTL file from the phone See the “Resetting or Restoring the Cisco Unified IP Phone” section on
Refer to the Cisco Unified Communications Manager Security Guide.
See the “Overview of Supported Security Features” section on page 1-11
See the “Identifying Encrypted Phone Calls” section on page 1-13
• See the “What Networking Protocols are Used?” section on page 1-4
• See the “Adding Phones to the Cisco Unified CM Database” section on
page 2-8
page 2-8
See Table 4- 2 , in the “Network Setup Menu” section on page 4-4
See the “Security Configuration Menu” section on page 4-8
See the “Security Configuration Menu” section on page 4-8
See the “Unlocking and Locking Options” section on page 4-3
• See the “Troubleshooting Cisco Unified IP Phone Security” section on
page 9-8
• Refer to the Troubleshooting Guide for Cisco Unified
Communications Manager
page 9-12
1-10
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
OL-20851-01
Chapter
Understanding Security Features for Cisco Unified IP Phones
Table 1-3 Cisco Unified IP Phone and Cisco Unified CM Security Topics (continued)
Topic Reference
Resetting or restoring the phone See the “Resetting or Restoring the Cisco Unified IP Phone” section on
page 9-12
802.1X Authentication for Cisco Unified IP
Phones
All Cisco Unified IP Phones that support Cisco Unified CM use a security profile, which defines whether
the phone is nonsecure or secure.
For information about configuring the security profile and applying the profile to the phone, refer to
Cisco Unified Communications Manager Security Guide.
See these sections:
• “Supporting 802.1X Authentication on Cisco Unified IP Phones”
section on page 1-16
• “Security Configuration Menu” section on page 4-8
• “Status Menu” section on page 7-2
• “Troubleshooting Cisco Unified IP Phone Security” section on
page 9-8
Overview of Supported Security Features
Table 1-4 provides an overview of the security features that the Cisco Unified IP Phone 8941 and 8945
support. For more information about these features and about Cisco Unified CM and
Cisco Unified IP Phone security, refer to Cisco Unified Communications Manager Security Guide.
For information about current security settings on a phone, choose Applications > Administrator
Settings > Security Setup. For more information, see the “Security Configuration Menu” section on
page 4-8.
Note Most security features are available only if a certificate trust list (CTL) is installed on the phone. For
more information about the CTL, refer to “Configuring the Cisco CTL Client” chapter in Cisco Unified
Communications Manager Security Guide.
Table 1-4 Overview of Security Features
Feature Description
Image authentication Signed binary files (with the extension .sgn) prevent tampering with the
firmware image before it is loaded on a phone. Tampering with the image causes
a phone to fail the authentication process and reject the new image.
Customer-site certificate installation Each Cisco Unified IP Phone requires a unique certificate for device
authentication. Phones include a manufacturing installed certificate (MIC), but
for additional security, you can specify in Cisco Unified CM Administration that
a certificate be installed by using the Certificate Authority Proxy Function
(CAPF). Alternatively, you can install a Locally Significant Certificate (LSC)
from the Security Configuration menu on the phone. See the “Configuring
Security on the Cisco Unified IP Phone” section on page 3-11 for more
information.
OL-20851-01
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
1-11
Chapter
Understanding Security Features for Cisco Unified IP Phones
Table 1-4 Overview of Security Features (continued)
Feature Description
Device authentication Occurs between the Cisco Unified CM server and the phone when each entity
accepts the certificate of the other entity. Determines whether a secure
connection between the phone and a Cisco Unified CM should occur; and, if
necessary, creates a secure signaling path between the entities by using TLS
protocol. Cisco Unified CM will not register phones unless they can be
authenticated by the Cisco Unified CM.
File authentication Validates digitally signed files that the phone downloads. The phone validates
the signature to make sure that file tampering did not occur after the file creation.
Files that fail authentication are not written to Flash memory on the phone. The
phone rejects such files without further processing.
Signaling Authentication Uses the TLS protocol to validate that no tampering has occurred to signaling
packets during transmission.
Manufacturing installed certificate Each Cisco Unified IP Phone contains a unique manufacturing installed
certificate (MIC), which is used for device authentication. The MIC is a
permanent unique proof of identity for the phone, and allows Cisco Unified CM
to authenticate the phone.
Secure SRST reference After you configure a SRST reference for security and then reset the dependent
devices in Cisco Unified CM Administration, the TFTP server adds the SRST
certificate to the phone cnf.xml file and sends the file to the phone. A secure
phone then uses a TLS connection to interact with the SRST-enabled router.
Media encryption Uses SRTP to ensure that the media streams between supported devices proves
secure and that only the intended device receives and reads the data. Includes
creating a media master key pair for the devices, delivering the keys to the
devices, and securing the delivery of the keys while the keys are in transport.
Signaling encryption Ensures that all SCCP signaling messages that are sent between the device and
the Cisco Unified CM server are encrypted.
CAPF (Certificate Authority Proxy
Function)
Security profiles Defines whether the phone is nonsecure or encrypted. See the “Understanding
Encrypted configuration files Lets you ensure the privacy of phone configuration files.
Optional disabling of the web server
functionality for a phone
Implements parts of the certificate generation procedure that are too
processing-intensive for the phone, and interacts with the phone for key
generation and certificate installation. The CAPF can be configured to request
certificates from customer-specified certificate authorities on behalf of the
phone, or it can be configured to generate certificates locally.
Security Profiles” section on page 1-13 for more information.
You can prevent access to a phone’s web page, which displays a variety of
operational statistics for the phone. See the “Disabling and Enabling Web Page
Access” section on page 8-3.
1-12
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
OL-20851-01
Chapter
Understanding Security Features for Cisco Unified IP Phones
Table 1-4 Overview of Security Features (continued)
Feature Description
Phone hardening Additional security options, which you control from Cisco Unified CM
Administration:
• Disabling PC port
• Disabling PC Voice VLAN access
• Disabling access to web pages for a phone
Note You can view current settings for the PC Port Disabled, GARP Enabled,
and Voice VLAN enabled options by looking at the phone’s Security
Configuration menu. For more information, see the “Security
Configuration Menu” section on page 4-8.
802.1X Authentication The Cisco Unified IP Phone can use 802.1X authentication to request and gain
access to the network. See the “Supporting 802.1X Authentication on Cisco
Unified IP Phones” section on page 1-16 for more information.
Related Topics
• Understanding Security Profiles, page 1-13
• Identifying Encrypted Phone Calls, page 1-13
• Security Restrictions, page 1-17
Understanding Security Profiles
All Cisco Unified IP Phones that support Cisco Unified CM use a security profile, which defines whether
the phone is nonsecure or encrypted. For information about configuring the security profile and applying
the profile to the phone, refer to Cisco Unified Communications Manager Security Guide.
To view the security mode that is set for the phone, look at the Security Mode setting in the Security
Configuration menu. For more information, see the “Security Configuration Menu” section on page 4-8.
Related Topics
• Identifying Encrypted Phone Calls, page 1-13
• Security Restrictions, page 1-17
Identifying Encrypted Phone Calls
When security is implemented for a phone, you can identify encrypted phone audio calls by icons on the
screen on the phone. You can also determine if the connected phone is secure and protected if a security
tone plays at the beginning of the call.
In a secure call, all call signaling and media streams are encrypted. An encrypted call offers a high level
of security, providing integrity and privacy to the call. When a call in progress is being encrypted, the
call progress icon to the right of the call duration timer in the phone LCD screen changes to the lock
icon: .
If the call is routed through non-IP call legs, for example, PSTN, the call may be nonsecure even though
it is encrypted within the IP network and has a lock icon associated with it.
OL-20851-01
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
1-13
Understanding Security Features for Cisco Unified IP Phones
In a secure call, a security tone plays at the beginning of a call to indicate that the other connected phone
is also receiving and transmitting encrypted audio. For video calls, the user may first hear secure
indication tone for the audio portion of the call and then nonsecure indication tone for overall nonsecure
media. If your call is connected to a non-protected phone, the security tone does not play.
Note Secured calling is supported for connections between two phones only. Some features, such as
conference calling, shared lines, and Cisco Extension Mobilityare not available when secured calling is
configured.
Related Topic
• Understanding Security Profiles, page 1-13
• Understanding Security Features for Cisco Unified IP Phones, page 1-9
• Security Restrictions, page 1-17
Establishing and Identifying Secure Audio Conference Calls
You can initiate a secure conference audio call and monitor the security level of participants. A secure
conference call is established using this process:
Chapter
1. A user initiates the conference from a secure phone.
2. Cisco Unified CM assigns a secure conference bridge to the call.
3. As participants are added, Cisco Unified CM verifies the security mode of each phone and maintains
the secure level for the conference.
4. The phone displays the security level of the conference call. A secure conference displays the
to the right of “Conference” on the phone screen.
Note There are interactions, restrictions, and limitations that affect the security level of the audio conference
call depending on the security mode of the participant’s phones and the availability of secure conference
bridges. See Tabl e 1-5 and Tab l e 1-6 for information about these interactions.
Establishing and Identifying Protected Calls
A protected call is established when your phone, and the phone on the other end, is configured for
protected calling. The other phone can be in the same Cisco IP network, or on a network outside the IP
network. Protected calls can only be made between two phones. Conference calls and other multiple-line
calls are not supported.
A protected call is established using this process:
1. A user initiates the call from a protected phone (protected security mode).
2. The phone displays the icon (encrypted) on the phone screen. This icon indicates that the phone
is configured for secure (encrypted) calls, but this does not mean that the other connected phone is
also protected.
1-14
3. A security tone plays if the call is connected to another protected phone, indicating that both ends
of the conversation are encrypted and protected. For video calls, the user may first hear secure
indication tone for the audio portion of the call and then nonsecure indication tone for overall
nonsecure media. If the call is connected to a non-protected phone, then the secure tone is not
played.
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
OL-20851-01
Chapter
Note Protected calling is supported for conversations between two phones. Some features, such as conference
calling, shared lines, Cisco Extension Mobility, and Join Across Lines are not available when protected
calling is configured.
Call Security Interactions and Restrictions
Cisco Unified CM checks the phone security status when audio conferences are established and changes
the security indication for the conference or blocks the completion of the call to maintain integrity and
also security in the system.
using Barge.
Table 1-5 Call Security Interactions When Using Barge
Initiator’s Phone
Security Level Feature Used Call Security Level Results of Action
Non-secure cBarge Encrypted call Call barged and identified as nonsecure call
Secure cBarge Secure call Call barged and identified as Secure call
Table 1-5 provides information about changes to call security levels when
Understanding Security Features for Cisco Unified IP Phones
Table 1-6 provides information about changes to conference security levels depending on the initiator’s
phone security level, the security levels of participants, and the availability of secure conference bridges.
Table 1-6 Security Restrictions with Conference Calls
Initiator’s Phone
Security Level Feature Used Security Level of Participants Results of Action
Non-secure Conference Encrypted Nonsecure conference bridge
Nonsecure conference
Secure Conference At least one member is
non-secure
Secure conference bridge
Nonsecure conference
Secure Conference All participants are encrypted Secure conference bridge
Secure encrypted level
conference
Secure Join Encrypted Secure conference bridge
Conference remains secure
Non-secure cBarge All participants are encrypted Secure conference bridge
Conference changes to
non-secure
Non-secure MeetMe Minimum security level is
encrypted
Only non-secure conference
bridge is available and used
Non-secure conference
Secure MeetMe Minimum security level is
nonsecure
Only secure conference bridge
available and used
Conference accepts all calls
OL-20851-01
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
1-15
Understanding Security Features for Cisco Unified IP Phones
Supporting 802.1X Authentication on Cisco Unified IP Phones
These sections provide information about 802.1X support on the Cisco Unified IP Phones:
• Overview, page 1-16
• Required Network Components, page 1-16
• Best Practices—Requirements and Recommendations, page 1-16
Overview
Cisco Unified IP phones and Cisco Catalyst switches have traditionally used Cisco Discovery Protocol
(CDP) to identify each other and determine parameters such as VLAN allocation and inline power
requirements. However, CDP is not used to identify any locally attached PCs; therefore, Cisco Unified
IP Phones provide an EAPOL pass-through mechanism, whereby a PC locally attached to the IP phone,
may pass through EAPOL messages to the 802.1X authenticator in the LAN switch. This prevents the
IP phone from having to act as the authenticator, yet allows the LAN switch to authenticate a data end
point prior to accessing the network.
In conjunction with the EAPOL pass-through mechanism, Cisco Unified IP Phones provide a proxy
EAPOL-Logoff mechanism. In the event that the locally attached PC is disconnected from the IP phone,
the LAN switch would not see the physical link fail, because the link between the LAN switch and the
IP phone is maintained. To avoid compromising network integrity, the IP phone sends an EAPOL-Logoff
message to the switch, on behalf of the downstream PC, which triggers the LAN switch to clear the
authentication entry for the downstream PC.
The Cisco Unified IP phones also contain an 802.1X supplicant, in addition to the EAPOL pass-through
mechanism. This supplicant allows network administrators to control the connectivity of IP phones to
the LAN switch ports. The current release of the phone 802.1X supplicant uses the EAP-FAST,
EAP-TLS, and EAP-MD5 options for network authentication.
Chapter
Required Network Components
Support for 802.1X authentication on Cisco Unified IP Phones requires several components, including:
• Cisco Unified IP Phone—The phone acts as the 802.1X supplicant, which initiates the request to
access the network.
• Cisco Secure Access Control Server (ACS) (or other third-party authentication server)—The
authentication server and the phone must both be configured with a shared secret that is used to
authenticate the phone.
• Cisco Catalyst Switch (or other third-party switch)—The switch must support 802.1X, so it can act
as the authenticator and pass the messages between the phone and the authentication server. When
the exchange is completed, the switch then grants or denies the phone access to the network.
Best Practices—Requirements and Recommendations
• Enable 802.1X Authentication—If you want to use the 802.1X standard to authenticate Cisco
Unified IP Phones, be sure that you have properly configured the other components before enabling
it on the phone. See the
information.
“802.1X Authentication and Status” section on page 4-8 for more
1-16
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
OL-20851-01
Chapter
Overview of Configuring and Installing Cisco Unified IP Phones
• Configure PC Port—The 802.1X standard does not take into account the use of VLANs and thus
recommends that only a single device should be authenticated to a specific switch port. However,
some switches (including Cisco Catalyst switches) support multi-domain authentication. The switch
configuration determines whether you can connect a PC to the phone’s PC port.
–
Enabled—If you are using a switch that supports multi-domain authentication, you can enable
the PC port and connect a PC to it. In this case, Cisco Unified IP Phones support proxy
EAPOL-Logoff to monitor the authentication exchanges between the switch and the attached
PC. For more information about IEEE 802.1X support on the Cisco Catalyst switches, refer to
the Cisco Catalyst switch configuration guides at:
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.
html
–
Disabled—If the switch does not support multiple 802.1X-compliant devices on the same port,
you should disable the PC Port when 802.1X authentication is enabled. See the
Configuration Menu” section on page 4-8 for more information. If you do not disable this port
and subsequently attempt to attach a PC to it, the switch will deny network access to both the
phone and the PC.
• Configure Voice VLAN—Because the 802.1X standard does not account for VLANs, you should
configure this setting based on the switch support.
“Security
–
Enabled—If you are using a switch that supports multi-domain authentication, you can continue
to use the voice VLAN.
–
Disabled—If the switch does not support multi-domain authentication, disable the Voice VLAN
and consider assigning the port to the native VLAN. See the
section on page 4-8 for more information.
• Enter MD5 Shared Secret—If you disable 802.1X authentication or perform a factory reset on the
phone, the previously configured MD5 shared secret is deleted. See the
Status” section on page 4-8 for more information.
“Security Configuration Menu”
“802.1X Authentication and
Security Restrictions
A user cannot barge into an encrypted call if the phone that is used to barge is not configured for
encryption. When barge fails in this case, a reorder tone (fast busy tone) plays on the phone on which
the user initiated the barge.
If the initiator phone is configured for encryption, the barge initiator can barge into a nonsecure call from
the encrypted phone. After the barge occurs, Cisco Unified CM classifies the call as nonsecure.
If the initiator phone is configured for encryption, the barge initiator can barge into an encrypted call,
and the phone indicates that the call is encrypted.
Overview of Configuring and Installing Cisco Unified IP Phones
OL-20851-01
When deploying a new IP telephony system, system administrators and network administrators must
complete several initial configuration tasks to prepare the network for IP telephony service. For
information and a checklist for setting up and configuring a Cisco IP telephony network, go to the
System Configuration Overview chapter in Cisco Unified Communications Manager System Guide.
After you have set up the IP telephony system and configured system-wide features in Cisco Unified
CM, you can add IP phones to the system.
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
1-17
Overview of Configuring and Installing Cisco Unified IP Phones
The following topics provide an overview of procedures for adding Cisco Unified IP Phones to
your network:
• Configuring Cisco Unified IP Phones in Cisco Unified CM, page 1-18
• Installing Cisco Unified IP Phones, page 1-22
Configuring Cisco Unified IP Phones in Cisco Unified CM
To add phones to the Cisco Unified CM database, you can use:
• Auto-registration
• Cisco Unified CM Administration
• Bulk Administration Tool (BAT)
• BAT and the Tool for Auto-Registered Phones Support (TAPS)
For more information about these choices, see the “Adding Phones to the Cisco Unified CM Database”
section on page 2-8.
For general information about configuring phones in Cisco Unified CM, refer to the
following documentation:
• Cisco Unified IP Phones, Cisco Unified Communications Manager System Guide
• Cisco Unified IP Phone Configuration, Cisco Unified Communications Manager Administration
Guide
Chapter
• Autoregistration Configuration, Cisco Unified Communications Manager Administration Guide
1-18
Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)
OL-20851-01
Loading...