Cisco 8941, 8945 User Manual

Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)

Americas Headquarters

Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 527-0883

Text Part Number: OL-20851-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.

Modifying the equipment without Cisco’s written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.

You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:

• Turn the television or radio antenna until the interference stops.

• Move the equipment to one side or the other of the television or radio.

• Move the equipment farther away from the television or radio.

• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)

Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered t and/or its affiliates in the United States and certain other countries.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at

www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership

relationship between Cisco and any other company. (1005R)

rademarks of Cisco Systems, Inc.

The Java logo is a trademark or registered trademark of Sun Microsystems, Inc. in the U.S. or other countries.

Preface ix

Overview ix

Audience ix

Organization ix

Preface

Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP) provides the information you need to understand, install, configure,

manage, and troubleshoot the phones on a Voice-over-IP (VoIP) network.

Because of the complexity of an IP telephony network, this guide does not provide complete and detailed information for procedures that you need to perform in Cisco Unified Communications Manager (Cisco Unified CM) or other network devices. See the “Obtaining Documentation, Obtaining Support, and

Security Guidelines” section on page xi.

Audience

Network engineers, system administrators, or telecom engineers should review this guide to learn the steps required to properly set up the Cisco Unified IP Phone on the network.

The tasks described are administration-level tasks and are not intended for end-users of the phones. Many of the tasks involve configuring network settings and affect the phone’s ability to function in the network.

Because of the close interaction between the Cisco Unified IP Phone and Cisco Unified CM, many of the tasks in this manual require familiarity with Cisco Unified CM.

Organization

This manual is organized as follows.

Chapter Description

Chapter 1, “An Overview of the Cisco Unified IP Phone”

Chapter 2, “Preparing to Install the Cisco Unified IP Phone on Your Network”

Chapter 3, “Setting Up the Cisco Unified IP Phone” Describes how to install and configure the Cisco Unified IP Phone on

Provides a conceptual overview and description of the Cisco Unified IP Phone.

Describes how the Cisco Unified IP Phone interacts with other key IP telephony components, and provides an overview of the tasks required prior to installation.

your network properly and safely.

OL-20851-01

Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)

Chapter 4, “Configuring Settings on the Cisco Unified IP Phone”

Chapter 5, “Configuring Features, Templates, Services, and Users”

Chapter 6, “Customizing the Cisco Unified IP Phone”

Chapter 7, “Viewing Model Information, Status, and Statistics on the Cisco Unified IP Phone”

Chapter 8, “Monitoring the Cisco Unified IP Phone Remotely”

Chapter 9, “Troubleshooting and Maintenance” Provides tips for troubleshooting the Cisco Unified IP Phone and the

Appendix A, “Providing Information to Users Via a Website”

Appendix B, “Supporting International Users” Provides information about setting up phones in non–English

Appendix C, “Technical Specifications” Provides technical specifications of the Cisco Unified IP Phone.

Appendix D, “Basic Phone Administration Steps” Provides procedures for basic administration tasks such as adding a

Describes how to configure network settings, verify status, and make global changes to the Cisco Unified IP Phone.

Provides an overview of procedures for configuring telephony features, configuring directories, configuring phone button and softkey templates, setting up services, and adding users to Cisco Unified Communications Manager.

Explains how to customize phone ring sounds and the phone idle display at your site.

Explains how to view model information, status messages, network statistics, and firmware information from the Cisco Unified IP Phone.

Describes the information that you can obtain from the phone’s web page to remotely monitor the operation of a phone and to assist with troubleshooting.

Cisco Unified IP Phone Expansion Modules.

Provides suggestions for setting up a website for providing users with important information about their Cisco Unified IP Phones.

environments.

user and phone to Cisco Unified CM and then associating the user to the phone.

An Overview of the Cisco Unified IP Phone

The Cisco Unified IP Phones 8941 and 8945 provide voice communication over an IP network. The Cisco Unified IP Phone functions much like a digital business phone, allowing you to place and receive phone calls and to access features such as mute, hold, transfer, speed dial, call forward, and more. In addition, because the phone is connected to your data network, it offers enhanced IP telephony features, including access to network information and services, and customizeable features and services.

A Cisco Unified IP Phone, like other network devices, must be configured and managed. These phones encode G.711a, G.711µ, G.729, G.729a, G.729ab, iLBC, and decode G.711a, G.711µ, G.729, G.729a, G.729ab, and iLBC.

This chapter includes the following topics:

• Understanding the Cisco Unified IP Phones 8941 and 8945, page 1-2

• What Networking Protocols are Used?, page 1-4

• What Features are Supported on the Cisco Unified IP Phone 8941 and 8945?, page 1-7

• Overview of Configuring and Installing Cisco Unified IP Phones, page 1-17

• Terminology Differences, page 1-24

OL-20851-01

Caution Using a cell, mobile, or GSM phone, or two-way radio in close proximity to a Cisco Unified IP Phone

may cause interference. For more information, refer to the manufacturer’s documentation of the interfering device.

Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)

1-1

Understanding the Cisco Unified IP Phones 8941 and 8945

Figure 1-1 shows the main components of the Cisco Unified IP Phone 8941 and 8945.

Figure 1-1 Cisco Unified IP Phone 8941 and 8945

1 2 3

Chapter

13 12 9

236961

Table 1-1 describes the buttons on the Cisco Unified IP Phone 8941 and 8945.

Table 1-1 Features on the Cisco Unified IP Phone 8941 and 8945

1 Phone screen Shows information about your phone, including directory number, call

information (for example caller ID, icons for an active call or call on hold) and available softkeys.

2 Video Camera Connects to your Cisco Unified IP Phone and allows you to make a

point-to-point video call with another Cisco Unified IP Phone.

1-2

Lens Cover button Integrated lens cover protects the camera lens.

4 Softkey buttons Allows you to access the softkey options (for the selected call or menu item)

displayed on your phone screen.

Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)

OL-20851-01

Chapter

Understanding the Cisco Unified IP Phones 8941 and 8945

Table 1-1 Features on the Cisco Unified IP Phone 8941 and 8945

5 Navigation pad

and Select button

The two-way Navigation pad allows you to scroll through menus, highlight items, and move within a text input field.

The Select button (center of the Navigation pad) allows you to select a highlighted item.

The Select button is lit (white) when the phone is in power-save mode.

6 Conference button Creates a conference call.

7 Hold button Places a connected call on hold.

8 Transfer button Transfers a call.

9 Redial button Redials a call.

10 Keypad Allows you to dial phone numbers, enter letters, and choose menu items (by

entering the item number).

11 Speakerphone

button

Selects the speakerphone as the default audio path and initiates a new call, picks up an incoming call, or ends a call. During a call, the button is lit green.

The speakerphone audio path does not change until a new default audio path is selected (for example, by picking up the handset).

If external speakers are connected, the Speakerphone button selects them as the default audio path.

12 Video Mute button

Mutes the video from the phone screen during a video call. When Video Mute is on, the Video Mute button is lit red.

13 Mute button Toggles the microphone on or off during a call. When the microphone is

muted, the button is lit red.

14 Headset button Selects the headset as the default audio path and initiates a new call, picks up

an incoming call, or ends a call. During a call, the button is lit green.

A headset icon in the phone screen header line indicates the headset is the default audio path. This audio path does not change until a new default audio path is selected (for example, by picking up the handset).

15 Volume button Controls the handset, headset, and speakerphone volume (off hook) and the

ringer volume (on hook).

Silences the ringer on the phone if an incoming call is ringing.

16 Messages button Auto-dials your voicemail system (varies by system).

OL-20851-01

Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)

1-3

What Networking Protocols are Used?

Table 1-1 Features on the Cisco Unified IP Phone 8941 and 8945

Chapter

17 Applications

button

18 Contacts button Opens the Contacts menu. Depending on how your system administrator sets

19 Phone Speaker Speaker for the phone.

20 Programmable

feature buttons (also called Line buttons)

21 Handset rest To rest the phone handset.

Opens the Applications menu. Depending on how your system administrator sets up the phone, use it to access applications such as call history, preferences, and phone information.

up the phone, use it to access personal directory, corporate directory, or call history.

Each corresponds with a phone line, speed dial, and calling feature.

Pressing a button for a phone line displays the active calls for that line.

Color LEDs indicate the line state:

• Amber —Ringing call on this line

• Green —Active or held call on this line

• Red —Shared line in-use remotely

What Networking Protocols are Used?

Cisco Unified IP Phones support several industry-standard and Cisco networking protocols required for voice communication. Table 1-2 provides an overview of the networking protocols that the Cisco Unified IP Phones 8941 and 8945 support.

Table 1-2 Supported Networking Protocols on the Cisco Unified IP Phone

Networking Protocol Purpose Usage Notes

Bootstrap Protocol (BootP)

Cisco Audio Session Tunneling (CAST)

BootP enables a network device such as the Cisco Unified IP Phone to discover certain startup information, such as its IP address.

The CAST protocol allows IP phones and associated applications behind the phone to discover and communicate with the remote endpoints without requiring changes to the traditional signaling components like Cisco Unified Communications Manager (Cisco Unified CM) and gateways. The Cast protocol allows separate hardware devices to synchronize related media and it allows PC applications to augment non Video capable phones to become video enabled by using the PC as the video resource.

—

1-4

Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)

OL-20851-01

Chapter

What Networking Protocols are Used?

Table 1-2 Supported Networking Protocols on the Cisco Unified IP Phone (continued)

Networking Protocol Purpose Usage Notes

Cisco Discovery Protocol (CDP)

CDP is a device-discovery protocol that runs on all Cisco-manufactured equipment.

Using CDP, a device can advertise its existence to other devices and receive information about other devices in the network.

Dynamic Host Configuration Protocol (DHCP)

DHCP dynamically allocates and assigns an IP address to network devices.

DHCP enables you to connect an IP phone into the network and have the phone become operational without your needing to manually assign an IP address or to configure additional network parameters.

Hypertext Transfer Protocol (HTTP)

HTTP is the standard way of transferring information and moving documents across the Internet and the web.

IEEE 802.1X The IEEE 802.1X standard defines a

client-server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports.

Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.

Internet Protocol (IP) IP is a messaging protocol that addresses

and sends packets across the network.

Link Layer Discovery Protocol (LLDP)

LLDP is a standardized network discovery protocol (similar to CDP) that is supported on some Cisco and third-party devices.

The Cisco Unified IP Phone uses CDP to communicate information such as auxiliary VLAN ID, per port power management details, and Quality of Service (QoS) configuration information with the Cisco Catalyst switch.

DHCP is enabled by default. If disabled, you must manually configure the IP address, subnet mask, gateway, and a TFTP server on each phone locally.

Cisco recommends that you use DHCP custom option 150. With this method, you configure the TFTP server IP address as the option value. For additional supported DHCP configurations, go to the Dynamic Host Configuration Protocol chapter and the Cisco TFTP chapter in the Cisco Unified Communications Manager System Guide.

Note If you cannot use option 150, you may try

using DHCP option 66.

Cisco Unified IP Phones use HTTP for the XML services and for troubleshooting purposes.

The Cisco Unified IP Phone implements the IEEE

802.1X standard by providing support for the following authentication methods: EAP-FAST, EAP-TLS, and EAP-MD5.

When 802.1X authentication is enabled on the phone, you should disable the PC port and voice VLAN. Refer to the “Supporting 802.1X

Authentication on Cisco Unified IP Phones” section on page 1-16 for additional information.

To communicate using IP, network devices must have an assigned IP address, subnet, and gateway.

IP addresses, subnets, and gateways identifications are automatically assigned if you are using the Cisco Unified IP Phone with Dynamic Host Configuration Protocol (DHCP). If you are not using DHCP, you must manually assign these properties to each phone locally.

The Cisco Unified IP Phone supports LLDP on the PC port.

OL-20851-01

Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)

1-5

What Networking Protocols are Used?

Table 1-2 Supported Networking Protocols on the Cisco Unified IP Phone (continued)

Networking Protocol Purpose Usage Notes

Link Layer Discovery Protocol-Media Endpoint Devices (LLDP-MED)

Real-Time Transport Protocol (RTP)

Real-Time Control Protocol (RTCP)

Session Initiation Protocol (SIP)

Skinny Client Control Protocol (SCCP)

Secure Real-Time Transfer protocol (SRTP)

Transmission Control Protocol (TCP)

LLDP-MED is an extension of the LLDP standard developed for voice products.

RTP is a standard protocol for transporting real-time data, such as interactive voice and video, over data networks.

RTCP works in conjunction with RTP to provide QoS data (such as jitter, latency, and round trip delay) on RTP streams.

SIP is the Internet Engineering Task Force (IETF) standard for multimedia conferencing over IP. SIP is an ASCII-based application-layer control

protocol (defined in RFC 3261) that can be used to establish, maintain, and terminate calls between two or more endpoints.

SCCP includes a messaging set that allows communications between call control servers and endpoint clients such as IP Phones. SCCP is proprietary to Cisco Systems.

SRTP is an extension of the Real-Time Protocol (RTP) Audio/Video Profile and ensures the integrity of RTP and Real-Time Control Protocol (RTCP) packets providing authentication, integrity, and encryption of media packets between two endpoints.

TCP is a connection-oriented transport protocol.

The Cisco Unified IP Phone supports LLDP-MED on the SW port to communicate information such as:

• Voice VLAN configuration

• Device discovery

• Power management

• Inventory management

For more information about LLDP-MED support, see the LLDP-MED and Cisco Discovery Protocol white paper:

http://www.cisco.com/en/US/tech/tk652/tk701/tech nologies_white_paper0900aecd804cd46d.shtml

Cisco Unified IP Phones use the RTP protocol to send and receive real-time voice traffic from other phones and gateways.

RTCP is disabled by default, but you can enable it on a per phone basis by using Cisco Unified CM.

Like other VoIP protocols, SIP is designed to address the functions of signaling and session management within a packet telephony network. Signaling allows call information to be carried across network boundaries. Session management provides the ability to control the attributes of an end-to-end call.

You can configure the Cisco Unified IP Phone to use either SIP or Skinny Client Control Protocol (SCCP). Cisco Unified IP Phones do not support the SIP protocol when the phones are operating in IPv6 address mode.

Cisco Unified IP Phone 8941 and 8945 use SCCP, version 20 for call control.

Cisco Unified IP Phones use SRTP for media encryption.

Cisco Unified IP Phones use TCP to connect to Cisco Unified CM and to access XML services.

Chapter

1-6

Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)

OL-20851-01

Chapter

What Features are Supported on the Cisco Unified IP Phone 8941 and 8945?

Table 1-2 Supported Networking Protocols on the Cisco Unified IP Phone (continued)

Networking Protocol Purpose Usage Notes

Transport Layer Security (TLS)

Trivial File Transfer Protocol (TFTP)

User Datagram Protocol (UDP)

TLS is a standard protocol for securing and authenticating communications.

TFTP allows you to transfer files over the network.

On the Cisco Unified IP Phone, TFTP enables you to obtain a configuration file specific to the phone type.

UDP is a connectionless messaging protocol for delivery of data packets.

When security is implemented, Cisco Unified IP Phones use the TLS protocol when securely registering with Cisco Unified CM.

For more information, refer to the Cisco Unified

Communications Manager Security Guide.

TFTP requires a TFTP server in your network, which can be automatically identified from the DHCP server. If you want a phone to use a TFTP server other than the one specified by the DHCP server, you must manually assign the IP address of the TFTP server by using the Network Setup menu on the phone.

For more information, refer to the Cisco TFTP chapter in the Cisco Unified Communications Manager System Guide.

Cisco Unified IP Phones transmit and receive RTP streams, which utilize UDP.

Related Topics

• Understanding Interactions with Other Cisco Unified IP Telephony Products, page 2-1

• Understanding the Phone Startup Process, page 2-6

• Network Setup Menu, page 4-4

What Features are Supported on the Cisco Unified

Phone 8941 and 8945?

Cisco Unified IP Phones function much like a digital business phone, allowing you to place and receive phone calls. In addition to traditional telephony features, the Cisco Unified IP Phone includes features that enable you to administer and monitor the phone as a network device.

This section includes the following topics:

• Feature Overview, page 1-8

• Configuring Telephony Features, page 1-8

• Configuring Network Parameters Using the Cisco Unified IP Phone, page 1-9

• Providing Users with Feature Information, page 1-9

OL-20851-01

Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)

1-7

What Features are Supported on the Cisco Unified IP Phone 8941 and 8945?

Feature Overview

Cisco Unified IP Phones provide traditional telephony functionality, such as call forwarding and transferring, redialing, speed dialing, conference calling, and voice messaging system access. Cisco Unified IP phones also provide a variety of other features. For an overview of the telephony features that the Cisco Unified IP Phone supports and for tips on configuring them, see the “Telephony

Features Available for the Cisco Unified IP Phone” section on page 5-1.

As with other network devices, you must configure Cisco Unified IP Phones to prepare them to access Cisco Unified CM and the rest of the IP network. By using DHCP, you have fewer settings to configure on a phone, but if your network requires it, you can manually configure an IP address, TFTP server, subnet information, and so on. For instructions on configuring the network settings on the Cisco Unified IP Phones, see Chapter 4, “Configuring Settings on the Cisco Unified IP Phone.”

Cisco Unified IP Phones can interact with other services and devices on your IP network to provide enhanced functionality. For example, you can integrate Cisco Unified CM with the corporate Lightweight Directory Access Protocol 3 (LDAP3) standard directory to enable users to search for co-worker contact information directly from their IP phones. You can also use XML to enable users to access information such as weather, stocks, quote of the day, and other web-based information. For information about configuring such services, see the “Join and Direct Transfer Policy” section on

page 5-16 and the “Setting Up Services” section on page 5-21.

Finally, because the Cisco Unified IP Phone is a network device, you can obtain detailed status information from it directly. This information can assist you with troubleshooting any problems users might encounter when using their IP phones. See Chapter 7, “Viewing Model Information, Status, and

Statistics on the Cisco Unified IP Phone,” for more information.

Chapter

Related Topics

• Configuring Settings on the Cisco Unified IP Phone, page 4-1

• Configuring Features, Templates, Services, and Users, page 5-1

• Troubleshooting and Maintenance, page 9-1

Configuring Telephony Features

You can modify additional settings for the Cisco Unified IP Phone from Cisco Unified CM Administration. Use Cisco Unified CM Administration to set up phone registration criteria and calling search spaces, to configure corporate directories and services, and to modify phone button templates, among other tasks. See the “Telephony Features Available for the Cisco Unified IP Phone” section on

page 5-1 and the Cisco Unified CM documentation for additional information.

For more information about Cisco Unified CM Administration, refer to Cisco Unified CM documentation, including Cisco Unified Communications Manager Administration Guide. You can also use the context-sensitive help available within the application for guidance.

You can access Cisco Unified CM documentation at this location:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/tsd_products_support_series_home.html

You can access Cisco Unified Communications Manager Business Edition documentation at this location:

http://www.cisco.com/en/US/products/ps7273/tsd_products_support_series_home.html

1-8

Understanding Security Features for Cisco Unified IP Phones

Configuring Network Parameters Using the Cisco Unified IP Phone

You can configure parameters such as DHCP, TFTP, and IP settings on the phone itself. You can also obtain statistics about a current call or firmware versions on the phone.

For more information about configuring features and viewing statistics from the phone, see Chapter 4,

“Configuring Settings on the Cisco Unified IP Phone” and see Chapter 7, “Viewing Model Information, Status, and Statistics on the Cisco Unified IP Phone.”

Providing Users with Feature Information

If you are a system administrator, you are likely the primary source of information for Cisco Unified IP Phone users in your network or company. To ensure that you distribute the most current feature and procedural information, familiarize yourself with Cisco Unified IP Phone documentation on the Cisco Unified IP Phone web site:

http://www.cisco.com/en/US/products/ps10451/tsd_products_support_series_home.html

From this site, you can view various user documentation.

In addition to providing documentation, it is important to inform users of available Cisco Unified IP Phone features—including those specific to your company or network—and of how to access and customize those features, if appropriate.

For a summary of some of the key information that phone users need their system administrators to provide, see Appendix A, “Providing Information to Users Via a Website.”

Understanding Security Features for Cisco Unified IP Phones

Implementing security in the Cisco Unified CM system prevents identity theft of the phone and Cisco Unified CM server, prevents data tampering, and prevents call signaling and media stream tampering.

To alleviate these threats, the Cisco IP telephony network establishes and maintains secure communication streams between a phone and the server, digitally signs files before they are transferred to a phone, and encrypts media streams and call signaling between Cisco Unified IP phones.

The Cisco Unified IP Phone 8941 and 8945 use the Phone security profile, which defines whether the device is nonsecure or encrypted. For information on applying the security profile to the phone, refer to the Cisco Unified Communications Manager Security Guide.

If you configure security-related settings in Cisco Unified CM Administration, the phone configuration file will contain sensitive information. To ensure the privacy of a configuration file, you must configure it for encryption. For detailed information, refer to the “Configuring Encrypted Phone Configuration Files” chapter in Cisco Unified Communications Manager Security Guide.

Table 1-3 shows where you can find additional information about security in this and other documents.

OL-20851-01

Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)

1-9

Chapter

Understanding Security Features for Cisco Unified IP Phones

Table 1-3 Cisco Unified IP Phone and Cisco Unified CM Security Topics

Topic Reference

Detailed explanation of security, including set up, configuration, and troubleshooting information for Cisco Unified CM and Cisco Unified IP Phones

Security features supported on the Cisco Unified IP Phone

Restrictions regarding security features See the “Security Restrictions” section on page 1-17

Viewing a security profile name See the “Understanding Security Profiles” section on page 1-13

Identifying phone calls for which security is implemented

TLS connection

Security and the phone startup process See the “Understanding the Phone Startup Process” section on page 2-6

Security and phone configuration files See the “Adding Phones to the Cisco Unified CM Database” section on

Changing the TFTP Server 1 or TFTP Server 2 option on the phone when security is implemented

Items on the Security Configuration menu that you access from the Device Configuration menu on the phone

Items on the Security Configuration menu that you access from the Settings menu on the phone

Applying a password to the phone so that no changes can be made to the administrative options

Disabling access to a phone’s web pages See the “Disabling and Enabling Web Page Access” section on page 8-3

Troubleshooting

Deleting the CTL file from the phone See the “Resetting or Restoring the Cisco Unified IP Phone” section on

Refer to the Cisco Unified Communications Manager Security Guide.

See the “Overview of Supported Security Features” section on page 1-11

See the “Identifying Encrypted Phone Calls” section on page 1-13

• See the “What Networking Protocols are Used?” section on page 1-4

• See the “Adding Phones to the Cisco Unified CM Database” section on

page 2-8

See Table 4- 2 , in the “Network Setup Menu” section on page 4-4

See the “Security Configuration Menu” section on page 4-8

See the “Unlocking and Locking Options” section on page 4-3

• See the “Troubleshooting Cisco Unified IP Phone Security” section on

page 9-8

• Refer to the Troubleshooting Guide for Cisco Unified

Communications Manager

page 9-12

1-10

Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)

OL-20851-01

Chapter

Understanding Security Features for Cisco Unified IP Phones

Table 1-3 Cisco Unified IP Phone and Cisco Unified CM Security Topics (continued)

Topic Reference

Resetting or restoring the phone See the “Resetting or Restoring the Cisco Unified IP Phone” section on

page 9-12

802.1X Authentication for Cisco Unified IP Phones

All Cisco Unified IP Phones that support Cisco Unified CM use a security profile, which defines whether the phone is nonsecure or secure.

For information about configuring the security profile and applying the profile to the phone, refer to Cisco Unified Communications Manager Security Guide.

See these sections:

• “Supporting 802.1X Authentication on Cisco Unified IP Phones”

section on page 1-16

• “Security Configuration Menu” section on page 4-8

• “Status Menu” section on page 7-2

• “Troubleshooting Cisco Unified IP Phone Security” section on

page 9-8

Overview of Supported Security Features

Table 1-4 provides an overview of the security features that the Cisco Unified IP Phone 8941 and 8945

support. For more information about these features and about Cisco Unified CM and Cisco Unified IP Phone security, refer to Cisco Unified Communications Manager Security Guide.

For information about current security settings on a phone, choose Applications > Administrator Settings > Security Setup. For more information, see the “Security Configuration Menu” section on

page 4-8.

Note Most security features are available only if a certificate trust list (CTL) is installed on the phone. For

more information about the CTL, refer to “Configuring the Cisco CTL Client” chapter in Cisco Unified Communications Manager Security Guide.

Table 1-4 Overview of Security Features

Feature Description

Image authentication Signed binary files (with the extension .sgn) prevent tampering with the

firmware image before it is loaded on a phone. Tampering with the image causes a phone to fail the authentication process and reject the new image.

Customer-site certificate installation Each Cisco Unified IP Phone requires a unique certificate for device

authentication. Phones include a manufacturing installed certificate (MIC), but for additional security, you can specify in Cisco Unified CM Administration that a certificate be installed by using the Certificate Authority Proxy Function (CAPF). Alternatively, you can install a Locally Significant Certificate (LSC) from the Security Configuration menu on the phone. See the “Configuring

Security on the Cisco Unified IP Phone” section on page 3-11 for more

information.

OL-20851-01

Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)

1-11

Chapter

Understanding Security Features for Cisco Unified IP Phones

Table 1-4 Overview of Security Features (continued)

Feature Description

Device authentication Occurs between the Cisco Unified CM server and the phone when each entity

accepts the certificate of the other entity. Determines whether a secure connection between the phone and a Cisco Unified CM should occur; and, if necessary, creates a secure signaling path between the entities by using TLS protocol. Cisco Unified CM will not register phones unless they can be authenticated by the Cisco Unified CM.

File authentication Validates digitally signed files that the phone downloads. The phone validates

the signature to make sure that file tampering did not occur after the file creation. Files that fail authentication are not written to Flash memory on the phone. The phone rejects such files without further processing.

Signaling Authentication Uses the TLS protocol to validate that no tampering has occurred to signaling

packets during transmission.

Manufacturing installed certificate Each Cisco Unified IP Phone contains a unique manufacturing installed

certificate (MIC), which is used for device authentication. The MIC is a permanent unique proof of identity for the phone, and allows Cisco Unified CM to authenticate the phone.

Secure SRST reference After you configure a SRST reference for security and then reset the dependent

devices in Cisco Unified CM Administration, the TFTP server adds the SRST certificate to the phone cnf.xml file and sends the file to the phone. A secure phone then uses a TLS connection to interact with the SRST-enabled router.

Media encryption Uses SRTP to ensure that the media streams between supported devices proves

secure and that only the intended device receives and reads the data. Includes creating a media master key pair for the devices, delivering the keys to the devices, and securing the delivery of the keys while the keys are in transport.

Signaling encryption Ensures that all SCCP signaling messages that are sent between the device and

the Cisco Unified CM server are encrypted.

CAPF (Certificate Authority Proxy Function)

Security profiles Defines whether the phone is nonsecure or encrypted. See the “Understanding

Encrypted configuration files Lets you ensure the privacy of phone configuration files.

Optional disabling of the web server functionality for a phone

Implements parts of the certificate generation procedure that are too processing-intensive for the phone, and interacts with the phone for key generation and certificate installation. The CAPF can be configured to request certificates from customer-specified certificate authorities on behalf of the phone, or it can be configured to generate certificates locally.

Security Profiles” section on page 1-13 for more information.

You can prevent access to a phone’s web page, which displays a variety of operational statistics for the phone. See the “Disabling and Enabling Web Page

Access” section on page 8-3.

1-12

Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)

OL-20851-01

Chapter

Understanding Security Features for Cisco Unified IP Phones

Table 1-4 Overview of Security Features (continued)

Feature Description

Phone hardening Additional security options, which you control from Cisco Unified CM

Administration:

• Disabling PC port

• Disabling PC Voice VLAN access

• Disabling access to web pages for a phone

Note You can view current settings for the PC Port Disabled, GARP Enabled,

and Voice VLAN enabled options by looking at the phone’s Security Configuration menu. For more information, see the “Security

Configuration Menu” section on page 4-8.

802.1X Authentication The Cisco Unified IP Phone can use 802.1X authentication to request and gain access to the network. See the “Supporting 802.1X Authentication on Cisco

Unified IP Phones” section on page 1-16 for more information.

Related Topics

• Understanding Security Profiles, page 1-13

• Identifying Encrypted Phone Calls, page 1-13

• Security Restrictions, page 1-17

Understanding Security Profiles

All Cisco Unified IP Phones that support Cisco Unified CM use a security profile, which defines whether the phone is nonsecure or encrypted. For information about configuring the security profile and applying the profile to the phone, refer to Cisco Unified Communications Manager Security Guide.

To view the security mode that is set for the phone, look at the Security Mode setting in the Security Configuration menu. For more information, see the “Security Configuration Menu” section on page 4-8.

Related Topics

• Identifying Encrypted Phone Calls, page 1-13

• Security Restrictions, page 1-17

Identifying Encrypted Phone Calls

When security is implemented for a phone, you can identify encrypted phone audio calls by icons on the screen on the phone. You can also determine if the connected phone is secure and protected if a security tone plays at the beginning of the call.

In a secure call, all call signaling and media streams are encrypted. An encrypted call offers a high level of security, providing integrity and privacy to the call. When a call in progress is being encrypted, the call progress icon to the right of the call duration timer in the phone LCD screen changes to the lock icon: .

If the call is routed through non-IP call legs, for example, PSTN, the call may be nonsecure even though it is encrypted within the IP network and has a lock icon associated with it.

OL-20851-01

Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)

1-13

Understanding Security Features for Cisco Unified IP Phones

In a secure call, a security tone plays at the beginning of a call to indicate that the other connected phone is also receiving and transmitting encrypted audio. For video calls, the user may first hear secure indication tone for the audio portion of the call and then nonsecure indication tone for overall nonsecure media. If your call is connected to a non-protected phone, the security tone does not play.

Note Secured calling is supported for connections between two phones only. Some features, such as

conference calling, shared lines, and Cisco Extension Mobilityare not available when secured calling is configured.

Establishing and Identifying Secure Audio Conference Calls

You can initiate a secure conference audio call and monitor the security level of participants. A secure conference call is established using this process:

Chapter

1. A user initiates the conference from a secure phone.

2. Cisco Unified CM assigns a secure conference bridge to the call.

3. As participants are added, Cisco Unified CM verifies the security mode of each phone and maintains

the secure level for the conference.

4. The phone displays the security level of the conference call. A secure conference displays the

to the right of “Conference” on the phone screen.

Note There are interactions, restrictions, and limitations that affect the security level of the audio conference

call depending on the security mode of the participant’s phones and the availability of secure conference bridges. See Tabl e 1-5 and Tab l e 1-6 for information about these interactions.

Establishing and Identifying Protected Calls

A protected call is established when your phone, and the phone on the other end, is configured for protected calling. The other phone can be in the same Cisco IP network, or on a network outside the IP network. Protected calls can only be made between two phones. Conference calls and other multiple-line calls are not supported.

A protected call is established using this process:

1. A user initiates the call from a protected phone (protected security mode).

2. The phone displays the icon (encrypted) on the phone screen. This icon indicates that the phone

is configured for secure (encrypted) calls, but this does not mean that the other connected phone is also protected.

1-14

3. A security tone plays if the call is connected to another protected phone, indicating that both ends

of the conversation are encrypted and protected. For video calls, the user may first hear secure indication tone for the audio portion of the call and then nonsecure indication tone for overall nonsecure media. If the call is connected to a non-protected phone, then the secure tone is not played.

Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)

OL-20851-01

Chapter

Note Protected calling is supported for conversations between two phones. Some features, such as conference

calling, shared lines, Cisco Extension Mobility, and Join Across Lines are not available when protected calling is configured.

Call Security Interactions and Restrictions

Cisco Unified CM checks the phone security status when audio conferences are established and changes the security indication for the conference or blocks the completion of the call to maintain integrity and also security in the system. using Barge.

Table 1-5 Call Security Interactions When Using Barge

Initiator’s Phone Security Level Feature Used Call Security Level Results of Action

Non-secure cBarge Encrypted call Call barged and identified as nonsecure call

Secure cBarge Secure call Call barged and identified as Secure call

Table 1-5 provides information about changes to call security levels when

Understanding Security Features for Cisco Unified IP Phones

Table 1-6 provides information about changes to conference security levels depending on the initiator’s

phone security level, the security levels of participants, and the availability of secure conference bridges.

Table 1-6 Security Restrictions with Conference Calls

Initiator’s Phone Security Level Feature Used Security Level of Participants Results of Action

Non-secure Conference Encrypted Nonsecure conference bridge

Nonsecure conference

Secure Conference At least one member is

non-secure

Secure conference bridge

Nonsecure conference

Secure Conference All participants are encrypted Secure conference bridge

Secure encrypted level conference

Secure Join Encrypted Secure conference bridge

Conference remains secure

Non-secure cBarge All participants are encrypted Secure conference bridge

Conference changes to non-secure

Non-secure MeetMe Minimum security level is

encrypted

Only non-secure conference bridge is available and used

Non-secure conference

Secure MeetMe Minimum security level is

nonsecure

Only secure conference bridge available and used

Conference accepts all calls

OL-20851-01

Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)

1-15

Understanding Security Features for Cisco Unified IP Phones

Supporting 802.1X Authentication on Cisco Unified IP Phones

These sections provide information about 802.1X support on the Cisco Unified IP Phones:

• Overview, page 1-16

• Required Network Components, page 1-16

• Best Practices—Requirements and Recommendations, page 1-16

Overview

Cisco Unified IP phones and Cisco Catalyst switches have traditionally used Cisco Discovery Protocol (CDP) to identify each other and determine parameters such as VLAN allocation and inline power requirements. However, CDP is not used to identify any locally attached PCs; therefore, Cisco Unified IP Phones provide an EAPOL pass-through mechanism, whereby a PC locally attached to the IP phone, may pass through EAPOL messages to the 802.1X authenticator in the LAN switch. This prevents the IP phone from having to act as the authenticator, yet allows the LAN switch to authenticate a data end point prior to accessing the network.

In conjunction with the EAPOL pass-through mechanism, Cisco Unified IP Phones provide a proxy EAPOL-Logoff mechanism. In the event that the locally attached PC is disconnected from the IP phone, the LAN switch would not see the physical link fail, because the link between the LAN switch and the IP phone is maintained. To avoid compromising network integrity, the IP phone sends an EAPOL-Logoff message to the switch, on behalf of the downstream PC, which triggers the LAN switch to clear the authentication entry for the downstream PC.

The Cisco Unified IP phones also contain an 802.1X supplicant, in addition to the EAPOL pass-through mechanism. This supplicant allows network administrators to control the connectivity of IP phones to the LAN switch ports. The current release of the phone 802.1X supplicant uses the EAP-FAST, EAP-TLS, and EAP-MD5 options for network authentication.

Chapter

Required Network Components

Support for 802.1X authentication on Cisco Unified IP Phones requires several components, including:

• Cisco Unified IP Phone—The phone acts as the 802.1X supplicant, which initiates the request to

access the network.

• Cisco Secure Access Control Server (ACS) (or other third-party authentication server)—The

authentication server and the phone must both be configured with a shared secret that is used to authenticate the phone.

• Cisco Catalyst Switch (or other third-party switch)—The switch must support 802.1X, so it can act

as the authenticator and pass the messages between the phone and the authentication server. When the exchange is completed, the switch then grants or denies the phone access to the network.

Best Practices—Requirements and Recommendations

• Enable 802.1X Authentication—If you want to use the 802.1X standard to authenticate Cisco

Unified IP Phones, be sure that you have properly configured the other components before enabling it on the phone. See the information.

“802.1X Authentication and Status” section on page 4-8 for more

1-16

Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)

OL-20851-01

Chapter

Overview of Configuring and Installing Cisco Unified IP Phones

• Configure PC Port—The 802.1X standard does not take into account the use of VLANs and thus

recommends that only a single device should be authenticated to a specific switch port. However, some switches (including Cisco Catalyst switches) support multi-domain authentication. The switch configuration determines whether you can connect a PC to the phone’s PC port.

–

Enabled—If you are using a switch that supports multi-domain authentication, you can enable the PC port and connect a PC to it. In this case, Cisco Unified IP Phones support proxy EAPOL-Logoff to monitor the authentication exchanges between the switch and the attached PC. For more information about IEEE 802.1X support on the Cisco Catalyst switches, refer to the Cisco Catalyst switch configuration guides at:

http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home. html

–

Disabled—If the switch does not support multiple 802.1X-compliant devices on the same port, you should disable the PC Port when 802.1X authentication is enabled. See the

Configuration Menu” section on page 4-8 for more information. If you do not disable this port

and subsequently attempt to attach a PC to it, the switch will deny network access to both the phone and the PC.

• Configure Voice VLAN—Because the 802.1X standard does not account for VLANs, you should

configure this setting based on the switch support.

“Security

–

Enabled—If you are using a switch that supports multi-domain authentication, you can continue to use the voice VLAN.

–

Disabled—If the switch does not support multi-domain authentication, disable the Voice VLAN and consider assigning the port to the native VLAN. See the

section on page 4-8 for more information.

• Enter MD5 Shared Secret—If you disable 802.1X authentication or perform a factory reset on the

phone, the previously configured MD5 shared secret is deleted. See the

Status” section on page 4-8 for more information.

“Security Configuration Menu”

“802.1X Authentication and

Security Restrictions

A user cannot barge into an encrypted call if the phone that is used to barge is not configured for encryption. When barge fails in this case, a reorder tone (fast busy tone) plays on the phone on which the user initiated the barge.

If the initiator phone is configured for encryption, the barge initiator can barge into a nonsecure call from the encrypted phone. After the barge occurs, Cisco Unified CM classifies the call as nonsecure.

If the initiator phone is configured for encryption, the barge initiator can barge into an encrypted call, and the phone indicates that the call is encrypted.

Overview of Configuring and Installing Cisco Unified IP Phones

OL-20851-01

When deploying a new IP telephony system, system administrators and network administrators must complete several initial configuration tasks to prepare the network for IP telephony service. For information and a checklist for setting up and configuring a Cisco IP telephony network, go to the

System Configuration Overview chapter in Cisco Unified Communications Manager System Guide.

After you have set up the IP telephony system and configured system-wide features in Cisco Unified CM, you can add IP phones to the system.

Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)

1-17

Overview of Configuring and Installing Cisco Unified IP Phones

The following topics provide an overview of procedures for adding Cisco Unified IP Phones to your network:

• Configuring Cisco Unified IP Phones in Cisco Unified CM, page 1-18

• Installing Cisco Unified IP Phones, page 1-22

Configuring Cisco Unified IP Phones in Cisco Unified CM

To add phones to the Cisco Unified CM database, you can use:

• Auto-registration

• Cisco Unified CM Administration

• Bulk Administration Tool (BAT)

• BAT and the Tool for Auto-Registered Phones Support (TAPS)

For more information about these choices, see the “Adding Phones to the Cisco Unified CM Database”

section on page 2-8.

For general information about configuring phones in Cisco Unified CM, refer to the following documentation:

• Cisco Unified IP Phones, Cisco Unified Communications Manager System Guide

• Cisco Unified IP Phone Configuration, Cisco Unified Communications Manager Administration

Guide

Chapter

• Autoregistration Configuration, Cisco Unified Communications Manager Administration Guide

1-18

Cisco Unified IP Phone 8941 and 8945 Administration Guide for Cisco Unified Communications Manager 8.5 (SCCP and SIP)

OL-20851-01

+ 140 hidden pages

Cisco 8941, 8945 User Manual

CONTENTS

Preface

An Overview of the Cisco Unified IP Phone

Understanding the Cisco Unified IP Phones 8941 and 8945

What Networking Protocols are Used?

What Features are Supported on the Cisco Unified IP Phone 8941 and 8945?

Feature Overview

Configuring Telephony Features

Understanding Security Features for Cisco Unified IP Phones

Configuring Network Parameters Using the Cisco Unified IP Phone

Providing Users with Feature Information

Overview of Supported Security Features

Understanding Security Profiles

Identifying Encrypted Phone Calls

Establishing and Identifying Secure Audio Conference Calls

Establishing and Identifying Protected Calls

Call Security Interactions and Restrictions

Supporting 802.1X Authentication on Cisco Unified IP Phones

Overview

Required Network Components

Overview of Configuring and Installing Cisco Unified IP Phones

Security Restrictions

Configuring Cisco Unified IP Phones in Cisco Unified CM