Cisco Unified IP Phone Security Problems
The following sections provide troubleshooting information for the security features on the Cisco Unified IP Phone.
CTL File Problems
The following sections describe problems with the CTL file:
Authentication Error, Phone Cannot Authenticate CTL File
Problem
A device authentication error occurs.
Cause
The CTL file does not have a Cisco Unified Communications Manager certificate or has an incorrect certificate.
Solution
Install a correct certificate.
Phone Cannot Authenticate CTL File
Problem
Phone cannot authenticate the CTL file.
Cause
The security token that signed the updated CTL file does not exist in the CTL file on the phone.
Solution
Change the security token in the CTL file and install the new file on the phone.
CTL File Authenticates but Other Configuration Files Do Not Authenticate
Problem
Phone cannot authenticate any configuration files other than the CTL file.
Cause
A bad TFTP record exists, or the configuration file may not be signed by the corresponding certificate in the phone Trust List.
Solution
Check the TFTP record and the certificate in the Trust List.
ITL File Authenticates but Other Configuration Files Do Not Authenticate
Problem
Phone cannot authenticate any configuration files other than the ITL file.
Cause
The configuration file may not be signed by the corresponding certificate in the phone Trust List.
Solution
Re-sign the configuration file by using the correct certificate.
Phone Does Not Register
Problem
Phone does not register with Cisco Unified Communications Manager.
Cause
The CTL file does not contain the correct information for the Cisco Unified Communications Manager server.
Solution
Change the Cisco Unified Communications Manager server information in the CTL file.
Signed Configuration Files Are Not Requested
Problem
Phone does not request signed configuration files.
Cause
The CTL file does not contain any TFTP entries with certificates.
Solution
Configure TFTP entries with certificates in the CTL file.
802.1X Authentication Problems
802.1X authentication problems can be broken down into the categories described in the following table:
If all the following conditions apply:
- Phone cannot obtain a DHCP-assigned IP address
- Phone does not register with Cisco Unified Communications Manager
- Phone status displays as Configuring IP or Registering
- 802.1X Authentication Status displays as Held (see 802.1X Authentication and Status)
- Status menu displays 802.1X status as Failed (see Call Statistics Screen)
See: 802.1X Enabled on Phone but Phone Does Not Authenticate

If all the following conditions apply:
- Phone cannot obtain a DHCP-assigned IP address
- Phone does not register with Cisco Unified Communications Manager
- Phone status displays as Configuring IP or Registering
- 802.1X Authentication Status displays as Disabled (see 802.1X Authentication and Status)
- Status menu displays DHCP status as timing out (see Call Statistics Screen)
See: 802.1X Not Enabled

If all the following conditions apply:
- Phone cannot obtain a DHCP-assigned IP address
- Phone does not register with Cisco Unified Communications Manager
- Phone status displays as Configuring IP or Registering
- Cannot access phone menus to verify 802.1X status
See: Factory Reset of Phone has Deleted 802.1X Shared Secret
802.1X Enabled on Phone but Phone Does Not Authenticate
Problem
The phone cannot authenticate.
Cause
These errors typically indicate that 802.1X is enabled on the phone, but the phone is unable to authenticate.
Solution
1. Verify that you have properly configured the required components. See 802.1X Authentication for more information.
2. Confirm that the shared secret is configured on the phone. See Security Configuration Menu for more information.
802.1X Not Enabled
Problem
The phone does not have 802.1X configured.
Cause
These errors typically indicate that 802.1X is not enabled on the phone.
Solution
See Security Configuration Menu for information on enabling 802.1X on the phone.
Factory Reset of Phone has Deleted 802.1X Shared Secret
Problem
After a reset, the phone does not authenticate.
Cause
These errors typically indicate that the phone has completed a factory reset while 802.1X was enabled. A factory reset deletes the shared secret, which is required for 802.1X authentication and network access.
Solution
To resolve this, you have two options:
After the phone starts up normally in one of these conditions, you can access the 802.1X configuration menus and re-enter the shared secret.