[cisco-voip] CUCM 10.5 Mixed Mode change from Hardware Tokens to tokenless CTL

Brian Meade bmeade90 at vt.edu
Tue Jan 9 16:38:18 EST 2018


Deleting the LSCs from the phones is not necessary.  Neither is changing
the phone security profiles.

Even changing the cluster back to non-secure will not delete the CTLs from
the phones.

You must try to update the CTL instead or use a tool to bulk delete the
CTLs from the phones.

On Tue, Jan 9, 2018 at 4:30 PM, Reto Gassmann <voip at mrga.ch> wrote:

> Hello Brian
>
> Thanks for your feedback. All the phones are authenticated and have an LSC
> installed. There is also a CTL on every phone.
>
> Would it help to delete the LSC certificates and change the phone security
> profile to non secure? I was also thinking about setting the cluster back to
> non secure (from Mixed Mode now). However I am sure if that helps.
>
> Thanks and regards
> Reto
>
> Brian Meade <bmeade90 at vt.edu> schrieb am Di. 9. Jan. 2018 um 17:52:
>
>> Do the phones still have CTLs on them?
>>
>> Phones that support Security By Default will be okay as they can trust
>> new certificates using the ITL/TVS.  For the old 7940/60s and things like
>> IP Communicator that don't support CTL, you're probably stuck bulk deleting
>> CTLs.  UnifiedFX may be able to help here.
>>
>> You can try adding new certs to the CTL and use the old tokens but I'm
>> not sure the CTL client will be okay with the expired certificates.
>> Usually the phones won't check certificate validity dates.
>>
>> I'd first try running the CTL Client and import all the CallManager.pem
>> certificates and see if it lets you update the CTL.  If so, you should be
>> able to convert to tokenless fine.
>>
>> On Tue, Jan 9, 2018 at 11:24 AM, Reto Gassmann <voip at mrga.ch> wrote:
>>
>>> Hello Group
>>>
>>> We run a CUCM cluster 10.5 in Mixed Mode. The IP Phones (mainly 7960 and
>>> 7961) are authenticated with LSC.  A long time ago the cluster was set to
>>> Mixed Mode with two hardware tokens. The tokens (certificates on the
>>> tokens) expired last September.
>>> Now we want to change to tokenless CTL. I found a Cisco document
>>> (118893) that describes the steps needed to make that change. However there
>>> are some notes about problems with TVS and Security by Default with 7960.
>>>
>>> Can anyone help / Any ideas???
>>>
>>> Thank you
>>> Reto