Cisco SPA1112 Provisioning Manual page 56

Provisioning Examples
Secure HTTPS Resync
Provisioning Guide for Cisco SPA100 and SPA200 Series Analog Telephone Adapters
HTTPS With Client Certificate Authentication
In the factory default configuration, the server does not request an SSL client
certificate from a client. Transfer of the profile is not secure because any client can
connect to the server and request the profile. You can edit the configuration to
enable client authentication; the server requires a client certificate to authenticate
the ATA before accepting a connection request.
Because of this, the resync operation cannot be independently tested by using a
browser lacking the proper credentials. The SSL key exchange within the HTTPS
connection between the test ATA and the server can be observed using the
ssldump utility. The utility trace shows the interaction between client and server.
NOTE Both basic and digest authentication are supported on SPA500 Series phones
running firmware version 7.4.9c and higher.
Exercise
STEP 1 Enable client certificate authentication on the HTTPS server.
STEP 2 In Apache (v.2), set the following in the server configuration file:
SSLVerifyClient require
Also ensure that the spacroot.cert has been stored as shown in the Basic HTTPS
Resync exercise.
STEP 3 Restart the HTTPS server and observe the syslog trace from the ATA.
Each resync to the server now performs symmetric (mutual) authentication, so that both the
server certificate and the client certificate are verified before the profile is
transferred.
STEP 4 Use ssldump to capture a resync connection between the ATA and the HTTPS
server.
If client certificate verification is properly enabled on the server, the ssldump trace
shows the symmetric exchange of certificates (first server-to-client, then
client-to-server) before the encrypted packets containing the profile.
With client authentication enabled, only an ATA with a MAC address matching a
valid client certificate can request the profile from the provisioning server. A
request from an ordinary browser or other unauthorized device is rejected by the
server.
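
The ssldump check described above can be automated. The following is an added example, not part of the Cisco guide: it reads a saved trace and confirms that the server certificate, the server's certificate request and the client certificate all appear, in that order, before the first application data record. The trace layout is modeled on ssldump's default output, the sample trace is constructed, and a single connection using TLS 1.2 or earlier (where the handshake is visible in cleartext) is assumed.

```python
import re

# ssldump record header, e.g. "1 3  0.0030 (0.0010)  C>S  Handshake"
RECORD = re.compile(r"^\d+ +\d+ +[\d.]+ +\([\d.]+\) +(C>S|S>C) +(\S+)")
# Order the page describes: server certificate first, then the client's.
REQUIRED = [("S>C", "Certificate"), ("S>C", "CertificateRequest"),
            ("C>S", "Certificate"), ("C>S", "CertificateVerify")]

def events(trace):
    """Yield (direction, text) per handshake line or non-handshake record."""
    direction = rtype = None
    for line in trace.splitlines():
        m = RECORD.match(line)
        if m:
            direction, rtype = m.groups()
            if rtype != "Handshake":
                yield direction, rtype
        elif rtype == "Handshake" and line.strip():
            yield direction, line.strip()

def mutual_auth_observed(trace):
    """True if both certificates were exchanged, in order, before any data."""
    seen = list(events(trace))
    data = [i for i, (_, name) in enumerate(seen) if name == "application_data"]
    if not data:
        return False                    # no profile was transferred
    before = seen[:data[0]]
    if any(name == "Alert" for _, name in before):
        return False                    # handshake was aborted
    steps = iter(before)
    return all(step in steps for step in REQUIRED)  # ordered subsequence

# Constructed sample trace, abbreviated (not captured from a real ATA).
MUTUAL = """\
1 1  0.0010 (0.0010)  C>S  Handshake
      ClientHello
1 2  0.0020 (0.0010)  S>C  Handshake
      ServerHello
      Certificate
      CertificateRequest
      ServerHelloDone
1 3  0.0030 (0.0010)  C>S  Handshake
      Certificate
      ClientKeyExchange
      CertificateVerify
1 4  0.0040 (0.0010)  C>S  ChangeCipherSpec
1 5  0.0050 (0.0010)  C>S  application_data
"""
print("mutual authentication observed:", mutual_auth_observed(MUTUAL))
```

Requiring CertificateVerify as well as the client Certificate message matters because a client with no certificate can still send an empty Certificate message; only a client holding the private key follows it with CertificateVerify.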