Cisco Unified IP Phone

Phone Overview

The Cisco Unified IP Phone 7975G, 7971G-GE (gigabit Ethernet version), 7970G, 7965G, and 7945G is a full-featured telephone that provides voice communication over an Internet Protocol (IP) network. These IP phones function much like digital business phones and allow you to place and receive phone calls and to access features such as mute, hold, transfer, speed dial, call forward, and more. In addition, because Cisco Unified IP Phones connect to your data network, they offer enhanced IP telephony features, such as access to network information and services and customizable features and services. The phones also support security features that include file authentication, device authentication, signaling encryption, and media encryption.

The Cisco Unified IP Phone 7975G, 7971G-GE, 7970G, 7965G, and 7945G provides a color screen (touchscreen for the 7975G, 7971G-GE, and the 7970G), support for line or speed dial numbers, context-sensitive online help for buttons and features, and a variety of other sophisticated functions.

A Cisco Unified IP Phone, like other network devices, must be configured and managed. These phones encode G.711a, G.711mu, G.722, G.729a, G.729ab, iLBC, and decode G.711a, G.711mu, G.722, G.729, G.729a, G.729b, G.729ab, and iLBC. These phones also support uncompressed wideband (16 bits, 16 kHz) audio.


Caution

Use of a cell, mobile, or GSM phone or two-way radio in close proximity to a Cisco Unified IP Phone might cause interference. For more information, see the manufacturer documentation of the interfering device.


Cisco Unified IP Phone 7975G, 7971G-GE, 7970G, 7965G, and 7945G Components

The following sections describe the phone components.

Cisco Unified IP Phone 7975G Buttons and Hardware

The following figure identifies the important parts of the phone. See Buttons and Hardware Identification for the description of the numbered items.



Cisco Unified IP Phone 7970G and 7971G-GE Buttons and Hardware

The following figure identifies the important parts of the phone. See Buttons and Hardware Identification for the description of the numbered items.



Cisco Unified IP Phone 7965G Buttons and Hardware

The following figure identifies the important parts of the phone. See Buttons and Hardware Identification for the description of the numbered items.



Cisco Unified IP Phone 7945G Buttons and Hardware

The following figure identifies the important parts of the phone. See Buttons and Hardware Identification for the description of the numbered items.



Buttons and Hardware Identification

The following table describes the buttons and hardware on the phones.

Table 1. Phone Buttons and Hardware

Item

Description

1

Programmable buttons

Depending on configuration, programmable buttons provide access to:

  • Phone lines (line buttons) and intercom lines
  • Speed-dial numbers (speed-dial buttons), including the Busy Lamp Field (BLF) speed-dial feature
  • Web-based services (for example, a Personal Address Book button)
  • Call features (for example, a Privacy, Hold, or Transfer button)

Buttons illuminate to indicate status:

  • Green, steady: Active call or two-way intercom call

  • Green, flashing: Held call

  • Amber, steady: Privacy in use, one-way intercom call, Do Not Disturb (DND) active, or logged into Hunt Group

  • Amber, flashing: Incoming call or reverting call

  • Red, steady: Remote line in use (shared line, BLF status or active Mobile Connect call)

2

Footstand button

Enables you to adjust the angle of the phone base.

3

Display button

Cisco Unified IP Phones 7970G, 7971G-GE, and 7975G

  • Awakens the phone screen from sleep mode or disables the touchscreen feature for cleaning.

  • No color: Ready for input

  • Green flashing: Disabled

  • Green steady: Sleep mode

Cisco Unified IP Phones 7945G and 7965G

  • Awakens the phone screen from sleep mode.

  • No color: Ready for input

  • Green steady: Sleep mode

4

Messages button

Autodials your voice message service (varies by service).

5

Directories button

Opens/closes the Directories menu. Use the button to access call logs and directories.

6

Help button

Activates the Help menu.

7

Settings button

Opens/closes the Settings menu. Use the button to change phone screen and ring settings.

8

Services button

Opens/closes the Services menu.

9

Volume button

Controls the handset, headset, and speakerphone volume (off-hook) and the ringer volume (on-hook).

10

Speaker button

Selects the speakerphone as the default audio path and initiates a new call, picks up an incoming call, or ends a call. During a call, the button is lit green.

The speakerphone audio path does not change until you select a new default audio path (for example, by picking up the handset).

If external speakers are connected, the Speakerphone button uses these speakers as the default audio path.

11

Mute button

Toggles the microphone on or off. When the microphone is muted, the button is lit.

12

Headset button

Selects the headset as the default audio path and initiates a new call, picks up an incoming call, or ends a call. During a call, the button is lit green.

A headset icon in the phone screen header line indicates that the headset is the default audio path. This audio path does not change until you select a new default audio path (for example, by picking up the handset).

13

4-way navigation pad and Select button (center)

Cisco Unified IP Phone 7945G, 7965G, and 7975G

  • Enables you to scroll through menus and highlight items. Use the Select button to select an item that is highlighted on the screen.

  • Navigation button: Scroll up and down to see menus and highlight items and right and left across multicolumn displays.

  • Select button: Scroll to highlight a line by using the Navigation button and then press to open a menu, play a ringer item, or access other features, as described on the screen.

14

Navigation button

Cisco Unified IP Phone 7970G and 7971G-GE

  • Enables you to scroll through menus and highlight items. When the phone is on-hook, displays phone numbers from your Placed Calls log.

15

Keypad

Enables you to dial phone numbers, enter letters, and choose menu items.

16

Softkey buttons

Each button activates a softkey option that displays on your phone screen.

17

Handset light strip

Indicates an incoming call or new voice message.

18

Phone screen

Shows phone features.

Network Protocols

Cisco Unified IP Phones support several industry-standard and Cisco network protocols that are required for voice communication. The following table provides an overview of the network protocols that the Cisco Unified IP Phone 7975G, 7971G-GE, 7970G, 7965G, and 7945G supports.

Table 2. Supported Network Protocols on the Cisco Unified IP Phone

Network protocol

Purpose

Usage notes

Bootstrap Protocol (BootP)

BootP enables a network device such as the Cisco Unified IP Phone to discover certain startup information, such as its IP address.

If you are using BootP to assign IP addresses to the Cisco Unified IP Phone, the BOOTP Server option shows "Yes" in the network configuration settings on the phone.

Cisco Discovery Protocol (CDP)

CDP is a device-discovery protocol that runs on all Cisco-manufactured equipment.

By using CDP, a device can advertise its existence to other devices and receive information about other devices in the network.

The Cisco Unified IP Phone uses CDP to communicate information such as auxiliary VLAN ID, per port power management details, and Quality of Service (QoS) configuration information with the Cisco Catalyst switch.

Cisco Peer-to-Peer Distribution Protocol (CPPDP)

CPPDP is a Cisco proprietary protocol that forms a peer-to-peer hierarchy of devices. CPPDP also copies firmware or other files from peer devices to neighboring devices.

The Peer Firmware Sharing feature uses CPPDP.

Dynamic Host Configuration Protocol (DHCP)

DHCP dynamically allocates and assigns an IP address to network devices.

DHCP enables you to connect an IP phone into the network and have the phone become operational without the need to assign an IP address manually or to configure additional network parameters.

DHCP is enabled by default. If disabled, you must manually configure the IP address, subnet mask, gateway, and a TFTP server on each phone locally.

Cisco recommends that you use DHCP custom option 150. With this method, you configure the TFTP server IP address as the option value. For additional supported DHCP configurations, see the "Dynamic Host Configuration Protocol" and "Cisco TFTP" chapters in the Cisco Unified Communications Manager System Guide.

Hypertext Transfer Protocol (HTTP)

HTTP is the standard way of transferring information and moving documents across the Internet and the web.

Cisco Unified IP Phones use HTTP for XML services and for troubleshooting purposes. The phones use HTTP to download configuration files and firmware loads. If the HTTP download fails, the phone uses TFTP to transfer the files.

Cisco Unified IP Phones do not support the use of IPv6 addresses in the URL. You cannot use a literal IPv6 address in the URL or a hostname that maps to an IPv6 address.

Hypertext Transfer Protocol Secure (HTTPS)

Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of servers.

Web applications with both HTTP and HTTPS support have two URLs configured. For a Cisco Unified IP Phone that supports HTTPS, choose the HTTPS URL from the two URLs.

IEEE 802.1X

The IEEE 802.1X standard defines a client-server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports.

Until the client authenticates, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client connects. After authentication is successful, normal traffic can pass through the port.

The Cisco Unified IP Phone implements the IEEE 802.1X standard by supporting the following authentication methods: EAP-FAST, EAP-TLS, and EAP-MD5.

When 802.1X authentication is enabled on the phone, you should disable the PC port and voice VLAN. See 802.1X Authentication for additional information.

Internet Protocol (IP)

IP is a messaging protocol that addresses and sends packets across the network.

To communicate by using IP, network devices must have an assigned IP address, subnet, and gateway.

IP address, subnet, and gateway identifications are automatically assigned if you use the Cisco Unified IP Phone with Dynamic Host Configuration Protocol (DHCP). If you do not use DHCP, you must manually assign these properties to each phone locally.

The Cisco Unified IP Phone supports concurrent IPv4 and IPv6 addresses. Configure the IP addressing mode (IPv4 only, IPv6 only, or both IPv4 and IPv6) in Cisco Unified Communications Manager Administration. For more information, see the "Internet Protocol Version 6 (IPv6)" chapter in the Cisco Unified Communications Manager Features and Services Guide.

Link Layer Discovery Protocol (LLDP)

LLDP is a standardized network discovery protocol (similar to CDP) that some Cisco and third-party devices support.

The Cisco Unified IP Phone supports LLDP on the PC port.

Link Layer Discovery Protocol-Media Endpoint Devices (LLDP-MED)

LLDP-MED is an extension of the LLDP standard developed for voice products.

The Cisco Unified IP Phone supports LLDP-MED on the SW port to communicate information such as:

  • Voice VLAN configuration
  • Device discovery
  • Power management
  • Inventory management

For more information about LLDP-MED support, see the LLDP-MED and Cisco Discovery Protocol white paper:

http://www.cisco.com/en/US/tech/tk652/tk701/technologies_white_paper0900aecd804cd46d.shtml

Real-Time Control Protocol (RTCP)

RTCP works with Real-Time Transport Protocol (RTP) to provide QoS data (such as jitter, latency, and round trip delay) on RTP streams.

RTCP is disabled by default, but you can enable it on a per-phone basis in Cisco Unified Communications Manager Administration. For more information, see Network Configuration Menu.

Real-Time Transport Protocol (RTP)

RTP is a standard protocol for transport of real-time data, such as interactive voice and video, over data networks.

Cisco Unified IP Phones use the RTP protocol to send and receive real-time voice traffic from other phones and gateways.

Session Initiation Protocol (SIP)

SIP is the Internet Engineering Task Force (IETF) standard for multimedia conferencing over IP. SIP is an ASCII-based application-layer control protocol (defined in RFC 3261) that can establish, maintain, and terminate calls between two or more endpoints.

Like other VoIP protocols, SIP addresses the functions of signaling and session management within a packet telephony network. Signaling allows call information to be carried across network boundaries. Session management provides the ability to control the attributes of an end-to-end call.

You can configure the Cisco Unified IP Phone to use either SIP or Skinny Client Control Protocol (SCCP).

Cisco Unified IP Phones do not support the SIP protocol when the phones operate in IPv6 address mode.

Skinny Client Control Protocol (SCCP)

SCCP includes a messaging set that allows communications between call control servers and endpoint clients such as IP Phones. SCCP is proprietary to Cisco Systems.

Cisco Unified IP Phones use SCCP for call control. You can configure the Cisco Unified IP Phone to use either SCCP or Session Initiation Protocol (SIP).

Session Description Protocol (SDP)

SDP is the portion of the SIP protocol that determines which parameters are available during a connection between two endpoints. Conferences are established by using only the SDP capabilities that all endpoints in the conference support.

SDP capabilities, such as codec types, DTMF detection, and comfort noise, are normally configured on a global basis by Cisco Unified Communications Manager or Media Gateway in operation. Some SIP endpoints may allow configuration of these parameters on the endpoint itself.

Transmission Control Protocol (TCP)

TCP is a connection-oriented transport protocol.

Cisco Unified IP Phones use TCP to connect to Cisco Unified Communications Manager and to access XML services.

Transport Layer Security (TLS)

TLS is a standard protocol for securing and authenticating communications.

When security is implemented, Cisco Unified IP Phones use the TLS protocol for secure registration with Cisco Unified Communications Manager.

For more information, see the Cisco Unified Communications Manager Security Guide.

Trivial File Transfer Protocol (TFTP)

TFTP allows you to transfer files over the network.

On the Cisco Unified IP Phone, TFTP enables you to obtain a configuration file that is specific to the phone type.

TFTP requires a TFTP server in your network, which can be automatically identified from the DHCP server. If you want a phone to use a TFTP server other than the one that the DHCP server specifies, you must manually assign the TFTP server from the Network Configuration menu on the phone.

For more information, see the "Cisco TFTP" chapter in the Cisco Unified Communications Manager System Guide.

User Datagram Protocol (UDP)

UDP is a connectionless messaging protocol for delivery of data packets.

Cisco Unified IP Phones transmit and receive RTP streams, which utilize UDP.
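
The DHCP entry in the table above recommends custom option 150, whose value carries the TFTP server IP address. The following added example (not part of the Cisco documentation) parses a DHCPv4 options field, extracts option 150 as a list of IPv4 addresses, and reports any server that is not on an approved list. The sample options bytes and the 10.10.20.x addresses are constructed for illustration.

```python
import ipaddress

OPT_PAD, OPT_END = 0, 255
OPT_TFTP_SERVERS = 150  # value is a list of IPv4 addresses, 4 bytes each


def iter_dhcp_options(options: bytes):
    """Yield (code, value) for each option in a DHCPv4 options field.

    `options` is the byte string that follows the 4-byte magic cookie.
    """
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:      # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:      # end marker, ignore anything after it
            return
        if i + 1 >= len(options):
            raise ValueError(f"option {code}: missing length byte")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: value truncated")
        yield code, value
        i += 2 + length


def tftp_servers(options: bytes):
    """Return the IPv4 addresses carried in option 150, in order."""
    servers = []
    for code, value in iter_dhcp_options(options):
        if code != OPT_TFTP_SERVERS:
            continue
        if not value or len(value) % 4:
            raise ValueError("option 150: length must be a non-zero multiple of 4")
        servers.extend(
            ipaddress.IPv4Address(value[j:j + 4]) for j in range(0, len(value), 4)
        )
    return servers


def build_option_150(addresses):
    """Encode a list of IPv4 address strings as an option 150 TLV."""
    data = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    if not 0 < len(data) <= 255:
        raise ValueError("option 150 needs between 1 and 63 addresses")
    return bytes([OPT_TFTP_SERVERS, len(data)]) + data


def unapproved_tftp_servers(options: bytes, approved):
    """Return option 150 servers that are not in the approved list."""
    allowed = {ipaddress.IPv4Address(a) for a in approved}
    return [s for s in tftp_servers(options) if s not in allowed]


# Constructed sample: options field of a DHCP offer handed to a phone.
SAMPLE_OPTIONS = (
    bytes([53, 1, 2])                      # DHCP message type: OFFER
    + bytes([1, 4, 255, 255, 255, 0])      # subnet mask 255.255.255.0
    + build_option_150(["10.10.20.5", "10.10.20.6"])
    + bytes([OPT_END, 0, 0])               # end marker followed by padding
)

if __name__ == "__main__":
    print("option 150 servers:", [str(s) for s in tftp_servers(SAMPLE_OPTIONS)])
    print("not approved:",
          [str(s) for s in unapproved_tftp_servers(SAMPLE_OPTIONS, ["10.10.20.5"])])
```

Because the phone takes its TFTP server from this option, comparing observed offers against the approved list is a quick way to spot a misconfigured or unexpected DHCP scope on the voice VLAN.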

IPv6 Support on Cisco Unified IP Phones

The Cisco Unified IP Phones use the Internet Protocol to provide voice communication over the network. Because Internet Protocol version 4 (IPv4) uses a 32-bit address, it cannot meet the increased demands for unique IP addresses for all devices that connect to the internet. Internet Protocol version 6 (IPv6) is an updated version of the Internet Protocol that addresses this limitation. IPv6 uses a 128-bit address and provides end-to-end security capabilities, enhanced Quality of Service (QoS), and an increased number of available IP addresses.

The Cisco Unified IP Phone supports IPv4-only addressing mode, IPv6-only addressing mode, as well as an IPv4/IPv6 dual stack addressing mode. In IPv4, you can enter each octet of the IP address on the phone in dotted decimal notation; for example, 192.240.22.5. In IPv6, you can enter each octet of the IP address in hexadecimal notation with each octet separated by a colon; for example, 2005:db8:0:1:ef8:9876:ba72:dc9a. The phone truncates and removes leading zeros when it displays the IPv6 address.

Cisco Unified IP Phones support both IPv4 and IPv6 addresses transparently, so users can handle all calls on the phone in the way to which they are accustomed. Cisco Unified IP Phones with the Skinny Client Control Protocol (SCCP) support IPv6. Cisco Unified IP Phones with SIP do not support IPv6.

Cisco Unified IP Phones do not support URLs that contain IPv6 addresses. This affects all IP Phone Service URLs, such as services, directories, messages, help, and any restricted web services that require the phone to use the HTTP protocol to validate credentials with the Authentication URL. If you configure Cisco Unified IP Phone services for Cisco Unified IP Phones, you must configure the phone and the servers that support the phone service with IPv4 addresses.
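
The URL restriction above can be checked before service URLs are deployed. The following added example (not part of the Cisco documentation) classifies each URL as usable, rejected, or needing review, based on whether it contains a literal IPv6 address or a hostname that maps to one. The URLs, hostnames, and address data are constructed, and the `dns` mapping is an assumption standing in for lookups you collect from your own resolver.

```python
import ipaddress
from urllib.parse import urlsplit


def classify_service_url(url, dns):
    """Return (verdict, reason) for one IP Phone Service URL.

    dns: dict mapping a lowercase hostname to the list of address
         strings (IPv4 and IPv6) that the name resolves to.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:            # for example, malformed brackets
        return "reject", f"unparseable URL: {exc}"
    if parts.scheme not in ("http", "https") or not host:
        return "reject", "not an absolute http(s) URL"

    # A host that parses as an IP address is a literal, not a name.
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        if literal.version == 6:
            return "reject", "literal IPv6 address in URL"
        return "ok", "literal IPv4 address"

    answers = dns.get(host.lower())
    if not answers:
        return "unresolved", "no address data for hostname"
    versions = {ipaddress.ip_address(a).version for a in answers}
    if versions == {4}:
        return "ok", "hostname maps to IPv4 only"
    if versions == {6}:
        return "reject", "hostname maps only to IPv6"
    # Policy choice of this example: dual-stacked names are flagged for
    # review because the name also maps to an IPv6 address.
    return "review", "hostname maps to both IPv4 and IPv6"


def audit_service_urls(urls, dns):
    """Return {url: (verdict, reason)} for every URL that is not 'ok'."""
    findings = {}
    for url in urls:
        verdict, reason = classify_service_url(url, dns)
        if verdict != "ok":
            findings[url] = (verdict, reason)
    return findings


# Constructed sample data (documentation address ranges and example.com names).
SAMPLE_DNS = {
    "dir.example.com": ["2001:db8::40"],
    "auth.example.com": ["10.10.20.31", "2001:db8::41"],
    "help.example.com": ["10.10.20.32"],
}
SAMPLE_URLS = [
    "http://10.10.20.30:8080/services/menu.xml",
    "http://[2001:db8::30]:8080/services/menu.xml",
    "https://dir.example.com/directory",
    "https://auth.example.com/authenticate",
    "http://help.example.com/help",
    "http://msgs.example.com/messages",
]

if __name__ == "__main__":
    for url, (verdict, reason) in audit_service_urls(SAMPLE_URLS, SAMPLE_DNS).items():
        print(f"{verdict:10} {url}  ({reason})")
```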

If you configure IPv6 Only as the IP Addressing Mode for phones that are running SIP, the Cisco TFTP service overrides the IP Addressing Mode configuration and uses IPv4 Only in the configuration file.

For more information on IPv6 deployment in your Cisco Unified Communications network, see the "Internet Protocol Version 6 (IPv6)" chapter in the Cisco Unified Communications Manager Features and Services Guide and Deploying IPv6 in Unified Communications Networks with Cisco Unified Communications Manager, located at http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/ipv6/ipv6srnd.html.

Cisco Unified IP Phone 7975G, 7971G-GE, 7970G, 7965G, and 7945G Supported Features

The Cisco Unified IP Phone functions much like a digital business phone and allows you to place and receive telephone calls. In addition to traditional telephony features, the Cisco Unified IP Phone includes features that enable you to administer and monitor the phone as a network device.

This section includes the following topics:

Feature Overview

Cisco Unified IP Phones provide traditional telephony functionality, such as call forwarding and transferring, redialing, speed dialing, conference calling, and voice messaging system access. Cisco Unified IP Phones also provide a variety of other features.

As with other network devices, you must configure Cisco Unified IP Phones to prepare them to access Cisco Unified Communications Manager and the rest of the IP network. By using DHCP, you have fewer settings to configure on a phone, but if your network requires it, you can manually configure an IP address, TFTP server, subnet information, and other values.

The Cisco Unified IP Phone interacts with other services and devices on your IP network to provide enhanced functionality. For example, you can integrate the Cisco Unified IP Phones with the corporate Lightweight Directory Access Protocol 3 (LDAP3) standard directory to enable users to search for coworker contact information directly from their IP phones. You can also use XML to enable users to access information such as weather, stocks, quote of the day, and other web-based information.

Finally, because the Cisco Unified IP Phone is a network device, you can obtain detailed status information from it directly. This information can assist you with troubleshooting any problems that users encounter when they use their IP phones.

Telephony Feature Administration

You can modify certain settings for the Cisco Unified IP Phone from the Cisco Unified Communications Manager Administration application. Use this graphical user interface to set up phone registration criteria and calling search spaces, to configure corporate directories and services, and to modify phone button templates, among other tasks. See the Cisco Unified Communications Manager Administration Guide for additional information.

For more information about the Cisco Unified Communications Manager Administration application, refer to Cisco Unified Communications Manager documentation, including the Cisco Unified Communications Manager System Guide. You can also use the context-sensitive help that is available within the application for guidance.

You can access the Cisco Unified Communications Manager documentation suite at this location:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/tsd_products_support_series_home.html

You can access the complete Cisco Business Edition 5000 documentation suite at this location:

http://www.cisco.com/en/US/products/ps7273/tsd_products_support_series_home.html

Information for End Users

If you are a system administrator, you are likely the primary source of information for Cisco Unified IP Phone users in your network or company. To ensure that you distribute the most current feature and procedural information, familiarize yourself with Cisco Unified IP Phone documentation. Make sure to visit the Cisco Unified IP Phone web site:

http://www.cisco.com/en/US/products/hw/phones/ps379/tsd_products_support_series_home.html

From this site, you can access various user guides.

In addition to providing users with documentation, it is important to inform them about available Cisco Unified IP Phone features, including features that are specific to your company or network, and about how to access and customize those features, if appropriate.

Cisco Unified IP Phone Security Features

Implementation of security in the Cisco Unified Communications Manager system prevents identity theft of the phone and Cisco Unified Communications Manager server, prevents data tampering, and prevents call signaling and media stream tampering.

To alleviate these threats, the Cisco Unified IP telephony network establishes and maintains authenticated and encrypted communication streams between a phone and the server, digitally signs files before they are transferred to a phone, and encrypts media streams and call signaling between Cisco Unified IP phones.

The Cisco Unified IP Phone 7975G, 7971G-GE, 7970G, 7965G, and 7945G uses the Phone Security Profile, which defines whether the device is nonsecure, authenticated, or encrypted. For information on application of the security profile to the phone, see the Cisco Unified Communications Manager Security Guide.

If you configure security-related settings in Cisco Unified Communications Manager Administration, the phone configuration file will contain sensitive information. To ensure the privacy of a configuration file, you must configure it for encryption. For detailed information, see the "Configuring Encrypted Phone Configuration Files" chapter in the Cisco Unified Communications Manager Security Guide.

The following table shows where you can find additional information about security in this and other documents.

Table 3. Cisco Unified IP Phone and Cisco Unified Communications Manager Security Topics

| Topic | Reference |
| --- | --- |
| Detailed explanation of security; includes setup, configuration, and troubleshooting information for Cisco Unified Communications Manager and Cisco Unified IP Phones | See the Troubleshooting Guide for Cisco Unified Communications Manager. |
| Security features that the Cisco Unified IP Phone supports | See Supported Security Features. |
| Security feature restrictions | See Security Restrictions. |
| Viewing a security profile name | See Security Profiles. |
| Identification of phone calls for which security is implemented | See Authenticated, Encrypted, and Protected Phone Calls. |
| TLS connection | See Network Protocols. See Phone Configuration Files. |
| Security and the phone startup process | See Phone Startup Process. |
| Security and phone configuration files | See Phone Configuration Files. |
| Changes to the TFTP Server 1 or TFTP Server 2 option on the phone when security is implemented | See Network Configuration Menu. |
| Security icons in the Unified CM 1 through Unified CM 5 options in the Device Configuration Menu on the phone | See Unified CM Configuration Menu. |
| Security Configuration menu items that you access from the Device Configuration menu on the phone | See Security Configuration Menu. |
| Security Configuration menu items that you access from the Settings menu on the phone | See Security Configuration Menu. |
| Unlock of the CTL (Certificate Trust List) and ITL (Identity Trust List) files | See Unlock CTL and ITL Files. |
| Disabling access to web pages for a phone | See Unlock CTL and ITL Files. |
| Deletion of the CTL file from the phone | See Control Web Page Access. |
| Phone reset or restoration | See Cisco Unified IP Phone Reset or Restore. |
| Extension Mobility HTTPS Support | See Network Protocols. |
| 802.1X Authentication for Cisco Unified IP Phones | See these sections: |

Supported Security Features

The following table provides an overview of the security features that the Cisco Unified IP Phone 7975G, 7971G-GE, 7970G, 7965G, and 7945G supports. For more information about these features and about Cisco Unified Communications Manager and Cisco Unified IP Phone security, see the Cisco Unified Communications Manager Security Guide.

For information about current security settings on a phone, look at the Security Configuration menus on the phone (choose Settings > Security Configuration and choose Settings > Device Configuration > Security Configuration).


Note

Most security features are available only if a CTL is installed on the phone. For more information about the CTL, see the "Configuring the Cisco CTL Client" chapter in the Cisco Unified Communications Manager Security Guide.


Table 4. Overview of security features

Feature

Description

Image authentication

Signed binary files (with the extension .sbn) prevent tampering with the firmware image before it loads on a phone. Tampering with the image causes a phone to fail the authentication process and reject the new image.

Customer-site certificate installation

Each Cisco Unified IP Phone requires a unique certificate for device authentication. Phones include a manufacturing installed certificate (MIC), but for additional security, you can specify in Cisco Unified Communications Manager Administration that a certificate be installed by using the CAPF (Certificate Authority Proxy Function). Alternatively, you can install a Locally Significant Certificate (LSC) from the Security Configuration menu on the phone.

Device authentication

Occurs between the Cisco Unified Communications Manager server and the phone when each entity accepts the certificate of the other entity. Determines whether a secure connection between the phone and a Cisco Unified Communications Manager should occur, and, if necessary, creates a secure signaling path between the entities by using the TLS protocol. Cisco Unified Communications Manager does not register phones unless it can authenticate them.

File authentication

Validates digitally signed files that the phone downloads. The phone validates the signature to make sure that file tampering did not occur after file creation. Files that fail authentication are not written to Flash memory on the phone. The phone rejects such files without further processing.

Signaling authentication

Uses the TLS protocol to validate that no tampering has occurred to signaling packets during transmission.

Manufacturing installed certificate

Each Cisco Unified IP Phone contains a unique manufacturing installed certificate (MIC), which is used for device authentication. The MIC is a permanent unique proof of identity for the phone, and allows Cisco Unified Communications Manager to authenticate the phone.

Secure SRST reference

After you configure an SRST reference for security and then reset the dependent devices in Cisco Unified Communications Manager Administration, the TFTP server adds the SRST certificate to the phone cnf.xml file and sends the file to the phone. A secure phone then uses a TLS connection to interact with the SRST-enabled router.

Media encryption

Uses Secure Real-time Transport Protocol (SRTP) to ensure that the media streams between supported devices prove secure and that only the intended device receives and reads the data. Includes creation of a media primary key pair for the devices, delivery of the keys to the devices, and securing the key delivery while the keys are in transport.

Signaling encryption

Ensures that all SCCP and SIP signaling messages that are sent between the device and the Cisco Unified Communications Manager server are encrypted.

CAPF (Certificate Authority Proxy Function)

Implements parts of the certificate generation procedure that are too processing-intensive for the phone, and interacts with the phone for key generation and certificate installation. The CAPF can be configured to request certificates from customer-specified certificate authorities on behalf of the phone, or it can be configured to generate certificates locally.

Security profiles

Defines whether the phone is nonsecure, authenticated, encrypted, or protected.

Encrypted configuration files

Ensures the privacy of phone configuration files.

Optional disabling of the web server functionality for a phone

Prevents access to a phone web page, which displays a variety of operational statistics for the phone.

Phone hardening

Additional security options, which you control from Cisco Unified Communications Manager Administration:

  • Disabling PC port
  • Disabling Gratuitous ARP (GARP)
  • Disabling PC Voice VLAN access
  • Disabling access to the Settings menus, or providing restricted access that allows access to the User Preferences menu and saving volume changes only
  • Disabling access to web pages for a phone

Note

View current settings for the PC Port Disabled, GARP Enabled, and Voice VLAN enabled options by looking at the phone Security Configuration menu.

802.1X Authentication

The Cisco Unified IP Phone can use 802.1X authentication to request and gain access to the network.

Security Profiles

Cisco Unified IP Phones that support Cisco Unified Communications Manager release 7.0 or later use a security profile, which defines whether the phone is nonsecure, authenticated, or encrypted. For information about security profile configuration and profile application to the phone, see the Cisco Unified Communications Manager Security Guide.

To view the security mode that is set for the phone, view the Security Mode setting in the Security Configuration menu.

Authenticated, Encrypted, and Protected Phone Calls

When security is implemented for a phone, you can identify authenticated or encrypted phone calls by icons on the phone screen. You can also determine whether the connected phone is secure and protected if a security tone plays at the beginning of the call.

In an authenticated call, all devices that participate in the establishment of the call are trusted devices that Cisco Unified Communications Manager authenticates. When a call in progress is authenticated, the call progress icon to the right of the call duration timer in the phone screen changes to this icon: .

In an encrypted call, all devices that participate in the establishment of the call are trusted devices that Cisco Unified Communications Manager authenticates. In addition, call signaling and media streams are encrypted. An encrypted call offers a high level of security and provides integrity and privacy to the call. When a call in progress is encrypted, the call progress icon to the right of the call duration timer in the phone screen changes to this icon: .


Note

If the call routes through non-IP call legs, for example, PSTN (public switched telephone network), the call may be nonsecure even though it is encrypted within the IP network and has a lock icon associated with it.


In a protected call, a security tone plays at the beginning of a call to indicate that the other connected phone is also receiving and transmitting encrypted audio and video (if video is involved). If your call connects to a non-protected phone, the security tone does not play.


Note

Protected calling is supported for connections between two phones only. Some features, such as conference calling, shared lines, Extension Mobility, and Join Across Lines are not available when protected calling is configured. Protected calls are not authenticated.


Secure Conference Call Identification

You can initiate a secure conference call and monitor the security level of participants. Establishment of a secure conference call follows this process:

  1. A user initiates the conference from a secure phone (encrypted or authenticated security mode).

  2. Cisco Unified Communications Manager assigns a secure conference bridge to the call.

  3. As participants are added, Cisco Unified Communications Manager verifies the security mode of each phone (encrypted or authenticated) and maintains the secure level for the conference.

  4. The phone displays the security level of the conference call. A secure conference displays the encrypted or authenticated icon to the right of “Conference” on the phone screen. If the nonsecure icon displays, the conference is not secure.


Note

Certain interactions, restrictions, and limitations affect the security level of the conference call. These interactions depend on the security mode of the participant phones and the availability of secure conference bridges. See Call Security Interactions and Restrictions for information about these interactions.


Protected Call Identification

A protected call is established when a user phone and the phone on the other end are configured for protected calling. The other phone can be in the same Cisco IP network, or on a network outside the IP network. Protected calls can only be made between two phones. Conference calls and other multiple-line calls are not supported.

Establishment of a protected call follows this process:

  1. A user initiates the call from a protected phone (protected security mode).

  2. The phone displays the encrypted icon on the phone screen. This icon indicates that the phone is configured for secure (encrypted) calls, but this does not mean that the other connected phone is also protected.

  3. A security tone plays if the call connects to another protected phone; the tone indicates that both ends of the conversation are encrypted and protected. If the call is connected to a nonprotected phone, the secure tone does not play.


Note

Protected calling is supported for conversations between two phones. Some features, such as conference, shared lines, Cisco Extension Mobility, and Join Across Lines are not available when protected calling is configured.


Call Security Interactions and Restrictions

Cisco Unified Communications Manager checks the phone security status when conferences are established and either changes the security indication for the conference or blocks the completion of the call to maintain integrity and security in the system. The following table provides information about changes to call security levels when the Barge feature is used.

Table 5. Call Security Interactions When Using Barge

| Initiator phone security level | Call security level | Results of action |
|---|---|---|
| Nonsecure | Encrypted call | Call barged and identified as nonsecure call |
| Secure (encrypted) | Authenticated call | Call barged and identified as authenticated call |
| Secure (authenticated) | Encrypted call | Call barged and identified as authenticated call |
| Nonsecure | Authenticated call | Call barged and identified as nonsecure call |

The following table provides information about changes to conference security levels, which depend on the initiator phone security level, the security levels of participants, and the availability of secure conference bridges.

Table 6. Security Restrictions with Conference Calls

| Initiator phone security level | Feature used | Security level of participants | Results of action |
|---|---|---|---|
| Nonsecure | Conference | Encrypted or authenticated | Nonsecure conference bridge. Nonsecure conference. |
| Secure (encrypted or authenticated) | Conference | At least one member is nonsecure. | Secure conference bridge. Nonsecure conference. |
| Secure (encrypted) | Conference | All participants are encrypted | Secure conference bridge. Secure encrypted level conference. |
| Secure (authenticated) | Conference | All participants are encrypted or authenticated. | Secure conference bridge. Secure authenticated level conference. |
| Nonsecure | Conference | Encrypted or authenticated | Only secure conference bridge is available and used. Nonsecure conference. |
| Secure (encrypted or authenticated) | Conference | Encrypted or authenticated | Only nonsecure conference bridge is available and used. Nonsecure conference. |
| Secure (encrypted or authenticated) | Conference | Secure or encrypted | Conference remains secure. When one participant tries to Hold the call with Music on Hold (MOH), the MOH does not play. |
| Secure (encrypted) | Join | Encrypted or authenticated | Secure conference bridge. Conference remains secure (encrypted or authenticated). |
| Nonsecure | cBarge | All participants are encrypted | Secure conference bridge. Conference changes to nonsecure. |
| Nonsecure | Meet-Me | Minimum security level is encrypted | Initiator receives message Does not meet Security Level, call rejected. |
| Secure (encrypted) | Meet-Me | Minimum security level is authenticated | Secure conference bridge. Conference accepts encrypted and authenticated calls. |
| Secure (encrypted) | Meet-Me | Minimum security level is nonsecure | Only secure conference bridge available and used. Conference accepts all calls. |
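The Barge and Conference rows of Tables 5 and 6 all follow one pattern: the call is marked at the weakest level of any party, and a nonsecure conference bridge makes the conference nonsecure. The following Python sketch is an added example, not Cisco code; the weakest-party rule, the `Level` ordering, and the function names are assumptions inferred from the table rows, not a documented Cisco Unified Communications Manager algorithm.

```python
from enum import IntEnum


class Level(IntEnum):
    """Security levels named on this page, ordered weakest to strongest."""
    NONSECURE = 0
    AUTHENTICATED = 1
    ENCRYPTED = 2


def resulting_level(parties, secure_bridge=True):
    """Return (level, limiting_factor) for a barge or conference.

    parties maps a label to that phone's (or the existing call's) Level.
    Assumed rule: the call is marked at the weakest level present, and a
    nonsecure conference bridge forces the whole conference to nonsecure.
    """
    if not parties:
        raise ValueError("at least one party is required")
    weakest = min(parties, key=parties.get)  # first label holding the lowest level
    if not secure_bridge and parties[weakest] > Level.NONSECURE:
        return Level.NONSECURE, "conference bridge"
    return parties[weakest], weakest


def meet_me_admits(caller, minimum):
    """Meet-Me admission: the caller must meet the conference's minimum level."""
    return caller >= minimum


N, A, E = Level.NONSECURE, Level.AUTHENTICATED, Level.ENCRYPTED

# Rows re-typed from Tables 5 and 6 as (parties, secure_bridge, expected level).
# Where a row says "encrypted or authenticated", one of the two is picked.
TABLE_ROWS = [
    ({"initiator": N, "call": E}, True, N),     # Table 5, Barge
    ({"initiator": E, "call": A}, True, A),
    ({"initiator": A, "call": E}, True, A),
    ({"initiator": N, "call": A}, True, N),
    ({"initiator": N, "member": E}, False, N),  # Table 6, Conference
    ({"initiator": E, "member": N}, True, N),
    ({"initiator": E, "member": E}, True, E),
    ({"initiator": A, "member": E}, True, A),
    ({"initiator": N, "member": A}, True, N),
    ({"initiator": E, "member": A}, False, N),
    ({"initiator": N, "member": E}, True, N),   # Table 6, cBarge
]


def check_rows():
    """Return the rows the assumed rule fails to reproduce (empty means all match)."""
    return [row for row in TABLE_ROWS
            if resulting_level(row[0], row[1])[0] != row[2]]


if __name__ == "__main__":
    print("rows not reproduced:", check_rows())
    level, why = resulting_level({"initiator": E, "member1": E, "member2": A})
    print(level.name, "limited by", why)
```

The second return value names the party or bridge that lowered the level, which is the first thing to check when a conference that was expected to be secure shows as nonsecure.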

802.1X Authentication

These sections provide information about 802.1X support on the Cisco Unified IP Phones:

Overview

Cisco Unified IP Phones and Cisco Catalyst switches traditionally use Cisco Discovery Protocol (CDP) to identify each other and determine parameters such as VLAN allocation and inline power requirements. CDP does not identify locally attached workstations. Cisco Unified IP Phones provide an EAPOL pass-through mechanism. This mechanism allows a workstation attached to the Cisco Unified IP Phone to pass EAPOL messages to the 802.1X authenticator at the LAN switch. The pass-through mechanism ensures that the IP phone does not act as the LAN switch to authenticate a data endpoint before accessing the network.

Cisco Unified IP Phones also provide a proxy EAPOL Logoff mechanism. In the event that the locally attached PC disconnects from the IP phone, the LAN switch does not see the physical link fail, because the link between the LAN switch and the IP phone is maintained. To avoid compromising network integrity, the IP phone sends an EAPOL-Logoff message to the switch on behalf of the downstream PC, which triggers the LAN switch to clear the authentication entry for the downstream PC.

Cisco Unified IP Phones also contain an 802.1X supplicant. This supplicant allows network administrators to control the connectivity of IP phones to the LAN switch ports. The current release of the phone 802.1X supplicant uses the EAP-FAST, EAP-TLS, and EAP-MD5 options for network authentication.
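The proxy EAPOL-Logoff mechanism described above can be modeled with a small EAPOL frame parser and a toy authenticator port. This is an added example, not Cisco code: the EAPOL header layout follows IEEE 802.1X, while the MAC addresses, the `AuthenticatorPort` model, and the use of the PC's MAC address as the source of the proxy logoff are assumptions made for illustration.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

# Constructed sample MAC addresses (locally administered), not from the page.
PHONE_MAC = bytes.fromhex("020000000001")
PC_MAC = bytes.fromhex("020000000002")


def fmt_mac(mac: bytes) -> str:
    return ":".join(f"{octet:02x}" for octet in mac)


def build_eapol(src: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet header + EAPOL header (version, type, body length) + body."""
    ethernet = PAE_GROUP_ADDR + src + struct.pack("!H", ETHERTYPE_EAPOL)
    return ethernet + struct.pack("!BBH", 1, eapol_type, len(body)) + body


def parse_eapol(frame: bytes):
    """Return (source MAC, EAPOL type name), or None if not a well-formed EAPOL frame."""
    if len(frame) < 18:  # 14-byte Ethernet header + 4-byte EAPOL header
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    _version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    if len(frame) - 18 < length:  # body shorter than the header claims
        return None
    return frame[6:12], EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})")


class AuthenticatorPort:
    """Toy model of a multidomain-authentication switch port: one session per MAC."""

    def __init__(self):
        self.sessions = {}  # source MAC -> domain ("voice" or "data")

    def authorize(self, mac: bytes, domain: str):
        self.sessions[mac] = domain

    def receive(self, frame: bytes):
        parsed = parse_eapol(frame)
        if parsed is None:
            return
        src, kind = parsed
        if kind == "EAPOL-Logoff":
            # Clear only the authentication entry of the station that logged off.
            self.sessions.pop(src, None)


def sessions_after_pc_unplug(proxy_logoff: bool) -> set:
    """Authorized MACs on the switch port after the PC leaves the phone's PC port."""
    port = AuthenticatorPort()
    port.authorize(PHONE_MAC, "voice")
    port.authorize(PC_MAC, "data")
    # The switch-to-phone link stays up, so the switch sees no link failure.
    # Only a logoff sent by the phone tells it the PC is gone.
    if proxy_logoff:
        # Assumption: the proxy logoff carries the PC's MAC as its source address.
        port.receive(build_eapol(PC_MAC, 2))
    return {fmt_mac(mac) for mac in port.sessions}


if __name__ == "__main__":
    print("without proxy logoff:", sorted(sessions_after_pc_unplug(False)))
    print("with proxy logoff:   ", sorted(sessions_after_pc_unplug(True)))
```

Without the proxy logoff, the data-domain entry for the PC stays authorized on the switch port after the PC is gone; with it, only the phone's voice-domain entry remains.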

Required Network Components

Support for 802.1X authentication on Cisco Unified IP Phones requires several components, including:

  • Cisco Unified IP Phone: The phone acts as the 802.1X supplicant, which initiates the request to access the network.

  • Cisco Secure Access Control Server (ACS) (or other third-party authentication server): The authentication server and the phone must both be configured with a shared secret that authenticates the phone.

  • Cisco Catalyst Switch (or other third-party switch): The switch must support 802.1X, so it can act as the authenticator and pass the messages between the phone and the authentication server. After the exchange completes, the switch grants or denies the phone access to the network.

Best-Practice Requirements and Recommendations

  • Enable 802.1X Authentication: If you want to use the 802.1X standard to authenticate Cisco Unified IP Phones, make sure that you have properly configured the other components before you enable the standard on the phone.

    MAC Authentication Bypass (MAB) is required as a fallback to 802.1X authentication for the LSC certificate update process. Enable MAB on the phone port. For more information, see https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html.

  • Configure PC Port: The 802.1X standard does not take into account the use of VLANs and thus recommends that only a single device be authenticated to a specific switch port. However, some switches (such as Cisco Catalyst switches) support multidomain authentication. The switch configuration determines whether you can connect a PC to the phone PC port.

    • Enabled: If you use a switch that supports multidomain authentication, you can enable the PC port and connect a PC to it. In this case, Cisco Unified IP Phones support proxy EAPOL-Logoff to monitor the authentication exchanges between the switch and the attached PC. For more information about IEEE 802.1X support on the Cisco Catalyst switches, see the Cisco Catalyst switch configuration guides at:

      http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html

    • Disabled: If the switch does not support multiple 802.1X-compliant devices on the same port, you should disable the PC Port when 802.1X authentication is enabled. If you do not disable this port and subsequently attempt to attach a PC to it, the switch will deny network access to the phone and the PC.

  • Configure Voice VLAN: Because the 802.1X standard does not account for VLANs, you should configure this setting according to the switch support.

    • Enabled: If you use a switch that supports multidomain authentication, you can continue to use the voice VLAN.

    • Disabled: If the switch does not support multidomain authentication, disable the Voice VLAN and consider assigning the port to the native VLAN.

  • Enter MD5 Shared Secret: If you disable 802.1X authentication or perform a factory reset on the phone, the previously configured MD5 shared secret is deleted.

Security Restrictions

A user cannot barge into an encrypted call if the phone that is used to barge is not configured for encryption. When barge fails in this case, a reorder (fast busy) tone plays on the phone of the barge initiator.

If the initiator phone is configured for encryption, the barge initiator can barge into an authenticated or nonsecure call from the encrypted phone. After the barge occurs, Cisco Unified Communications Manager classifies the call as nonsecure.

If the initiator phone is configured for encryption, the barge initiator can barge into an encrypted call, and the phone indicates that the call is encrypted.

A user can barge into an authenticated call, even if the phone that is used to barge is nonsecure. The authentication icon continues to appear on the authenticated devices in the call, even if the initiator phone does not support security.

Phone Power Consumption

The Cisco Unified IP Phone 7900 Series supports Cisco EnergyWise. EnergyWise is also known as Power Save Plus. When your network contains an EnergyWise controller, you can configure these phones to sleep (power down) and wake (power up) on a schedule to reduce your power consumption. The phone should be powered by the Power Over Ethernet (PoE) port of the switch instead of the power adapter.

You set up each phone to enable or disable the EnergyWise settings. You can also configure EnergyWise parameters on the enterprise and common phone configuration. If EnergyWise is enabled, you configure a sleep and wake time, as well as other parameters. These parameters are sent to the phone as part of the phone configuration XML file.

The switch administrator can wake the phone up before the scheduled time. For more information on powering up the phones from the switch, see the switch documentation.

Cisco Unified IP Phone Deployment

Upon deployment of a new IP telephony system, system administrators and network administrators must complete several initial configuration tasks to prepare the network for IP telephony service. For information and a checklist for setup and configuration of a Cisco Unified IP telephony network, see the "System Configuration Overview" chapter in the Cisco Unified Communications Manager System Guide.

After you have set up the IP telephony system and configured system-wide features in Cisco Unified Communications Manager, you can add IP phones to the system.

The following topics provide an overview of procedures for adding Cisco Unified IP Phones to your network:

Cisco Unified IP Phone Setup in Cisco Unified Communications Manager

To add phones to the Cisco Unified Communications Manager database, you can use:

  • Autoregistration

  • Cisco Unified Communications Manager Administration

  • Bulk Administration Tool (BAT)

  • BAT and the Tool for Auto-Registered Phones Support (TAPS)

For general information about phone configuration in Cisco Unified Communications Manager, see the "Cisco Unified IP Phones" chapter in the Cisco Unified Communications Manager System Guide.

Set Up Cisco Unified IP Phone 7975G, 7971G-GE, 7970G, 7965G, and 7945G in Cisco Unified Communications Manager Administration

The following steps provide an overview and checklist of configuration tasks for the Cisco Unified IP Phone 7975G, 7971G-GE, 7970G, 7965G, and 7945G in Cisco Unified Communications Manager Administration. The steps present a suggested order to guide you through the phone configuration process. Some tasks are optional, depending on your system and user needs. For detailed procedures and information, see the sources in the steps.

Procedure

Step 1

Gather the following information about the phone:

  1. Phone Model

  2. MAC address

  3. Physical location of the phone

  4. Name or user ID of phone user

  5. Device pool

  6. Partition, calling search space, and location information

  7. Number of lines and associated directory numbers (DNs) to assign to the phone

  8. Cisco Unified Communications Manager user to associate with the phone

  9. Phone usage information that affects phone button template, softkey template, phone features, IP Phone services, or phone applications

    Provides a list of configuration requirements for phone setup.

    Identifies preliminary configuration that you need to perform before you configure individual phones, such as phone button templates or softkey templates.

    See the Cisco Unified Communications Manager System Guide, “Cisco Unified IP Phones” chapter, and Telephony Features Available for Cisco Unified IP Phone.

Step 2

Customize phone button templates (if required).

Changes the number of line buttons, speed-dial buttons, Service URL buttons, or adds a Privacy button to meet user needs.

You must specify a service URL with an IPv4 address.

See Cisco Unified Communications Manager Administration Guide, "Phone Button Template Configuration" chapter, and Phone Button Templates.

Step 3

Add and configure the phone by completing the required fields in the Phone Configuration window. Required fields are indicated by an asterisk (*) next to the field name; for example, MAC address and device pool.

Adds the device with its default settings to the Cisco Unified Communications Manager database.

See the Cisco Unified Communications Manager Administration Guide, "Cisco Unified IP Phone Configuration" chapter. For information about Product Specific Configuration fields, refer to "?" button Help in the Phone Configuration window.

Step 4

Add and configure directory numbers (lines) on the phone by completing the required fields in the Directory Number Configuration window. Required fields are indicated by an asterisk (*) next to the field name; for example, directory number and presence group.

Adds primary and secondary directory numbers and features associated with directory numbers to the phone.

See the Cisco Unified Communications Manager Administration Guide, “Directory Number Configuration” chapter, and Telephony Features Available for Cisco Unified IP Phone.

Step 5

Customize softkey templates.

Adds, deletes, or changes order of softkey features that display on the user phone to meet feature usage needs.

See the Cisco Unified Communications Manager Administration Guide, "Softkey Template Configuration" chapter, and Softkey Templates.

Step 6

Configure speed-dial buttons and assign speed-dial numbers (optional). Adds speed-dial buttons and numbers.

Note 

Users can change speed-dial settings on their phones by using the Cisco Unified Communications Manager User Options web pages.

See the Cisco Unified Communications Manager Administration Guide, "Cisco Unified IP Phone Configuration" chapter.

Step 7

Configure Cisco Unified IP Phone services and assign services (optional). Provides IP Phone services.

Note 

Users can add or change services on their phones by using the Cisco Unified Communications Manager User Options web pages.

Note 

You must specify a service URL with an IPv4 address.

See the Cisco Unified Communications Manager Administration Guide "Cisco Unified IP Phone Services Configuration" chapter, and Services Setup.

Step 8

Assign services to phone buttons (optional). Provides single-button access to an IP phone service or URL.

See the Cisco Unified Communications Manager Administration Guide, "Cisco Unified IP Phone Configuration" chapter.

Step 9

Add user information by configuring required fields. Required fields are indicated by an asterisk (*); for example, User ID and last name.

Note 

Assign a password (for User Options web pages) and PIN (for Extension Mobility and Personal Directory).

Adds user information to the global directory for Cisco Unified Communications Manager.

See Cisco Unified Communications Manager Administration Guide, "End User Configuration" chapter and Cisco Unified Communications Manager User Addition.

Note 

If your company uses a Lightweight Directory Access Protocol (LDAP) directory to store information on users, you can install and configure Cisco Unified Communications to use your existing LDAP directory. See Corporate Directory Setup.

Step 10

Associate a user to a user group. Assigns users a common list of roles and permissions that apply to all users in a user group. Administrators can manage user groups, roles, and permissions to control the level of access (and, therefore, the level of security) for system users.

See the Cisco Unified Communications Manager Administration Guide:

  • "End User Configuration" chapter

  • "User Group Configuration" chapter

Step 11

Associate a user with a phone. Provides users with control over their phone so that they can forward calls or add speed-dial numbers or services.

Note 

Some phones, such as those in conference rooms, do not have an associated user.

See the Cisco Unified Communications Manager Administration Guide, "End User Configuration" chapter.


Cisco Unified IP Phone Installation

After you add the phones to the Cisco Unified Communications Manager database, you can complete the phone installation. You can install the phones at the desired locations, or you can give the phone users the information they need to perform the installation. The Cisco Unified IP Phone Installation Guide, which is available at http://www.cisco.com/en/US/products/hw/phones/ps379/prod_installation_guides_list.html, provides directions for connecting the phone foot stand, handset, cables, and other accessories.


Note

Upgrade the phone to the current firmware image before installation. For information about phone upgrades, see the Readme file for your phone model located at:

http://www.cisco.com/cgi-bin/tablebuild.pl/ip-7900ser

After the phone connects to the network, the phone startup process begins, and the phone registers with Cisco Unified Communications Manager. To complete phone installation, configure the network settings on the phone depending on whether you enable or disable DHCP service.

If you used autoregistration, update the specific configuration information for the phone: associate the phone with a user, change the button table, or assign a directory number.

Install Cisco Unified IP Phone 7975G, 7971G-GE, 7970G, 7965G, and 7945G

The following steps provide an overview and checklist of installation tasks for the Cisco Unified IP Phone 7975G, 7971G-GE, 7970G, 7965G, and 7945G. The steps present a suggested order to guide you through the phone installation. Some tasks are optional, depending on your system and user needs. For detailed procedures and information, see the sources in the steps.

Procedure

Step 1

Choose the power source for the phone:

  1. Power over Ethernet (PoE)

  2. External power supply

    Determines how the phone receives power.

    See Cisco Unified IP Phone Power.

Step 2

Assemble the phone, adjust phone placement, and connect the network cable.

Locates and installs the phone in the network.

See Install Cisco Unified IP Phone and Footstand Adjustment.

Step 3

(Optional) Add a Cisco Unified IP Phone Expansion Module.

Adds the device with its default settings to the Cisco Unified Communications Manager database. Extends functionality of a Cisco Unified IP Phone by adding 14 (Cisco Unified IP Phone Expansion Module 7914) or 24 (Cisco Unified IP Phone Expansion Modules 7915 or 7916) line appearances or speed-dial numbers.

Note 

Cisco Unified IP Phones 7971G-GE and 7970G do not support Cisco Unified IP Phone Expansion Modules 7915 and 7916.

Note 

The Cisco Unified IP Phone 7945G does not support any expansion modules.

Note 

A maximum of 56 keys for a Cisco Unified IP Phone 7975G and up to 54 keys for a Cisco Unified IP Phone 7965G can be configured.

See Cisco Unified IP Phone Expansion Module.

Step 4

Monitor the phone startup process. Verifies that the phone is configured properly.

See Phone Startup Process.

Step 5

When you configure the network settings on the phone, for an IPv4 network you can set up an IP address for the phone either by using DHCP or by manually entering an IP address.

  • With DHCP: To enable DHCP and allow the DHCP server to automatically assign an IP address to the Cisco Unified IP Phone and direct the phone to a TFTP server, choose Settings > Network Configuration > IPv4 Configuration and configure the following:

    • To enable DHCP, set DHCP Enabled to Yes. DHCP is enabled by default.

    • To use an alternate TFTP server, set Alternate TFTP Server to Yes, and enter the IP address for the TFTP Server.

      Note

      Consult the network administrator if you need to assign an alternative TFTP server instead of using the TFTP server that DHCP assigns.

  • Without DHCP: You must configure the IP address, subnet mask, TFTP server, and default router locally on the phone. To do so, choose Settings > Network Configuration > IPv4 Configuration.

To disable DHCP and manually set an IP address:

  1. Set DHCP Enabled to No.

  2. Enter the static IP address for the phone.

  3. Enter the subnet mask.

  4. Enter the default router IP addresses.

  5. Set Alternate TFTP Server to Yes, and enter the IP address for TFTP Server 1.

    You must also enter the domain name where the phone resides by choosing Settings > Network Configuration.

    The Cisco Unified IP Phone supports concurrent IPv4 and IPv6 addresses. You can configure Cisco Unified Communications Manager to support IPv4 addresses only, IPv6 addresses only, or both IPv4 and IPv6 addresses.

    See Network Settings and Network Configuration Menu.

Step 6

If you configure the network settings on the phone for an IPv6 network, you can set up an IP address for the phone either by using DHCPv6 or by manually entering an IP address.

  • With DHCPv6: To enable DHCPv6 and allow the DHCPv6 server to automatically assign an IP address to the Cisco Unified IP Phone and direct the phone to a TFTP server:

    • Choose Settings > Network Configuration > IPv6 Configuration.

    • Set DHCPv6 Enabled to Yes. DHCPv6 is enabled by default.

    • To use an alternate TFTP server, set IPv6 Alternate TFTP Server to Yes and enter the IP address for IPv6 TFTP Server 1.

      Note

      Consult the network administrator if you need to assign an alternative TFTP server instead of using the TFTP server that DHCP assigns.

  • Without DHCP: You must configure the IP address, subnet mask, TFTP server, and default router locally on the phone. To do so, choose Settings > Network Configuration > IPv6 Configuration.

To disable DHCP and manually set an IP address:

  1. Set DHCPv6 Enabled to No.

  2. Enter the static IP address for the phone.

  3. Enter the IPv6 prefix length.

  4. Set IPv6 Alternate TFTP Server to Yes, and enter the IP address for IPv6 TFTP Server 1.

    You must also enter the domain name where the phone resides by choosing Settings > Network Configuration.

    Note 

    The Cisco Unified IP Phone supports concurrent IPv4 and IPv6 addresses. You can configure Cisco Unified Communications Manager to support IPv4 addresses only, IPv6 addresses only, or both IPv4 and IPv6 addresses.

    See Network Settings and Network Configuration Menu.

Step 7

Set up security on the phone. Provides protection against data tampering threats and identity theft of phones.

See Cisco Unified IP Phone Security.

Step 8

Make calls with the Cisco Unified IP Phone. Verifies that the phone and features work correctly.

See your phone user guide.

Step 9

Provide information to end users about how to use their phones and how to configure their phone options.

Ensures that users have adequate information to use their Cisco Unified IP Phones.

See Internal Support Web Site.