Introduction
This document describes the procedure to enable auto-registration on Cisco Unified Communications Manager (CUCM) 11.5.x and above in a Mixed mode secure cluster.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these commonly used CUCM features:
- Phone Auto-registration
- User Self-Provisioning
- Mixed mode Cluster Security Mode
- User templates
Components Used
The information in this document is based on CUCM 11.5.1.
Supported Phones
These phones are supported:
- 8800 series desktop phones, including the 8811, 8841, 8851 and 8861
- 7800 series phones, including the 7821, 7841, 7945 and 7861
- 9900 series phones, including the 9951 and 9971
- 8961
- 7900 series phones, including the 7925, 7945, 7965 and 7975
- 6900 series phones, including the 6900, 6901, 6921, 6941, 6945 and 6961
- DX series, including the DX70 and DX80 models
- Telepresence SX20
Unsupported Phones
The 8941 and 8945 phones do not support auto-registration in Mixed mode.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Background Information
Historically, phone auto-registration could not be used with CUCM clusters in Mixed mode Cluster Security mode. Enabling Mixed mode prevented phones from auto-registering, regardless of whether auto-registration was enabled in CUCM Administration.
By design, if Mixed mode were enabled, the <autoRegistration> tag value in the default phone configuration file would be set to disabled to prevent unconfigured phones from attempting auto-registration. Older phones, such as the 7900 series phones, ignore this value, and attempt to auto-register regardless. Due to Mixed mode, the CUCM device layer would reject their registration attempt.
This changes with CUCM 11.5. On an 11.5 Mixed mode cluster, if auto-registration is enabled in the Administration UI, the default phone configuration file will now show an <autoRegistration> tag value of enabled. Phones observing this will attempt auto-registration. Furthermore, rather than rejecting the auto-registration attempt due to Mixed mode, the CUCM device layer will trigger the auto-registration stored procedure to add the phone to the DB, then reset the phone.
Thus, administrators may enable Mixed mode without disabling auto-registration, or may utilize auto-registration on a Mixed mode cluster. This allows customers greater flexibility, such as being able to use self-provisioning features in Mixed mode, and removes a potential barrier to the use of secure phone profiles.
In addition to allowing auto-registration in Mixed mode, Locally Significant Certificates may be installed during auto-registration or self provisioning. This is done through Universal Device Templates, which have been enhanced to allow certificate operations.
Furthermore, in the scenario that a Mixed mode cluster is being upgraded to CUCM 11.5, and has auto-registration enabled in CUCM Administration, auto-registration will be disabled in the Administration UI upon upgrade. This prevents phones from auto-registering after the Mixed mode cluster is upgraded, emulating the pre-11.5 behavior. The administrator will need to enable auto-registration if they want to take advantage of this new feature.
And lastly, regardless of Cluster Security Mode, the next auto-registration number that will be assigned is now displayed in the System > Cisco Unified CM > Cisco Unified CM Configuration page. This gives the administrator more visibility into the workings of the auto-registration feature.
This article addresses two common usage scenarios:
- Configuring Mixed mode on a CUCM 11.5 cluster with auto-registration currently enabled.
- Configuring auto-registration on a Mixed mode CUCM 11.5 cluster.
Configure
Configuration of auto-registration in Mixed mode is by and large the same as configuration of auto-registration in Nonsecure Mode. In this section, we will discuss changes in what an administrator sees or must do.
Before configuring auto-registration, you may wish to review the documentation on User Templates, including Universal Device Templates and Universal Line Templates. A Universal Device Template contains a set of common settings typically applied to phones or other devices. A Universal Line Template holds common settings that are typically applied to a directory number. In the context of auto-registration, they are used to build the initial configuration of the phone.
Refer to CUCM 11.5 Administration Guide - Configure User Templates
Configure Mixed Mode on a CUCM 11.5 Cluster with Auto-registration Currently Enabled
To configure Mixed mode on a non-secure CUCM 11.5 cluster that has auto-registration already enabled, we simply enable Mixed mode from the CLI or from the CTL Client.
If you are using the CLI option, CUCM will warn you that auto-registration is currently enabled. This is so that you may decide to disable auto-registration if your security policy requires it.
admin:utils ctl set-cluster mixed-mode
This operation will set the cluster to Mixed mode. Auto-registration is enabled on at least one CM node. Do you want to continue? (y/n):y
Moving Cluster to Mixed Mode
Cluster set to Mixed Mode
Please Restart Cisco Tftp, Cisco CallManager and Cisco CTIManager services on all nodes in the cluster that run these services.
Note: Restart Cisco Tftp, Cisco CallManager and Cisco CTIManager services on all nodes in the cluster that run these services.
Note: No warning is displayed if you enable Mixed mode from the CTL Client application.
After Mixed mode is enabled, please review your auto-registration configuration.
Navigate to System > Cisco Unified CM > Cisco Unified CM Configuration. For each server that does not have auto-registration disabled, verify that the Universal Device Template, Universal Line Template, Starting Directory Number and Ending Directory Number are as intended.
We also see that the next available auto-registration number is exposed in the web interface starting with this version.
Navigate to User Management > User/Phone Add > Universal Device Template, verify that the Security Settings for the template used for auto-registration are configured as intended. If you want phones to install an LSC upon auto-registration, set Certificate Operation to Install/Upgrade and configure the Certificate Authority Proxy Function (CAPF) Settings.
After the phones are auto-registered, and after their LSC certificates have been installed, you may update their phone security profiles to enable authenticated or encrypted registration and operation.
Configure Auto-registration
Enable auto-registration on a Mixed mode cluster the same way as on a Nonsecure mode cluster.
- Navigate to System > Cisco Unified CM Group > Cisco Unified CM Group Configuration and configure the Auto-registration Cisco Unified Communications Manager Group.
- Navigate to System > Cisco Unified CM > Cisco Unified CM Configuration, configure the Universal Device Template, Universal Line Template, Starting Directory Number and Ending Directory Number, then deselect Auto-registration Disabled on this Cisco Unified Communications Manager on the primary Call Manager server in the auto-registration group.
- You will see this informational message, that auto-registration will occur in Mixed mode.
Click OK to proceed.
- Navigate to User Management > User/Phone Add > Universal Device Template, verify that the Security Settings for the template used for auto-registration are configured as intended. If you want phones to install an LSC upon auto-registration, set Certificate Operation to Install/Upgrade and configure the Certificate Authority Proxy Function (CAPF) Settings.
Verify
To verify a successful configuration of auto-registration in Mixed mode:
- Verify that System > Enterprise Parameters > Security Parameters > Cluster Security Mode is set to 1 for Mixed mode.
- Using a TFTP client, download the xmldefault.cnf.xml file from each TFTP server in the cluster. Verify that the autoRegistration tag is set to enabled.
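The check in the last step can be scripted once the files have been downloaded. The following is an added example, not Cisco code: it classifies each server's copy of the file by its autoRegistration value and reports every server that differs from the expected state. The server names and the XML layout around the tag are assumptions, and the sample files are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed samples keyed by hypothetical TFTP server names. Only the
# <autoRegistration> tag and its enabled/disabled values come from the page;
# the surrounding layout is an assumption.
SAMPLES = {
    "cucm-pub.example.test": b"<Default><autoRegistration>enabled</autoRegistration></Default>",
    "cucm-sub1.example.test": b"<Default><autoRegistration>disabled</autoRegistration></Default>",
    # Truncated transfer: the closing root tag never arrived.
    "cucm-sub2.example.test": b"<Default><autoRegistration>enabled</autoRegistration>",
    "cucm-sub3.example.test": b"<Default><other/></Default>",
}


def auto_registration_state(xml_bytes):
    """Classify one downloaded file by its <autoRegistration> value."""
    # TFTP is unauthenticated, so treat the file as untrusted input and
    # refuse DTDs (entity expansion) instead of handing them to the parser.
    if b"<!DOCTYPE" in xml_bytes.upper():
        return "rejected"
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return "unparseable"
    values = {(el.text or "").strip().lower() for el in root.iter("autoRegistration")}
    if not values:
        return "missing"
    if len(values) > 1:
        return "conflicting"
    value = values.pop()
    return value if value in ("enabled", "disabled") else "unexpected"


def audit(files, expected="enabled"):
    """Return {server: state} for every server whose state differs from expected."""
    states = {server: auto_registration_state(data) for server, data in files.items()}
    return {server: state for server, state in states.items() if state != expected}


if __name__ == "__main__":
    for server, state in sorted(audit(SAMPLES).items()):
        print(f"{server}: autoRegistration is {state}, expected enabled")
```

Pass expected="disabled" when the security policy requires auto-registration to stay off in Mixed mode; any server reported then is one that still advertises it to unconfigured phones.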
Troubleshoot
Phone doesn't auto-register
- Verify that auto-registration is enabled on the Cisco Unified CM Group.
- Verify that auto-registration is enabled on the primary Call Manager server in the auto-registration Cisco Unified CM Group.
LSC is not installed on the phone
- Verify that the Universal Device Template configured for auto-registration has Security Settings > Certificate Operation set to Install/Upgrade.
- If the Universal Device Template is configured to install an LSC, review the Set Up CAPF procedure in the Security Guide.
- Restart the CAPF service and then reattempt the CAPF Install/Upgrade procedure from the Device Settings page for the phone.
- If this fails, the issue is unlikely to be specific to phone auto-registration.
- Gather the console logs and detailed Cisco Certificate Authority Proxy Function service traces for the time of the LSC installation failure and review.
- Verify that the CAPF certificate is valid. If it is third-party-signed, verify that it has the correct extensions, the same as on the CAPF CSR. Refer to Cisco UC OS Administration Guide - Third-Party CA Certificates.
Unsupported Phones
- The 8941 and 8945 phones do not support auto-registration in Mixed mode.