You are configuring digest authentication so that the identity of SIP phones can be challenged by the UCM to
which they are connected. After configuring an appropriate security profile, you apply the profile to each SIP
phone on the network. After creating a digest user in the UCM Administration End User window, you notice that
a Cisco 7961G IP phone is not able to authenticate with UCM.
Which of the following should you do? (Select 2 choices.)
A.
Associate the digest user with the SIP phone in UCM Administration.
B.
Configure the SIP realm on a SIP trunk.
C.
Reset the phone.
D.
Specify digest credentials in the Application User Configuration window.
E.
Upload the configuration file to the TFTP server.
Explanation:
You should associate the digest user with the Session Initiation Protocol (SIP) phone in Cisco Unified
Communications Manager (UCM) Administration and then reset the Cisco 7961G IP phone in order to enable
the phone to use digest authentication to verify its identity with the UCM to which it is connected.The digest credentials for most Cisco IP phones are stored in the phone’s configuration file, which is
downloaded from a Trivial File Transfer Protocol (TFTP) server when the phone is started or reset. On Cisco
7940G and 7960G SIP IP phones, the digest credentials must be manually entered from the IP phone.
Digest credentials consist of a unique user ID, password, and digest realm. UCM generates a Message Digest
5 (MD5) hash from these values and a random number. A checksum is generated from the hash. The user
name and checksum are then stored in the UCM database in an encrypted format.
To enable UCM to authenticate a SIP phone, you should first configure a security profile for SIP phones and
verify that the Enable Digest Authentication check box has been selected. Next, you should apply the security
profile to the SIP phones that you want to be authenticated. After the security profile has been created and
applied, you should configure a digest user in the UCM Administration End User window, where you specify the
digest user ID and password that you want the SIP phone to use to authenticate. Finally, you must associate
the digest user with the SIP phone that you want to be authenticated and reset that SIP phone so that it
downloads its new configuration. The new configuration contains the digest credentials.
You do not need to upload the SIP phone configuration file to the TFTP server. UCM updates the configuration
file so that it can be downloaded from the TFTP server by the IP phones. However, for security reasons, you
might want to ensure that TFTP traffic between the server and the IP phones is encrypted. Otherwise, the
digest credentials will be included in a configuration file that is sent across the network as clear text.
You do not need to specify digest credentials in the Application User Configurationwindow. The Application
User Configuration window can be used to specify digest credentials for SIP applications that you want to
authenticate with UCM.
There is nothing in this scenario to indicate that you should configure the SIP realm on a SIP trunk. You would
need to configure a SIP realm if you were receiving digest authentication challenges over a SIP trunk.https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/9_0_1/secugd/
CUCM_BK_CCB00C40_00_cucm-security-guide-90/CUCM_BK_CCB00C40_00_cucm-securityguide_chapter_01100.html#CUCM_TK_S2044B79_00
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/9_0_1/secugd/
CUCM_BK_CCB00C40_00_cucm-security-guide-90/CUCM_BK_CCB00C40_00_cucm-securityguide_chapter_01.html#CUCM_RF_D4C84CE2_00