Tokenless CTL

tokenless CTL is a new feature introduced on Cisco Unified Communications Manager from 10.0, it allows for the encryption of phone signalling and media without the need for the USB eToken as was previously mandated.


  • have access to CLI
  • ensure the Database replication is working properly and there is full connectivity between the nodes

on the CLI of the CUCM CLI enter the command to check if a CTL is present

admin:show ctl
Length of CTL file: 0
CTL File not found. Please run CTLClient plugin or run the CLI – utils ctl.. to generate the CTL file.
Error parsing the CTL File.

on the phone check if CTL is installed, settings > Security > Enterprise Security > CTL – Not installed, ITL Installed

you can check the cluster security mode is set to 0 under CUCM Admin Page > System > Enterprise Parameters


place the cluster into mixed-mode

admin:utils ctl set-cluster mixed-mode
This operation will set the cluster to Mixed mode. Do you want to continue? (y/n):y

Moving Cluster to Mixed Mode
Cluster set to Mixed Mode
Please Restart the TFTP and Cisco CallManager services on all nodes in the cluster
that run these services

here again you can verify that the mode has now been set to 1 – Mixed Mode


Now you can restart CallManager and TFTP service on CUCM and phones to ensure they receive the correct CTL file

admin:show ctl
The checksum value of the CTL file:


Length of CTL file: 6362
The CTL File was last modified on Sat Mar 11 13:41:42 BST 2017

Parse CTL File

Version: 1.2
HeaderLength: 420 (BYTES)


The CTL file was verified successfully.





Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s