Cisco Cius Administration Guide, Release 9.2(1)
An Overview of Cisco Cius

Overview of Cisco Cius


Cisco Cius is a mobile collaboration tablet built for business. It is designed to help organizations capitalize on the value of mobility by enabling anywhere, anytime access to important business applications and features.

Cisco Cius includes the following features:

Campus mobility with a choice of wired Gigabit Ethernet connectivity through the handset media station or IEEE 802.11 a/b/g/n Wi-Fi connectivity

An Intel Atom 1.6-GHz processor

1 GB of RAM and 32 GB of eMMC flash memory

Native support for Bluetooth headsets

Bluetooth profile support, including Hands-Free Profile and Advanced Audio Distribution (A2DP) Profile

High-definition video through a 7-inch (177.8 mm) high-resolution color screen

High-definition audio through integrated speakers

Microphone

Front- and rear-facing cameras

Detachable and serviceable 8-hour battery

Cisco Cius, like other network devices, must be configured and managed. Cisco Cius tablets encode G.711 a-law, G.711 u-law, G.722, G.729a, G.729ab, and iLBC, and decode G.711 a-law, G.711 u-law, G.722, G.729, G.729a, G.729b, G.729ab, iSAC, iLBC, and H.264.

This chapter comprises the following topics:

Understanding Cisco Cius

Supported Networking Protocols

Supported Features on Cisco Cius

Understanding Security Features for Cisco Cius

Overview of Configuring and Installing Cisco Cius


Caution: Using a mobile or GSM phone, or a two-way radio, in close proximity to Cisco Cius might cause interference. For more information, see the manufacturer documentation of the interfering device.

Understanding Cisco Cius

Figure 1-1 shows the front view of Cisco Cius.

Figure 1-1 Cisco Cius—Front View

Table 1-1 describes the keys and components on the front of Cisco Cius.

Table 1-1 Cisco Cius Keys and Components—Front View 

| No. | Item | Description |
|-----|------|-------------|
| 1 | Camera LED | Indicates video status |
| 2 | Front-facing camera | 1-megapixel camera |
| 3 | Light sensor | Ambient light sensor |
| 4 | Speaker (one of two) | Two speakers (located on each side of keys) |
| 5 | Menu key | Displays menu options |
| 6 | Home key | Returns to the home screen |
| 7 | Back key | Returns to the previous screen |


Figure 1-2 shows the back view of Cisco Cius.

Figure 1-2 Cisco Cius—Back View

Table 1-2 describes the components on the back of Cisco Cius.

Table 1-2 Cisco Cius Components—Back View 

| No. | Item | Description |
|-----|------|-------------|
| 1 | Rear-facing camera | 5-megapixel camera with 8X digital zoom |


Figure 1-3 shows the left-side view of Cisco Cius.

Figure 1-3 Cisco Cius—Left Side

Table 1-3 describes the components on the left side of Cisco Cius.

Table 1-3 Cisco Cius Components—Left Side 

| No. | Item | Description |
|-----|------|-------------|
| 1 | Mute button | Mutes speaker |
| 2 | Volume Up button | Turns speaker volume up |
| 3 | Volume Down button | Turns speaker volume down |
| 4 | SIM slot | Location for SIM card. (Future) |


Figure 1-4 shows the right-side view of Cisco Cius.

Figure 1-4 Cisco Cius—Right Side

Table 1-4 describes the components on the right side of Cisco Cius.

Table 1-4 Cisco Cius Features—Right Side 

| No. | Item | Description |
|-----|------|-------------|
| 1 | Battery release | Provides means for removing battery |
| 2 | Power port | Connects to external power supply |


Figure 1-5 shows the top view of Cisco Cius.

Figure 1-5 Cisco Cius—Top View

Table 1-5 describes the components on the top of Cisco Cius.

Table 1-5 Cisco Cius Features—Top View 

| No. | Item | Description |
|-----|------|-------------|
| 1 | Micro-USB port | For Android Debug Bridge (ADB) access to get Cisco Cius debug data or to copy files to and from a PC. Cannot attach a mouse or other accessories. |
| 2 | MicroSD card slot | Location for MicroSD card |
| 3 | Microphone | |
| 4 | Power button | Turns unit on and off |


Figure 1-6 shows the bottom view of Cisco Cius.

Figure 1-6 Cisco Cius—Bottom View

Table 1-6 describes the components on the bottom of Cisco Cius.

Table 1-6 Cisco Cius Features—Bottom View 

| No. | Item | Description |
|-----|------|-------------|
| 1 | Headset port | 3.5 mm single-plug stereo headphone connection |
| 2 | Dock ports | Connects to Cisco Cius media station |
| 3 | HDMI port | Type-D mini-HDMI |


Supported Networking Protocols

Cisco Cius supports several industry-standard and Cisco networking protocols that are required for voice communication. Table 1-7 provides an overview of the networking protocols that Cisco Cius supports.

Table 1-7 Supported Networking Protocols on Cisco Cius 

Networking Protocol
Purpose
Usage Notes

Bluetooth

Bluetooth is a wireless personal area network (WPAN) protocol that specifies how devices communicate over short distances.

Cisco Cius supports Bluetooth 2.1+EDR.

Cisco Cius supports Hands-Free Profile (HFP) and Advanced Audio Distribution (A2DP) Profile.

Bootstrap Protocol (BootP)

BootP enables a network device, such as Cisco Cius, to discover certain startup information, such as its IP address.

Cisco Discovery Protocol (CDP)

CDP is a device-discovery protocol that runs on all Cisco-manufactured equipment.

Using CDP, a device can advertise its existence to other devices and receive information about other devices in the network.

Cisco Cius uses CDP to communicate information such as auxiliary VLAN ID, per port power-management details, and Quality of Service (QoS) configuration information with the Cisco Catalyst switch.

Cisco Peer-to-Peer Distribution Protocol (CPPDP)

CPPDP is a Cisco proprietary protocol that is used to form a peer-to-peer hierarchy of devices. This hierarchy distributes firmware files from peer devices to their neighboring devices.

The Peer Firmware Sharing feature uses CPPDP.

Dynamic Host Configuration Protocol (DHCP)

DHCP dynamically allocates and assigns an IP address to network devices.

DHCP enables you to connect Cisco Cius into the network and have Cisco Cius become operational without your needing to manually assign an IP address or to configure additional network parameters.

DHCP is enabled by default. If DHCP is disabled, you must manually configure the IP address, gateway, netmask, and a TFTP server on Cisco Cius locally.

Cisco recommends that you use DHCP custom option 150. With this method, you configure the TFTP server IP address as the option value. For additional supported DHCP configurations, see the following chapters in the Cisco Unified Communications Manager System Guide:

Dynamic Host Configuration Protocol

Cisco TFTP

If you cannot use option 150, try using DHCP option 66.

Hypertext Transfer Protocol (HTTP)

HTTP is the standard way of transferring information and moving documents across the Internet and the web.

Cisco Cius uses HTTP for XML services and for troubleshooting purposes.

Hypertext Transfer Protocol Secure (HTTPS)

HTTPS combines the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of servers. It is also used for transferring Cisco Cius firmware images.

Web applications with both HTTP and HTTPS support have two URLs configured.

IEEE 802.1X

The IEEE 802.1X standard defines a client-server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports.

Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.

Cisco Cius implements the IEEE 802.1X standard by providing support for the following authentication methods: EAP-FAST, EAP-TLS, PEAP, and CCKM.

After 802.1X authentication is enabled on Cisco Cius, disable the PC port on the media station and voice VLAN. See the "Supporting 802.1X Authentication on Cisco Cius" section for additional information.

IEEE 802.11a/b/g/n

The IEEE 802.11 standard specifies how devices communicate over a wireless local area network (WLAN).

802.11a operates in the 5 GHz band, and 802.11b and 802.11g operate in the 2.4 GHz band.

802.11n operates in either the 2.4 GHz or the 5 GHz band.

The 802.11 interface is a deployment option for cases when Ethernet cabling is unavailable or undesirable.

Internet Protocol (IP)

IP is a messaging protocol that addresses and sends packets across the network.

To communicate using IP, network devices must have an assigned IP address, gateway, and netmask.

IP address, gateway, and netmask identifications are automatically assigned if you are using Cisco Cius with DHCP. If you are not using DHCP, you must manually assign these properties to each Cisco Cius locally.

Link Layer Discovery Protocol (LLDP)

LLDP is a standardized network discovery protocol (similar to CDP) that is supported on some Cisco and third-party devices.

Link Layer Discovery Protocol-Media Endpoint Devices (LLDP-MED)

LLDP-MED is an extension of the LLDP standard developed for voice products.

Cisco Cius supports LLDP-MED on the media station switch port to communicate information such as:

Voice VLAN configuration

Device discovery

Power management

Inventory management

For more information about LLDP-MED support, see the LLDP-MED and Cisco Discovery Protocol white paper at this URL:

http://www.cisco.com/en/US/technologies/tk652/tk701/technologies_white_paper0900aecd804cd46d.html

Real-Time Transport Protocol (RTP)

RTP is a standard protocol for transporting real-time data, such as interactive voice and video, over data networks.

Cisco Cius uses RTP to send and receive real-time voice and video traffic from other devices and gateways.

Real-Time Control Protocol (RTCP)

RTCP works in conjunction with RTP to provide QoS data (such as jitter, latency, and round-trip delay) on RTP streams. RTCP is also used to synchronize the audio and video stream in order to provide a better video experience.

RTCP is disabled by default, but you can use Cisco Unified Communications Manager to enable it on a per-tablet basis.

Session Description Protocol (SDP)

SDP is the portion of the SIP protocol that determines which parameters are available during a connection between two endpoints. Conferences are established by using only the SDP capabilities that are supported by all endpoints in the conference.

SDP capabilities, such as codec types, DTMF detection, and comfort noise, are normally configured on a global basis by Cisco Unified Communications Manager or Media Gateway in operation. Some SIP endpoints may allow these parameters to be configured on the endpoint itself.

Session Initiation Protocol (SIP)

SIP is the IETF standard for multimedia conferencing over IP. SIP is an ASCII-based application-layer control protocol (defined in RFC 3261) that can be used to establish, maintain, and terminate calls between two or more endpoints.

Like other VoIP protocols, SIP is designed to address the functions of signaling and session management within a packet telephony network. Signaling allows call information to be carried across network boundaries. Session management provides the ability to control the attributes of an end-to-end call.

Transmission Control Protocol (TCP)

TCP is a connection-oriented transport protocol.

Cisco Cius uses TCP to connect to Cisco Unified Communications Manager and to access XML services.

Transport Layer Security (TLS)

TLS is a standard protocol for securing and authenticating communications.

Cisco Cius uses the TLS protocol after registering with Cisco Unified Communications Manager securely.

Trivial File Transfer Protocol (TFTP)

TFTP allows you to transfer files over the network.

On Cisco Cius, TFTP enables you to obtain a configuration file specific to Cisco Cius.

TFTP requires a TFTP server in your network, which can be automatically identified from the DHCP server. If you want Cisco Cius to use a TFTP server other than the one specified by the DHCP server, you must use the Network Configuration menu on Cisco Cius to assign the IP address of the TFTP server manually.

For more information, see the "Cisco TFTP" chapter in the Cisco Unified Communications Manager System Guide.

User Datagram Protocol (UDP)

UDP is a connectionless messaging protocol for delivery of data packets.

Cisco Cius transmits and receives RTP streams, which utilize UDP.
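
The DHCP and TFTP rows of Table 1-7 say that the tablet learns its TFTP server from DHCP option 150, with option 66 as the fallback. The following added example (not from the Cisco guide) parses a DHCP options field and checks the advertised TFTP servers against an approved list. The sample offers, addresses and approved list are constructed, and giving option 150 precedence when both options are present is an assumption.

```python
import ipaddress

OPT_PAD, OPT_END = 0, 255
OPT_TFTP_SERVER_NAME = 66    # RFC 2132: TFTP server name (string)
OPT_TFTP_SERVER_ADDR = 150   # RFC 5859: list of IPv4 TFTP server addresses


def parse_dhcp_options(data: bytes) -> dict:
    """Decode a DHCP options field (the bytes after the magic cookie) into {code: value}."""
    options = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # pad bytes carry no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"option {code}: missing length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        # RFC 3396: a repeated option code is concatenated, not overwritten.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def tftp_servers(options: dict) -> tuple:
    """Return (source_option, [servers]).

    Assumption: option 150 wins when both options are present, mirroring the
    guide's "use option 150; if you cannot, try option 66" recommendation.
    """
    raw150 = options.get(OPT_TFTP_SERVER_ADDR)
    if raw150:
        if len(raw150) % 4:
            raise ValueError("option 150 length is not a multiple of 4")
        addrs = [str(ipaddress.IPv4Address(raw150[i:i + 4]))
                 for i in range(0, len(raw150), 4)]
        return 150, addrs
    raw66 = options.get(OPT_TFTP_SERVER_NAME)
    if raw66:
        return 66, [raw66.rstrip(b"\x00").decode("ascii")]
    return None, []


def audit_offer(options_field: bytes, approved: set) -> list:
    """List the TFTP servers advertised in an offer that are not approved."""
    _, servers = tftp_servers(parse_dhcp_options(options_field))
    return [s for s in servers if s not in approved]


# Constructed sample data (not captured traffic).
APPROVED = {"10.0.0.5", "10.0.0.6"}
NAME = b"tftp.example.test"
OFFER_WITH_150 = (
    bytes([53, 1, 2])                                  # message type: OFFER
    + bytes([150, 8, 10, 0, 0, 5, 10, 0, 0, 6])        # two TFTP addresses
    + bytes([66, len(NAME)]) + NAME                    # ignored: 150 present
    + bytes([OPT_END])
)
ROGUE = b"192.0.2.50"
OFFER_WITH_66_ONLY = (
    bytes([53, 1, 2]) + bytes([66, len(ROGUE)]) + ROGUE + bytes([OPT_END])
)

if __name__ == "__main__":
    for label, offer in (("150", OFFER_WITH_150), ("66 only", OFFER_WITH_66_ONLY)):
        source, servers = tftp_servers(parse_dhcp_options(offer))
        print(label, "-> option", source, servers,
              "unapproved:", audit_offer(offer, APPROVED))
```
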


Related Topics

Understanding Interactions with Other Cisco Unified IP Telephony Products

Understanding Cisco Cius Startup Process

Ethernet Settings Menu

Supported Features on Cisco Cius

Cisco Cius is a business tablet that delivers anytime, anywhere access to Cisco Collaboration applications, including Unified Communications features. Cisco Cius also provides access to other business and Android applications.

This section comprises the following topics:

Feature Overview

Configuring Telephony Features

Configuring Network Parameters Using Cisco Cius

Providing Users with Feature Information

Feature Overview

Cisco Cius is a mobile collaboration tablet for business. Cisco Cius provides an integrated suite of collaborative applications, including Cisco Quad, Cisco WebEx, Cisco Unified Presence, instant messaging, email, visual voice mail, and Cisco Unified Communications Manager voice and video telephony features. Cisco Cius also provides Virtual Desktop Infrastructure (VDI) and cloud computing and support for a wide range of applications through Cisco AppHQ Developer Network Marketplace. Cisco Cius also supports applications from the Google Android Marketplace. For an overview of the features that Cisco Cius supports and for tips on configuring them, see Chapter 5 "Configuring Features, Templates, Services, and Users."

As with other network devices, you must configure Cisco Cius to prepare it to access Cisco Unified Communications Manager and the rest of the IP network. By using DHCP, you have fewer settings to configure on Cisco Cius, but if your network requires it, you can manually configure an IP address, TFTP server, netmask information, and so on. For instructions on configuring the network settings on Cisco Cius, see the "Setup Menus on Cisco Cius" section.

Finally, because Cisco Cius is a network device, you can obtain detailed status information from it directly. This information can assist you with troubleshooting problems that users might encounter when using their Cisco Cius tablets. See Chapter 7 "Viewing Model Information, Status, and Statistics on Cisco Cius" for more information.

Related Topics

Configuring Settings on Cisco Cius

Configuring Features, Templates, Services, and Users

Troubleshooting and Maintenance

Configuring Telephony Features

You can modify settings for Cisco Cius from Cisco Unified Communications Manager Administration. Use this web-based application to set up Cisco Cius registration criteria and calling search spaces, to configure corporate directories and services, and to modify phone button templates, among other tasks.

For more information, see the "Telephony Features Available for Cisco Cius" section and the Cisco Unified Communications Manager Administration Guide. You can also use the context-sensitive help available within the application for guidance.

You can access Cisco Unified Communications Manager documentation at this location:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/tsd_products_support_series_home.html

You can access Cisco Unified Communications Manager Business Edition 5000 documentation at this location:

http://www.cisco.com/en/US/products/ps7273/tsd_products_support_series_home.html

Configuring Network Parameters Using Cisco Cius

You can configure parameters, such as DHCP, TFTP, and IP settings, on the Cisco Cius tablet. You can also obtain statistics about a current call or firmware versions on Cisco Cius.

For more information about configuring features and viewing statistics from Cisco Cius, see Chapter 6 "Configuring Settings on Cisco Cius" and Chapter 7 "Viewing Model Information, Status, and Statistics on Cisco Cius."

Providing Users with Feature Information

You are likely the primary source of information for Cisco Cius users in your network or company. To ensure that you distribute the most current feature and procedural information, familiarize yourself with Cisco Cius documentation. Make sure to visit the Cisco Cius website:

http://www.cisco.com/en/US/products/ps11156/tsd_products_support_series_home.html

From this site, you can view the user guide and quick start documentation.


Note: The Cisco Cius User Guide is also available directly through a link on the tablet. Choose Settings > About Cius > Cisco Cius User Guide.


In addition to providing documentation, it is important to inform users about available Cisco Cius features, including those specific to your company or network, and about how to access and customize those features, if appropriate.

For a summary of some of the key information that Cisco Cius users may need, see "Providing Information to Users Through a Website."

Understanding Security Features for Cisco Cius

Implementing security in the Cisco Unified Communications Manager system prevents data tampering and prevents tampering with the call signaling and media streams of Cisco Cius and the Cisco Unified Communications Manager server.

To alleviate these threats, the Cisco IP telephony network establishes and maintains secure (encrypted) communication streams between Cisco Cius and the server, digitally signs files before they are transferred to Cisco Cius, and encrypts media streams and call signaling between Cisco Cius tablets.

Cisco Cius uses a security profile that defines whether the device is nonsecure or secure. For information about applying the security profile to the device, see the Cisco Unified Communications Manager Security Guide.

If you configure security-related settings in Cisco Unified Communications Manager Administration, the phone configuration file contains sensitive information. To ensure the privacy of a configuration file, you must configure the file for encryption. For detailed information, see the "Configuring Encrypted Phone Configuration Files" chapter in Cisco Unified Communications Manager Security Guide.

Table 1-8 shows where you can find information about security in this and other documents.

Table 1-8 Cisco Cius and Cisco Unified Communications Manager Security Topics 

| Topic | Reference |
|-------|-----------|
| Detailed explanation of security, including setup, configuration, and troubleshooting information for Cisco Unified Communications Manager and Cisco Cius | See the Cisco Unified Communications Manager Security Guide. |
| Security features supported on Cisco Cius | See the "Overview of Supported Security Features" section. See the Cisco Cius Wireless LAN Deployment Guide. |
| Restrictions regarding security features | See the "Security Restrictions" section. |
| Viewing a security profile name | Table 1-9 provides an overview of the security features that Cisco Cius supports. For more information about these features and about Cisco Unified Communications Manager and Cisco Unified IP Phone security, see the Cisco Unified Communications Manager Security Guide. |
| Identifying phone calls for which security is implemented | See the "Identifying Secure (Encrypted) Phone Calls" section. |
| TLS connection | See the "Supported Networking Protocols" section. See the "Adding Cisco Cius Tablets with Cisco Unified Communications Manager Administration" section. |
| Security and Cisco Cius startup process | See the "Understanding Cisco Cius Startup Process" section. |
| Security and Cisco Cius configuration files | See the "Adding Cisco Cius Tablets with Cisco Unified Communications Manager Administration" section. |
| Changing the TFTP Server 1 or TFTP Server 2 option on Cisco Cius after security is implemented | See the "TFTP Server Settings Menu" section. |
| Items on the Security Setup menu that you access from Cisco Cius | See the "Location & Security Setup Menu" section. |
| Disabling access to a tablet web page | See the "Enabling and Disabling Web Page Access" section. |
| Troubleshooting | See the "Troubleshooting Cisco Cius Security" section. See the Cisco Unified Communications Manager Security Guide. |
| Deleting the CTL/ITL file from Cisco Cius | See the "Resetting Cisco Cius" section. |
| Resetting or restoring Cisco Cius | See the "Resetting Cisco Cius" section. |
| 802.1X Authentication for Cisco Cius | See these sections: Supporting 802.1X Authentication on Cisco Cius; Enterprise Security Settings; Troubleshooting Cisco Cius Security. |


Overview of Supported Security Features

Table 1-9 provides an overview of the security features that Cisco Cius supports. For more information about these features and about Cisco Unified Communications Manager and Cisco Cius security, see the Cisco Unified Communications Manager Security Guide and the "Wireless Security" chapter of the Cisco Cius Wireless LAN Deployment Guide.

For information about current security settings on Cisco Cius, press the Menu key and choose Settings > Location and security. For more information, see the "Location & Security Setup Menu" section.

Table 1-9 Overview of Security Features 

Feature
Description

Image authentication

Signed binary files (with the extension .sbn) prevent tampering with the firmware image before it is loaded on a Cisco Cius tablet. Tampering with the image causes Cisco Cius to fail the authentication process and reject the new image.

Customer-site certificate installation

Each Cisco Cius requires a unique certificate for device authentication. Cisco Cius tablets include a manufacturing installed certificate (MIC), but for additional security, you can specify in Cisco Unified Communications Manager Administration that a certificate be installed by using the Certificate Authority Proxy Function (CAPF). Alternatively, you can install a Locally Significant Certificate (LSC) from the Enterprise security menu on the tablet. See the "Configuring Security on Cisco Cius" section for more information.

Device authentication

Occurs between the Cisco Unified Communications Manager server and Cisco Cius when each entity accepts the certificate of the other entity. Determines whether a secure connection between Cisco Cius and Cisco Unified Communications Manager occurs and, if necessary, creates a secure signaling path between the entities by using TLS protocol. Cisco Unified Communications Manager will not register Cisco Cius tablets unless Cisco Unified Communications Manager can authenticate them.

File authentication

Validates digitally signed files that Cisco Cius downloads. Cisco Cius validates the signature to make sure that file tampering did not occur after file creation. Files that fail authentication are not written to Flash memory on Cisco Cius. Cisco Cius rejects such files without further processing.

File encryption

Encryption prevents sensitive information from being revealed while the file is in transit to Cisco Cius. In addition, Cisco Cius validates the signature to make sure that file tampering did not occur after file creation. Files that fail authentication are not written to Flash memory on the Cius. Cisco Cius rejects such files without further processing.

Signaling authentication

Uses the TLS protocol to validate that no tampering has occurred to signaling packets during transmission.

Manufacturing installed certificate

Each Cisco Cius contains a unique manufacturing-installed certificate (MIC), which is used for device authentication. The MIC provides permanent unique proof of identity for the tablet and allows Cisco Unified Communications Manager to authenticate Cisco Cius.

Media encryption

Uses SRTP to ensure that the media streams between supported devices are secure and that only the intended device receives and reads the data. Includes creating a media master key pair for the devices, delivering the keys to the devices, and securing the delivery of the keys.

CAPF (Certificate Authority Proxy Function)

Implements parts of the certificate generation procedure that are too processing-intensive for Cisco Cius, and interacts with Cisco Cius for key generation and certificate installation. The CAPF can be configured to request certificates from customer-specified certificate authorities on behalf of Cisco Cius, or it can be configured to generate certificates locally.

Security profiles

Defines whether Cisco Cius is nonsecure, authenticated, encrypted, or protected. For more information about these features and about Cisco Unified Communications Manager and Cisco Cius security, see the Cisco Unified Communications Manager Security Guide.

Encrypted configuration files

Lets you ensure the privacy of Cisco Cius configuration files.

Optional disabling of the web server functionality for Cisco Cius

For security purposes, you can prevent access to a Cisco Cius web page (which indicates a variety of operational statistics for the tablet) and user options pages. For more information, see the "Enabling and Disabling Web Page Access" section.

Phone hardening

Additional security options, which you control from Cisco Unified Communications Manager Administration:

Disabling PC port on the media station

Disabling Gratuitous ARP (GARP)

Disabling PC Voice VLAN access

Providing restricted access to the web applications

Disabling Bluetooth Accessory Port

Disabling access to web pages

Requiring a screen lock

Controlling access to Google Android market

Controlling access to installation of applications from unknown sources

802.1X Authentication

Cisco Cius can use 802.1X authentication to request and gain access to the network. See the "Supporting 802.1X Authentication on Cisco Cius" section for more information.

Secure SIP Failover for SRST

After you configure an SRST reference for security and then reset the dependent devices in Cisco Unified Communications Manager Administration, the TFTP server adds the SRST certificate to the Cisco Cius cnf.xml file and sends the file to the tablet. A secure tablet then uses a TLS connection to interact with the SRST-enabled router.

Signaling encryption

Ensures that all SIP signaling messages that are sent between the device and the Cisco Unified CM server are encrypted.


Related Topics

Identifying Secure (Encrypted) Phone Calls

Security Restrictions

Understanding Security Profiles

All Cisco Cius tablets that support Cisco Unified Communications Manager use a security profile, which defines whether the tablet is nonsecure, authenticated, or encrypted. For information about configuring the security profile and applying the profile to the tablet, see the Cisco Unified Communications Manager Security Guide.

To view the security mode that is set for Cisco Cius, view the Signaling security mode setting in the Enterprise security settings menu.

Related Topics

Identifying Secure (Encrypted) Phone Calls

Security Restrictions

Identifying Secure (Encrypted) Phone Calls

Security is implemented for Cisco Cius by enabling the "Protected Device" parameter from the Cisco Unified Communications Manager Administration Phone window. When security is implemented, you can identify secure phone calls by the Secure Call icon on the Cisco Cius screen. In a secure call, all call signaling and media streams are encrypted. A secure call offers a high level of security, providing integrity and privacy to the call. When a call in progress is being encrypted, the Security Mode status on Cisco Cius Enterprise security settings menu indicates "Encrypted."


Note: If the call is routed through non-IP call legs (for example, PSTN), the call may be nonsecure even though it is encrypted within the IP network and has a lock icon associated with it.


In a secure call, a 2-second tone plays to notify the users when a call is encrypted and both devices are configured as protected devices, and if secure tone features are enabled on Cisco Unified Communications Manager. The tone plays for both parties when the call is answered. The tone does not play unless both devices are protected and the call occurs over encrypted media. If the system determines that the call is not encrypted, Cisco Cius plays a nonsecure indication tone (6 beeps) to alert the user that the call is not protected. For a detailed description of the secure indication tone feature and the configuration requirements, see the Cisco Unified Communications Manager Security Guide.


Note: Video is transmitted as nonsecure. So, even if both Cisco Cius tablets are secure, the "Encrypted" lock icon will not be displayed for video calls.


Related Topics

Understanding Security Features for Cisco Cius

Security Restrictions

Establishing and Identifying Secure Calls

A secure call is established when your Cisco Cius and a phone on the other end are configured for secure calling. They can be in the same Cisco IP network, or on a network outside the IP network. A secure call is established by using this process:

1. A user initiates the call from a secured Cisco Cius (Encrypted security mode).

2. Cisco Cius indicates the "Encrypted" status on the Enterprise security menu. This status indicates that Cisco Cius is configured for secure calls, but does not mean that the other connected phone is also secured.

3. A security tone plays if the call is connected to another secured device, indicating that both ends of the conversation are encrypted and secured. Otherwise, a nonsecure tone plays.


Note: The secure tone is played only when it is enabled on Cisco Unified Communications Manager. If it is disabled on Cisco Unified Communications Manager, no secure tone is played even if the call is secure. For more information, see the "Configuring Secure and Nonsecure Indication Tones" chapter of the Cisco Unified Communications Manager Security Guide.


Establishing and Identifying Secure Conference Calls

You can initiate a secure conference call and monitor the security level of participants. A secure conference call is established by using this process:

1. A user initiates the conference from a secure Cisco Cius tablet.

2. Cisco Unified Communications Manager assigns a secure conference bridge to the call.

3. As participants are added, Cisco Unified Communications Manager verifies the security mode of each device and maintains the secure level for the conference.

4. Cisco Cius indicates the security level of the conference call.


Note: Various interactions, restrictions, and limitations affect the security level of the conference call, depending on the security mode of the participant devices and the availability of secure conference bridges. See Table 1-12 and Table 1-13 for information about these interactions. Cisco Cius supports secure audio conference calls only; video will not be secure.


Call Security Interactions and Restrictions

Cisco Unified Communications Manager checks the Cisco Cius security status when conferences are established, and either changes the security indication for the conference or blocks completion of the call to maintain integrity and security in the system. Table 1-10 provides information about changes to call security levels when Barge is used.

Table 1-10 Call Security Interactions When Barge Is Used

| Initiator Device Security Level | Feature Used | Call Security Level | Results of Action |
|---|---|---|---|
| Nonsecure | Barge | Encrypted call | Call barged and identified as nonsecure call |
| Secure | Barge | Encrypted call | Call barged and identified as secure call |


Table 1-11 provides information about changes to conference security levels depending on the initiator device security level, the security levels of participants, and the availability of secure conference bridges.

Table 1-11 Security Restrictions with Conference Calls

| Initiator Device Security Level | Feature Used | Security Level of Participants | Results of Action |
|---|---|---|---|
| Nonsecure | Conference | Secure | Nonsecure conference bridge; Nonsecure conference |
| Secure | Conference | At least one member is nonsecure | Secure conference bridge; Nonsecure conference |
| Secure | Conference | Secure | Secure conference bridge; Secure encrypted level conference |


Supporting 802.1X Authentication on Cisco Cius

These sections provide information about 802.1X support on Cisco Cius:

Overview

Required Network Components

Requirements and Recommendations

Overview

Cisco Cius and Cisco Catalyst switches traditionally use Cisco Discovery Protocol (CDP) to identify each other and determine parameters such as VLAN allocation and inline power requirements. However, CDP does not identify any locally attached PCs. An EAPOL pass-through mechanism is therefore used, whereby a PC that is attached locally to Cisco Cius may pass EAPOL messages to the 802.1X authenticator in the LAN switch. This mechanism prevents Cisco Cius from having to act as the authenticator, yet allows the LAN switch to authenticate a data endpoint before that endpoint accesses the network.

In conjunction with the EAPOL pass-through mechanism, Cisco Cius provides a proxy EAPOL-Logoff mechanism. If the locally attached PC disconnects from Cisco Cius, the LAN switch does not detect the physical link failure, because the link between the LAN switch and Cisco Cius is maintained. To avoid compromising network integrity, Cisco Cius sends an EAPOL-Logoff message to the switch on behalf of the downstream PC, and this action triggers the LAN switch to clear the authentication entry for the downstream PC.

Cisco Cius contains an 802.1X supplicant in addition to the EAPOL pass-through mechanism. This supplicant allows network administrators to control the connectivity of Cisco Cius to the LAN switch ports. The current release of the 802.1X supplicant uses the EAP-FAST and EAP-TLS options for network authentication.
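The proxy EAPOL-Logoff behavior described above can be modeled as follows. This is an added example, not Cisco code: it builds and parses EAPOL frames (EtherType 0x888E) and shows the switch session table after the PC unplugs, with and without the proxy Logoff. The MAC addresses are constructed, AuthenticatorPort is a hypothetical toy model of one switch port, and the Logoff is assumed to carry the PC's MAC address as its source.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_eapol(src_mac, eapol_type, body=b"", version=2):
    """Ethernet header + EAPOL header (version, type, body length) + body."""
    eth = PAE_GROUP_ADDR + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", version, eapol_type, len(body)) + body

def parse_eapol(frame):
    """Return (source MAC, EAPOL type name), or None if not a valid EAPOL frame."""
    if len(frame) < 18:
        return None  # too short for Ethernet + EAPOL headers
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    _version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    if len(frame) < 18 + length:
        return None  # truncated body
    return mac_str(frame[6:12]), EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})")

class AuthenticatorPort:
    """Hypothetical toy model of one switch port in multidomain mode."""
    def __init__(self):
        self.sessions = set()

    def authorize(self, mac):
        # Stands in for a completed EAP exchange with the authentication server.
        self.sessions.add(mac.lower())

    def receive(self, frame):
        parsed = parse_eapol(frame)
        if parsed and parsed[1] == "EAPOL-Logoff":
            self.sessions.discard(parsed[0])  # clear that endpoint's entry only
        return parsed

def simulate_pc_unplug(proxy_logoff):
    """Return the sessions left on the port after the PC disconnects."""
    tablet, pc = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # constructed MACs
    port = AuthenticatorPort()
    port.authorize(tablet)
    port.authorize(pc)
    # The PC unplugs from the PC port; the switch-to-tablet link stays up,
    # so the switch sees no link-down event for the PC.
    if proxy_logoff:
        # Assumption: the tablet sends the Logoff with the PC's MAC as source.
        port.receive(build_eapol(pc, 2))
    return port.sessions
```

Without the proxy Logoff, the PC's entry remains authorized on the port after the PC is gone; with it, only the tablet's own session is left.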

Required Network Components

Support for 802.1X authentication on Cisco Cius requires several components, including the following:

Cisco Cius—Cisco Cius acts as the 802.1X supplicant, which initiates the request to access the network.

Cisco Catalyst Switch (or other third-party switch)—The switch must support 802.1X, so that it can act as the authenticator and pass the messages between Cisco Cius and the authentication server. When the exchange is completed, the switch grants or denies access to the network to the tablet.

Requirements and Recommendations

The requirements and recommendations for 802.1X authentication on Cisco Cius include the following:

Enable 802.1X Authentication—If you want to use the 802.1X standard to authenticate Cisco Cius, be sure that you properly configure the other components before enabling 802.1X authentication on the tablet. See the "Enterprise Security Settings" section for more information.

Configure PC Port on Media Station—The 802.1X standard does not take into account the use of VLANs and thus recommends that only a single device be authenticated to a specific switch port. However, some switches (including Cisco Catalyst switches) support multidomain authentication. The switch configuration determines whether you can connect a PC to a Cisco Cius media station PC port.

Enabled—If you are using a switch that supports multidomain authentication, you can enable the media station PC port and connect a PC to it. In this case, Cisco Cius supports proxy EAPOL-Logoff to monitor the authentication exchanges between the switch and the attached PC. For more information about IEEE 802.1X support on the Cisco Catalyst switches, see the Cisco Catalyst switch configuration guides at:

http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html

Disabled—If the switch does not support multiple 802.1X-compliant devices on the same port, disable the media station PC Port when 802.1X authentication is enabled. See the "Ethernet Settings Menu" section for more information. If you do not disable this port and subsequently attempt to attach a PC to it, the switch denies network access to both the tablet and the PC.

Configure Voice VLAN—Because the 802.1X standard does not account for VLANs, configure this setting based on the switch support.

Enabled—If you are using a switch that supports multidomain authentication, continue to use the voice VLAN.

Disabled—If the switch does not support multidomain authentication, disable the Voice VLAN and consider assigning the port to the native VLAN. See the "Ethernet Settings Menu" section for more information.

Security Restrictions

A user cannot barge in to an encrypted call if the Cisco Cius tablet that is used to barge is not configured for encryption. When barge fails in this case, a fast busy tone plays on the Cisco Cius on which the user initiated the barge.

If the initiator Cisco Cius tablet is configured for encryption, the barge initiator can barge in to a nonsecure call from the encrypted Cisco Cius tablet. After the barge occurs, Cisco Unified Communications Manager classifies the call as nonsecure.

If the initiating Cisco Cius is configured for encryption, the barge initiator can barge in to an encrypted call, and Cisco Cius indicates that the call is encrypted.

Overview of Configuring and Installing Cisco Cius

When deploying a new IP telephony system, system administrators and network administrators must complete several initial configuration tasks to prepare the network for IP telephony service. For information and a checklist for setting up and configuring a Cisco IP telephony network, see the "System Configuration Overview" chapter in the Cisco Unified Communications Manager System Guide.

After you set up the IP telephony system and configure system-wide features in Cisco Unified Communications Manager, you can add Cisco Cius to the system.

The following topics provide an overview of procedures for adding Cisco Cius to your network:

Configuring Cisco Cius in Cisco Unified Communications Manager

Installing Cisco Cius

Configuring Cisco Cius in Cisco Unified Communications Manager

Use the following methods to add Cisco Cius tablets to the Cisco Unified Communications Manager database:

Auto-registration

Cisco Unified Communications Manager Administration

Bulk Administration Tool (BAT)

BAT and the Tool for Auto-Registered Phones Support (TAPS)

For more information about these choices, see the "Understanding How Cisco Cius Interacts with Cisco Unified Communications Manager" section.

For general information about configuring Cisco Cius tablets in Cisco Unified Communications Manager, see the following documentation:

Cisco Unified Communications Manager Administration Guide

Cisco Unified Communications Manager Bulk Administration Guide

Checklist for Configuring Cisco Cius in Cisco Unified Communications Manager

Table 1-12 provides a checklist of configuration tasks for Cisco Cius in Cisco Unified Communications Manager Administration. The list presents a suggested order to guide you through the Cisco Cius configuration process. Some tasks are optional, depending on your system and user needs. For detailed procedures and information, see the sources in the list.

Table 1-12 Checklist for Configuring Cisco Cius in Cisco Unified Communications Manager  

Task
Purpose
For More Information

Gather the following information about Cisco Cius:

MAC address (Ethernet MAC address)


Note Cisco Cius uses two addresses: Ethernet MAC and Wireless LAN MAC. When adding Cisco Cius to the Cisco Unified Communications Manager, it must be provisioned using the Ethernet MAC address.


Physical location of Cisco Cius

Name or user ID of Cisco Cius user

Device pool

Partition, calling search space, and location information

Number of lines and associated directory numbers (DNs) to assign to Cisco Cius

Cisco Unified Communications Manager user to associate with Cisco Cius

Cisco Cius usage information that affects telephony features, or applications

Provides list of configuration requirements for setting up Cisco Cius.

Identifies preliminary configuration that you must perform before configuring Cisco Cius.

For more information, go to the "Cisco Unified IP Phones" chapter in the Cisco Unified Communications Manager System Guide.

See the "Telephony Features Available for Cisco Cius" section.

Verify that you have sufficient unit licenses for your Cisco Cius.

For more information, go to the "Licensing" chapter in the Cisco Unified Communications Manager Features and Services Guide.

Add and configure Cisco Cius by completing the required fields in the Phone Configuration window of Cisco Unified Communications Manager Administration. Required fields are indicated by an asterisk (*) next to the field name; for example, MAC address and device pool.

Adds the device with its default settings to the Cisco Unified Communications Manager database.

For more information, go to the "Cisco Unified IP Phone Configuration" chapter in the Cisco Unified Communications Manager Administration Guide.

For information about Product Specific Configuration fields, use the "?" button in the Phone Configuration window.

Note If you want to add both Cisco Cius and user to the Cisco Unified Communications Manager database at the same time, go to the "User/Phone Add Configuration" chapter in the Cisco Unified Communications Manager Administration Guide.

Add and configure directory numbers (lines) on Cisco Cius by completing the required fields in the Phone Configuration window in Cisco Unified Communications Manager Administration. Required fields are indicated by an asterisk (*) next to the field name; for example, directory number and presence group.

Adds primary and secondary directory numbers and features associated with directory numbers to Cisco Cius.

For more information, go to the "Directory Number Configuration" chapter in the Cisco Unified Communications Manager Administration Guide.

See the "Telephony Features Available for Cisco Cius" section.

Configure speed-dial buttons and assign speed-dial numbers (optional).

Adds speed-dial buttons and numbers.

Users can change speed-dial settings on their Cisco Cius by using Cisco Unified Communications Manager User Options.

For more information, go to the "Configuring Speed-Dial Buttons or Abbreviated Dialing" section in the "Cisco Unified IP Phone Configuration" chapter in the Cisco Unified Communications Manager Administration Guide.

Configure Cisco Cius services and assign services (optional).

Provides Cisco Cius services.

Users can add or change services on their Cisco Cius by using the Cisco Unified Communications Manager User Options.

Note Users can subscribe to the IP phone service only if the Enterprise Subscription check box is unchecked when the IP phone service is first configured in Cisco Unified Communications Manager Administration.

Note Some Cisco-provided default services are classified as enterprise subscriptions, so the user cannot add them through the user options pages. These services are on Cisco Cius by default, and they can be removed from the device only if you disable them in Cisco Unified Communications Manager Administration.

For more information, go to the "IP Phone Services Configuration" chapter in the Cisco Unified Communications Manager Administration Guide.

See the "Configuring Reset Options/Load Upgrades" section.

Add user information by configuring required fields. Required fields are indicated by an asterisk (*); for example, User ID and last name.

Note Assign a password for User Options web pages.

Adds user information to the global directory for Cisco Unified Communications Manager.

For more information, go to the "End User Configuration" chapter in the Cisco Unified Communications Manager Administration Guide.

See the "Configuring Reset Options/Load Upgrades" section.

If your company uses a Lightweight Directory Access Protocol (LDAP) directory to store information about users, you can install and configure Cisco Unified Communications Manager to use your existing LDAP directory.

If you want to add both Cisco Cius and user to the Cisco Unified Communications Manager database at the same time, go to the "User/Phone Add Configuration" chapter in the Cisco Unified Communications Manager Administration Guide.

Associate a user to a user group.

Assigns users a common list of roles and permissions that apply to all users in a user group. Administrators can manage user groups, roles, and permissions to control the level of access (and, therefore, the level of security) for system users. For example, you must add users to the standard Cisco CCM End Users group so users can access Cisco Unified Communications Manager User Options.

See the following sections in the Cisco Unified Communications Manager Administration Guide:

End User Configuration Settings

Adding Users to a User Group

Associate a user with Cisco Cius.

Provides users with control over their Cisco Cius for tasks such as forwarding calls or adding speed-dial numbers or services.

For more information, go to the "Associating Devices to an End User" section in the "End User Configuration" chapter in the Cisco Unified Communications Manager Administration Guide.


Installing Cisco Cius

After you add Cisco Cius to the Cisco Unified Communications Manager Administration database, you can complete Cisco Cius installation. You (or Cisco Cius users) can install Cisco Cius at the user location. For information about installing Cisco Cius, see the Cisco Cius User Guide, which is located at:

http://www.cisco.com/en/US/products/ps11156/products_user_guide_list.html

The Cisco Cius User Guide provides directions for connecting Cisco Cius media station, cables, and other accessories.

After Cisco Cius connects to the network, the Cisco Cius startup process begins and Cisco Cius registers with Cisco Unified Communications Manager. Cisco Cius will upgrade itself when connecting to Cisco Unified Communications Manager if a newer load is in its config file. To finish installing Cisco Cius, configure the network settings, including whether you enable or disable DHCP service.

If you used auto-registration, you must update the specific configuration information for Cisco Cius, such as associating Cisco Cius with a user, changing the button table, or adding the directory number.

Checklist for Installing Cisco Cius

Table 1-13 provides an overview and checklist of installation tasks for Cisco Cius. The list presents a suggested order to guide you through Cisco Cius installation. Some tasks are optional, depending on your system and user needs. For detailed procedures and information, see the sources in the list.

For more information on installing Cisco Cius, see the "Installing Cisco Cius" section.

Table 1-13 Installation Checklist for Cisco Cius 

Task
Purpose
For More Information

Choose the power source for Cisco Cius:

AC Adapter (CP-PWR-CUBE-4)

Power over Ethernet (PoE+ 802.3at)

Determines how Cisco Cius receives power.

See the "Providing Power to Cisco Cius" section.

Assemble Cisco Cius and media station, adjust Cisco Cius placement, and connect the network cable.

Alternatively, connect Cisco Cius to the wireless network.

Provides wired or wireless connectivity for Cisco Cius to the network.

See the Cisco Cius User Guide.

Monitor the Cisco Cius startup process.

Adds primary and secondary directory numbers and features associated with directory numbers to Cisco Cius.

See the "Verifying Cisco Cius Startup Process" section.

Configure the Ethernet network settings on Cisco Cius.

See the "Configuring Startup Network Settings" section.

See the "Ethernet Settings Menu" section.

If you choose to deploy Cisco Cius on the wireless network, you must perform the following configuration:

Configure the wireless network.

Enable Wireless LAN for Cisco Cius tablets on Cisco Unified Communications Manager Administration.

Configure a wireless network profile on Cisco Cius.

Note Cisco Cius prefers wireless for telephony signaling and wired for telephony media data.

See Chapter 4 "Understanding the VoIP Wireless Network."

See the Cisco Cius Wireless LAN Deployment Guide.

Make calls using Cisco Cius.

Verifies that Cisco Cius and features work correctly.

See the Cisco Cius User Guide.

Provide information to users about how to use their Cisco Cius and how to configure their Cisco Cius options.

Ensures that users have adequate information to use their Cisco Cius successfully.

See "Providing Information to Users Through a Website."

See the Cisco Cius User Guide.