-
Cisco Cius Administration Guide, Release 9.2(2)
-
Preface
-
Overview of Cisco Cius
-
Cisco Cius 4G
-
Preparing to Install Cisco Cius on Your Network
-
Setting Up Cisco Cius
-
Understanding the VoIP Wireless Network
-
Configuring Features, Templates, Services, and Users
-
Configuring Settings on Cisco Cius
-
Viewing Model Information Status and Statistics on Cisco Cius
-
Monitoring Cisco Cius Remotely
-
Troubleshooting and Maintenance
-
Providing Information to Users Through a Website
-
Supporting International Users
-
Technical Specifications
-
Basic Cisco Cius Administration Steps
-
Index
-
Feedback
Contents
- Overview of Cisco Cius
- Understanding Cisco Cius
- Supported Networking Protocols
- Supported Features on Cisco Cius
- Feature Overview
- Configuring Telephony Features
- Configuring Network Parameters Using Cisco Cius
- Providing Users with Feature Information
- Understanding Security Features for Cisco Cius
- Overview of Supported Security Features
- Understanding Security Profiles
- Identifying Secure (Encrypted) Phone Calls
- Establishing and Identifying Secure Calls
- Establishing and Identifying Secure Conference Calls
- Call Security Interactions and Restrictions
- Supporting 802.1X Authentication on Cisco Cius
- Overview
- Required Network Components
- Requirements and Recommendations
- Security Restrictions
- Overview of Configuring and Installing Cisco Cius
- Configuring Cisco Cius in Cisco Unified Communications Manager
- Checklist for Configuring Cisco Cius in Cisco Unified Communications Manager
- Installing Cisco Cius
- Checklist for Installing Cisco Cius
Overview of Cisco Cius
Cisco Cius is a mobile collaboration device built for business. It is designed to help organizations capitalize on the value of mobility by enabling anywhere, anytime access to important business applications and features.
Cisco Cius includes the following features:
- Campus mobility with a choice of wired Gigabit Ethernet connectivity through handset media station or IEEE 802.11 a/b/g/n Wi-Fi connectivity
- An Intel Atom 1.6-GHz processor
- 1-GB RAM and 32-GB of eMMC flash memory
- Native support for Bluetooth headsets
- Bluetooth profile support, including Hands-Free Profile and Advanced Audio Distribution (A2DP) Profile
- High-definition video through 7-inch (177.8 mm) high-resolution color screen.
- High-definition audio through integrated speakers
- Microphone
- Front- and rear-facing cameras
- Detachable and serviceable 8-hour battery
Cisco Cius, like other network devices, must be configured and managed. Cisco Cius devices encode G.711a-law, G.711 u-law, G.722, G.729a, G.729ab, and iLBC, and decode G.711a-law, G.711u-law, G.722, G.729, G.729a, G.729b, G.729ab, iSAC, iLBC, and H.264.
Caution
Using a mobile or GSM phone, or two-way radio in close proximity to Cisco Cius might cause interference. For more information, see the manufacturer documentation of the interfering device.
This chapter comprises the following topics:
- Understanding Cisco Cius
- Supported Networking Protocols
- Supported Features on Cisco Cius
- Understanding Security Features for Cisco Cius
- Overview of Configuring and Installing Cisco Cius
Understanding Cisco Cius
The following image shows the front view of Cisco Cius.
The following table describes the keys and components on the front of Cisco Cius.
The following image shows the back view of Cisco Cius.
The following table describes the components on the back of Cisco Cius.
Table 2 Cisco Cius Components - Back View No.
Item
Description
1
Rear-facing camera
5-megapixel camera with 8X digital zoom
The following image shows the left-side view of Cisco Cius.
The following table describes the components on the left side of Cisco Cius.
The following image shows the right-side view of Cisco Cius.
The following table describes the components on the right side of Cisco Cius.
Table 4 Cisco Cius Features - Right Side No.
Item
Description
1
Battery release
Provides means for removing battery
2
Power port
Connects to external power supply
The following image shows the top view of Cisco Cius.
The following table describes the components on the top of Cisco Cius.
The following image shows the bottom view of Cisco Cius.
The following table describes the components on the bottom of Cisco Cius.
Supported Networking Protocols
Cisco Cius supports several industry-standard and Cisco networking protocols that are required for voice communication. The following table provides an overview of the networking protocols that Cisco Cius supports.
Table 7 Supported Networking Protocols on Cisco Cius Networking protocol
Purpose
Usage notes
Bluetooth
Bluetooth is a wireless personal area network (WPAN) protocol that specifies how devices communicate over short distances.
Cisco Cius supports Bluetooth 2.1+EDR.
Cisco Cius supports Hands-Free Profile (HFP) and Advanced Audio Distribution (A2DP) Profile.
Bootstrap Protocol (BootP)
BootP enables a network device, such as Cisco Cius, to discover certain startup information, such as its IP address.
-
Cisco Discovery Protocol (CDP)
CDP is a device-discovery protocol that runs on all Cisco-manufactured equipment.
Using CDP, a device can advertise its existence to other devices and receive information about other devices in the network.
Cisco Cius uses CDP to communicate information such as auxiliary VLAN ID, per port power-management details, and Quality of Service (QoS) configuration information with the Cisco Catalyst switch.
Cisco Peer-to-Peer Distribution Protocol (CPPDP)
CPPDP is a Cisco proprietary protocol that is used to form a peer-to-peer hierarchy of devices. This hierarchy distributes firmware files from peer devices to their neighboring devices.
The Peer Firmware Sharing feature uses CPPDP.
Dynamic Host Configuration Protocol (DHCP)
DHCP dynamically allocates and assigns an IP address to network devices.
DHCP enables you to connect Cisco Cius into the network and have Cisco Cius become operational without your needing to manually assign an IP address or to configure additional network parameters.
DHCP is enabled by default. If DHCP is disabled, you must manually configure the IP address, gateway, netmask, and a TFTP server on Cisco Cius locally.
Cisco recommends that you use DHCP custom option 150. With this method, you configure the TFTP server IP address as the option value. For additional supported DHCP configurations, see the following chapters in the Cisco Unified Communications Manager System Guide:
If you cannot use option 150, try using DHCP option 66.
Hypertext Transfer Protocol (HTTP)
HTTP is the standard way of transferring information and moving documents across the Internet and the web.
Cisco Cius uses HTTP for XML services and for troubleshooting purposes.
Hypertext Transfer Protocol Secure (HTTPS)
HTTPS is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of servers and for transferring Cisco Cius firmware images.
Web applications with both HTTP and HTTPS support have two URLs configured.
IEEE 802.1X
The IEEE 802.1X standard defines a client-server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports.
Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
Cisco Cius implements the IEEE 802.1X standard by providing support for the following authentication methods: EAP-FAST and EAP-TLS, PEAP, and CCKM.
After 802.1X authentication is enabled on Cisco Cius, disable the PC port on the media station and voice VLAN. See the Supporting 802.1X Authentication on Cisco Cius for additional information.
IEEE 802.11a/b/g/n
The IEEE 802.11 standard specifies how devices communicate over a wireless local area network (WLAN).
802.11a operates at the 5 GHz band and 802.11b and 802.11g operate at the 2.4 GHz band.
802.11.n operates in either 2.4 GHz or 5Ghz band.
The 802.11 interface is a deployment option for cases when Ethernet cabling is unavailable or undesirable.
Internet Protocol (IP)
IP is a messaging protocol that addresses and sends packets across the network.
To communicate using IP, network devices must have an assigned IP address, gateway, and netmask.
IP address, gateway, and netmask identifications are automatically assigned if you are using Cisco Cius with DHCP. If you are not using DHCP, you must manually assign these properties to each Cisco Cius locally.
Link Layer Discovery Protocol (LLDP)
LLDP is a standardized network discovery protocol (similar to CDP) that is supported on some Cisco and third-party devices.
-
Link Layer Discovery Protocol-Media Endpoint Devices (LLDP-MED)
LLDP-MED is an extension of the LLDP standard developed for voice products.
Cisco Cius supports LLDP-MED on the media station switch port to communicate information such as:
For more information about LLDP-MED support, see the LLDP-MED and Cisco Discovery Protocol white paper at this URL:
http://www.cisco.com/en/US/technologies/tk652/tk701/technologies_white_paper0900aecd804cd46d.html
Real-Time Transport Protocol (RTP)
RTP is a standard protocol for transporting real-time data, such as interactive voice and video, over data networks.
Cisco Cius uses RTP to send and receive real-time voice and video traffic from other devices and gateways.
Real-Time Control Protocol (RTCP)
RTCP works in conjunction with RTP to provide QoS data (such as jitter, latency, and round-trip delay) on RTP streams. RTCP is also used to synchronize the audio and video stream in order to provide a better video experience.
RTCP is disabled by default, but you can use Cisco Unified Communications Manager to enable it on a per-device basis.
Session Description Protocol (SDP)
SDP is the portion of the SIP protocol that determines which parameters are available during a connection between two endpoints. Conferences are established by using only the SDP capabilities that are supported by all endpoints in the conference.
SDP capabilities, such as codec types, DTMF detection, and comfort noise, are normally configured on a global basis by Cisco Unified Communications Manager or Media Gateway in operation. Some SIP endpoints may allow these parameters to be configured on the endpoint itself.
Session Initiation Protocol (SIP)
SIP is the IETF standard for multimedia conferencing over IP. SIP is an ASCII-based application-layer control protocol (defined in RFC 3261) that can be used to establish, maintain, and terminate calls between two or more endpoints.
Like other VoIP protocols, SIP is designed to address the functions of signaling and session management within a packet telephony network. Signaling allows call information to be carried across network boundaries. Session management provides the ability to control the attributes of an end-to-end call.
Transmission Control Protocol (TCP)
TCP is a connection-oriented transport protocol.
Cisco Cius uses TCP to connect to Cisco Unified Communications Manager and to access XML services.
Transport Layer Security
TLS is a standard protocol for securing and authenticating communications.
Cisco Cius uses the TLS protocol after registering with Cisco Unified Communications Manager securely.
Trivial File Transfer Protocol (TFTP)
TFTP allows you to transfer files over the network.
On Cisco Cius, TFTP enables you to obtain a configuration file specific to Cisco Cius.
TFTP requires a TFTP server in your network, that can be automatically identified from the DHCP server. If you want Cisco Cius to use a TFTP server other than the one specified by the DHCP server, you must use the Network Configuration menu on Cisco Cius to assign the IP address of the TFTP server manually.
For more information, see the Cisco TFTP chapter in the Cisco Unified Communications Manager System Guide.
User Datagram Protocol (UDP)
UDP is a connectionless messaging protocol for delivery of data packets.
Cisco Cius transmits and receives RTP streams, which utilize UDP.
Related References
Supported Features on Cisco Cius
Cisco Cius is a business device that delivers anytime, anywhere access to Cisco Collaboration applications, including Unified Communications features. Cisco Cius also provides access to other business and Android applications.
- Feature Overview
- Configuring Telephony Features
- Configuring Network Parameters Using Cisco Cius
- Providing Users with Feature Information
Related Information
Feature Overview
Cisco Cius is a mobile collaboration device for business. Cisco Cius provides an integrated suite of collaborative applications, including Cisco Quad, Cisco WebEx, Cisco Unified Presence, instant messaging, email, visual voice mail, and Cisco Unified Communications Manager voice and video telephony features. Cisco Cius also provides Virtual Desktop Infrastructure (VDI) and cloud computing and support for a wide range of applications through Cisco AppHQ Developer Network Marketplace. Cisco Cius also supports applications from the Google Android Marketplace. For an overview of the features that Cisco Cius supports and for tips on configuring them, see Configuring Features, Templates, Services, and Users.
As with other network devices, you must configure Cisco Cius to prepare to access Cisco Unified Communications Manager and the rest of the IP network. By using DHCP, you have fewer settings to configure on Cisco Cius, but if your network requires it, you can manually configure an IP address, TFTP server, netmask information, and so on. For instructions on configuring the network settings on Cisco Cius, see the Setup Menus on Cisco Cius.
Finally, because Cisco Cius is a network device, you can obtain detailed status information from it directly. This information can assist you with troubleshooting problems that users might encounter when using their Cisco Cius devices. See Viewing Model Information Status and Statistics on Cisco Cius for more information.
Related References
Configuring Telephony Features
You can modify settings for Cisco Cius from Cisco Unified Communications Manager Administration. Use this web-based application to set up Cisco Cius registration criteria and calling search spaces, to configure corporate directories and services, and to modify phone button templates, among other tasks.
For more information, see the Telephony Features Available for Cisco Cius and the Cisco Unified Communications Manager Administration Guide. You can also use the context-sensitive help available within the application for guidance.
You can access Cisco Unified Communications Manager documentation at this location:
http://www.cisco.com/en/US/products/sw/voicesw/ps556/tsd_products_support_series_home.html
You can access Cisco Unified Communications Manager Business Edition 5000 documentation at this location:
http://www.cisco.com/en/US/products/ps7273/tsd_products_support_series_home.html
Configuring Network Parameters Using Cisco Cius
You can configure parameters, such as DHCP, TFTP, and IP settings, on the Cisco Cius device. You can also obtain statistics about a current call or firmware versions on Cisco Cius.
For more information about configuring features and viewing statistics from Cisco Cius, see Configuring Settings on Cisco Cius and Viewing Model Information Status and Statistics on Cisco Cius.
Providing Users with Feature Information
You are likely the primary source of information for Cisco Cius users in your network or company. To ensure that you distribute the most current feature and procedural information, familiarize yourself with Cisco Cius documentation. Make sure to visit the Cisco Cius website:
http://www.cisco.com/en/US/products/ps11156/tsd_products_support_series_home.html
From this site, you can view the user guide and quick start documentation.
Note
The Cisco Cius User Guide is also available directly through a link on the tablet. Choose .
In addition to providing documentation, it is important to inform users about available Cisco Cius features, including those specific to your company or network, and about how to access and customize those features, if appropriate.
For a summary of some of the key information that Cisco Cius users may need, see Providing Information to Users Through a Website.
Understanding Security Features for Cisco Cius
Implementing security in the Cisco Unified Communications Manager system prevents data tampering, and prevents call-signaling and media-stream tampering of the Cisco Cius and the Cisco Unified Communications Manager server.
To alleviate these threats, the Cisco IP telephony network establishes and maintains secure (encrypted) communication streams between Cisco Cius and the server, digitally signs files before they are transferred to Cisco Cius, and encrypts media streams and call signaling between Cisco Cius devices.
Cisco Cius uses a security profile that defines whether the device is nonsecure or secure. For information about applying the security profile to the device, see the Cisco Unified Communications Manager Security Guide.
If you configure security-related settings in Cisco Unified Communications Manager Administration, the phone configuration file contains sensitive information. To ensure the privacy of a configuration file, you must configure the file for encryption. For detailed information, see the "Configuring Encrypted Phone Configuration Files" chapter in Cisco Unified Communications Manager Security Guide.
The following table shows where you can find information about security in this and other documents.
Table 8 Cisco Cius and Cisco Unified Communications Manager Security Topics Topic
Reference
Detailed explanation of security, including setup, configuration, and troubleshooting information for Cisco Unified Communications Manager and Cisco Cius
See the Cisco Unified Communications Manager Security Guide.
Restrictions regarding security features
See the Security Restrictions.
Viewing a security profile name
Table 1-9 provides an overview of the security features that Cisco Cius supports. For more information about these features and about Cisco Unified Communications Manager and Cisco Unified IP Phone security, see the Cisco Unified Communications Manager Security Guide.
Identifying phone calls for which security is implemented
TLS connection
See the Supported Networking Protocols.
See the Adding Cisco Cius Devices with Cisco Unified Communications Manager Administration.
See the Adding Cisco Cius Devices with Cisco Unified Communications Manager Administration.
Changing the TFTP Server 1 or TFTP Server 2 option on Cisco Cius after security is implemented
See the TFTP Server Settings Menu.
Items on the Security Setup menu that you access from Cisco Cius
See the Location and Security Setup Menu.
Disabling access to a device web page
Troubleshooting
See the Troubleshooting Cisco Cius Security.
See the Cisco Unified Communications Manager Security Guide.
See theResetting Cisco Cius.
See the Resetting Cisco Cius.
See these sections:
- Overview of Supported Security Features
- Understanding Security Profiles
- Identifying Secure (Encrypted) Phone Calls
- Supporting 802.1X Authentication on Cisco Cius
- Security Restrictions
Overview of Supported Security Features
The following table provides an overview of the security features that Cisco Cius supports. For more information about these features and about Cisco Unified Communications Manager and Cisco Cius security, see the Cisco Unified Communications Manager Security Guide and the Wireless Security chapter of the Cisco Cius Wireless LAN Deployment Guide.
For information about current security settings on Cisco Cius, press the Menu key and choose . For more information, see the Location and Security Setup Menu.
Table 9 Overview of Security Features Feature
Description
Image authentication
Signed binary files (with the extension .sbn) prevent tampering with the firmware image before it is loaded on a Cisco Cius device. Tampering with the image causes Cisco Cius to fail the authentication process and reject the new image.
Customer-site certificate installation
Each Cisco Cius requires a unique certificate for device authentication. Cisco Cius devices include a manufacturing installed certificate (MIC), but for additional security, you can specify in Cisco Unified Communications Manager Administration that a certificate be installed by using the Certificate Authority Proxy Function (CAPF). Alternatively, you can install a Locally Significant Certificate (LSC) from the Enterprise security menu on the device. See the Configuring Security on Cisco Cius for more information.
Device authentication
Occurs between the Cisco Unified Communications Manager server and Cisco Cius when each entity accepts the certificate of the other entity. Determines whether a secure connection between Cisco Cius and Cisco Unified Communications Manager occurs and, if necessary, creates a secure signaling path between the entities by using TLS protocol. Cisco Unified Communications Manager will not register Cisco Cius devices unless Cisco Unified Communications Manager can authenticate them.
File authentication
Validates digitally signed files that Cisco Cius downloads. Cisco Cius validates the signature to make sure that file tampering did not occur after file creation. Files that fail authentication are not written to Flash memory on Cisco Cius. Cisco Cius rejects such files without further processing.
File encryption
Encryption prevents sensitive information from being revealed while the file is in transit to Cisco Cius. In addition, Cisco Cius validates the signature to make sure that file tampering did not occur after file creation. Files that fail authentication are not written to Flash memory on the Cius. Cisco Cius rejects such files without further processing.
Signaling Authentication
Uses the TLS protocol to validate that no tampering has occurred to signaling packets during transmission.
Manufacturing installed certificate
Each Cisco Cius contains a unique manufacturing-installed certificate (MIC), which is used for device authentication. The MIC provides permanent unique proof of identity for the device and allows Cisco Unified Communications Manager to authenticate Cisco Cius.
Media encryption
Uses SRTP to ensure that the media streams between supported devices are secure and that only the intended device receives and reads the data. Includes creating a media master key pair for the devices, delivering the keys to the devices, and securing the delivery of the keys.
CAPF (Certificate Authority Proxy Function)
Implements parts of the certificate generation procedure that are too processing-intensive for Cisco Cius, and interacts with Cisco Cius for key generation and certificate installation. The CAPF can be configured to request certificates from customer-specified certificate authorities on behalf of Cisco Cius, or it can be configured to generate certificates locally.
Security profiles
Defines whether Cisco Cius is nonsecure, authenticated, encrypted, or protected. For more information about these features and about Cisco Unified Communications Manager and Cisco Cius security, see the Cisco Unified Communications Manager Security Guide.
Encrypted configuration files
Lets you ensure the privacy of Cisco Cius configuration files.
Optional disabling of the web server functionality for Cisco Cius
For security purposes, you can prevent access to a Cisco Cius web page (which indicates a variety of operational statistics for the device) and user options pages. For more information, see the Enabling and Disabling Web Page Access.
Phone hardening
Additional security options, which you control from Cisco Unified Communications Manager Administration:
- Disabling PC port on the media station
- Disabling Gratuitous ARP (GARP)
- Disabling PC Voice VLAN access
- Providing restricted access to the web applications
- Disabling Bluetooth Accessory Port
- Disabling access to web pages
- Requiring a screen lock
- Controlling access to Google Android market.
- Controlling access to installation of applications from unknown sources
802.1X Authentication
Cisco Cius can use 802.1X authentication to request and gain access to the network. See the Supporting 802.1X Authentication on Cisco Cius for more information.
Secure SIP Failover for SRST
After you configure an SRST reference for security and then reset the dependent devices in Cisco Unified Communications Manager Administration, the TFTP server adds the SRST certificate to the Cisco Cius cnf.xml file and sends the file to the device. A secure device then uses a TLS connection to interact with the SRST-enabled router.
Signaling encryption
Ensures that all SIP signaling messages that are sent between the device and the Cisco Unified CM server are encrypted.
Understanding Security Profiles
All Cisco Cius devices that support Cisco Unified Communications Manager use a security profile, which defines whether the device is nonsecure, authenticated, or encrypted. For information about configuring the security profile and applying the profile to the device, see the Cisco Unified Communications Manager Security Guide.
To view the security mode that is set for Cisco Cius, view the Signaling security mode setting in the Enterprise security settings menu.
Identifying Secure (Encrypted) Phone Calls
Security is implemented for Cisco Cius by enabling the "Protected Device" parameter from the Cisco Unified Communications Manager Administration Phone window. When security is implemented, you can identify secure phone calls by the Secure Call icon on the Cisco Cius screen. In a secure call, all call signaling and media streams are encrypted. A secure call offers a high level of security, providing integrity and privacy to the call. When a call in progress is being encrypted, the Security Mode status on Cisco Cius Enterprise security settings menu indicates "Encrypted."
Note
If the call is routed through non-IP call legs (for example, PSTN), the call may be nonsecure even though it is encrypted within the IP network and has a lock icon associated with it.
In a secure call, a 2-second tone plays to notify the users when a call is encrypted and both devices are configured as protected devices, and if secure tone features are enabled on Cisco Unified Communications Manager. The tone plays for both parties when the call is answered. The tone does not play unless both devices are protected and the call occurs over encrypted media. If the system determines that the call is not encrypted, Cisco Cius plays a nonsecure indication tone (6 beeps) to alert the user that the call is not protected. For a detailed description of the secure indication tone feature and the configuration requirements, see the Cisco Unified Communications Manager Security Guide.
Note
Video is transmitted as nonsecure. So, even if both Cisco Cius devices are secure, the Encrypted lock icon will not be displayed for video calls.
- Establishing and Identifying Secure Calls
- Establishing and Identifying Secure Conference Calls
- Call Security Interactions and Restrictions
Related References
Related Information
Establishing and Identifying Secure Calls
A secure call is established when your Cisco Cius and a phone on the other end are configured for secure calling. They can be in the same Cisco IP network, or on a network outside the IP network. A secure conference call is established by using this process:
- A user initiates the call from a secured Cisco Cius (Encrypted security mode).
- Cisco Cius indicates the Encrypted status on the Enterprise security menu. This status indicates that Cisco Cius is configured for secure calls, but does not mean that the other connected phone is also secured.
- A security tone plays if the call is connected to another secured device, indicating that both ends of the conversation are encrypted and secured. Otherwise, nonsecure tone will be played.
Establishing and Identifying Secure Conference Calls
You can initiate a secure conference call and monitor the security level of participants. A secure conference call is established by using this process:
- A user initiates the conference from a secure Cisco Cius device.
- Cisco Unified Communications Manager assigns a secure conference bridge to the call.
- As participants are added, Cisco Unified Communications Manager verifies the security mode of each device and maintains the secure level for the conference.
- Cisco Cius indicates the security level of the conference call.
Note
Various interactions, restrictions, and limitations affect the security level of the conference call, depending on the security mode of the participant devices and the availability of secure conference bridges. Cisco Cius supports secure audio conference calls only; video will not be secure.
Call Security Interactions and Restrictions
Cisco Unified Communications Manager checks the Cisco Cius security status when conferences are established and changes the security indication for the conference or blocks completion of the call to maintain integrity and also security in the system. The following table provides information about changes to call security levels when Barge is used.
Table 10 Call Security Interactions When Barge Is Used Initiator device security level
Feature used
Call security level
Results of action
Nonsecure
Barge
Encrypted call
Call barged and identified as nonsecure call
Secure
Barge
Encrypted call
Call barged and identified as secure call
The following table provides information about changes to conference security levels depending on the initiator device security level, the security levels of participants, and the availability of secure conference bridges.
Table 11 Security Restrictions With Conference Calls Initiator device security level
Feature used
Security level of participants
Results of action
Nonsecure
Conference
Secure
Nonsecure conference bridge
Nonsecure conference
Secure
Conference
At least one member is nonsecure
Secure conference bridge
Nonsecure conference
Secure
Conference
Secure
Secure conference bridge
Secure encrypted level conference
Supporting 802.1X Authentication on Cisco Cius
Overview
Cisco Cius and Cisco Catalyst switches traditionally use Cisco Discovery Protocol (CDP) to identify each other and determine parameters such as VLAN allocation and inline power requirements. Cisco Cius also uses CDP; however, CDP does not identify any locally attached PCs; therefore, an EAPOL pass-through mechanism is used, whereby a PC that is attached locally to Cisco Cius may pass EAPOL messages to the 802.1X authenticator in the LAN switch. This mechanism prevents Cisco Cius from having to act as the authenticator, yet allows the LAN switch to authenticate a data endpoint before accessing the network.
In conjunction with the EAPOL pass-through mechanism, Cisco Cius provides a proxy EAPOL-Logoff mechanism. If the locally attached PC disconnects from Cisco Cius, the LAN switch does not detect the physical link fail, because the link between the LAN switch and Cisco Cius is maintained. To avoid compromising network integrity, Cisco Cius sends an EAPOL-Logoff message to the switch on behalf of the downstream PC, and this action triggers the LAN switch to clear the authentication entry for the downstream PC.
Cisco Cius contains an 802.1X supplicant in addition to the EAPOL pass-through mechanism. This supplicant allows network administrators to control the connectivity of Cisco Cius to the LAN switch ports. The current release of the 802.1X supplicant uses the EAP-FAST and EAP-TLS options for network authentication.
Required Network Components
Support for 802.1X authentication on Cisco Cius requires several components, including the following:
- Cisco Cius - Cisco Cius acts as the 802.1X supplicant, which initiates the request to access the network.
- Cisco Catalyst Switch (or other third-party switch) - The switch must support 802.1X, so that it can act as the authenticator and pass the messages between Cisco Cius and the authentication server. When the exchange is completed, the switch grants or denies access to the network to the device.
Requirements and Recommendations
The requirements and recommendations for 802.1X authentication on Cisco Cius include the following:
- Enable 802.1X Authentication - If you want to use the 802.1X standard to authenticate Cisco Cius, be sure that you properly configure the other components before enabling 802.1X authentication on the device. See the Enterprise Security Settings for more information.
- Configure PC Port on Media Station - The 802.1X standard does not take into account the use of VLANs and thus recommends that only a single device be authenticated to a specific switch port. However, some switches (including Cisco Catalyst switches) support multidomain authentication. The switch configuration determines whether you can connect a PC to a Cisco Cius media station PC port.
- Enabled - If you are using a switch that supports multidomain authentication, you can enable the media station PC port and connect a PC to it. In this case, Cisco Cius supports proxy EAPOL-Logoff to monitor the authentication exchanges between the switch and the attached PC. For more information about IEEE 802.1X support on the Cisco Catalyst switches, see the Cisco Catalyst switch configuration guides at: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
- Disabled - If the switch does not support multiple 802.1X-compliant devices on the same port, disable the media station PC Port when 802.1X authentication is enabled. See the Ethernet Settings Menu for more information. If you do not disable this port and subsequently attempt to attach a PC to it, the switch denies network access to both the device and the PC.
- Configure Voice VLAN - Because the 802.1X standard does not account for VLANs, configure this setting based on the switch support.
- Enabled - If you are using a switch that supports multidomain authentication, continue to use the voice VLAN.
- Disabled - If the switch does not support multidomain authentication, disable the Voice VLAN and consider assigning the port to the native VLAN. See the Ethernet Settings Menu for more information.
Security Restrictions
A user cannot barge in to an encrypted call if the Cisco Cius device that is used to barge is not configured for encryption. When barge fails in this case, a fast busy tone plays on the Cisco Cius on which the user initiated the barge.
If the initiator Cisco Cius device is configured for encryption, the barge initiator can barge in to a nonsecure call from the encrypted Cisco Cius device. After the barge occurs, Cisco Unified Communications Manager classifies the call as nonsecure.
If the initiating Cisco Cius is configured for encryption, the barge initiator can barge in to an encrypted call, and Cisco Cius indicates that the call is encrypted.
Overview of Configuring and Installing Cisco Cius
When deploying a new IP telephony system, system administrators and network administrators must complete several initial configuration tasks to prepare the network for IP telephony service. For information and a checklist for setting up and configuring a Cisco IP telephony network, see the System Configuration Overview chapter in the Cisco Unified Communications Manager System Guide.
After you set up the IP telephony system and configure system-wide features in Cisco Unified Communications Manager, you can add Cisco Cius to the system.
The following topics provide an overview of procedures for adding Cisco Cius to your network:
Configuring Cisco Cius in Cisco Unified Communications Manager
Use the following methods to add Cisco Cius devices to the Cisco Unified Communications Manager database:
- Auto-registration
- Cisco Unified Communications Manager Administration
- Bulk Administration Tool (BAT)
- BAT and the Tool for Auto-Registered Phones Support (TAPS)
For more information about these choices, see the Understanding How Cisco Cius Interacts with Cisco Unified Communications Manager.
For general information about configuring Cisco Cius devices in Cisco Unified Communications Manager, see the following documentation:
Checklist for Configuring Cisco Cius in Cisco Unified Communications Manager
ProcedureThe following procedure outlines the configuration tasks for Cisco Cius in Cisco Unified Communications Manager Administration. The procedure presents a suggested order to guide you through the Cisco Cius configuration process. Some tasks are optional, depending on your system and user needs. For detailed procedures and information, see the listed sources.
Step 1 Gather the following information about Cisco Cius:
- MAC address (Ethernet MAC address)
Note Cisco Cius uses two addresses: Ethernet MAC and Wireless LAN MAC. When adding Cisco Cius to the Cisco Unified Communications Manager, it must be provisioned using the Ethernet MAC address.
- Physical location of Cisco Cius
- Name or user ID of Cisco Cius user
- Device pool
- Partition, calling search space, and location information
- Number of lines and associated directory numbers (DNs) to assign to Cisco Cius
- Cisco Unified Communications Manager user to associate with Cisco Cius
- Cisco Cius usage information that affects telephony features, or applications
These values provide list of configuration requirements for setting up Cisco Cius. These values also identify the preliminary configuration that you must perform before configuring Cisco Cius
For more information, go to the Cisco Unified IP Phones chapter in the Cisco Unified Communications Manager System Guide.
Step 2 Verify that you have sufficient unit licenses for your Cisco Cius. For more information, go to the Licensing chapter in the Cisco Unified Communications Manager Features and Services Guide.
Step 3 Add and configure Cisco Cius by completing the required fields in the Phone Configuration window of Cisco Unified Communications Manager Administration. Required fields are indicated by an asterisk (*) next to the field name; for example, MAC address and device pool.
This step adds the device with its default settings to the Cisco Unified Communications Manager database.
For more information, go to the Cisco Unified IP Phone Configuration chapter in the Cisco Unified Communications Manager Administration Guide.
For information about Product Specific Configuration fields, use the ? button in the Phone Configuration window.
Note If you want to add both Cisco Cius and user to the Cisco Unified Communications Manager database at the same time, go to the User/Phone Add Configuration chapter in the Cisco Unified Communications Manager Administration Guide.
Step 4 Add and configure directory numbers (lines) on Cisco Cius by completing the required fields in the Phone Configuration window in Cisco Unified Communications Manager Administration. . Required fields are indicated by an asterisk (*) next to the field name; for example, directory number and presence group
This step adds primary and secondary directory numbers and features associated with directory numbers to Cisco Cius.
For more information, go to the Directory Number Configuration chapter in the Cisco Unified Communications Manager Administration Guide.
Step 5 (Optional)Configure speed-dial buttons and assign speed-dial numbers. This step adds speed-dial buttons and numbers.
Users can change speed-dial settings on their Cisco Cius by using Cisco Unified Communications Manager User Options.
For more information, go to the Configuring Speed-Dial Buttons or Abbreviated Dialing section in the Cisco Unified IP Phone Configuration chapter in the Cisco Unified Communications Manager Administration Guide.
Step 6 (Optional)Configure Cisco Cius services and assign services. This step provides Cisco Cius services.
Users can add or change services on their Cisco Cius by using the Cisco Unified Communications Manager User Options.
For more information, go to the IP Phone Services Configuration chapter in the Cisco Unified Communications Manager Administration Guide.
Step 7 Add user information by configuring required fields. Required fields are indicated by an asterisk (*); for example, User ID and last name.
Note Assign a password for User Options web pages.
This step adds user information to the global directory for Cisco Unified Communications Manager.
For more information, go to the End User Configuration chapter in the Cisco Unified Communications Manager Administration Guide.
See the Configuring Reset Options/Load Upgrades.
If your company uses a Lightweight Directory Access Protocol (LDAP) directory to store information about users, you can install and configure Cisco Unified Communications Manager to use your existing LDAP directory.
If you want to add both Cisco Cius and user to the Cisco Unified Communications Manager database at the same time, go to the User/Phone Add Configuration chapter in the Cisco Unified Communications Manager Administration Guide.
Step 8 Associate a user to a user group. This step assigns users a common list of roles and permissions that apply to all users in a user group. Administrators can manage user groups, roles, and permissions to control the level of access (and, therefore, the level of security) for system users. For example, you must add users to the standard Cisco CCM End Users group so users can access Cisco Unified Communications Manager User Options.
See the following sections in the Cisco Unified Communications Manager Administration Guide:
Step 9 Associate a user with Cisco Cius. This step provides users with control over their Cisco Cius for tasks such as forwarding calls or adding speed-dial numbers or services.
For more information, go to the Associating Devices to an End User section in the End User Configuration chapter in the Cisco Unified Communications Manager Administration Guide.
Installing Cisco Cius
After you add Cisco Cius to the Cisco Unified Communications Manager Administration database, you can complete Cisco Cius installation. You (or Cisco Cius users) can install Cisco Cius at the user location. For information about installing Cisco Cius, see the Cisco Cius User Guide, which is located at:
http://www.cisco.com/en/US/products/ps11156/products_user_guide_list.html
The Cisco Cius User Guide provides directions for connecting Cisco Cius media station, cables, and other accessories.
After Cisco Cius connects to the network, the Cisco Cius startup process begins and Cisco Cius registers with Cisco Unified Communications Manager. Cisco Cius will upgrade itself when connecting to Cisco Unified Communications Manager if a newer load is in its config file. To finish installing Cisco Cius, configure the network settings, including whether you enable or disable DHCP service.
If you used auto-registration, you must update the specific configuration information for Cisco Cius, such as associating Cisco Cius with a user, changing the button table, or adding the directory number.
Checklist for Installing Cisco Cius
ProcedureThe following procedure provides an overview of the installation tasks for Cisco Cius. The list presents a suggested order to guide you through Cisco Cius installation. Some tasks are optional, depending on your system and user needs. For detailed procedures and information, see the sources in the list.
For more information on installing Cisco Cius, see Installing Cisco Cius.
Step 1 Choose the power source for Cisco Cius: This step determines how Cisco Cius receives power.
See the Providing Power to Cisco Cius.
Step 2 Assemble Cisco Cius and media station, adjust Cisco Cius placement, and connect the network cable. Alternatively, connect Cisco Cius to the wireless network.
This step provides wired or wireless connectivity for Cisco Cius to the network.
See the Cisco Cius User Guide.
Step 3 Monitor the Cisco Cius startup process. This step adds primary and secondary directory numbers and features associated with directory numbers to Cisco Cius.
See the Verifying Cisco Cius Startup Process.
Step 4 Configure the Ethernet network settings on Cisco Cius. See the Configuring Startup Network Settings.
See the Ethernet Settings Menu.
Step 5 If you choose to deploy Cisco Cius on the wireless network, you must perform the following configuration:
- Configure the wireless network.
- Enable Wireless LAN for Cisco Cius devices on Cisco Unified Communications Manager Administration.
- Configure a wireless network profile on Cisco Cius.
Note Cisco Cius prefers wireless for telephony signaling and wired for telephony media data.
See Understanding the VoIP Wireless Network
See the Cisco Cius Wireless LAN Deployment Guide.
Step 6 Make calls using Cisco Cius. This step verifies that Cisco Cius and features work correctly.
See the Cisco Cius User Guide.
Step 7 Provide information to users about how to use their Cisco Cius and how to configure their Cisco Cius options. This step ensures that users have adequate information to use their Cisco Cius successfully.
See Providing Information to Users Through a Website
See the Cisco Cius User Guide.
