Peter Sakala - University of Žilinapalo/Rozne/cisco-expo-2009/Presentati… · © 2006, Cisco...
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public. IP Telephony & IBNS
IP Telephony in 802.1X-Enabled Networks
Peter Sakala, [email protected]
© 2009 Cisco Systems, Inc. All rights reserved. IP Telephony & IBNS
Session Objectives
• Understand How Phones Work on an 802.1X-Enabled Network
  – Challenges
  – Techniques
  – Best Practices
• Learn How Deployment Scenarios Can Simplify IP Telephony + 802.1X Implementations
  – Monitor Mode
  – Low Impact Mode
How Phones Work in an 802.1X-Enabled Network
802.1X + IPT: First Challenge: No 802.1X = No Access!

Before authentication: all traffic except EAPoL is dropped at the switchport. A phone that does not speak 802.1X never gets past this point.

After authentication: the switchport knows the phone (CP-7961G-SEP001E4AA900A8) and passes its DHCP, TFTP, KRB5 and HTTP traffic.
802.1X + IPT: Second Challenge

• Multiple MACs not allowed
  – Helps ensure validity of the authenticated session
  – Negative consequences for phones: the PC behind the phone is a second MAC on the same port

Switchport configuration that shows the problem:

interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator

The phone is √ Authenticated (802.1X), but as soon as the PC behind it sends a frame the port sees a second source MAC and raises a SECURITY VIOLATION.
First Solution: CDP Bypass

The switch learns through CDP that a Cisco IP Phone is attached and lets it onto the Voice VLAN without 802.1X; the PC behind the phone still authenticates with EAPoL on the Data VLAN.

interface fastEthernet 3/48
 switchport voice vlan 10
 authentication port-control auto
 dot1x pae authenticator

Benefits | Deployment Considerations
Easy phone interop in 802.1X-enabled network | CDP-capable hackers get full access, too.
Default behavior: Cisco IP Phones get access if voice VLAN configured | Voice is no more secure than it was before 802.1X: no visibility, no access control
Works for all Cisco phone models | Incompatible with dynamic VVID, dACLs & Web Auth for PCs
Quick & Easy | Not Identity-Enabled
Second Solution: Multi-Domain Authentication (MDA) Host Mode

The port is split into a Voice Domain and a Data Domain. The phone authenticates into the voice domain (EAPoL or MAC) and the PC authenticates into the data domain (EAPoL), each with its own session; both end up √ Authenticated.

interface fastEthernet 3/48
 authentication host-mode multi-domain

Benefits | Deployment Considerations
Secure 802.1X or MAB authentication of the IP phone AND PC (removes CDP vulnerability) | Authentication type impacts timing, pre-deployment tasks
Compatible with IBNS features: dynamic VVID, downloadable ACLs (dACLs), Web Auth | AAA server dependency: centralized policy assigns phones to voice domain
Works for all phones, but retains Cisco-on-Cisco value for Cisco phones | Not all phones support 802.1X
AAA Server Considerations
• Scalability: do phones double the AAA server load?
  – Phones stay authenticated until link down (or re-auth).
    • Wired phones don't move much.
    • 802.1X can be selectively enabled on phones (no avalanche)
  – Use centralized policy to exempt phones from re-auth.
• ACS 5 Improvements
  – New Linux-based architecture: flexible & powerful policy model, incremental replication, distributed deployment, single master model, centralized logging
  – Free 90 day license for VM: http://www.cisco.com/cgi-bin/tablebuild.pl/acs5-eval
MDA with MAC Authentication Bypass (MAB)

Sequence on the Layer 2 point-to-point link (phone to switch) and the Layer 3 link (switch to AAA server):
1. Link up. The switch sends an EAP-Identity-Request; the phone (MAC 00.18.ba.c7.bc.ee) has no supplicant and does not respond.
2. After the tx-period timeout (30 seconds by default) the switch retransmits the EAP-Identity-Request; with the default max-reauth-req of 2, three requests go unanswered.
3. Fallback to MAB: the switch learns the MAC from the phone's traffic and sends a RADIUS Access-Request for 00.18.ba.c7.bc.ee (PAP).
4. The AAA server answers with RADIUS Access-Accept, device-traffic-class=voice, and the switch enables the Voice VLAN for that MAC: √ Authenticated.

Benefits | Deployment Considerations
No client, no credential needed -> works for all Cisco phone models | Default 802.1X timeout = 90 seconds latency
Enables visibility & access control. PAP is not process-intensive | Must create & maintain phone MAC database (internal to AAA server or LDAP)
Compatible with IBNS features | AAA server must be configured to assign phone to voice domain
MAB Latency Solutions
1. Shorten 802.1X Timeout
   Timeout = (max-reauth-req + 1) * tx-period
   max-reauth-req: maximum number of times (default: 2) that the switch retransmits an EAP-Identity-Request frame on the wire
   tx-period: number of seconds (default: 30) that the switch waits for a response to an EAP-Identity-Request frame before retransmitting
   With max-reauth-req = 1 and tx-period = 1 the port falls back to MAB after (1 + 1) * 1 = 2 seconds.
2. Flex-Auth Order
   Do MAB first for all devices: MAB on the first packet. Control plane traffic increases for all devices.
3. Low Impact Mode
   More on this later…
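The interface configuration below is an added example (it is not from the original slides) that puts the MDA host mode, the MAB fallback and the timer arithmetic above onto one port. The interface name, data VLAN 20, the AAA server address and the shared secret are assumed values; voice VLAN 10 comes from the deck.

```cisco
! Added example (not from the slides). Interface name, data VLAN 20 and the AAA
! server address / shared secret are assumed; voice VLAN 10 is from the deck.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.100.10.10 key ChangeMe
dot1x system-auth-control
!
interface FastEthernet3/48
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 10
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! Option 1: shorten the 802.1X timeout so phones without a supplicant reach MAB quickly.
 ! Timeout = (max-reauth-req + 1) * tx-period = (1 + 1) * 1 = 2 seconds
 ! (the defaults, 2 and 30, give the 90-second latency from the slide).
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1
 ! Option 2 (instead of the timers): try MAB on the first packet and let 802.1X
 ! take over if the host later sends EAPoL; costs one MAB request per device.
 ! authentication order mab dot1x
 ! authentication priority dot1x mab
```

The shortened timers apply to every device on the port, not only to phones, so a PC whose supplicant starts late may first be authenticated by MAB; the priority line in option 2 is what lets a later EAPoL exchange replace that MAB session.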
Phone MAC Database
1) Manual import of phone MACs to the ACS internal DB: export from CUCM, reformat with a script, import into ACS (the script is in the appendix).
2) Pre-deployment phone profiling: ACS asks the profiler by LDAP bind "00.18.ba.c7.bc.ee?", the profiler answers "Cisco 7960 IP Phone!", and ACS returns Access-Accept with device-traffic-class=voice.
Today the DBs are kept in sync manually!
MDA with 802.1X

Sequence on the Layer 2 point-to-point link (Supplicant to Authenticator) and the Layer 3 link (Authenticator to AAA Server):
1. Supplicant -> Authenticator: EAPoL Start
2. Authenticator -> Supplicant: EAPoL Request Identity
3. Supplicant -> Authenticator: EAPoL Response Identity (CP-79xx-xxxxxxxx)
4. Authenticator -> AAA Server: RADIUS Access-Request [AVP: EAP-Response: CP-79xx-xxxxxxxx]
5. AAA Server -> Authenticator: RADIUS Access-Challenge [AVP: EAP-Request: TLS]; the TLS handshake (Client Hello, Server Hello, certificate exchange) follows, each EAP-Response from the phone relayed in a RADIUS Access-Request and each EAP-Request from the server relayed in a RADIUS Access-Challenge
6. AAA Server -> Authenticator: RADIUS Access-Accept [AVP: device-traffic-class=voice, voice VLAN 10, dACL-n]; Authenticator -> Supplicant: EAP Success

Actual exchanges depend on the EAP method (MD5, TLS, FAST). The whole exchange takes about 1.5 seconds.

Benefits | Deployment Considerations
Strong authentication with minimal delay | Choice of EAP method impacts deployability
Can be deployed without touching the phone or creating a database | Requires: 7970G, 79x1, 79x2, 79x5 with X.509 cert support & firmware 8.5(2)
Compatible with IBNS features | AAA server dependency
802.1X EAP Methods on Phones

Method | Phone Credential | Deployment Considerations | Verdict
EAP-MD5 | Username / password | Password manually configured on phone; phone name / password must be in AAA database | Difficult to deploy
EAP-FAST with TLS | MIC or LSC for initial PAC provisioning, then PAC | Not supported on ACS 5.0 or 5.1; supported on ACS 4.2 with PAC-Free + PKI Authz Bypass feature in NAP | Deployable with ACS 4.2
EAP-TLS | MIC or LSC | Never need to touch the phone: all config done from CUCM GUI (7.1.2); ACS 5 does not require username lookup after TLS cert validation -> no need to enter phone names in any database | Deployable with ACS 5.x
EAP-TLS: MIC or LSC?
• MIC comes on every 802.1X-EAP-TLS-capable phone
  – LSCs are more work to configure on the CUCM side, but security-conscious customers may already be doing the work
  – From the 802.1X perspective, both are the same amount of config
• Security policy can leverage certificate type
  – Every TLS-capable Cisco phone will have a MIC
  – Only a customer's phone will have an LSC
• Example: use both MIC & LSC to bootstrap the phone:
  1) EAP-TLS with MIC -> Limited Access: permit TFTP to CUCM (to pull the CTL and config file); permit TCP port 3804 to CUCM (to request an LSC)
  2) EAP-TLS with LSC -> Full Access: permit ip any any
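As an added example that is not part of the original presentation, here is what the two downloadable ACLs of the bootstrap policy could look like when entered on ACS 5 in IOS extended-ACL syntax and returned in the Access-Accept. The dACL names and the DHCP line are assumptions; 10.100.10.238 is the CUCM/TFTP address used in the Low Impact Mode example later in this deck.

```cisco
! Added example (not from the slides): dACL bodies an ACS 5 authorization
! rule could return for the two bootstrap stages. ACS 5 takes the dACL body
! in IOS extended-ACL syntax; on the Catalyst switch "any" as source is
! replaced by the authenticated host's own address. Names and the DHCP line
! are assumptions; 10.100.10.238 is the deck's CUCM/TFTP address.
!
! dACL PHONE-MIC-LIMITED: returned for EAP-TLS with the MIC. Just enough to
! get an address, pull the CTL and config file, and request an LSC (TCP 3804).
permit udp any any eq bootps
permit udp any host 10.100.10.238 eq tftp
permit udp any host 10.100.10.238 range 32768 61000
permit tcp any host 10.100.10.238 eq 3804
deny ip any any
!
! dACL PHONE-LSC-FULL: returned for EAP-TLS with a customer-issued LSC.
permit ip any any
```

The rule that chooses between the two keys on the certificate issuer: a MIC chains to the Cisco Manufacturing CA, an LSC to the customer's own CAPF in CUCM, which is what "security policy can leverage certificate type" means in practice. Anything a phone with only a MIC could reach beyond TFTP and port 3804 is attack surface for a stolen or second-hand Cisco phone, so keep the limited list tight.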
EAP Method Selection
• A phone with 802.1X enabled has all EAP methods enabled
• Problem: if ACS proposes MD5, the phone will agree even if no password is configured on the phone -> failed auth.
• Solution: disable MD5 on ACS. If MD5 is required for other devices, disable MD5 in a phone-specific Access Service.
ACS 5 tries each method in order; EAP-MD5 must be unchecked for phones.
Enabling 802.1X on phones
Old Way: on the phone itself. Difficult to deploy en masse.
New Way (CUCM 7.1.2):
• In Phone Config or BAT Template, select "Enabled"
• No need to touch the phone
• Phone must be on the network when you do this.

Enabling 802.1X Post-Deployment
How do you enable 802.1X on a phone via the network if the phone needs 802.1X to get on the network?
1. Non-802.1X Staging Area: initial phone boot-up in a network without 802.1X
2. Do it the "Old Way": works for one-offs, not mass deployments
3. MAB -> 802.1X: use MAB to get the device on the network, grant just enough access to download the config file, phone resets with 802.1X enabled
4. Low Impact Mode: more on this later…
Default Security: Link State
IP Telephony obscures the 802.1X state machine of endpoint changes.

Switch 802.1X State Machine: triggers on link state changes. Endpoint connects -> Link Up -> Authentication, Authorization, Accounting. Endpoint disconnects -> Link Down -> session cleared.

Switch 802.1X State Machine with IP Phone: undetectable link state changes. When the PC behind the phone disconnects, the link between the phone and the switchport is still up: THE SWITCHPORT HAS NO KNOWLEDGE OF THE PC DISCONNECT. No link state change, no 802.1X awareness.
IPT & 802.1X: The Link-State Problem
(Slide shows a Catalyst 3750 with a phone and a PC on port A and a second PC on port B.)
1) Legitimate users cause a security violation: port A is authorized for 0011.2233.4455 only; when a different PC (S:6677.8899.AABB) is plugged in behind the phone, its frames trigger a Security Violation.
2) Hackers can spoof a MAC to gain access without authenticating: a PC that sends frames with S:0011.2233.4455 rides the still-authorized session, a Security Hole.
Link State: Three Solutions
• Proxy EAPoL-Logoff: when its PC port goes down, the phone sends an EAPoL-Logoff on behalf of the PC (running a supplicant such as SSC) and the switch clears the session. Requires a Logoff-capable phone; only works for 802.1X endpoints.
• Inactivity Timer: switch feature; the session is cleared when no traffic is seen from the host for the timer period. Works for MAB endpoints; port vulnerable during the timeout; quiet devices may get kicked off.
• CDP 2nd Port Status: the phone reports its PC-port link state to the switch over CDP ("CDP Link Down") and the switch clears the session. Works for all 802.1X, MAB, Web-Auth; nothing to configure; combined switch + phone feature. Cisco on Cisco Value!
Best Practices: Summary

3rd Gen phone (X.509 cert support, firmware 8.5(2)):
• Catalyst switch: 12.2(50)SE3 (2k, 3k), 12.2(52)SG (4k), 12.2(33)SXI (6K)
• ACS 5.0, CUCM 7.1.2
• Phone: EAP-TLS, CDP 2nd Port
• Switch: 802.1X with MDA, CDP 2nd Port, Monitor/Low Impact
• CUCM: "Touchless" EAP-TLS, Remote 802.1X Enable

2nd Gen phone (firmware 8.1(1)):
• Catalyst switch: 12.2(50)SE3 (2k, 3k), 12.2(52)SG (4k), 12.2(33)SXI (6K)
• ACS, CUCM
• Phone: CDP 2nd Port
• Switch: 802.1X with MDA, CDP 2nd Port, Flex-Auth, Timers, Monitor/Low Impact
• ACS: MAC Import/Update
Deployment Scenarios
Why Deployment Scenarios?
• Features != a solution
• Deployment scenarios
  – Highlight effectiveness and applications of new features
  – Simplify deployments by following a blueprint
  – Combine features that interoperate most effectively
  – Phase deployments for minimal impact to end users
  – Customize basic blueprint as needed
• Two Scenarios:
  – Monitor Mode
  – Low Impact Mode
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/whitepaper_C11-530469.html
Scenario 1: Monitor Mode Overview

Monitor Mode Goals
• No impact to existing network access
• See… what is on the network, who has a supplicant, who has good credentials, who has bad credentials
• Deterrence through accountability

Monitor Mode: How To
• Enable 802.1X & MAB
• Enable Open Access
  – All traffic in addition to EAP is allowed
  – Like not having 802.1X enabled, except authentications still occur
• Enable Multi-Auth Host-Mode (superset of Multi-Domain)
• Disable VLAN / ACL Authorization
Monitor Mode: Next Steps
• Evaluate remaining risk
• Analyze failures
• Prepare the network for access control in later phases

AAA Records | Next Step
Phones passed 802.1X with phone profile; phones passed MAB with phone profile | Ready for access control
Phones passed 802.1X without phone profile; phones passed MAB without phone profile | Fix authorization rules in ACS
Phones failed 802.1X | Disable MD5 on ACS; import correct CUCM certs to ACS
Phones failed MAB | Import MAC to ACS, troubleshoot Profiler
Scenario 2: Low Impact Mode

Low Impact Mode Goals
• Begin to control/differentiate network access
• Minimize impact to existing network access
• Retain visibility of Monitor Mode
• "Low Impact" == no need to re-architect your network
  – Keep existing VLAN design
  – Minimize LAN changes

Low Impact Mode: How To
• Start from Monitor Mode
• Add new features for access control
  – Downloadable ACLs
  – Multi-Auth --> MDA
• Nothing to add to CUCM
Monitor mode vs. Low-impact mode
Example: Using Low Impact Mode to bootstrap a new phone

The switchport carries a pre-auth ACL, so the new phone's DHCP and TFTP traffic (CTL, CNF) to 10.100.10.238 gets through before any EAPoL exchange has taken place.

Pre-Auth ACL on the switchport:
permit ip host 10.100.20.200 any
permit udp any any eq bootps
permit udp any host 10.100.10.238 eq tftp
permit udp any host 10.100.10.238 range 32768 61000

Once the phone has rebooted with 802.1X enabled and authenticated, the RADIUS Access-Accept carries the ACL: AUTH.

• Pre-auth ACL allows just enough access for config, CTL
• New config enables 802.1X on phone
• After 802.1X, phone has full access
• Same idea can give MAB phones access before 802.1X times out
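An added example, not from the original slides, that shows the same access port first in Monitor Mode and then in Low Impact Mode as the two scenarios describe. The interface name, the VLAN IDs and the ACL name are assumed values; the pre-auth ACL body is the one from the bootstrap example above.

```cisco
! Added example (not from the slides): one access port in Monitor Mode, then in
! Low Impact Mode. Interface, VLANs and ACL name are assumed; the PRE-AUTH body
! is the pre-auth ACL shown on the bootstrap slide.
!
! ---- Monitor Mode: every device is authenticated and logged, none is denied ----
interface FastEthernet3/48
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 10
 authentication host-mode multi-auth      ! superset of multi-domain: any number of hosts
 authentication open                      ! traffic flows whatever the auth result
 authentication port-control auto
 mab
 dot1x pae authenticator
! The AAA server returns no VLAN and no dACL in this phase, so a wrong ACS rule
! shows up in the AAA records (see "Monitor Mode: Next Steps"), not as an outage.
!
! ---- Low Impact Mode: same port, pre-auth ACL plus dACLs, host mode MDA ----
ip device tracking                        ! needed for dACLs on Catalyst switches
!
ip access-list extended PRE-AUTH
 permit ip host 10.100.20.200 any
 permit udp any any eq bootps
 permit udp any host 10.100.10.238 eq tftp
 permit udp any host 10.100.10.238 range 32768 61000
 deny ip any any
!
interface FastEthernet3/48
 ip access-group PRE-AUTH in             ! limits the port until a dACL is downloaded
 authentication host-mode multi-domain   ! one phone + one PC
 authentication open                     ! still open: the ACL, not port state, limits access
 authentication port-control auto
 mab
 dot1x pae authenticator
! A new phone gets DHCP, the CTL and its config file through PRE-AUTH, reboots
! with 802.1X enabled, and the Access-Accept then carries the full-access dACL.
```

The dACL returned in the Access-Accept applies per authenticated host, while PRE-AUTH continues to govern traffic from hosts on the port that have not authenticated yet. Whatever PRE-AUTH permits is reachable by any device plugged into the port without authenticating, so it should list only the infrastructure a phone needs to boot, as it does here.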
Configuring Monitor / Low Impact Modes
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/whitepaper_C11-530469.html
Conclusion
Cisco Identity End-to-End: Solution Expertise, Single Vendor Support, Cisco Stability
• Client: Cisco Identity, Secure Services Client (SSC)
• IP Telephony: Cisco IP Phones and CUCM: Touchless TLS, MIC/LSC
• Campus Access: Cisco LAN Switches (Catalyst Switch Portfolio): CDP 2nd port, MDA, Monitor Mode, Low Impact Mode
• Servers: Cisco RADIUS (Cisco ACS 5.0), NAC Profiler/Guest: EAP-TLS, MAB DB
Platforms & Versions

Feature | Switch 3k | Switch 4k | Switch 6k | Phones | CUCM | ACS
CDP Bypass | 12.2(25)SEA | 12.1(20)EWA | 12.2(33)SXH | n/a | n/a | n/a
MDA | 12.2(35)SEE | 12.2(44)SG | 12.2(33)SXI | n/a | n/a | Any
MAB | 12.2(25)SEE | 12.2(31)SG | 12.2(33)SXH | n/a | n/a | Any
Flex-Auth Order | 12.2(50)SE | 12.2(52)SG | 12.2(33)SXI | n/a | n/a | n/a
EAP-TLS / FAST | n/a | n/a | n/a | 8.5(2) | 7.1.2 | 5.0 / 4.2
802.1X Remote Enable | n/a | n/a | n/a | 8.5(2) | 7.1.2 | n/a
Proxy EAPoL-Logoff | n/a | n/a | n/a | 7.2(3) | n/a | n/a
Inactivity Timer | 12.2(50)SE | 12.2(40)SG | 12.2(33)SXI | n/a | n/a | n/a
CDP 2nd port | 12.2(50)SE | 12.2(52)SG | 12.2(33)SXI | 8.1(1), 8.5(2) | n/a | n/a
Monitor Mode / Low Impact | 12.2(50)SE | 12.2(52)SG | 12.2(33)SXI | n/a | n/a | n/a
Key Takeaways
• IP Telephony + 802.1X showcases Cisco-on-Cisco value
• New features significantly simplify deployment
• Deployment scenarios can be used for a crawl-walk-run approach
Exporting MAC addresses from Call Manager to ACS 5.0
• The process described below has been tested using CUCM 7.1.2 and ACS 5.0
• Step 1: Exporting MAC Addresses from Call Manager
• Begin the export process at the Bulk Administration menu of the Cisco Unified CM Administration interface. Under Bulk Administration, select Phones, Export Phones, Specific Details.
• The Find and List Phones screen appears. Click Find to look up all phones, or enter more specific criteria to filter out specific phones. For example, if you only want to export the MAC addresses of phones that cannot support IEEE 802.1X, you could filter on Device Type.
• When you have all the phones listed that you wish to export, click Next to continue the export. The Export Phone Configuration screen appears. Specify a filename for the exported MAC addresses and select the Simple Phone Format file format. Click Submit.
• Step 2: Converting the exported file into the ACS 5 host import format (convert.pl)

#!C:\Perl\bin\perl.exe
# script name: convert.pl
# Description: Converts MAC address files exported from Cisco Call Manager
#              (Simple Phone Format, first field "SEP<MAC>", second field the
#              description) to a format that can be imported into ACS 5
# usage: convert.pl InputFile OutputFile EnableFlag IdentityGroup
# alternative usage: convert.pl InputFile OutputFile EnableFlag
# alternative usage: convert.pl InputFile OutputFile
use strict;
use warnings;

my ($InputFile, $OutputFile, $EnableFlag, $IdentityGroup) = @ARGV;
if (@ARGV < 2) {
    die "Insufficient arguments.\nUsage:\n"
      . "  convert.pl InputFile OutputFile EnableFlag IdentityGroup\n"
      . "  convert.pl InputFile OutputFile EnableFlag\n"
      . "  convert.pl InputFile OutputFile\n";
}
$EnableFlag    = "true" unless defined $EnableFlag;    # default: host enabled
$IdentityGroup = ""     unless defined $IdentityGroup; # default: empty group column

open(my $InFile,  '<', $InputFile)  or die "Can't open input file $InputFile\n";
open(my $OutFile, '>', $OutputFile) or die "Can't open output file $OutputFile\n";

# Print the required ACS template header to OutFile
print $OutFile 'MACAddress:String(64):Required,description:String(1024),"enabled:Boolean(true,false):Required",HostIdentityGroup:String(256)', "\n";

# Reformat fields and print to OutFile. Only lines whose first field is a
# device name of the form SEP<12 hex digits> are converted; the CUCM header
# line and any other device types are skipped.
while (my $line = <$InFile>) {
    chomp $line;                       # keep the trailing newline out of the last field
    next unless $line =~ s/^SEP//;
    my ($mac, $description) = split /,/, $line;
    next unless defined $mac && $mac =~ /^[0-9A-Fa-f]{12}$/;
    $description = "" unless defined $description;
    # 001E4AA900A8 -> 00-1E-4A-A9-00-A8 (the MAC format ACS 5 imports)
    $mac = join '-', ($mac =~ /(..)/g);
    print $OutFile join(',', $mac, $description, $EnableFlag, $IdentityGroup), "\n";
}
close($InFile);
close($OutFile);
2nd Gen. and 3rd Gen. Phones
• 3rd Gen.: 7906, 7911, 7931, 7941, 7942, 7945, 7961, 7962, 7965, 7970, 7971, 7975.
• 2nd Gen.: phones that do not support X.509 certs, e.g. 7902, 7905, 7910, 7912, 7920, 7935, 7936, 7940, 7960