When configuring a SIP trunk from Unified Communications Manager (UCM) to a SIP service provider, a router running CUBE (Cisco Unified Border Element) is needed between UCM and the provider offering the SIP trunk.
One benefit is that this automatically alleviates the challenges most IP PBXs face with hosted NAT traversal for SIP and RTP.
- Monitor Mode
- Choosing Your End-State Mode
- End-State Choice 1: Low-Impact Mode
- End-State Choice 2: Closed Mode
- Transitioning from Monitor Mode into an End-State Mode
- Summary

Section III: The Foundation, Building a Context-Aware Security Policy

Chapter 6: Building a Cisco ISE Network Access Security Policy
- What Makes Up a Cisco ISE Network Access Security Policy?
- Network Access Security Policy Checklist
- Involving the Right People in the Creation of the Network Access Security Policy
- Determining the High-Level Goals for Network Access Security
- Common High-Level Network Access Security Goals
- Defining the Security Domains
- Understanding and Defining ISE Authorization Rules
- Commonly Configured Rules and Their Purpose
- Establishing Acceptable Use Policies
- Defining Network Access Privileges
- Enforcement Methods Available with ISE
- Commonly Used Network Access Security Policies
- Summary

Chapter 7: Building a Device Security Policy
- Host Security Posture Assessment Rules to Consider
- Sample NASP Format for Documenting ISE Posture Requirements
- Common Checks, Rules, and Requirements
- Method for Adding Posture Policy Rules
- Research and Information
- Establishing Criteria to Determine the Validity of a Security Posture Check, Rule, or Requirement in Your Organization
- Method for Determining Which Posture Policy Rules a Particular Security Requirement Should Be Applied To
- Method for Deploying and Enforcing Security Requirements
- ISE Device Profiling
- ISE Profiling Policies
- ISE Profiler Data Sources
- Using Device Profiles in Authorization Rules
- Summary

Chapter 8: Building an ISE Accounting and Auditing Policy
- Why You Need Accounting and Auditing for ISE
- Using PCI DSS as Your ISE Auditing Framework
- ISE Policy for PCI 10.1: Ensuring Unique Usernames and Passwords
- ISE Policy for PCI 10.2 and 10.3: Audit Log Collection
- ISE Policy for PCI 10.5.3, 10.5.4, and 10.7: Ensure the Integrity and Confidentiality of Log Data
- ISE Policy for PCI 10.6: Review Audit Data Regularly
- Cisco ISE User Accounting
- Summary

Section IV: Configuration

Chapter 9: The Basics: Principal Configuration Tasks for Cisco ISE
- Bootstrapping Cisco ISE
- Using the Cisco ISE Setup Assistant Wizard
- Configuring Network Devices for ISE
- Wired Switch Configuration Basics
- Wireless Controller Configuration Basics
- Completing the Basic ISE Setup
- Install ISE Licenses
- ISE Certificates
- Installing ISE Behind a Firewall
- Role-Based Access Control for Administrators
- RBAC for ISE GUI
- RBAC: Session and Access Settings and Restrictions
- RBAC: Authentication
- RBAC: Authorization
- Summary

Chapter 10: Profiling Basics
- Understanding Profiling Concepts
- Probes
- Probe Configuration
- Deployment Considerations
- DHCP
- Deployment Considerations
- NetFlow
- Deployment Considerations
- RADIUS
- Deployment Considerations
- Network Scan (NMAP)
- Deployment Considerations
- DNS
- Deployment Considerations
- SNMP
- Deployment Considerations
- IOS Device-Sensor
- Change of Authorization
- CoA Message Types
- Configuring Change of Authorization in ISE
- Infrastructure Configuration
- DHCP Helper
- SPAN Configuration
- VLAN Access Control Lists (VACL)
- VMware Configurations to Allow Promiscuous Mode
- Best Practice Recommendations
- Examining Profiling Policies
- Endpoint Profile Policies
- Cisco IP Phone 7970 Example
- Using Profiles in Authorization Policies
- Endpoint Identity Groups
- EndPointPolicy
- Logical Profiles
- Feed Service
- Configuring the Feed Service
- Summary

Chapter 11: Bootstrapping Network Access Devices
- Bootstrap Wizard
- Cisco Catalyst Switches
- Global Configuration Settings for All Cisco IOS 12.2 and 15.x Switches
- Configure Certificates on a Switch
- Enable the Switch HTTP/HTTPS Server
- Global AAA Commands
- Global RADIUS Commands
- Create Local Access Control Lists
- Global 802.1X Commands
- Global Logging Commands (Optional)
- Global Profiling Commands
- Interface Configuration Settings for All Cisco Switches
- Configure Interfaces as Switch Ports
- Configure Flexible Authentication and High Availability
- Configure Authentication Settings
- Configure Authentication Timers
- Apply the Initial ACL to the Port and Enable Authentication
- Cisco Wireless LAN Controllers
- Configure the AAA Servers
- Add the RADIUS Authentication Servers
- Add the RADIUS Accounting Servers
- Configure RADIUS Fallback (High Availability)
- Configure the Airespace ACLs
- Create the Web Authentication Redirection ACL
- Create the Posture Agent Redirection ACL
- Create the Dynamic Interfaces for the Client VLANs
- Create the Employee Dynamic Interface
- Create the Guest Dynamic Interface
- Create the Wireless LANs
- Create the Guest WLAN
- Create the Corporate SSID
- Summary

Chapter 12: Authorization Policy Elements
- Authorization Results
- Configuring Authorization Downloadable ACLs
- Configuring Authorization Profiles
- Summary

Chapter 13: Authentication and Authorization Policies
- Relationship Between Authentication and Authorization
- Authentication Policies
- Goals of an Authentication Policy
- Accept Only Allowed Protocols
- Route to the Correct Identity Store
- Validate the Identity
- Pass the Request to the Authorization Policy
- Understanding Authentication Policies
- Conditions
- Allowed Protocols
- Identity Store
- Options
- Common Authentication Policy Examples
- Using the Wireless SSID
- Remote-Access VPN
- Alternative ID Stores Based on EAP Type
- Authorization Policies
- Goals of Authorization Policies
- Understanding Authorization Policies
- Role-Specific Authorization Rules
- Authorization Policy Example
- Employee and Corporate Machine Full-Access Rule
- Internet Only for iDevices
- Employee Limited Access Rule
- Saving Attributes for Re-Use
- Summary

Chapter 14: Guest Lifecycle Management
- Guest Portal Configuration
- Configuring Identity Source(s)
- Guest Sponsor Configuration
- Guest Time Profiles
- Guest Sponsor Groups
- Sponsor Group Policies
- Authentication and Authorization Guest Policies
- Guest Pre-Authentication Authorization Policy
- Guest Post-Authentication Authorization Policy
- Guest Sponsor Portal Configuration
- Guest Portal Interface and IP Configuration
- Sponsor and Guest Portal Customization
- Customize the Sponsor Portal
- Creating a Simple URL for Sponsor Portal
- Guest Portal Customization
- Customizing Portal Theme
- Creating Multiple Portals
- Guest Sponsor Portal Usage
- Sponsor Portal Layout
- Creating Guest Accounts
- Managing Guest Accounts
- Configuration of Network Devices for Guest CWA
- Wired Switches
- Wireless LAN Controllers
- Summary

Chapter 15: Device Posture Assessment
- ISE Posture Assessment Flow
- Configure Global Posture and Client Provisioning Settings
- Posture Client Provisioning Global Setup
- Posture Global Setup
- General Settings
- Reassessments
- Updates
- Acceptable Use Policy
- Configure the NAC Agent and NAC Client Provisioning Settings
- Configure Posture Conditions
- Configure Posture Remediation
- Configure Posture Requirements
- Configure Posture Policy
- Enabling Posture Assessment in the Network
- Summary

Chapter 16: Supplicant Configuration
- Comparison of Popular Supplicants
- Configuring Common Supplicants
- Mac OS X 10.8.2 Native Supplicant Configuration
- Windows GPO Configuration for Wired Supplicant
- Windows 7 Native Supplicant Configuration
- Cisco AnyConnect Secure Mobility Client NAM
- Summary

Chapter 17: BYOD: Self-Service Onboarding and Registration
- BYOD Challenges
- Onboarding Process
- BYOD Onboarding
- Dual SSID
- Single SSID
- Configuring NADs for Onboarding
- ISE Configuration for Onboarding
- End-User Experience
- Configuring ISE for Onboarding
- BYOD Onboarding Process Detailed
- MDM Onboarding
- Integration Points
- Configuring MDM Integration
- Configuring MDM Onboarding Policies
- Managing Endpoints
- Self Management
- Administrative Management
- The Opposite of BYOD: Identify Corporate Systems
- EAP Chaining
- Summary

Chapter 18: Setting Up a Distributed Deployment
- Configuring ISE Nodes in a Distributed Environment
- Make the Policy Administration Node a Primary Device
- Register an ISE Node to the Deployment
- Ensure the Persona of All Nodes Is Accurate
- Understanding the HA Options Available
- Primary and Secondary Nodes
- Monitoring and Troubleshooting Nodes
- Policy Administration Nodes
- Promoting the Secondary PAN to Primary
- Node Groups
- Create a Node Group
- Add the Policy Services Nodes to the Node Group
- Using Load Balancers
- General Guidelines
- Failure Scenarios
- Summary

Chapter 19: Inline Posture Node
- Use Cases for the Inline Posture Node
- Overview of IPN Functionality
- IPN Configuration
- IPN Modes of Operation
- Summary

Section V: Deployment Best Practices

Chapter 20: Deployment Phases
- Why Use a Phased Approach?
Drawing on their cutting-edge experience supporting Cisco enterprise customers, the authors present detailed sample configurations to help you plan your own integrated identity solution.
Whether you’re a technical professional or an IT manager, this guide will help you provide reliable secure access for BYOD, CYOD (Choose Your Own Device), or any IT model you choose.
Below is the SIP INVITE in its entirety as originated by UCM and sent towards the Cisco router running CUBE; note that the Diversion header contains only the 4-digit DN.
The call flow is a PSTN call from 4802317040 to the UCM number 9494289948, which then forwards back out to the PSTN number 7023100500.
*Oct 14 .355: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
INVITE sip:[email protected]:5060 SIP/2.0
Via: SIP/2.0/UDP 1.60;branch=z9hG4bK81718
From: “HOLLOWAY MARK ”
Date: Wed, GMT
Call-ID: [email protected]
Supported: 100rel,timer,resource-priority,replaces,sdp-anat
Min-SE: 1800
Cisco-Guid: 3682385244-3079541214-2149163035-4044138496
User-Agent: Cisco-SIPGateway/IOS-12.x
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
CSeq: 101 INVITE
Timestamp: 1255479906
Contact: ;privacy=off;reason=unconditional;screen=yes
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 216

You do not need to build the profile for multiple numbers, since the router is using the pilot user (from sip-ua) as the Diversion number. This allows the customer to send any outbound caller ID they want without the call being rejected.
It is common for service providers to build a trunk group in a parent-child hierarchy, so that if the redirect number is the pilot number, the call is permitted regardless of which DN is doing the forwarding. In the following examples the customer in BroadWorks would have their Trunk Group Identifier set by the service provider.
request REGISTER sip-header Contact modify “”

Below is another example where a call coming from UCM includes the leading 9 for outside dial tone.