Cisco Cius Installation guide

Overview of Cisco Cius
Cisco Cius is a mobile collaboration device built for business. It is designed to help organizations capitalize
on the value of mobility by enabling anywhere, anytime access to important business applications and
features.
Cisco Cius includes the following features:
• Campus mobility with a choice of wired Gigabit Ethernet connectivity through handset media station
or IEEE 802.11 a/b/g/n Wi-Fi connectivity
• An Intel Atom 1.6-GHz processor
• 1-GB RAM and 32-GB of eMMC flash memory
• Native support for Bluetooth headsets
• Bluetooth profile support, including Hands-Free Profile and Advanced Audio Distribution (A2DP)
Profile
• High-definition video through 7-inch (177.8 mm) high-resolution color screen.
• High-definition audio through integrated speakers
• Microphone
• Front- and rear-facing cameras
• Detachable and serviceable 8-hour battery
Cisco Cius, like other network devices, must be configured and managed. Cisco Cius devices encode
G.711a-law, G.711u-law, G.722, G.729a, G.729ab, and iLBC, and decode G.711a-law, G.711u-law, G.722,
G.729, G.729a, G.729b, G.729ab, iSAC, iLBC, and H.264.
Caution: Using a mobile or GSM phone, or two-way radio in close proximity to Cisco Cius might cause interference.
For more information, see the manufacturer documentation of the interfering device.
This chapter comprises the following topics:
• Understanding Cisco Cius
• Supported Networking Protocols
• Supported Features on Cisco Cius
• Understanding Security Features for Cisco Cius
• Overview of Configuring and Installing Cisco Cius
Cisco Cius Administration Guide, Release 9.2(3)
OL-26938-01
Understanding Cisco Cius
The following image shows the front view of Cisco Cius.
Figure 1: Cisco Cius - Front View
The following table describes the keys and components on the front of Cisco Cius.
Table 1: Cisco Cius Keys and Components - Front View
No. | Item | Description
1 | Camera LED | Indicates video status
2 | Front-facing camera | 1-megapixel camera
3 | Light sensor | Ambient light sensor
4 | Speaker (one of two) | Two speakers (located on each side of keys)
5 | Menu key | Displays menu options
6 | Home key | Returns to the home screen
7 | Back key | Returns to the previous screen
The following image shows the back view of Cisco Cius.
Figure 2: Cisco Cius - Back View
The following table describes the components on the back of Cisco Cius.
Table 2: Cisco Cius Components - Back View
No. | Item | Description
1 | Rear-facing camera | 5-megapixel camera with 8X digital zoom

The following image shows the left-side view of Cisco Cius.
Figure 3: Cisco Cius - Left Side
The following table describes the components on the left side of Cisco Cius.
Table 3: Cisco Cius Components - Left Side
No. | Item | Description
1 | Mute button | Mutes speaker
2 | Volume Up button | Turns speaker volume up
3 | Volume Down button | Turns speaker volume down
4 | SIM slot | Location for SIM card.

The following image shows the right-side view of Cisco Cius.
Figure 4: Cisco Cius - Right Side
The following table describes the components on the right side of Cisco Cius.
Table 4: Cisco Cius Features - Right Side
No. | Item | Description
1 | Battery release | Provides means for removing battery
2 | Power port | Connects to external power supply
The following image shows the top view of Cisco Cius.
Figure 5: Cisco Cius - Top View
The following table describes the components on the top of Cisco Cius.

Table 5: Cisco Cius Features - Top View
No. | Item | Description
1 | Micro-USB port | For Android Debug Bridge (ADB) access to get Cisco Cius debug data or to copy files to and from PC. Cannot attach mouse or other accessories
2 | MicroSD card slot | Location for MicroSD card
3 | Microphone | -
4 | Power button | Turns unit on and off.
The following image shows the bottom view of Cisco Cius.
Figure 6: Cisco Cius - Bottom View
The following table describes the components on the bottom of Cisco Cius.
Table 6: Cisco Cius Features - Bottom View
No. | Item | Description
1 | Headset port | 3.5 mm single-plug stereo headphone connection
2 | Dock ports | Connects to Cisco Cius media station
3 | HDMI port | Type-D mini-HDMI
Supported Networking Protocols
Cisco Cius supports several industry-standard and Cisco networking protocols that are required for voice
communication. The following table provides an overview of the networking protocols that Cisco Cius supports.

Table 7: Supported Networking Protocols on Cisco Cius
Networking protocol: Bluetooth
Purpose: Bluetooth is a wireless personal area network (WPAN) protocol that specifies how devices communicate over short distances.
Usage notes: Cisco Cius supports Bluetooth 2.1+EDR. Cisco Cius supports Hands-Free Profile (HFP) and Advanced Audio Distribution (A2DP) Profile.

Networking protocol: Bootstrap Protocol (BootP)
Purpose: BootP enables a network device, such as Cisco Cius, to discover certain startup information, such as its IP address.
Usage notes: -

Networking protocol: Cisco Discovery Protocol (CDP)
Purpose: CDP is a device-discovery protocol that runs on all Cisco-manufactured equipment. Using CDP, a device can advertise its existence to other devices and receive information about other devices in the network.
Usage notes: Cisco Cius uses CDP to communicate information such as auxiliary VLAN ID, per port power-management details, and Quality of Service (QoS) configuration information with the Cisco Catalyst switch.

Networking protocol: Cisco Peer-to-Peer Distribution Protocol (CPPDP)
Purpose: CPPDP is a Cisco proprietary protocol that is used to form a peer-to-peer hierarchy of devices. This hierarchy distributes firmware files from peer devices to their neighboring devices.
Usage notes: The Peer Firmware Sharing feature uses CPPDP.

Networking protocol: Dynamic Host Configuration Protocol (DHCP)
Purpose: DHCP dynamically allocates and assigns an IP address to network devices. DHCP enables you to connect Cisco Cius into the network and have Cisco Cius become operational without your needing to manually assign an IP address or to configure additional network parameters.
Usage notes: DHCP is enabled by default. If DHCP is disabled, you must manually configure the IP address, gateway, netmask, and a TFTP server on Cisco Cius locally. Cisco recommends that you use DHCP custom option 150. With this method, you configure the TFTP server IP address as the option value. For additional supported DHCP configurations, see the following chapters in the Cisco Unified Communications Manager System Guide:
• Dynamic Host Configuration Protocol
• Cisco TFTP
If you cannot use option 150, try using DHCP option 66.

Networking protocol: Hypertext Transfer Protocol (HTTP)
Purpose: HTTP is the standard way of transferring information and moving documents across the Internet and the web.
Usage notes: Cisco Cius uses HTTP for XML services and for troubleshooting purposes.

Networking protocol: Hypertext Transfer Protocol Secure (HTTPS)
Purpose: HTTPS is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of servers and for transferring Cisco Cius firmware images.
Usage notes: Web applications with both HTTP and HTTPS support have two URLs configured.

Networking protocol: IEEE 802.1X
Purpose: The IEEE 802.1X standard defines a client-server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports. Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
Usage notes: Cisco Cius implements the IEEE 802.1X standard by providing support for the following authentication methods: EAP-FAST and EAP-TLS, PEAP, and CCKM. After 802.1X authentication is enabled on Cisco Cius, disable the PC port on the media station and voice VLAN. See the Supporting 802.1X Authentication on Cisco Cius, on page 19 for additional information.

Networking protocol: IEEE 802.11a/b/g/n
Purpose: The IEEE 802.11 standard specifies how devices communicate over a wireless local area network (WLAN). 802.11a operates at the 5 GHz band and 802.11b and 802.11g operate at the 2.4 GHz band. 802.11n operates in either the 2.4 GHz or 5 GHz band.
Usage notes: The 802.11 interface is a deployment option for cases when Ethernet cabling is unavailable or undesirable.

Networking protocol: Internet Protocol (IP)
Purpose: IP is a messaging protocol that addresses and sends packets across the network.
Usage notes: To communicate using IP, network devices must have an assigned IP address, gateway, and netmask. IP address, gateway, and netmask identifications are automatically assigned if you are using Cisco Cius with DHCP. If you are not using DHCP, you must manually assign these properties to each Cisco Cius locally.

Networking protocol: Link Layer Discovery Protocol (LLDP)
Purpose: LLDP is a standardized network discovery protocol (similar to CDP) that is supported on some Cisco and third-party devices.
Usage notes: -

Networking protocol: Link Layer Discovery Protocol-Media Endpoint Devices (LLDP-MED)
Purpose: LLDP-MED is an extension of the LLDP standard developed for voice products.
Usage notes: Cisco Cius supports LLDP-MED on the media station switch port to communicate information such as:
• Voice VLAN configuration
• Device discovery
• Power management
• Inventory management
For more information about LLDP-MED support, see the LLDP-MED and Cisco Discovery Protocol white paper at this URL:
http://www.cisco.com/en/US/technologies/tk652/tk701/technologies_white_paper0900aecd804cd46d.html

Networking protocol: Real-Time Transport Protocol (RTP)
Purpose: RTP is a standard protocol for transporting real-time data, such as interactive voice and video, over data networks.
Usage notes: Cisco Cius uses RTP to send and receive real-time voice and video traffic from other devices and gateways.

Networking protocol: Real-Time Control Protocol (RTCP)
Purpose: RTCP works in conjunction with RTP to provide QoS data (such as jitter, latency, and round-trip delay) on RTP streams. RTCP is also used to synchronize the audio and video stream in order to provide a better video experience.
Usage notes: RTCP is disabled by default, but you can use Cisco Unified Communications Manager to enable it on a per-device basis.

Networking protocol: Session Description Protocol (SDP)
Purpose: SDP is the portion of the SIP protocol that determines which parameters are available during a connection between two endpoints. Conferences are established by using only the SDP capabilities that are supported by all endpoints in the conference.
Usage notes: SDP capabilities, such as codec types, DTMF detection, and comfort noise, are normally configured on a global basis by Cisco Unified Communications Manager or Media Gateway in operation. Some SIP endpoints may allow these parameters to be configured on the endpoint itself.

Networking protocol: Session Initiation Protocol (SIP)
Purpose: SIP is the IETF standard for multimedia conferencing over IP. SIP is an ASCII-based application-layer control protocol (defined in RFC 3261) that can be used to establish, maintain, and terminate calls between two or more endpoints.
Usage notes: Like other VoIP protocols, SIP is designed to address the functions of signaling and session management within a packet telephony network. Signaling allows call information to be carried across network boundaries. Session management provides the ability to control the attributes of an end-to-end call.

Networking protocol: Transmission Control Protocol (TCP)
Purpose: TCP is a connection-oriented transport protocol.
Usage notes: Cisco Cius uses TCP to connect to Cisco Unified Communications Manager and to access XML services.

Networking protocol: Transport Layer Security
Purpose: TLS is a standard protocol for securing and authenticating communications.
Usage notes: Cisco Cius uses the TLS protocol after registering with Cisco Unified Communications Manager securely.

Networking protocol: Trivial File Transfer Protocol (TFTP)
Purpose: TFTP allows you to transfer files over the network. On Cisco Cius, TFTP enables you to obtain a configuration file specific to Cisco Cius.
Usage notes: TFTP requires a TFTP server in your network that can be automatically identified from the DHCP server. If you want Cisco Cius to use a TFTP server other than the one specified by the DHCP server, you must use the Network Configuration menu on Cisco Cius to assign the IP address of the TFTP server manually. For more information, see the Cisco TFTP chapter in the Cisco Unified Communications Manager System Guide.

Networking protocol: User Datagram Protocol (UDP)
Purpose: UDP is a connectionless messaging protocol for delivery of data packets.
Usage notes: Cisco Cius transmits and receives RTP streams, which utilize UDP.
Related Topics
Understanding Interactions with Other Cisco Unified IP Telephony Products
Understanding Cisco Cius Startup Process
Ethernet Settings Menu
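The DHCP entry above recommends option 150 for the TFTP server address, with option 66 as the fallback. As an added example (not part of the Cisco guide), this Python sketch parses the options field of a DHCP reply and reports which TFTP servers it advertises, so they can be compared with an approved list. Preferring option 150 over option 66 follows the recommendation above and is an assumption about lookup order; the sample option bytes, addresses, host name and approved list are constructed.

```python
import ipaddress

PAD, END = 0, 255
OPT_TFTP_NAME = 66    # RFC 2132 "TFTP server name": a text string
OPT_TFTP_ADDR = 150   # RFC 5859 "TFTP server address": one or more IPv4 addresses


def parse_dhcp_options(options: bytes) -> dict:
    """Walk the code/length/value options that follow the DHCP magic cookie."""
    found = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == END:
            break
        if code == PAD:                 # padding is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError(f"option {code}: missing length byte")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        # RFC 3396: repeated instances of one option are concatenated.
        found[code] = found.get(code, b"") + value
        i += 2 + length
    return found


def tftp_servers(options: bytes):
    """Return (option_used, servers); option 150 wins when both are present."""
    opts = parse_dhcp_options(options)
    if OPT_TFTP_ADDR in opts:
        raw = opts[OPT_TFTP_ADDR]
        if not raw or len(raw) % 4:
            raise ValueError("option 150 must hold whole IPv4 addresses")
        addrs = [str(ipaddress.IPv4Address(raw[j:j + 4]))
                 for j in range(0, len(raw), 4)]
        return OPT_TFTP_ADDR, addrs
    if OPT_TFTP_NAME in opts:
        name = opts[OPT_TFTP_NAME].rstrip(b"\x00").decode("ascii")
        return OPT_TFTP_NAME, [name]
    return None, []


def unapproved_servers(options: bytes, approved: set) -> list:
    """List advertised TFTP servers that are not on the approved list.

    An option 66 host name is compared as a string; it is not resolved here.
    """
    _, servers = tftp_servers(options)
    return [s for s in servers if s not in approved]


def opt(code: int, value: bytes) -> bytes:
    """Build one option so the sample data cannot carry a wrong length."""
    return bytes([code, len(value)]) + value


# Constructed sample option fields (not captured traffic).
APPROVED_TFTP = {"10.10.20.5", "10.10.20.6"}
OFFER_OPT150 = (opt(53, b"\x02")
                + opt(150, bytes([10, 10, 20, 5, 10, 10, 20, 6]))
                + opt(66, b"tftp.example.test") + bytes([END]))
OFFER_OPT66_ONLY = (bytes([PAD]) + opt(53, b"\x02")
                    + opt(66, b"tftp.example.test\x00") + bytes([END]))
OFFER_UNAPPROVED = (opt(53, b"\x02")
                    + opt(150, bytes([192, 0, 2, 99])) + bytes([END]))

if __name__ == "__main__":
    for label, offer in [("option 150", OFFER_OPT150),
                         ("option 66 only", OFFER_OPT66_ONLY),
                         ("unapproved", OFFER_UNAPPROVED)]:
        print(label, tftp_servers(offer),
              "unapproved:", unapproved_servers(offer, APPROVED_TFTP))
```

A reply that names a TFTP server outside the approved set is worth investigating, because the device obtains its configuration file from that server.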
Supported Features on Cisco Cius
Cisco Cius is a business device that delivers anytime, anywhere access to Cisco Collaboration applications,
including Unified Communications features. Cisco Cius also provides access to other business and Android
applications.

Related Topics
Feature Overview, on page 11
Configuring Telephony Features, on page 11
Configuring Network Parameters Using Cisco Cius, on page 12
Providing Users with Feature Information, on page 12
Feature Overview
Cisco Cius is a mobile collaboration device for business. Cisco Cius provides an integrated suite of collaborative
applications, including Cisco Quad, Cisco WebEx, Cisco Unified Presence, instant messaging, email, visual
voice mail, and Cisco Unified Communications Manager voice and video telephony features. Cisco Cius also
provides Virtual Desktop Infrastructure (VDI) and cloud computing and support for a wide range of applications
through Cisco AppHQ Developer Network Marketplace. Cisco Cius also supports applications from the
Google Android Marketplace. For an overview of the features that Cisco Cius supports and for tips on
configuring them, see Configuring Features, Templates, Services, and Users.
As with other network devices, you must configure Cisco Cius to prepare to access Cisco Unified
Communications Manager and the rest of the IP network. By using DHCP, you have fewer settings to configure
on Cisco Cius, but if your network requires it, you can manually configure an IP address, TFTP server, netmask
information, and so on. For instructions on configuring the network settings on Cisco Cius, see the Setup
Menus on Cisco Cius.
Finally, because Cisco Cius is a network device, you can obtain detailed status information from it directly.
This information can assist you with troubleshooting problems that users might encounter when using their
Cisco Cius devices. See Viewing Model Information Status and Statistics on Cisco Cius for more information.
Related Topics
Configuring Settings on Cisco Cius
Configuring Features, Templates, Services, and Users
Troubleshooting and Maintenance
Configuring Telephony Features
You can modify settings for Cisco Cius from Cisco Unified Communications Manager Administration. Use
this web-based application to set up Cisco Cius registration criteria and calling search spaces, to configure
corporate directories and services, and to modify phone button templates, among other tasks.
For more information, see the Telephony Features Available for Cisco Cius and the Cisco Unified
Communications Manager Administration Guide. You can also use the context-sensitive help available within
the application for guidance.
You can access Cisco Unified Communications Manager documentation at this location:
http://www.cisco.com/en/US/products/sw/voicesw/ps556/tsd_products_support_series_home.html
You can access Cisco Unified Communications Manager Business Edition 5000 documentation at this location:
http://www.cisco.com/en/US/products/ps7273/tsd_products_support_series_home.html

Configuring Network Parameters Using Cisco Cius
You can configure parameters, such as DHCP, TFTP, and IP settings, on the Cisco Cius device. You can also
obtain statistics about a current call or firmware versions on Cisco Cius.
For more information about configuring features and viewing statistics from Cisco Cius, see Configuring
Settings on Cisco Cius and Viewing Model Information Status and Statistics on Cisco Cius.
Providing Users with Feature Information
You are likely the primary source of information for Cisco Cius users in your network or company. To ensure
that you distribute the most current feature and procedural information, familiarize yourself with Cisco Cius
documentation. Make sure to visit the Cisco Cius website:
http://www.cisco.com/en/US/products/ps11156/tsd_products_support_series_home.html
From this site, you can view the user guide and quick start documentation.
Note: The Cisco Cius User Guide is also available directly through a link on the tablet. Choose Settings > About
Cius > Cisco Cius User Guide.
In addition to providing documentation, it is important to inform users about available Cisco Cius features,
including those specific to your company or network, and about how to access and customize those features,
if appropriate.
For a summary of some of the key information that Cisco Cius users may need, see Providing Information to
Users Through a Website.
Understanding Security Features for Cisco Cius
Implementing security in the Cisco Unified Communications Manager system prevents data tampering, and
prevents call-signaling and media-stream tampering of the Cisco Cius and the Cisco Unified Communications
Manager server.
To alleviate these threats, the Cisco IP telephony network establishes and maintains secure (encrypted)
communication streams between Cisco Cius and the server, digitally signs files before they are transferred to
Cisco Cius, and encrypts media streams and call signaling between Cisco Cius devices.
Cisco Cius uses a security profile that defines whether the device is nonsecure or secure. For information
about applying the security profile to the device, see the Cisco Unified Communications Manager Security
Guide.
If you configure security-related settings in Cisco Unified Communications Manager Administration, the
phone configuration file contains sensitive information. To ensure the privacy of a configuration file, you
must configure the file for encryption. For detailed information, see the “Configuring Encrypted Phone
Configuration Files” chapter in Cisco Unified Communications Manager Security Guide.
The following table shows where you can find information about security in this and other documents.

Table 8: Cisco Cius and Cisco Unified Communications Manager Security Topics
Topic: Detailed explanation of security, including setup, configuration, and troubleshooting information for Cisco Unified Communications Manager and Cisco Cius
Reference: See the Cisco Unified Communications Manager Security Guide.

Topic: Security features supported on Cisco Cius
Reference: See the Overview of Supported Security Features, on page 14. See the Cisco Cius Wireless LAN Deployment Guide.

Topic: Restrictions regarding security features
Reference: See the Security Restrictions, on page 21.

Topic: Viewing a security profile name
Reference: Table 9: Overview of Security Features, on page 14 provides an overview of the security features that Cisco Cius supports. For more information about these features and about Cisco Unified Communications Manager and Cisco Unified IP Phone security, see the Cisco Unified Communications Manager Security Guide.

Topic: Identifying phone calls for which security is implemented
Reference: See the Identifying Secure (Encrypted) Phone Calls, on page 17.

Topic: TLS connection
Reference: See the Supported Networking Protocols, on page 6. See the Adding Cisco Cius Mobile Collaboration Endpoints with Cisco Unified Communications Manager Administration.

Topic: Security and Cisco Cius startup process
Reference: See the Understanding Cisco Cius Startup Process.

Topic: Security and Cisco Cius configuration files
Reference: See the Adding Cisco Cius Mobile Collaboration Endpoints with Cisco Unified Communications Manager Administration.

Topic: Changing the TFTP Server 1 or TFTP Server 2 option on Cisco Cius after security is implemented
Reference: See the TFTP Server Settings Menu.

Topic: Items on the Security Setup menu that you access from Cisco Cius
Reference: See the Location and Security Setup Menu.

Topic: Disabling access to a device web page
Reference: See the Enabling and Disabling Web Page Access.

Topic: Troubleshooting
Reference: See the Troubleshooting Cisco Cius Security. See the Cisco Unified Communications Manager Security Guide.

Topic: Deleting the CTL/ITL file from Cisco Cius
Reference: See the Resetting Cisco Cius.

Topic: Resetting or restoring Cisco Cius
Reference: See the Resetting Cisco Cius.

Topic: 802.1X Authentication for Cisco Cius
Reference: See these sections:
• Supporting 802.1X Authentication on Cisco Cius, on page 19.
• Enterprise Security Settings.
• Troubleshooting Cisco Cius Security.
Overview of Supported Security Features
The following table provides an overview of the security features that Cisco Cius supports. For more information
about these features and about Cisco Unified Communications Manager and Cisco Cius security, see the Cisco
Unified Communications Manager Security Guide and the Wireless Security chapter of the Cisco Cius Wireless
LAN Deployment Guide.
For information about current security settings on Cisco Cius, press the Menu key and choose Settings >
Location and security. For more information, see the Location and Security Setup Menu.
Table 9: Overview of Security Features
Feature: Image authentication
Description: Signed binary files (with the extension .sbn) prevent tampering with the firmware image before it is loaded on a Cisco Cius device. Tampering with the image causes Cisco Cius to fail the authentication process and reject the new image.

Feature: Customer-site certificate installation
Description: Each Cisco Cius requires a unique certificate for device authentication. Cisco Cius devices include a manufacturing installed certificate (MIC), but for additional security, you can specify in Cisco Unified Communications Manager Administration that a certificate be installed by using the Certificate Authority Proxy Function (CAPF). Alternatively, you can install a Locally Significant Certificate (LSC) from the Enterprise security menu on the device. See the Configuring Security on Cisco Cius for more information.

Feature: Device authentication
Description: Occurs between the Cisco Unified Communications Manager server and Cisco Cius when each entity accepts the certificate of the other entity. Determines whether a secure connection between Cisco Cius and Cisco Unified Communications Manager occurs and, if necessary, creates a secure signaling path between the entities by using TLS protocol. Cisco Unified Communications Manager will not register Cisco Cius devices unless Cisco Unified Communications Manager can authenticate them.

Feature: File authentication
Description: Validates digitally signed files that Cisco Cius downloads. Cisco Cius validates the signature to make sure that file tampering did not occur after file creation. Files that fail authentication are not written to Flash memory on Cisco Cius. Cisco Cius rejects such files without further processing.

Feature: File encryption
Description: Encryption prevents sensitive information from being revealed while the file is in transit to Cisco Cius. In addition, Cisco Cius validates the signature to make sure that file tampering did not occur after file creation. Files that fail authentication are not written to Flash memory on the Cius. Cisco Cius rejects such files without further processing.

Feature: Signaling Authentication
Description: Uses the TLS protocol to validate that no tampering has occurred to signaling packets during transmission.

Feature: Manufacturing installed certificate
Description: Each Cisco Cius contains a unique manufacturing-installed certificate (MIC), which is used for device authentication. The MIC provides permanent unique proof of identity for the device and allows Cisco Unified Communications Manager to authenticate Cisco Cius.

Feature: Media encryption
Description: Uses SRTP to ensure that the media streams between supported devices are secure and that only the intended device receives and reads the data. Includes creating a media master key pair for the devices, delivering the keys to the devices, and securing the delivery of the keys.

Feature: CAPF (Certificate Authority Proxy Function)
Description: Implements parts of the certificate generation procedure that are too processing-intensive for Cisco Cius, and interacts with Cisco Cius for key generation and certificate installation. The CAPF can be configured to request certificates from customer-specified certificate authorities on behalf of Cisco Cius, or it can be configured to generate certificates locally.

Feature: Security profiles
Description: Defines whether Cisco Cius is nonsecure, authenticated, encrypted, or protected. For more information about these features and about Cisco Unified Communications Manager and Cisco Cius security, see the Cisco Unified Communications Manager Security Guide.

Feature: Encrypted configuration files
Description: Lets you ensure the privacy of Cisco Cius configuration files.

Feature: Optional disabling of the web server functionality for Cisco Cius
Description: For security purposes, you can prevent access to a Cisco Cius web page (which indicates a variety of operational statistics for the device) and user options pages. For more information, see the Enabling and Disabling Web Page Access.

Feature: Phone hardening
Description: Additional security options, which you control from Cisco Unified Communications Manager Administration:
• Disabling PC port on the media station
• Disabling Gratuitous ARP (GARP)
• Disabling PC Voice VLAN access
• Providing restricted access to the web applications
• Disabling Bluetooth Accessory Port
• Disabling access to web pages
• Requiring a screen lock
• Controlling access to Google Android market.
• Controlling access to installation of applications from unknown sources

Feature: 802.1X Authentication
Description: Cisco Cius can use 802.1X authentication to request and gain access to the network. See the Supporting 802.1X Authentication on Cisco Cius, on page 19 for more information.

Feature: Secure SIP Failover for SRST
Description: After you configure an SRST reference for security and then reset the dependent devices in Cisco Unified Communications Manager Administration, the TFTP server adds the SRST certificate to the Cisco Cius cnf.xml file and sends the file to the device. A secure device then uses a TLS connection to interact with the SRST-enabled router.

Feature: Signaling encryption
Description: Ensures that all SIP signaling messages that are sent between the device and the Cisco Unified CM server are encrypted.

Related Topics
Identifying Secure (Encrypted) Phone Calls, on page 17
Security Restrictions, on page 21
Understanding Security Profiles
All Cisco Cius devices that support Cisco Unified Communications Manager use a security profile, which
defines whether the device is nonsecure, authenticated, or encrypted. For information about configuring the
security profile and applying the profile to the device, see the Cisco Unified Communications Manager Security
Guide.
To view the security mode that is set for Cisco Cius, view the Signaling security mode setting in the Enterprise
security settings menu.
Related Topics
Identifying Secure (Encrypted) Phone Calls, on page 17
Security Restrictions, on page 21
Identifying Secure (Encrypted) Phone Calls
Security is implemented for Cisco Cius by enabling the “Protected Device” parameter from the Cisco Unified
Communications Manager Administration Phone window. When security is implemented, you can identify
secure phone calls by the Secure Call icon on the Cisco Cius screen. In a secure call, all call signaling and
media streams are encrypted. A secure call offers a high level of security, providing integrity and privacy to
the call. When a call in progress is being encrypted, the Security Mode status on Cisco Cius Enterprise security
settings menu indicates “Encrypted.”
Note: If the call is routed through non-IP call legs (for example, PSTN), the call may be nonsecure even though
it is encrypted within the IP network and has a lock icon associated with it.
In a secure call, a 2-second tone plays to notify the users when a call is encrypted and both devices are
configured as protected devices, and if secure tone features are enabled on Cisco Unified Communications
Manager. The tone plays for both parties when the call is answered. The tone does not play unless both devices
are protected and the call occurs over encrypted media. If the system determines that the call is not encrypted,
Cisco Cius plays a nonsecure indication tone (6 beeps) to alert the user that the call is not protected. For a
detailed description of the secure indication tone feature and the configuration requirements, see the Cisco
Unified Communications Manager Security Guide.
Note: Video is transmitted as nonsecure. So, even if both Cisco Cius devices are secure, the Encrypted lock
icon will not be displayed for video calls.
Related Topics
Understanding Security Features for Cisco Cius, on page 12
Security Restrictions, on page 21

Establishing and Identifying Secure Calls
A secure call is established when your Cisco Cius and a phone on the other end are configured for secure
calling. They can be in the same Cisco IP network, or on a network outside the IP network. A secure conference
call is established by using this process:
1. A user initiates the call from a secured Cisco Cius (Encrypted security mode).
2. Cisco Cius indicates the Encrypted status on the Enterprise security menu. This status indicates that Cisco
Cius is configured for secure calls, but does not mean that the other connected phone is also secured.
3. A security tone plays if the call is connected to another secured device, indicating that both ends of the
conversation are encrypted and secured. Otherwise, a nonsecure tone is played.
Note: The secure tone is played only when enabled on Cisco Unified Communications Manager. If disabled on Cisco
Unified Communications Manager, no secure tone is played even if the call is secure. For more
information, see the Configuring Secure and Nonsecure Indication Tones chapter of the Cisco Unified
Communications Manager Security Guide.
Establishing and Identifying Secure Conference Calls
You can initiate a secure conference call and monitor the security level of participants. A secure conference
call is established by using this process:
1. A user initiates the conference from a secure Cisco Cius device.
2. Cisco Unified Communications Manager assigns a secure conference bridge to the call.
3. As participants are added, Cisco Unified Communications Manager verifies the security mode of each
device and maintains the secure level for the conference.
4. Cisco Cius indicates the security level of the conference call.
Note: Various interactions, restrictions, and limitations affect the security level of the conference call, depending
on the security mode of the participant devices and the availability of secure conference bridges. Cisco
Cius supports secure audio conference calls only; video will not be secure.
Related Topics
Checklist for Configuring Cisco Cius in Cisco Unified Communications Manager, on page 22
Checklist for Installing Cisco Cius, on page 25
Call Security Interactions and Restrictions
Cisco Unified Communications Manager checks the Cisco Cius security status when conferences are established
and changes the security indication for the conference or blocks completion of the call to maintain integrity
and also security in the system. The following table provides information about changes to call security levels
when Barge is used.
Table 10: Call Security Interactions When Barge Is Used
Initiator device security level | Feature used | Call security level | Results of action
Nonsecure | Barge | Encrypted call | Call barged and identified as nonsecure call
Secure | Barge | Encrypted call | Call barged and identified as secure call
The following table provides information about changes to conference security levels depending on the initiator
device security level, the security levels of participants, and the availability of secure conference bridges.
Table 11: Security Restrictions With Conference Calls
Initiator device security level | Feature used | Security level of participants | Results of action
Nonsecure | Conference | Secure | Nonsecure conference bridge; Nonsecure conference
Secure | Conference | At least one member is nonsecure | Secure conference bridge; Nonsecure conference
Secure | Conference | Secure | Secure conference bridge; Secure encrypted level conference
Supporting 802.1X Authentication on Cisco Cius
These sections provide information about 802.1X support on Cisco Cius:
• Overview, on page 19
• Required Network Components, on page 20
• Requirements and Recommendations, on page 20
Overview
Cisco Cius and Cisco Catalyst switches traditionally use Cisco Discovery Protocol (CDP) to identify each
other and determine parameters such as VLAN allocation and inline power requirements. Cisco Cius also
uses CDP; however, CDP does not identify any locally attached PCs; therefore, an EAPOL pass-through
mechanism is used, whereby a PC that is attached locally to Cisco Cius may pass EAPOL messages to the
802.1X authenticator in the LAN switch. This mechanism prevents Cisco Cius from having to act as the
authenticator, yet allows the LAN switch to authenticate a data endpoint before it accesses the network.
In conjunction with the EAPOL pass-through mechanism, Cisco Cius provides a proxy EAPOL-Logoff
mechanism. If the locally attached PC disconnects from Cisco Cius, the LAN switch does not detect a
physical link failure, because the link between the LAN switch and Cisco Cius is maintained. To avoid
compromising network integrity, Cisco Cius sends an EAPOL-Logoff message to the switch on behalf of the
downstream PC, and this action triggers the LAN switch to clear the authentication entry for the downstream
PC.
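The proxy EAPOL-Logoff behavior described above, as an added Python example that is not part of the Cisco guide: it parses EAPOL frames (EtherType 0x888E) and models a switch port's per-MAC authorization table to show the entry that stays behind when no Logoff arrives. The MAC addresses, the SwitchPort class, and the helper names are constructed for illustration, and the example assumes the proxy Logoff carries the PC's MAC address as its source.

```python
import struct

EAPOL_ETHERTYPE = 0x888E  # EtherType assigned to IEEE 802.1X (EAPOL)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
PAE_GROUP = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
# Constructed sample addresses, not taken from the guide.
PC_MAC = bytes.fromhex("020000000a01")
CIUS_MAC = bytes.fromhex("020000000b02")


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_eapol(frame):
    """Return (source MAC, EAPOL type name), or None if not a well-formed EAPOL frame."""
    if len(frame) < 18:  # 14-byte Ethernet header + 4-byte EAPOL header
        return None
    ethertype, _version, ptype, body_len = struct.unpack("!HBBH", frame[12:18])
    if ethertype != EAPOL_ETHERTYPE or len(frame) < 18 + body_len:
        return None
    return mac(frame[6:12]), EAPOL_TYPES.get(ptype, f"unknown({ptype})")


def eapol_frame(src, ptype, body=b""):
    """Build a constructed EAPOL test frame (protocol version 1)."""
    return PAE_GROUP + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, len(body)) + body


class SwitchPort:
    """Toy authenticator port that tracks authorized source MACs."""
    def __init__(self):
        self.authorized = set()

    def receive(self, frame):
        parsed = parse_eapol(frame)
        if parsed and parsed[1] == "EAPOL-Logoff":
            self.authorized.discard(parsed[0])  # clear that endpoint's entry
        return parsed


def stale_entries(proxy_logoff):
    """The PC unplugs from the Cius PC port while the Cius-to-switch link stays up."""
    port = SwitchPort()
    port.authorized |= {mac(PC_MAC), mac(CIUS_MAC)}  # stand-in for completed EAP exchanges
    if proxy_logoff:
        # Assumption: the proxy Logoff carries the PC's MAC as its source.
        port.receive(eapol_frame(PC_MAC, 2))
    return sorted(port.authorized - {mac(CIUS_MAC)})
```

Calling stale_entries(False) returns the PC's entry still authorized on the port, and stale_entries(True) returns an empty list.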
Cisco Cius contains an 802.1X supplicant in addition to the EAPOL pass-through mechanism. This supplicant
allows network administrators to control the connectivity of Cisco Cius to the LAN switch ports. The current
release of the 802.1X supplicant uses the EAP-FAST and EAP-TLS options for network authentication.
Required Network Components
Support for 802.1X authentication on Cisco Cius requires several components, including the following:
• Cisco Cius - Cisco Cius acts as the 802.1X supplicant, which initiates the request to access the network.
• Cisco Catalyst Switch (or other third-party switch) - The switch must support 802.1X, so that it can act
as the authenticator and pass the messages between Cisco Cius and the authentication server. When the
exchange is completed, the switch grants or denies access to the network to the device.
Requirements and Recommendations
The requirements and recommendations for 802.1X authentication on Cisco Cius include the following:
• Enable 802.1X Authentication - If you want to use the 802.1X standard to authenticate Cisco Cius, be
sure that you properly configure the other components before enabling 802.1X authentication on the
device. See the Enterprise Security Settings for more information.
• Configure PC Port on Media Station - The 802.1X standard does not take into account the use of VLANs
and thus recommends that only a single device be authenticated to a specific switch port. However, some
switches (including Cisco Catalyst switches) support multidomain authentication. The switch configuration
determines whether you can connect a PC to a Cisco Cius media station PC port.
◦ Enabled - If you are using a switch that supports multidomain authentication, you can enable the
media station PC port and connect a PC to it. In this case, Cisco Cius supports proxy EAPOL-Logoff
to monitor the authentication exchanges between the switch and the attached PC. For more
information about IEEE 802.1X support on the Cisco Catalyst switches, see the Cisco Catalyst
switch configuration guides at:
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
◦ Disabled - If the switch does not support multiple 802.1X-compliant devices on the same port,
disable the media station PC Port when 802.1X authentication is enabled. See the Ethernet Settings
Menu for more information. If you do not disable this port and subsequently attempt to attach a
PC to it, the switch denies network access to both the device and the PC.
• Configure Voice VLAN - Because the 802.1X standard does not account for VLANs, configure this
setting based on the switch support.