This document describes how to configure the Cisco IOS® Router and Cisco Unified Communications Manager (CUCM, also called Call Manager) so that Cisco IP Phones can establish VPN connections to the Cisco IOS Router. These VPN connections secure the phone traffic and use either of these two client authentication methods: username and password (AAA) authentication, or certificate-based authentication.
There are no specific requirements for this document.
The information in this document is based on these hardware and software versions:
For a complete list of supported phones in your CUCM version, complete these steps:
The releases used in this configuration example include:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
This section covers the information needed in order to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.
The topology used in this document includes one Cisco IP Phone, the Cisco IOS Router as the Secure Sockets Layer (SSL) VPN Gateway, and CUCM as the voice gateway.
This section describes how to configure the Cisco IOS head-end in order to allow inbound SSL VPN connections.
Router(config)#crypto key generate rsa general-keys label SSL modulus 1024
Router(config)#crypto pki trustpoint server-certificate
enrollment selfsigned
usage ssl-server
serial-number
subject-name CN=10.198.16.144
revocation-check none
rsakeypair SSL
Router(config)#crypto pki enroll server-certificate
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
Router(config)#webvpn install svc flash:anyconnect-win-3.1.03103-k9.pkg
Router(config)#crypto vpn anyconnect flash:/webvpn/anyconnect-win-3.1.03103-k9.pkg sequence 1
webvpn gateway SSL
ip address 10.198.16.144 port 443
ssl encryption 3des-sha1 aes-sha1
http-redirect port 80
ssl trustpoint server-certificate
inservice
Note: Either the IP address used here needs to be on the same subnet as the interface to which the phones connect, or the gateway needs to be sourced directly from an interface on the Router. The gateway also defines which certificate the Router presents in order to authenticate itself to the client.
ip local pool ap_phonevpn 192.168.100.1 192.168.100.254
This section describes the commands you need in order to configure the AAA server or the local database in order to authenticate your phones. If you plan to use certificate-only authentication for the phones, continue to the next section.
Configure the User Database
Either the Local Database of the Router or an external AAA Server can be used for authentication.
Local database:
aaa new-model
aaa authentication login SSL local
username phones password 0 phones
External RADIUS server:
aaa new-model
aaa authentication login SSL group radius
radius-server host 192.168.100.200 auth-port 1812 acct-port 1813
radius-server key cisco
Note: password 0 stores the password in cleartext in the running configuration; outside a lab, configure the account with username phones secret <password> instead.
Configure the Virtual Context and the Group-Policy
The Virtual Context is used in order to define the attributes that govern the VPN connection, such as:
These commands are an example of a context that uses AAA authentication for the client:
webvpn context SSL
aaa authenticate list SSL
gateway SSL domain SSLPhones
!
ssl authenticate verify all
inservice
!
policy group phones
functions svc-enabled
svc address-pool "ap_phonevpn" netmask 255.255.255.0
svc keep-client-installed
default-group-policy phones
This section describes the commands you need in order to configure certificate-based client authentication for the phones. However, in order to do this, knowledge of the two types of phone certificates is required: the Manufacturer Installed Certificate (MIC) and the Locally Significant Certificate (LSC).
Caution: Due to the increased security risk, Cisco recommends the use of MICs solely for LSC installation and not for continued use. Customers who configure Cisco IP phones in order to use MICs for Transport Layer Security (TLS) authentication, or for any other purpose, do so at their own risk.
In this configuration example, the LSC is used in order to authenticate the phones.
Tip: The most secure way to connect your phone is to use dual authentication, which combines certificate and AAA authentication. You can configure this if you combine the commands used for each under one virtual context.
Configure the Trustpoint in Order to Validate the Client Certificate
The Router must have the CAPF certificate installed in order to validate the LSC from the IP phone. In order to get that certificate and install it on the Router, complete these steps:
Note: This location might change based on the CUCM version.
Router(config)#crypto pki trustpoint CAPF
enrollment terminal
authorization username subjectname commonname
revocation-check none
Router(config)#crypto pki authenticate CAPF
Router(config)#
<base-64 encoded CA certificate>
quit
Things to Note:
Jun 17 21:49:46.695: CRYPTO_PKI: (A0076) Starting CRL revocation check
Jun 17 21:49:46.695: CRYPTO_PKI: Matching CRL not found
Jun 17 21:49:46.695: CRYPTO_PKI: (A0076) CDP does not exist. Use SCEP to query CRL.
Jun 17 21:49:46.695: CRYPTO_PKI: pki request queued properly
Jun 17 21:49:46.695: CRYPTO_PKI: Revocation check is complete, 0
Jun 17 21:49:46.695: CRYPTO_PKI: Revocation status = 3
Jun 17 21:49:46.695: CRYPTO_PKI: status = 0: poll CRL
Jun 17 21:49:46.695: CRYPTO_PKI: Remove session revocation service providers
CRYPTO_PKI: Bypassing SCEP capabilies request 0
Jun 17 21:49:46.695: CRYPTO_PKI: status = 0: failed to create GetCRL
Jun 17 21:49:46.695: CRYPTO_PKI: enrollment url not configured
Jun 17 21:49:46.695: CRYPTO_PKI: transaction GetCRL completed
Jun 17 21:49:46.695: CRYPTO_PKI: status = 106: Blocking chain verification callback received status
Jun 17 21:49:46.695: CRYPTO_PKI: (A0076) Certificate validation failed
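The debug excerpt above shows a CRL revocation check that cannot complete (no CDP in the certificate, no enrollment URL on the trustpoint) and ends with "Certificate validation failed". The following Python script is an added example, not part of the Cisco document: it groups debug crypto pki lines by the PKI session id printed in parentheses and flags exactly that pattern, so an operator can check the revocation-check setting of the CA trustpoint before looking elsewhere. The sample lines are constructed to mirror the excerpt; the PkiSession class, the diagnose() function and its finding labels are our own names.

```python
"""Triage Cisco IOS 'debug crypto pki' output for client-certificate validation failures.

Added example, not from the Cisco document. Sample lines below are constructed to
mirror the debug excerpt on the page; the finding labels are our own.
"""
import re
from dataclasses import dataclass

# Constructed sample: the sequence the page shows when the CAPF trustpoint
# attempts a CRL revocation check that it cannot complete.
SAMPLE_DEBUG = """\
Jun 17 21:49:46.695: CRYPTO_PKI: (A0076) Starting CRL revocation check
Jun 17 21:49:46.695: CRYPTO_PKI: Matching CRL not found
Jun 17 21:49:46.695: CRYPTO_PKI: (A0076) CDP does not exist. Use SCEP to query CRL.
Jun 17 21:49:46.695: CRYPTO_PKI: pki request queued properly
Jun 17 21:49:46.695: CRYPTO_PKI: Revocation check is complete, 0
Jun 17 21:49:46.695: CRYPTO_PKI: Revocation status = 3
Jun 17 21:49:46.695: CRYPTO_PKI: status = 0: poll CRL
Jun 17 21:49:46.695: CRYPTO_PKI: Remove session revocation service providers
CRYPTO_PKI: Bypassing SCEP capabilies request 0
Jun 17 21:49:46.695: CRYPTO_PKI: status = 0: failed to create GetCRL
Jun 17 21:49:46.695: CRYPTO_PKI: enrollment url not configured
Jun 17 21:49:46.695: CRYPTO_PKI: transaction GetCRL completed
Jun 17 21:49:46.695: CRYPTO_PKI: status = 106: Blocking chain verification callback received status
Jun 17 21:49:46.695: CRYPTO_PKI: (A0076) Certificate validation failed
"""

# Lines that carry the PKI session id look like "CRYPTO_PKI: (A0076) <message>".
SESSION_RE = re.compile(r"CRYPTO_PKI: \((?P<sid>[0-9A-Fa-f]+)\) (?P<msg>.*)")


@dataclass
class PkiSession:
    sid: str
    crl_check_started: bool = False
    crl_missing: bool = False
    no_cdp: bool = False
    getcrl_failed: bool = False
    validation_failed: bool = False


def parse_pki_debug(text):
    """Group debug lines by PKI session id and record the CRL-related events."""
    sessions = {}
    current = None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = sessions.setdefault(m.group("sid"), PkiSession(m.group("sid")))
            msg = m.group("msg")
            if "Starting CRL revocation check" in msg:
                current.crl_check_started = True
            elif "CDP does not exist" in msg:
                current.no_cdp = True
            elif "Certificate validation failed" in msg:
                current.validation_failed = True
            continue
        # Lines without a session id belong to the most recently seen session.
        if current is None:
            continue
        if "Matching CRL not found" in line:
            current.crl_missing = True
        if "failed to create GetCRL" in line or "enrollment url not configured" in line:
            current.getcrl_failed = True
    return sessions


def diagnose(session):
    """Return (label, advice) for a failed validation, or None if validation did not fail."""
    if not session.validation_failed:
        return None
    if session.crl_check_started and (session.crl_missing or session.no_cdp
                                      or session.getcrl_failed):
        return ("crl-unreachable",
                "client certificate rejected because the CRL check could not complete; "
                "check the revocation-check setting of the CA trustpoint against the CRL "
                "availability (the CAPF trustpoint on the page uses 'revocation-check none')")
    return ("validation-failed",
            "client certificate rejected for a reason other than CRL retrieval")


if __name__ == "__main__":
    for s in parse_pki_debug(SAMPLE_DEBUG).values():
        print(s.sid, diagnose(s))
```

Feed the script the output of a terminal capture taken while debug crypto pki validation is enabled; each PKI session id that ends in a validation failure is reported with a one-line finding.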
Configure the Virtual Context and the Group-Policy
This part of the configuration is similar to the configuration used previously, except for two points: the context uses authentication certificate instead of an AAA authentication list, and it references the CAPF trustpoint (ca trustpoint CAPF) in order to validate the client certificate.
The commands are shown here:
webvpn context SSL
gateway SSL domain SSLPhones
authentication certificate
ca trustpoint CAPF
!
ssl authenticate verify all
inservice
!
policy group phones
functions svc-enabled
svc address-pool "ap_phonevpn" netmask 255.255.255.0
svc keep-client-installed
default-group-policy phones
This section describes the Call Manager configuration steps.
In order to export the certificate from the Router and import the certificate into Call Manager as a Phone-VPN-Trust certificate, complete these steps:
Router#show webvpn gateway SSL
SSL Trustpoint: server-certificate
Router(config)#crypto pki export server-certificate pem terminal
The Privacy Enhanced Mail (PEM) encoded identity certificate follows:
-----BEGIN CERTIFICATE-----
<output removed>
-----END CERTIFICATE-----
In the Common Phone Profile Configuration window, click Apply Config in order to apply the new VPN configuration. You can use the standard Common Phone Profile or create a new profile.
If you created a new profile for specific phones/users, navigate to the Phone Configuration window. In the Common Phone Profile field, choose the Standard Common Phone profile.
The following guide can be used to install Locally Significant Certificates on Cisco IP phones. This step is only needed if authentication with the LSC is used. Authentication with the Manufacturer Installed Certificate (MIC) or with a username and password does not require an LSC to be installed.
Install an LSC on a Phone with CUCM Cluster Security Mode set to Non-Secure.
This is the final step in the configuration process.
In order to check the statistics of the VPN session on the Router, you can use these commands. Compare the outputs for username and certificate authentication: with certificate authentication, the Username is the phone device name taken from the certificate and a CA Trustpoint field is shown.
For username/password authentication:
Router#show webvpn session user phones context SSL
Session Type : Full Tunnel
Client User-Agent : Cisco SVC IPPhone Client v1.0 (1.0)
Username : phones Num Connection : 1
Public IP : 172.16.250.34 VRF Name : None
Context : SSL Policy Group : SSLPhones
Last-Used : 00:00:29 Created : 15:40:21.503 GMT Fri Mar 1 2013
Session Timeout : Disabled Idle Timeout : 2100
DPD GW Timeout : 300 DPD CL Timeout : 300
Address Pool : SSL MTU Size : 1290
Rekey Time : 3600 Rekey Method :
Lease Duration : 43200
Tunnel IP : 10.10.10.1 Netmask : 255.255.255.0
Rx IP Packets : 106 Tx IP Packets : 145
CSTP Started : 00:11:15 Last-Received : 00:00:29
CSTP DPD-Req sent : 0 Virtual Access : 1
Msie-ProxyServer : None Msie-PxyPolicy : Disabled
Msie-Exception :
Client Ports : 51534
DTLS Port : 52768
Router#
Router#show webvpn session context all
WebVPN context name: SSL
Client_Login_Name Client_IP_Address No_of_Connections Created Last_Used
phones 172.16.250.34 1 00:30:38 00:00:20
For certificate authentication:
Router#show webvpn session user SEP8CB64F578B2C context all
Session Type : Full Tunnel
Client User-Agent : Cisco SVC IPPhone Client v1.0 (1.0)
Username : SEP8CB64F578B2C Num Connection : 1
Public IP : 172.16.250.34 VRF Name : None
CA Trustpoint : CAPF
Context : SSL Policy Group :
Last-Used : 00:00:08 Created : 13:09:49.302 GMT Sat Mar 2 2013
Session Timeout : Disabled Idle Timeout : 2100
DPD GW Timeout : 300 DPD CL Timeout : 300
Address Pool : SSL MTU Size : 1290
Rekey Time : 3600 Rekey Method :
Lease Duration : 43200
Tunnel IP : 10.10.10.2 Netmask : 255.255.255.0
Rx IP Packets : 152 Tx IP Packets : 156
CSTP Started : 00:06:44 Last-Received : 00:00:08
CSTP DPD-Req sent : 0 Virtual Access : 1
Msie-ProxyServer : None Msie-PxyPolicy : Disabled
Msie-Exception :
Client Ports : 50122
DTLS Port : 52932
Router#show webvpn session context all
WebVPN context name: SSL
Client_Login_Name Client_IP_Address No_of_Connections Created Last_Used
SEP8CB64F578B2C 172.16.250.34 1 3d04h 00:00:16
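The two session listings above differ only in a few fields (Username, CA Trustpoint, Policy Group). The following Python script is an added example, not part of the Cisco document: it parses show webvpn session user output into fields and reports, for each phone session, whether it was authenticated by certificate or by username and password, which trustpoint validated it and which policy group and tunnel address it received. Several label/value pairs share a line and values such as timestamps contain colons, so the parser splits on the field labels the router prints. The sample blocks are constructed from the outputs on the page; the parse_session() and classify_session() names and the method labels are our own.

```python
"""Parse 'show webvpn session user <name> context <ctx>' output from a Cisco IOS
SSL VPN gateway and report how each phone session was authenticated.

Added example, not part of the Cisco document. Field labels are those printed by
the router; the classification labels ('certificate', 'username') are our own.
"""
import re

# Constructed samples, modelled on the two outputs shown on the page
# (one username/password session, one certificate session).
SAMPLE_USERNAME_SESSION = """\
Session Type : Full Tunnel
Client User-Agent : Cisco SVC IPPhone Client v1.0 (1.0)
Username : phones Num Connection : 1
Public IP : 172.16.250.34 VRF Name : None
Context : SSL Policy Group : SSLPhones
Last-Used : 00:00:29 Created : 15:40:21.503 GMT Fri Mar 1 2013
Tunnel IP : 10.10.10.1 Netmask : 255.255.255.0
Rx IP Packets : 106 Tx IP Packets : 145
DTLS Port : 52768
"""

SAMPLE_CERT_SESSION = """\
Session Type : Full Tunnel
Client User-Agent : Cisco SVC IPPhone Client v1.0 (1.0)
Username : SEP8CB64F578B2C Num Connection : 1
Public IP : 172.16.250.34 VRF Name : None
CA Trustpoint : CAPF
Context : SSL Policy Group :
Last-Used : 00:00:08 Created : 13:09:49.302 GMT Sat Mar 2 2013
Tunnel IP : 10.10.10.2 Netmask : 255.255.255.0
Rx IP Packets : 152 Tx IP Packets : 156
DTLS Port : 52932
"""

# Field labels as printed by the router. Several pairs share one line, so we split
# on the labels themselves rather than on whitespace or colons.
FIELDS = [
    "Session Type", "Client User-Agent", "Username", "Num Connection", "Public IP",
    "VRF Name", "CA Trustpoint", "Context", "Policy Group", "Last-Used", "Created",
    "Session Timeout", "Idle Timeout", "DPD GW Timeout", "DPD CL Timeout",
    "Address Pool", "MTU Size", "Rekey Time", "Rekey Method", "Lease Duration",
    "Tunnel IP", "Netmask", "Rx IP Packets", "Tx IP Packets", "CSTP Started",
    "Last-Received", "CSTP DPD-Req sent", "Virtual Access", "Msie-ProxyServer",
    "Msie-PxyPolicy", "Msie-Exception", "Client Ports", "DTLS Port",
]
_FIELD_RE = re.compile(
    r"\b(" + "|".join(re.escape(f) for f in sorted(FIELDS, key=len, reverse=True)) + r")\s*:\s*"
)
# A CUCM device name (the LSC common name) is SEP followed by the 12-hex-digit MAC.
_DEVICE_NAME_RE = re.compile(r"^SEP[0-9A-F]{12}$")


def parse_session(text):
    """Return {label: value} for one session block; empty values become ''."""
    fields = {}
    for line in text.splitlines():
        parts = _FIELD_RE.split(line)
        # parts = [text before first label, label, value, label, value, ...]
        for label, value in zip(parts[1::2], parts[2::2]):
            fields[label] = value.strip()
    return fields


def classify_session(fields):
    """Describe how the session was authenticated, from the parsed fields alone."""
    user = fields.get("Username", "")
    trustpoint = fields.get("CA Trustpoint")
    if trustpoint:
        method = "certificate"
        # With LSC authentication the router takes the username from the
        # certificate subject, so it should look like a CUCM device name.
        subject_is_device_name = bool(_DEVICE_NAME_RE.match(user))
    else:
        method = "username"
        subject_is_device_name = True  # not applicable for AAA sessions
    return {
        "username": user,
        "method": method,
        "ca_trustpoint": trustpoint or "",
        "policy_group": fields.get("Policy Group", ""),
        "tunnel_ip": fields.get("Tunnel IP", ""),
        "device_name_subject": subject_is_device_name,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_USERNAME_SESSION, SAMPLE_CERT_SESSION):
        print(classify_session(parse_session(sample)))
```

An empty policy_group in the report, as in the certificate session on the page, is worth a second look: the session then runs without the attributes defined under the policy group, which is the situation the enhancement request at the end of this document concerns.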
Confirm that the IP Phone is registered with the Call Manager with the assigned address the Router provided to the SSL connection.
Router#show debug
WebVPN Subsystem:
WebVPN (verbose) debugging is on
WebVPN HTTP debugging is on
WebVPN AAA debugging is on
WebVPN tunnel debugging is on
WebVPN Tunnel Events debugging is on
WebVPN Tunnel Errors debugging is on
Webvpn Tunnel Packets debugging is on
PKI:
Crypto PKI Msg debugging is on
Crypto PKI Trans debugging is on
Crypto PKI Validation Path debugging is on
Cisco bug ID CSCty46387, IOS SSLVPN: Enhancement to have a context be a default
Cisco bug ID CSCty46436, IOS SSLVPN: Enhancement to client certificate validation behavior