eison.net | Technically Amusing

Yeah, I know the title is pretty boring, but I wanted it to be clear what this one is all about, especially if you’re looking specifically for something like this.

So, here’s the deal: Cisco 99xx and 79xx phones out on the internet somewhere connecting back to an ASA over an SSL tunnel to register with an internal network’s Call Manager, using only self-signed certificates. To me, this is the best option, rather than having users try to type usernames and passwords into the phone interface. For some users, that really is just too much to ask. This method makes it easy on them, and still gives the ASA administrator and Call Manager administrator the ability to prevent a stolen or misused phone from connecting to the network.

This configuration absolutely depends on a few things:

• Working Call Manager that supports VPN configurations for phones. I have no idea what licenses or versions are required.
• Working ASA, with it’s outside interface connected to the internet. This doesn’t work without internet access.
• ASA is licensed specifically for “AnyConnect for phone”. show version, as well as some other commands, will tell you which features are enabled.

Once those items are out of the way, the configuration for the ASA is pretty simple, as long as you understand the basics. This configuration is for code version 8.4, but 8.0+ is very similar. There are a few keywords that are different, so type slowly, rather than just bulk copy-and-paste.

A few things are happening here:

• generating keys to generate a self-signed certificate to share with the Call Manager
• configuring a webvpn group-policy and tunnel-group that will allow the phone to connect to a very specific URL and present certificates for authentication
• importing two certificates from Call Manager into the ASA

If you read through the configuration example, my notes should explain each step. I also refer to a couple of Cisco documents that were very helpful.

! based on this cisco.com ASA AnyConnect for Phone configuration example:
! https://supportforums.cisco.com/docs/DOC-9124
! http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

! generate crypto keypair for ASA
crypto key generate rsa label ssl_vpn_key modulus 1024

! create trustpoint and enroll with the self-signed key above
crypto ca trustpoint phone_ssl_vpn_trustpoint
 enrollment self
 fqdn ac-phone.your-domain-here.com
 subject-name CN=ac-phone.your-domain-here.com
 keypair ssl_vpn_key
 exit

crypto ca enroll phone_ssl_vpn_trustpoint noconfirm
ssl trust-point phone_ssl_vpn_trustpoint outside

! export the certificate trustpoint to import into CallManager
crypto ca export phone_ssl_vpn_trustpoint identity-certificate

! copy the anyconnect client to the ASA
copy tftp://<tftp_server>/anyconnect-win-3.0.5080-k9.pkg flash

! enable webvpn and select an image
webvpn
anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
enable outside
anyconnect enable

! create an IP pool not already in use and assign
ip local pool ac_phone_ip_pool_01 10.0.242.1-10.0.242.255 mask 255.255.255.0

! create group policy for phones
group-policy gp_anyconnect_phone internal
group-policy gp_anyconnect_phone attributes
 dns-server value 10.10.41.183 10.10.41.4
 vpn-tunnel-protocol ssl-client
 default-domain < value your-domain-here.com >
 address-pools value ac_phone_ip_pool_01

! permit interface ACL bypass for IPSec and SSL clients globally
sysopt connection permit-vpn

! create a certificate map to map the 'ac-phone' certificate to a specific
! tunnel-group: 'tg_anyconnect_phone' --> 10
! this will be the cert the phone presents as a part of it's authentication.
! when presented, it'll trigger the use of the tunnel-group below.
crypto ca certificate map cm_anyconnect_phone 10
subject-name co ac-phone

! create a tunnel group and URL alias
tunnel-group tg_anyconnect_phone type remote-access
tunnel-group tg_anyconnect_phone general-attributes
 default-group-policy gp_anyconnect_phone
  username-from-certificate CN

tunnel-group tg_anyconnect_phone webvpn-attributes
 authentication certificate
 group-alias anyconnect-phone enable
 ! this URL has to exactly match what's in the CallManager config
 group-url https://name-or-ip-of-outside-int-of-asa/anyconnect-phone enable
 ! permit rules to determine which tunnel-group is used
 tunnel-group-map enable rules
 ! match the certificate map to the tunnel-group
 tunnel-group-map cm_anyconnect_phone 10 tg_anyconnect_phone


! configure nat exemption (no nat, nat 0) for phone address pool, version 8.3 and above
! https://supportforums.cisco.com/docs/DOC-11639, bug is fixed in later version of 8.3, 8.4
! http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtf89372
object network obj_ac_phone_ip_pool_01
 ! subnet <ac_phone_ip_pool_network> <ac_phone_ip_pool_netmask>
 subnet 10.0.242.0 255.255.255.0
 
nat (INSIDE,OUTSIDE) source static any any destination static obj_ac_phone_ip_pool_01 obj_ac_phone_ip_pool_01

! create new trustpoints and import CallManager certificates
!
! IP phones that have MICs: 99xx
crypto ca trustpoint Cisco_Manufacturing_CA
 enrollment terminal
crypto ca authenticate Cisco_Manufacturing_CA
! < paste Cisco_Manufacturing_CA pem >

! IP phones that have CAPFs: 79xx
crypto ca trustpoint CAPF
 enrollment terminal
crypto ca authenticate CAPF
! < paste Cisco_Manufacturing_CA pem >

All of the configuration words that have underscores are my own and can be changed to anything you choose–as long as you’re consistent with them. I’ve tried to make a habit of using underscores for my configuration variables, since Cisco doesn’t use them in configuration keywords. I also like to use gp_, tg_, and other similar abbreviations so it’s really clear in my configurations which items are which based on their names alone.

This configuration absolutely works. In fact, we have our phones configured with a primary and secondary “concentrator” (ASA); if the primary doesn’t answer, the phone will automatically try to connect to the secondary.