Administrative Access Overview

Cisco IPC Express is a converged office communications system deployed by several different types of businesses:

• Small and medium businesses with one or more sites (using the standalone or multisite deployment scenarios, as discussed in Chapter 2, "Building a Cisco IPC Express Network")
• A branch office of an enterprise network of any size (also using the standalone or multisite deployment scenarios)
• A customer premises equipment (CPE) solution offered by service providers (SPs) as a managed service

These different ways in which you can deploy Cisco IPC Express require different types of administrative interfaces and different levels of access. For that reason, a Cisco IPC Express system offers a full command-line interface (CLI), a browser-based graphical user interface (GUI) for the key features, and several setup wizards to expedite system initialization tasks.

System installation and setup always require CLI access to install and provision enough of the system to be able to drive a GUI. You can set up the general call processing, AA, and voice mail features using either the CLI or the GUI. End-user interaction with voice mailboxes uses a Telephony User Interface (TUI), which means that users use a phone to interact with the system.

User IDs, logins, and passwords are defined at various levels. Different types of administrator accounts exist to partition access to different aspects of the system.

Cisco CME also offers several application programming interfaces (APIs) to interface with external applications for monitoring, configuration, and end-user phone applications.

Command-Line Interface

CLI is typically preferred by large enterprises and managed services networks where hundreds or thousands of systems must be provisioned. These are often scripted by higher-level network management systems centralized in a data center or a network operations center (NOC). Resellers and system integrators often use the CLI for initial system setup before they bring the system to your office. For the expert user, CLI access is often more expeditious than using a GUI.

The CLI for Cisco CME is part of the Cisco IOS router CLI. Access to the Cisco UE CLI requires that you log into the router CLI and then open a session to the Cisco UE application's CLI, which is modeled on Cisco IOS CLI but is not exactly the same. If you're a system administrator and are familiar with Cisco IOS and CLI commands, you can Telnet to the Cisco CME router (or use the console port), access the Cisco UE service engine from the same Cisco CME router, and perform all the setup and configuration tasks by using CLI commands.

Users unfamiliar with CLI in general and Cisco IOS router CLI in particular might find it much more intuitive to perform day-to-day moves, adds, and changes using the system GUI after an administrator or system reseller has set up the initial system for you and created a GUI account.

The following sections briefly summarize the Cisco CME and Cisco UE CLI commands.

Cisco CME CLI Command Summary

General Cisco CME CLI commands are under the telephony-service command on the router. Other key Cisco CME commands are ephone and ephone-dn, where many of the phone and call processing features are configured. You can find a more in-depth description of all the Cisco CME commands in the Cisco CME Administrator and Command Reference Guides on Cisco.com (http://www.cisco.com/go/ccme under "Feature Guides").

Example 13-1 shows the parameters of the telephony-service command.

Example 13-1. Summary of the Cisco CME telephony-service Command

router(config)#configure terminal
router(config)#telephony-service
router(config-telephony)#?
Cisco Call Manager Express configuration commands.
For detailed documentation see:
www.cisco.com/univercd/cc/td/doc/product/access/ip_ph/ip_ks/index.htm
 after-hours define after-hours patterns, date, etc
 application The selected application
 auto Define dn range for auto assignment
 call-forward Configure parameters for call forwarding
 caller-id Configure caller id parameters
 calling-number Replace calling number with local for hairpin
 create create cnf for ethernet phone
 date-format Set date format for IP Phone display
 default Set a command to its defaults
 dialplan-pattern Define E.164 telephone number prefix
 directory Define directory naming order or add an entry
 dn-webedit enable Edit DN through Web
 exit Exit from telephony-service configuration mode
 fxo FXO port support option in ITS
 ip Define IP address and port for Telephony-Service/Fallback
 keepalive Define keepalive timeout period to unregister IP phones
 load Select the IP phone firmware load file
 log Define log table parameters
 login set the login timeouts
 max-conferences Define max number of 3 party G.711 conferences
 max-dn Maximum directory numbers supported
 max-ephones Define max number of IP phones
 max-redirect Define max number of redirect per call
 moh Define music-on-hold filename
 multicast Configure ip multicast parameters
 mwi Define IP address and port for MWI Server
 network-locale Define ephone network locale
 night-service define night-service options
 no Negate a command or set its defaults
 reset reset ethernet phone
 restart restart ethernet phone
 secondary-dialtone configure the secondary dial tone
 service Service configuration in ITS
 system Define system message
 time-format Set time format for IP Phone display
 time-webedit enable Edit Time through Web
 timeouts Define timeout value for IP phone
 transfer-pattern Define valid call transfer destinations
 transfer-system Define call transfer system: blind/consult and
 local/end-to-end
 url Define Ephone URL's
 user-locale Define ephone user locale
 voicemail Set the voicemail access number called when the MESSAGES
 IP phone button is pressed
 web define username for admin user
 xmlschema Command for setting xml schema
 xmltest Command for testing xml apis
 xmlthread Command for setting xml thread

Example 13-2 displays the parameters of the ephone-dn command.

Example 13-2. Summary of the Cisco CME ephone-dn Command

router(config)#ephone-dn 100
router(config-ephone-dn)#?
Ephone DN configuration commands - configure phone lines for ephone
For detailed documentation see:
www.cisco.com/univercd/cc/td/doc/product/access/ip_ph/ip_ks/index.htm
 application The selected application
 call-forward Define E.164 telephone number for call forwarding
 caller-id Configure port caller id parameters
 cor Class of Restriction on dial-peer for this dn
 default Set a command to its defaults
 description dn desc, for DN Qualified Display Name
 exit Exit from ephone-dn configuration mode
 feed set live feed multicast stream mode
 hold-alert Set Call On-Hold timeout alert parameters
 huntstop Stop hunting on Dial-Peers
 intercom Define intercom/auto-call extension number
 label dn label, for DN Display text
 loopback-dn Define dn-tag to create loopback dn pair with this ephone-dn
 moh set live-feed music-on-hold mode (with optional multicast)
 mwi set message waiting indicator options (mwi)
 name Define dn user name
 night-service Define night-service bell
 no Negate a command or set its defaults
 number Define E.164 telephone number
 paging set audio paging mode
 park-slot set ephone-dn as park slot
 pickup-group set the call pickup group number for the DN
 preference Preference for the attached dial-peer for the primary dn number
 transfer-mode Define call transfer mode: blind vs. consult
 translate Translation rule

Example 13-3 shows the parameters of the ephone command.

Example 13-3. Summary of the Cisco CME ephone Command

router(config)#ephone 40
router(config-ephone)#?
Ethernet phone configuration commands
For detailed documentation see:
www.cisco.com/univercd/cc/td/doc/product/access/ip_ph/ip_ks/index.htm
 after-hour ephone exempt from after-hour blocking
 auto-line Automatically select the most appropriate phone line when the
 telephone handset is lifted offhook for both incoming and
 outgoing calls. The 'no' form of this command requires the
 phone user to always explicitly select the phone line to use
 by pressing the appropriate phone Line button
 button Assign ephone-dn phone lines to phone using format with
 feature options.
 default Set a command to its defaults
 exit Exit from ephone configuration mode
 fastdial Define ip-phone fastdial number
 keepalive Define keepalive timeout period to unregister IP phone
 keyphone Identify an IP phone as keyphone
 mac-address define ethernet phone MAC address
 night-service Define night-service bell
 no Negate a command or set its defaults
 paging-dn set audio paging dn group for phone
 pin Define 4-8 digit personal identification number
 reset reset ethernet phone
 restart restart ethernet phone
 speed-dial Define ip-phone speed-dial number
 type Define ip-phone type
 username define username to access ethernet phone from Web
 vm-device-id define voice-mail id string

 

Cisco UE CLI Command Summary

You access the Cisco UE CLI by using the service-module service-engine x/y session command on the router (where x/y denotes the slot number where Cisco UE is present on your system).

You can find a more in-depth description of the Cisco UE CLI commands in the Cisco UE Administrator Guide on Cisco.com (http://www.cisco.com/go/cueunder "Administration Guides").

Example 13-4 briefly lists the general Cisco UE CLI administration commands.

Example 13-4. Summary of Cisco UE Basic CLI Commands

router#service-module service-engine 1/0 session
Trying 172.19.153.38, 2033 ... Open
cue>
cue#?
 ccn Telephony application
 configure Enter configuration mode
 copy Copy data from one location to another
 disable Turn off privileged commands
 echo print the arguments
 enable enter privileged mode
 erase Erase a configuration
 exit quit the cli
 groupname Group descriptions and accounts
 mwi Message Waiting Indicator
 no Negate a command
 offline Change the system to administration mode
 ping Send echo messages
 reload Reboot the system
 remote commands associated with remote info
 show Show running system information
 shutdown Halt the system
 terminal Configure this session's terminal
 trace Enable trace events for debugging
 username User descriptions and accounts
 voicemail voicemail application
 web define username for GUI user
 write Write running configuration to memory or terminal

Example 13-5 shows the Cisco UE configuration commands.

Example 13-5. Summary of Cisco UE Configuration CLI Commands

cue#configure terminal
cue(config)#?
 backup Save data to a server
 calendar Configure calendar schedule information
 ccn Telephony application
 clock software clock
 default Return a configuration value to its default
 end Exit from configure mode
 exit Exit configuration mode
 groupname Group descriptions and accounts
 hostname set the system name
 ip internet protocol
 list Public Distribution List
 log System event messages
 network network application
 no delete configuration command
 ntp Network Time Protocol
 privilege Privileges
 remote Remote info.
 security Configure security features
 username User descriptions and accounts
 voicemail voicemail application

Example 13-6 summarizes the Cisco UE show commands.

Example 13-6. Summary of Cisco UE show CLI Commands

cue#show ?
arp ARP table
backup Print backup utility configuration
calendar Print calendar schedule information
ccn Telephony Application
clock Display the system clock
configuration Contents of Non-Volatile memory
crash Show kernel crash information
debugging State of each debugging option
errors Print statistics about system events
exception Exception information
group Print information about a single group
groups Print list of known group names
hosts IP domain-name, lookup style, nameservers, and host table
interfaces Show interface status and configuration
ip IP application
list Print information about a single distribution list
lists Distribution lists
log Print recent system event messages
logging Show console logging options
logs List the logs
memory Memory statistics
network Networking application
ntp Network time protocol
packets Network traffic
privilege Print information about a single privilege
privileges Print list of known privileges
processes Application subsystem state
remote Commands associated with remote info
running-config Current operating configuration
security Print information about a security settings
software Program and Options
startup-config Contents of startup configuration
sysdb System configuration database
tech-support Summary of diagnostic information for Cisco TAC
trace Show trace information
user Print information about a single user
users Print list of known usernames
version System hardware and software status
voicemail Telephony application
web GUI interface

 

Browser-Based GUI

The GUI is helpful to users interested in doing ongoing maintenance on the system, such as day-to-day moves, adds, and changes. For example, you might use the GUI when a new employee joins your company and needs a phone, extension, and mailbox, or when you want your AA menu to change to provide location information to callers to your business.

By using the GUI, you can accomplish configuration tasks without having the expert-level understanding of the system that is often required by the CLI. You cannot access all the Cisco IPC Express features and capabilities via the GUI. Most notably, installation, upgrading, and troubleshooting always require CLI access. You can access most other features via either the CLI or GUI.

The Cisco IPC Express GUI integrates Cisco CME and Cisco UE features and allows you to add, delete, and configure IP phones, extensions, and some of the Cisco CME system-wide dial plan and phone-based features, such as call-forward-no-answer (CFNA) destination. The GUI also lets you set up the Cisco UE subscriber voice mail, group voice mail, and the AA.

The Cisco CME GUI uses HTTP to transfer information between the Cisco CME router and the administrator's computer or a user's phone. The Cisco UE GUI also uses an HTTP server that resides on the Cisco UE module itself. Therefore, the integrated Cisco IPC Express GUI is implemented using HTTP servers and by proxying requests between the two.

The following sections cover the GUI's highlights and introduce how to set up the GUI for a Cisco CME system.

Cisco IPC Express GUI Highlights

You can configure and change many of the general system features via the GUI. These include viewing, adding, changing, and deleting IP phones, extensions, voice mailboxes, AA scripts, and AA voice prompts. Call processing features, such as hunting and speed dials, can also be administered via the GUI.

Access to administering system features is based on the administrator's access level. The section "Levels of Administrative Access" discusses this in more detail.

Setting Up a System for GUI Access

The Cisco IPC Express system requires Microsoft Internet Explorer (IE) 6.0 or later. The Netscape browser is not supported because of its lack of support for some of the standard HTML 4.0 tags and attributes that cause the back and forward buttons to work correctly. You must enable JavaScript in the browser.

If you have a Cisco CME system where Cisco UE is not installed, to access the Cisco CME GUI, go to http://router_ipaddr/ccme.html, where router_ipaddr is the IP address of your Cisco CME router. For example, if the IP address of your Cisco CME router is 172.19.153.129, you would enter http://172.19.153.129/ccme.html in your browser. You can also use HTTP over SSL (HTTPS) to administer Cisco CME.

Note

Cisco UE up to release 2.1 does not support HTTPS access.

Figure 13-1 shows the login pop-up menu you use to log into the system.

Figure 13-1. Cisco CME Login Screen

If you have an integrated Cisco CME and Cisco UE system, go to http://CUE_ipaddr/ to access the Cisco IPC Express GUI, where CUE_ipaddr is the IP address of your Cisco UE module. For example, if the IP address of your Cisco UE module is 172.19.153.40, you would go to http://172.19.153.40/.

Figure 13-2 shows the login pop-up menu you use to log into the combined Cisco CME and Cisco UE systems.

Figure 13-2. Cisco IPC Express Login Screen

 

Telephony User Interface

Systems with an integrated Cisco UE offer a TUI, which is used to access AA and voice mail. A TUI means that you interact with the system from a phone and press digits on the keypad in response to menus or prompts spoken by the system.

Callers use the TUI to interact with your business's AA and to leave voice mail for your employees. End users (subscribers) use it to access their voice mail, and administrators use it to set up and change AA greetings.

Levels of Administrative Access

Cisco IPC Express CLI access offers no user ID or password control beyond that which is already offered by the Cisco IOS router. In other words, access to the CLI is controlled by normal router methods. All the tools to restrict access to certain commands or to configure authentication, authorization, and accounting (AAA)/Remote Authentication Dial-In User Service (RADIUS) authentication for CLI access can be reused for Cisco CME and UE. Access to the service-module service-engine x/y session command to access Cisco UE from the router CLI requires enable mode on the router and, hence, requires enable password access.

Cisco IPC Express GUI access is controlled by defining user IDs and passwords that must be provided on the web login screens shown in Figures 13-1 and 13-2. The features available to you in the GUI after you are logged in depend on the access level of the user ID you entered.

The next sections describe access levels for Cisco CME and Cisco UE.

Cisco CME Access Levels

Cisco CME implements three levels of access and shows the appropriate screen based on the login name and password entered:

• System administrator This user type, shown in Figure 13-3, has access to all system and phone-based features. The system administrator role is most effective for users who are familiar with Cisco IOS software and voice over IP (VoIP) network configuration.

  Figure 13-3. Cisco CME GUI Home Page with System Administrator Privileges

• Customer administrator This user type has limited access to Cisco CME features according to the rules defined in the XML configuration file created by the system administrator. The login home screen looks similar to Figure 13-3. However, based on the rules defined in the XML file, some features are not listed on the screen and, thus, are not accessible to the customer administrator. This is discussed in more detail in the later section "Cisco CME GUI Customization Via XML." The customer administrator does not need to be familiar with the Cisco IOS CLI to be effective.
• Phone user This type of user can only configure and change his or her own phone and search the Cisco CME directory. As shown in Figure 13-4, this user type can access the Configure, Search, and Help menus but cannot access the Voice Mail, Administration, and Reports menus available to the system administrator. The phone user does not need any knowledge of or familiarity with the Cisco IOS CLI to be effective.

  Figure 13-4. Cisco CME GUI Home Page with Phone User Privileges

The system administrator can access all the Cisco CME GUI functions, whereas the customer administrator is limited to what the system administrator allows his or her login to do. Only an administrator can perform the following functions:

• View, add, change, and delete IP phones
• View, add, change, and delete phone extensions
• View, add, change, and delete system configuration
• View, add, change, and delete an administrator's login account
• View, add, change, and delete a customer administrator's login account
• View a call history report
• Launch help information
• Add, delete, and change certain call processing and system features:

  - Speed dial

  - Page trunks

  - Intercom

  - Call park slots

  - Hunt group settings and huntstop channels

  - Ephone-dn labels

  - Call blocking

  - System date and time format

  - Dial plan patterns

  - Directory service

  - Extension login clearing

  - IP phone URLs

  - Maximum number of IP phones

  - Night service bell configuration

  - Secondary dial tone pattern

  - System message

  - System time

  - Timeout setting

  - Transfer patterns

  - IP phone loads

  - Music on hold (MOH) file

A customer administrator might have access to all or a subset of the features the system administrator can access. On the Cisco CME system, you can configure which features the customer administrator can access. Doing so is further discussed in the later section "Cisco CME GUI Customization Via XML."

A phone user login (where the username and password are configured in ephone configuration mode) is granted limited access rights to perform certain operations:

• Viewing or changing the phone (the user's own phone) configuration, such as adding or removing speed-dial numbers or changing the user's password
• Viewing or changing user information (the user's own information)
• Searching the local directory
• Launching help information

Cisco UE Access Levels

Cisco UE implements two levels of access and shows the appropriate screen based on the login name and password entered:

• System administrator This user type, shown in Figure 13-5, has access to all Cisco CME GUI screens as well as the Cisco UE AA and voice mail features.

  Figure 13-5. Cisco UE GUI Home Page with System Administrator Privileges

• Subscriber This type of user, shown in Figure 13-6, can only configure and change his or her own phone and voice mailbox.

  Figure 13-6. Cisco UE GUI Home Page with Subscriber Privileges

The Cisco UE system administrator can carry out all the GUI functions, including the following:

• Access all Cisco CME administrator functions
• View, add, change, and delete voice mailboxes
• Change the voice mail user and system parameters
• Change AA script parameter values
• Upload, download, and delete AA scripts
• Upload, download, and delete AA prompts
• Access the Administrator Management TUI to change AA prompts and features, such as the Emergency Alternate Greeting (EAG) for the AA
• Refresh the Message Waiting Indicator (MWI) per user or system-wide
• View, add, and change the MWI configuration
• View, add, and change the AA and voice mail pilot numbers
• Back up and restore the AA and voice mail configuration and data

The Cisco UE administrator privileges cannot be customized via XML. An administrator has full access to all system features available in the GUI.

A subscriber login is granted limited access rights to perform operations such as

• Viewing and changing mailbox (the user's own mailbox) configuration, such as changing the active greeting and the PIN on the account
• Obtaining limited access to the group the user is a member of

User Login Authentication

User and administrator access to both Cisco CME and Cisco UE requires a login/password combination and, therefore, a user authentication cycle. However, Cisco CME and Cisco UE use different methods of login authentication, as discussed in the following sections.

Cisco CME

Before gaining access to the Cisco CME GUI, all users are required to log in and are authenticated. The Cisco CME GUI provides a login dialog box for local authentication via HTTP 1.1 and the Cisco IOS HTTP login infrastructure. The Cisco CME router must be configured as an HTTP server.

Cisco CME logins for the system administrator can be configured to use AAA. The customer administrator and normal phone user logins are authenticated against local accounts on the router and are clear-text-based.

You can configure Cisco CME login accounts for the system administrator and customer administrator under the telephony-service configuration modes via the CLI. You can configure a phone user under the ephone CLI. These commands are shown in Example 13-7.

Example 13-7. Cisco CME Login Account Sample Configuration

router#show running-config
telephony-service
 web admin system name admin password admpswd 
 web admin customer name custadmin password custpswd 
 !
ephone 1
 username "user1" password user1-pswd 
 mac-address 000D.BC50.DEC6
 type 7960
 button 1:1

You might also configure or change the customer administrator and phone user login accounts via the Cisco CME GUI. From the Configure > System Parameters menu, choose Administrator's Login Account. The resulting screen is shown in Figure 13-7.

Figure 13-7. Configuring and Changing the Customer Administrator's Login Account

You can change the phone user login accounts from the Configure > Phone menu. Select and click the phone to which the normal user has been assigned, and then scroll down to Login Account, as shown in Figure 13-8.

Figure 13-8. Configuring and Changing the Normal Phone User Login Account

Note

To prevent a phone user from accidentally gaining access to system administrator pages by having the same password as the router enable password, Cisco CME must have ip http authentication aaa or ip http authentication local configured. As soon as Cisco CME has either of these commands configured, the user must have privilege level 15 router access in local configuration or in the AAA server (in case the ip http authentication aaa command is used) to access system administrator pages. Refer to Cisco IOS documentation on Cisco.com for more information on router enable password and privilege level 15 access if you are unfamiliar with these router capabilities.

 

Cisco UE

Cisco UE logins for the system administrator are stored in the local Lightweight Directory Access Protocol (LDAP) directory on Cisco UE. They cannot be authenticated with any external directory.

First configure login accounts for Cisco UE system administrators as normal users on the Cisco UE system, and then add them as members of the administrators group. This group membership awards administrator privileges to the user account. A subscriber does not have this group membership. These commands are shown in Example 13-8.

Example 13-8. Cisco UE Login Account Sample Configuration

cue#show running-config
username ggarrett create
username admin create 
username ggarrett phonenumberE164 "4445553001"
groupname Administrators member admin 

You might also configure and change the system administrator and subscriber accounts via the Cisco UE GUI. From the Configure > Users menu, choose the user ID of the account to change. The resulting screen is shown in Figure 13-9.

Figure 13-9. Configuring and Changing the Cisco UE Administrator Login Account

At this level of configuration, there is no difference between a Cisco UE administrator and subscriber. The screen shown in Figure 13-9 looks the same for both types of accounts. The attribute that awards administrator privileges to a user ID on the Cisco UE system is its membership in the administrators group, as shown in Figure 13-10.

Figure 13-10. Configuring and Changing the Cisco UE Administrator Login Account

 

Application Programming Interfaces

Several programming interfaces to Cisco CME let management applications interface with the system. CME supports the following:

• XML cascading style sheets (files with a .css suffix) to customize the customer administrator browser GUI display. This is further discussed in the later section "Cisco CME GUI Customization Via XML."
• Integration with other network management applications via the XML Layer (AXL) application programming interface (API). This API provides a mechanism for inserting, retrieving, updating, and removing data from the Cisco Call Manager database using an XML Simple Object Access Protocol (SOAP) interface. This is further discussed in Chapter 14.

Cisco UE with Cisco CME deployments does not support any programmatic interfaces at this time.

System Installation and Initial Setup