Getting Started with Cisco XML Authentication Service
- System Requirements
- Installing Internet Information Services (IIS)
- Installing Cisco XML Authentication Service
- Configuring Users
- Configuring Cisco IP Phone XML Files
- Microsoft .NET Framework 4.0
After installing the .NET Framework, we strongly recommend running Windows Update and installing the latest Important and Optional updates. Note that .NET Framework 4.5 includes the required .NET Framework 4.0 components.
- Active Directory Infrastructure
You must have a domain controller and a valid Active Directory infrastructure already configured. Cisco XML Authentication Service does NOT need to be installed on the domain controller.
- Microsoft Internet Information Services (IIS) role with ASP.NET
The Internet Information Services (IIS) role needs to be installed in Windows, and ASP.NET needs to be enabled. IIS versions 7, 7.5, 8 and 8.5 are supported. See instructions below to install the IIS role.
- Windows Server 2012, 2008 R2, 2008 or Windows Vista, 7 or 8
Both 32-bit (x86) and 64-bit (x64) versions of Windows are supported. Desktop operating systems (Windows Vista, Windows 7 and Windows 8) are not recommended for use with more than 10 IP phone users.
The latest service pack for Windows is recommended. For Windows Server 2003 and Windows Server 2003 R2, a minimum of SP2 is recommended. For Windows Server 2008 and Windows Server 2008 R2, a minimum of SP2 is recommended.
As the Cisco XML Authentication Service requires Internet Information Services, ensure this is installed before proceeding.
- In Windows Server 2012, in the Server Manager, select Manage, Add Roles and Features. In Windows Server 2008, select the Roles section of the Server Manager and click Add Roles in the right-hand pane. In Windows Vista, 7 or Windows 8, open Programs and Features in Control Panel and select Turn Windows Features on or off in the left pane.
- If prompted with the Before you begin page in the wizard, click Next.
- If prompted with the Installation type page in the wizard, select Role-based or feature-based installation and click Next.
- On the Server Selection page, the current server will be selected by default. Click Next.
- On the Server Roles page, select the Application Server Role and ensure that Web Server (IIS) Support underneath it is selected. Also ensure that .NET Framework 4.5 is selected.
- If prompted to add required features, click Add Features.
- On the Features page, ensure that .NET Framework 4.5 Features is selected. Click Next.
- Click Next and Finish to complete the wizard.
When installing Cisco XML Authentication Service, you can select the IIS Web Site and Application Pool which will be used. If they do not exist they will be created. It is strongly recommended that the default settings be used. If the server is not currently hosting any other web applications, it is not necessary to customize these settings.
If other web applications are hosted on the server, you may want to install to an IIS Web Site other than Default Web Site. In this case, you should also select a port other than 80 (e.g. 81) to avoid creating a conflict.
By default a separate Application Pool will be created using the Network Service account. If you specify a different account, it must already exist. The installer will not create a new account. If you select an account other than NetworkService, you may need to manually modify the permissions on the installation directory after installation to allow read access by the account you specify.
There are no other customizable options in the installer. Click Next through the wizard to complete setup.
Testing the Installation of the Cisco XML Authentication Service
If you installed to the Default Web Site on port 80, you can use the shortcut created on the Start Menu to launch the Cisco XML Authentication Service welcome page in a web browser (default URL is http://localhost/CiscoXmlAuthenticationService). If you installed to a non-default website or port, the URL will depend on the port and IP address the Web Site is bound to. The URL to access the welcome page will be in the form http://<IPAddress>:<Port>/CiscoXmlAuthenticationService
If you are unable to access the welcome page at this point, open the Internet Information Services Manager under Administrative Tools in Control Panel. Check that the Default Web Site (or the selected web site) is started and that the CiscoXmlAuthenticate application pool is running.
Users are configured in the Users.xml file, located in the installation directory. By default this is %ProgramFiles%\Quantum Software Solutions\Cisco XML Authentication Service.
<?xml version="1.0" encoding="utf-8" ?>
<users>
  <user userName="Administrator" deviceName="SEP000000000000" />
</users>
For each user, add a line matching the template Administrator line (before the closing </users> tag), specifying the appropriate username and MAC address of each IP phone the user is permitted to access. The MAC address must be preceded by the letters SEP. See the knowledgebase article for instructions on locating the MAC address of an IP phone.
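Because Users.xml decides which user may access which phone, it is worth checking the file after every edit. The following is an added example, not part of the product or the original page: the function names and the sample entries are hypothetical, and it assumes a device name is SEP followed by 12 hex digits without separators (as in the template line) and that user names compare case-insensitively.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: "SEP" + 12 hex digits, no separators, as in SEP000000000000.
DEVICE_RE = re.compile(r"SEP[0-9A-Fa-f]{12}")

# Constructed sample input, not taken from a real deployment.
SAMPLE_USERS_XML = """<?xml version="1.0" encoding="utf-8" ?>
<users>
  <user userName="Administrator" deviceName="SEP000000000000" />
  <user userName="jsmith" deviceName="SEP001122AABBCC" />
  <user userName="jsmith" deviceName="00:11:22:AA:BB:DD" />
  <user userName="" deviceName="SEP001122AABBEE" />
  <user userName="adoe" deviceName="SEP001122AABBCC" />
  <user userName="JSmith" deviceName="SEP001122aabbcc" />
</users>
"""

def lint_users_xml(text):
    """Return (entries, problems) for the text of a Users.xml file."""
    root = ET.fromstring(text.encode("utf-8"))
    entries, problems, seen = [], [], set()
    if root.tag != "users":
        problems.append(f"root element is <{root.tag}>, expected <users>")
    for n, el in enumerate(root.iter("user"), start=1):
        user = (el.get("userName") or "").strip()
        device = (el.get("deviceName") or "").strip()
        key = (user.lower(), device.upper())
        if not user:
            problems.append(f"entry {n}: empty userName")
        elif not DEVICE_RE.fullmatch(device):
            problems.append(f"entry {n}: deviceName {device!r} is not SEP + 12 hex digits")
        elif key in seen:
            problems.append(f"entry {n}: duplicate of an earlier entry")
        else:
            seen.add(key)
            entries.append((user, device.upper()))
    return entries, problems

def phones_by_user(entries):
    """Group device names per user so the granted access can be reviewed."""
    access = {}
    for user, device in entries:
        access.setdefault(user, []).append(device)
    return access

if __name__ == "__main__":
    entries, problems = lint_users_xml(SAMPLE_USERS_XML)
    print("\n".join(problems))
    print(phones_by_user(entries))
```

On the constructed sample this reports entries 3, 4 and 6 and shows that jsmith and adoe are both mapped to the same phone, which is the kind of overlap a reviewer should confirm is intended.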
Updating Cisco IP Phone XML Configuration Files (SEP<MAC>.cnf.xml)
The authenticationURL section of the XML configuration file (SEP<MAC>.cnf.xml, where <MAC> is the MAC address of the IP phone) for each phone needs to be updated to point to the server which the Cisco XML Authentication Service was installed on. The excerpt below shows the section of the configuration file which needs to be updated. If the IIS Web Site was installed on a port other than 80, :PortNumber needs to be appended to the end of the IP address, for example, http://192.168.0.1:81/CiscoXmlAuthenticationService/api/Authenticate
</networkLocaleInfo>
<deviceSecurityMode>1</deviceSecurityMode>
<authenticationURL>http://<IPAddress>/CiscoXmlAuthenticationService/api/Authenticate</authenticationURL>
<directoryURL></directoryURL>
<idleURL></idleURL>
If the authenticationURL section doesn't exist in your configuration file, it is recommended to add it above directoryURL. If the directoryURL section is not present, add it below networkLocaleInfo, or above any other URLs such as idleURL or servicesURL, or before the section dscpForSCCPPhoneServices.
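The update and placement rules above can be applied consistently across many phone files with a short script. This is an added example, not code from the product or the original page: the function names, the ANCHORS list and the trimmed sample file are hypothetical, and the script assumes the listed elements can be found by tag name anywhere in the file.

```python
import xml.etree.ElementTree as ET

SERVICE_PATH = "/CiscoXmlAuthenticationService/api/Authenticate"
# Placement order given in the text: (tag, 0 = insert above it, 1 = below it).
ANCHORS = [("directoryURL", 0), ("networkLocaleInfo", 1), ("idleURL", 0),
           ("servicesURL", 0), ("dscpForSCCPPhoneServices", 0)]

# Constructed, heavily trimmed sample; a real SEP<MAC>.cnf.xml has many more elements.
SAMPLE_CNF = """<device>
  <networkLocaleInfo><name>United_States</name></networkLocaleInfo>
  <deviceSecurityMode>1</deviceSecurityMode>
  <idleURL></idleURL>
</device>"""

def build_url(host, port=80):
    """Append :port only when the IIS web site is not bound to port 80."""
    netloc = host if port == 80 else f"{host}:{port}"
    return f"http://{netloc}{SERVICE_PATH}"

def set_authentication_url(cnf_text, host, port=80):
    """Update authenticationURL, inserting it first if the file lacks it."""
    root = ET.fromstring(cnf_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    node = root.find(".//authenticationURL")
    if node is None:
        node = ET.Element("authenticationURL")
        for tag, offset in ANCHORS:
            anchor = root.find(f".//{tag}")
            if anchor is not None:
                parent = parents[anchor]
                parent.insert(list(parent).index(anchor) + offset, node)
                node.tail = anchor.tail  # reuse the neighbour's indentation
                break
        else:
            raise ValueError("no known anchor element; place authenticationURL by hand")
    node.text = build_url(host, port)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(set_authentication_url(SAMPLE_CNF, "192.168.0.1", 81))
```

ElementTree drops comments and the XML declaration when it serializes, so compare the output with the original file before putting it into service.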
After performing the authentication test suggested on the service welcome page, the simplest way to test the installation end-to-end is to install the trial version of Outlook Click to Dial and attempt to connect to an IP phone directly.