1 - No, you can't add them to the domain. Your VCS setup is not domain membership, but rather using LDAP as the source of user authentication. This functionality is not available on the codecs.
2 - It would be best security practice to do so, but certificate management is not something most customers are very good at and many do not. The default certificates are not giving you trust of identity and authentication... simply ensuring there is encryption in play to 'someone...' which you hope is your device and no one in the middle.. and no one capturing the traffic. How significant that risk is, is something you must decide for yourself.
3 - Certificates would be unique per device and you would typically use hostnames to reach the systems, not IP addresses so the browser address can be matched to the common name in the certificate. DHCP changes can be integrated if you have DHCP giving dynamic updates to DNS.
#1 - In "VCS Authenticating Devices Deployment Guide X6".... it has the following:
To join the VCS into the AD domain, access to VCS via the root login is required.
1. Login as root over SSH or via the serial interface, then:
   a. Type domain_management you will be presented with the options:
      ----------------------------------------
      1) Join Domain
      2) Leave Domain
      3) VCS Status
      4) Domain Information
      5) Exit
      ----------------------------------------
   b. Choose option 1) Join Domain.
   c. When asked, enter the domain administrator username.
   d. When asked, enter the domain administrator password (case sensitive).
I think LDAP query is used for Admin login and the direct AD join is for Provisioning Extension ??? Later this function was added to the web interface of X7
Either way, I would think that others besides me would like the functionality of using AD/LDAP credentials to login to an endpoint.... Would love to see that on the roadmap
#2 - We have been using the included Certificates, but with the Heartbleed vulnerability it has caused us to change the Certs on all systems and possibly revisit who is a Certificate Authority on those certs... not fun
#3 - I have since learned through a TAC case I opened, that if a Factory reset is done on the systems, it will re-generate a new self signed certificate and it appears in some cases a new cert will be generated during the upgrade process.
So on one of the test systems we have an old Tandberg Cert with a date of 2010 and a new Cert from Apr 2014 that is Cisco...
We think we can use the new one that was generated from the TC7.1.1 upgrade, however we cannot use the old one from 2010
Generating our own Certs is not going to be fun....
>#1 - In "VCS Authenticating Devices Deployment Guide X6".... it has the following:
Yes, sorry, I overlooked that specific device authentication method. It's been far too long that I've been so specialized I've lost my SME-credentials on most other topics :) VCS has been offering a lot of advanced functionality that only the VCS SMEs can really keep up with :)
>#2 - We have been using the included Certificates, but with the Heartbleed vulnerability it has caused us to change the Certs on all systems and possibly revisit who is a Certificate Authority on those certs... not fun
Certificate management is daunting for most people new to it, but deploying is not so bad.. it's the keeping tabs and upkeep that is the burden IMO. It's easy enough to cut certificates using OpenSSL utilities or a Microsoft CA if you are willing to use an internal CA. There is a lot of best practice overhead if you are really serious about it... but for people that have been running the default certs for so long, I doubt they are interested in going to the full on detached CA world :)
>#3 - I have since learned through a TAC case I opened, that if a Factory reset is done on the systems, it will re-generate a new self signed certificate
This is an area you must approach device by device and version by version. Things have improved and evolved over time. It's good to hear they are re-generating certificates like that.
But for anyone concerned about Heartbleed - you shouldn't be using self-signed certificates either as you do not have the identification validation part of SSL when using self-signed certificates or if you are always ignoring certificate errors. SSL is both encryption AND identification. Else, you risk just sending your traffic to anyone who inserts themselves in the conversation.
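The points made in this thread about unique per-device certificates, hostname matching and self-signed defaults, as an added example (not from any poster and not from Cisco documentation): an internal CA built with the OpenSSL utilities issues a certificate for one device, and verification succeeds only when both the chain and the hostname match. The CA name and the `codec-*.video.example.internal` hostnames are constructed.

```shell
#!/bin/sh
# Added example: internal CA, one certificate per device, identity checked by hostname.
set -eu
WORK=$(mktemp -d)

make_ca() {
  # Root of the internal CA; in real use this key is kept offline.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Example/CN=Example Video CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

issue_device_cert() {
  # $1 = DNS hostname users type in the browser; it becomes both CN and SAN.
  host=$1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$WORK/$host.ext" \
    -out "$WORK/$host.pem" 2>/dev/null
}

make_factory_style_cert() {
  # Stand-in for a default self-signed device certificate: no CA vouches for it.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

check_identity() {
  # $1 = device whose certificate is presented, $2 = hostname the client asked for.
  # Succeeds only if the chain ends at our CA and the hostname matches.
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$WORK/$1.pem" >/dev/null 2>&1
}

report() {
  if check_identity "$1" "$2"; then echo "$1 presented for $2: trusted"
  else echo "$1 presented for $2: REJECTED"; fi
}

make_ca
issue_device_cert codec-a.video.example.internal
make_factory_style_cert codec-b.video.example.internal
report codec-a.video.example.internal codec-a.video.example.internal  # CA-issued, name matches
report codec-a.video.example.internal codec-b.video.example.internal  # CA-issued, wrong device
report codec-b.video.example.internal codec-b.video.example.internal  # self-signed default
```

Only the first case is trusted; the other two are the situations a browser flags with a certificate error, which is the check that is lost when those errors are routinely clicked through.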