For anyone that has not talked to me in the past few weeks, I wanted to let you know that I officially accepted an offer to work for Cisco Systems in San Jose, CA. I will be starting there this summer in June. I will be entering through the Cisco Choice Program as a Software Engineer which I will explain in a little more detail below.

Before starting work, Dad, William, and I will be taking a cross country road trip (similar to the one I took to get to California for my internship last summer) This time we will be taking the more southern route to get a different view along the way. Of course pictures of the trip and progress will be posted.

Now on to the details about Cisco Choice…

Cisco Choice for full time is very similar to the process of my internship in that I will get to select the department I wish to work with. The main difference this time is we are armed with a little more information. With the internship you are picking with a more limited view of the group based on a summary provided for each group participating. For full time the process is much more in depth.

It starts out with a week of introductions and presentations by the various groups and managers. Week 2 allows us to interview potential groups we are interested and get an idea of what some of the interesting projects they are working on. Finally you select the top several choices and after Week 3 you start working with that group.

Now all that is left is to finish one more semester at Purdue. Here is hoping that Senioritis doesnt kick in too early ;-)

Here we go (attempted to keep in order of occurrence):

1. Accepted internship with Cisco
2. Road trip across the country (to get to Cisco in San Jose)
3. Visited Garden of the Gods
4. Climbed to the top of Pikes Peak (well, drove to the top)
5. Visited Las Vegas
6. Got a tour of the Googleplex
7. Spent 2 days in Yosemite National Park
8. Went to the Google I/O Conference
9. Visited the Mystery Spot
10. Visited San Francisco
11. Got my laptop stolen (from a locked trunk) in San Francisco
12. Traveled the 17 Mile Drive in Monterey
13. Redesigned Hydra Labs web site (work in progress)
14. Got hired by Cisco to work through the school year
15. Vacationed at Deep Creek Lake in Maryland
16. Released 1.2.0 of Dtella
17. Wrote this post

Time it took me to do all this: 13 weeks! Lets see if I can keep up this momentum as I head back to school…

1. ETG – Emerging Technology Group
Creates solutions in new and adjacent markets built around advanced video, voice, and data communications.

2. CDO Ops
Enhance productivity and operating efficiency in the CDO organization, improve hardware and software quality across Cisco products and systems

3. NMTG – Network Management Technology Group
Implements network management solutions capability for Cisco products and supporting key Cisco markets.

I am hoping for Emerging Technology as it sounds like they work with a diverse range of technologies and are always on the bleeding edge of development and technology.

The Cisco 7970G IP Phone is by far one of the nicest VoIP Phones i have ever used. However, getting it to work outside the standard Cisco Call Manager environment with Asterisk can be a challenge. After weeks of testing various configurations and tweaking settings on both the phone and Asterisk, i was able to finally get a working configuration that works for both local network connections and NAT as well.

As with any setup there are some prerequisites that must be met to perform this setup. It is possible that other configurations and software versions will work, however this is what I have currently working. You are welcome to let me know if you have other setups that work.

My Configuration & Setup

1. Asterisk 1.4.18
2. Cisco 7970G (firmware: SIP70.8-3-4SR1S)
3. 2 Cisco 1811 routers (IOS: 12.4(15)T1)

I successfully tested the following configurations with the phone:

The NAT Setup*

7970G <–> 1811 (w/ NAT) <–> Internet <–> 1811 (w/ NAT) <–> Asterisk

The DMVPN Setup (Same as a local network)

7970G <–> 1811 <–> Internet (VPN) <–> 1811 <–> Asterisk

The DMVPN setup was the most trivial as it was essentially a local network with the Asterisk server. The NAT setup was the harder one to get working, however, once I got a configuration file that worked with NAT, the same configuration worked for the DMVPN or local setup as well.

*I believe that one of the keys to getting the 7970G working over NAT was the fact that it was behind a Cisco router (the 1811). Because this router’s NAT implementation is SIP aware, it is able to properly handle SIP messages over NAT from the 7970G. This being said, the 7970G may not function properly over NAT on other routers.

XML Configuration File

Below you will find the link to my XML configuration file (with passwords and IP’s of my private network removed of course)

Cisco 7970 Configuration XML

NOTE: The file should be in the form “SEPmac_address.cnf.xml” when you place it on your TFTP server. where mac_address is the MAC address of your Cisco IP phone.

Asterisk Configuration

In order to get the Cisco 7970G to register to asterisk (either over NAT or VPN) the NAT flag in your sip.conf (or in FreePBX) must be set to “never” and qualify must be set to “yes”. I know it seems counter intuitive to keep NAT turned off when you are behind it but for some reason Asterisk’s NAT implementation breaks Cisco phone connections. Qualify is needed because it keeps the NAT translation open between the Cisco phone and the Asterisk server. Should the translation be allowed to close, Asterisk will not be able to reach the Cisco phone.

MWI Fixes

The second part to this was making sure that MWI worked on the phone. This has become somewhat of an issue due to a couple reasons:

1. Asterisk adds some extra (and seemingly unneeded information) to the voice mail notices
2. Cisco decided not to follow the RFC on the SIP protocol and thus it ignores these notices with extra information.

Cisco firmware version 8.0.2SR1 is able to handle the extra information and thus this is the firmware that many people using this phone have stuck with despite the numerous newer releases that have come out. Any version after that must use one of the following methods to get MWI working again.

1. Asterisk 1.4 introduced the “BUGGYMWI” flag for the sip.conf file. When defining an extension simply add the line “BUGGYMWI = true” and it will make the proper adjustments to the notices for Cisco compatibility.
2. Before compiling the Asterisk source code you can modify a line in the “chan_sip.c” file to remove that extra information permanently.

I opted for option #2 for two reasons. First, it just seemed cleaner to make the change once and not have to worry about it again (until i upgrade that is) and secondly, FreePBX does not provide an easy way to add the “BUGGYMWI” flag into extensions.

In order to remove this from chan_sip.c permanently, go to your asterisk source code and then go to the “channels” folder. From there open up the chan_sip.c file and search for the following:

/* Cisco has a bug in the SIP stack where it can't accept the
(0/0) notification. This can temporarily be disabled in
sip.conf with the "buggymwi" option */

ast_build_string(&t, &maxbytes, "Voice-Message: %d/%d%s\r\n", newmsgs, oldmsgs,
(ast_test_flag(&p->flags[1], SIP_PAGE2_BUGGY_MWI) ? "" : "(0/0)"));

Now all you must do is simply replace the last line with this:

ast_build_string(&t, &maxbytes, "Voice-Message: %d/%d\r\n", newmsgs, oldmsgs);

And then compile Asterisk.

Epilogue

I hope this guide helps everyone that loves the Cisco 7970G phone to get it working with Asterisk. It can be a difficult task but is well worth the effort once it is working. Please feel free to leave comments with any suggestions to this article and let me know if you have gotten any other configurations working!

In addition to authentication of users it also allows for authorizing a given user to different levels of access. For example: Alice may only have access to view the current configuration of a router, while Bob has access to change the configuration.

Finally, TACACS provides accounting. This allows central logging of all commands a user executes for auditing purposes. That way if “someone” happens to destroy your configuration on a device, you know who to hunt down.

Just to note… In case you are wondering what the difference is between TACACS and TACACS+, TACACS+ is a completely new protocol and is not compatible with the older TACACS protocol. TACACS+ was created by Cisco Systems. The specific implementation I will be using is usually referred to as “tac_plus” and is also the name of the daemon.

Ok, so on to the fun stuff… For this project I used the following:

• CentOS Linux 5
  
• Shrubbery Networks’ TACACS+ Daemon

The first step was to install the daemon. As there is currently no RPM based packages for “tac_plus”, I had to build from source which was as painless as:

1. Extract the archive
2. ./configure
3. make install

Next, I had to draft up a configuration file:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

accounting file = /var/log/tac_plus/accounting.log
 
key = "insertkeyhere"
 
group = admin {
  default service = permit
  service = exec {
    priv-lvl = 15
  }
}
 
user = jfeisley {
  member = admin
  login = des "foobarbaz"
}

The next task was to code up a working init script for the tac_plus daemon:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68

#!/bin/bash
 
# Source function library.
. /etc/rc.d/init.d/functions
 
# Source networking configuration.
. /etc/sysconfig/network
 
# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0
 
# Some config parameters
#For config file
tacacs_config="/etc/tacacs.conf"
tacacs_log="/var/log/tac_plus/tac_plus.log"
#For debug option
debug=0
 
[ -f /usr/local/bin/tac_plus ] || exit 0
 
[ -f $tacacs_config ] || exit 0
 
# See how we were called.
case "$1" in
  start)
        # Start daemon.
        if [ $debug -gt 0 ]
        then
        echo -n "Starting TACACS+ with debug level $debug : "
        daemon /usr/local/bin/tac_plus -C $tacacs_config -d $debug -l $tacacs_log
        else
        echo -n "Starting TACACS+ :"
        daemon /usr/local/bin/tac_plus -C $tacacs_config -l $tacacs_log
        fi
        echo
        touch /var/lock/subsys/tac_plus
        ;;
  stop)
        # Stop daemons.
        echo -n "Shutting down TACACS+: "
        killproc tac_plus
        rm -f /var/lock/subsys/tac_plus
        echo
        ;;
  status)
        status tac_plus
        exit $?
        ;;
  restart)
        $0 stop
        $0 start
        ;;
 
  reload)
        echo "TACACS+ now reloading......"
        kill -SIGUSR1 `cat /var/run/tac_plus.pid`
        exit $?
        ;;
  test)
        echo "TACACS+ config being testing..."
        /usr/local/bin/tac_plus -P -C $tacacs_config
        ;;
  *)
        echo "Usage: tac_plus {start|stop|status|restart|reload|test}"
        exit 1
esac
 
exit 0

Finally, I configured my various Cisco devices to authenticate against the TACACS+ daemon.

Today I was offered an internship for the summer at Cisco!

I will be in San Jose, CA for the summer at the main Cisco campus. Since i am in the Cisco Choice program, when it gets closer to the summer I will be choosing business unit interests me and hopefully be placed into that. I am currently leaning toward wireless or software engineering, but of course that could change as it gets closer to summer.