2.8 Configuring Required Services

Several services and functions of the Call Data Analysis module require special database permissions or configuration. Unless specified, all permission and configuration requirements apply to all Data Source types.

2.8.1 Internet Authentication Service (IAS)

If you are using Cisco H.323 gateways as Data Sources, configure Microsoft Internet Authentication Service (IAS) on each Data Mart computer. IAS is a Windows component that provides a RADIUS server, which AppManager uses to receive the RADIUS accounting records sent by a Cisco H.323 gateway.

If you are using Windows Server 2008 or Windows Server 2008 R2, see the following procedure about Network Policy Server (NPS), which replaces IAS for those operating systems.

To configure IAS on the Data Mart computer:

  1. Ensure IAS is installed on the Data Mart computer.

  2. Navigate to the Control Panel, double-click Administrative Tools, and then double-click Internet Authentication Service.

  3. Right-click Internet Authentication Service and select Properties.

  4. Click the Ports tab.

    Although RADIUS in general can provide authentication as well as accounting, AppManager is interested only in the accounting part for purposes of analyzing call data.

    By default, UDP ports 1813 and 1646 are specified. UDP port 1813 is the RADIUS standard, although many network access servers use port 1646. If you make a change, your list of ports must include the port configured on the network access server (gateway).

  5. Click OK.

  6. Right-click RADIUS Clients and select New RADIUS Client.

  7. In the Friendly name field, type the client-friendly name of the RADIUS client (gateway) that will send accounting records to IAS.

  8. In the Client address field, type the client’s IP address or DNS name. The IP address must match the IP address the gateway will actually use when sending the RADIUS records. It may not be the same as the IP address you get by doing a DNS lookup on the gateway name.

  9. Click Next.

  10. In the Client-Vendor field, select the vendor of your RADIUS client: RADIUS Standard or Cisco. AppManager does not support the other client-vendor options.

  11. In the Shared secret and Confirm shared secret fields, type the password that matches the RADIUS secret configured on the gateway.

    NOTE: Do not select Request must contain the Message Authenticator attribute.

  12. Click Finish.

  13. Repeat steps 5-12 to add a client for each gateway that will send RADIUS records.

  14. Select Remote Access Logging. In the right pane, right-click Local File, and select Properties.

  15. On the Settings tab, select Accounting requests.

  16. On the Log File tab, in the Directory field, type or Browse to the log output folder.

  17. Select IAS as the log format type.

    NOTE: You must use IAS format because it provides full access to the Vendor-Specific Attributes contained in the RADIUS record. AppManager does not support log files written with the Database compatible file format.

  18. Select Daily as the new log time period.

  19. Click OK.

2.8.2 Network Policy Server (NPS)

If you are using Windows Server 2008 or Windows Server 2008 R2 and want to set up a Cisco router as a RADIUS client, you first have to configure Network Policy Server (NPS). NPS is a replacement for Internet Authentication Service (IAS), which was available in Windows Server 2003.

To configure NPS on the Data Mart computer:

  1. On the Data Mart computer, open Server Manager and click Add Roles.

  2. On the Select Server Roles page of the Add Roles wizard, select Network Policy and Access Services and click Next.

  3. On the Select Role Services page of the Add Roles wizard, select Network Policy Server and click Next.

  4. On the Confirmation page of the Add Roles wizard, click Install.

  5. After the role is installed, navigate to the Control Panel.

  6. Double-click Administrative Tools, and then double-click Network Policy Server.

  7. Right-click NPS and select Properties.

  8. Click the Ports tab. Although RADIUS can provide authentication as well as accounting, AppManager is interested only in the accounting part for purposes of analyzing call data.

  9. Specify a port number as needed. By default, UDP ports 1813 and 1646 are specified for accounting. UDP port 1813 is the RADIUS standard, although many network access servers use port 1646. If you make a change, your list of ports must include the port configured on the network access server (gateway).

  10. Click OK.

  11. Right-click RADIUS Clients and select New RADIUS Client.

  12. In the Friendly name field, type the client-friendly name of the RADIUS client (gateway) that will send accounting records to NPS.

  13. In the Address field, type the client IP address or DNS name. The IP address must match the IP address the gateway will actually use when sending the RADIUS records. It may not be the same as the IP address you get by doing a DNS lookup on the gateway name.

  14. In the Vendor name field, select the vendor of your RADIUS client: RADIUS Standard or Cisco. AppManager does not support any other client-vendor options.

  15. In the Shared secret and Confirm shared secret fields, type the password that matches the RADIUS secret configured on the gateway.

    NOTE:

    • Do not select Access-Request messages must contain the Message Authenticator attribute.

    • Do not select Radius client is NAP-capable.

  16. Click Finish.

  17. Repeat steps 7-16 to add a client for each gateway that will send RADIUS records.

  18. Select Accounting. In the right pane, right-click Configure Local File Logging.

  19. On the Log File tab, specify the location of the log output folder in the Directory field.

  20. Select IAS as the log format type.

  21. Select Daily as the new log time period.

  22. Click OK.

  23. Right-click NPS and select Start NPS service.

2.8.3 IOS aaa Accounting

In order for Cisco H.323 gateways to send RADIUS records, enable IOS aaa accounting on the gateway’s router. For details, see your Cisco documentation.

The following IOS commands are relevant to AppManager for Call Data Analysis:

  • aaa new-model; initiates the AAA script

  • aaa accounting connection h323 stop-only radius

  • gw-accounting aaa; enables gateway-specific accounting

  • acct-template callhistory-detail (under gw-accounting-aaa); sends all voice Vendor-Specific Attributes (VSAs) for accounting. By default, not all voice VSAs are sent, so RADIUS records will not include such statistics as lost-packets and late-packets unless you issue this IOS command.

  • radius-server host N.N.N.N auth-port 1645 acct-port 1813

  • radius-server key < XXX >

  • radius-server vsa send accounting
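The shared secret entered for each RADIUS client and the VSAs enabled above both show up in the Accounting-Request itself. The following Python sketch is an added example, not AppManager, Microsoft or Cisco code: it verifies the RFC 2866 Request Authenticator against a shared secret and lists the Cisco VSAs in a record. The secret, the packet and the attribute values are constructed, and sending lost-packets and late-packets as Cisco-AVPair (vendor type 1) is an assumption made for the sample.

```python
import hashlib
import hmac
import struct

# RFC 2866 Accounting-Request code, RFC 2865 Vendor-Specific type, Cisco enterprise number
ACCT_REQUEST, VENDOR_SPECIFIC, CISCO = 4, 26, 9

def attr(a_type, value):
    return bytes([a_type, len(value) + 2]) + value      # type, length, value

def cisco_avpair(text):
    data = text.encode("ascii")                          # vendor type 1 assumed for the sample
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO, 1, len(data) + 2) + data)

def request_authenticator(header, attrs, secret):
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_accounting_request(identifier, attrs, secret):
    # Stand-in for the gateway, used only to construct the sample packet
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator(header, attrs, secret) + attrs

def authenticator_ok(packet, secret):
    """True only if the sender used the same shared secret as this server."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or not 20 <= length <= len(packet):
        return False
    expected = request_authenticator(packet[:4], packet[20:length], secret)
    return hmac.compare_digest(expected, packet[4:20])

def cisco_vsas(packet):
    """Return the string payload of every Cisco (vendor 9) VSA in the record."""
    length = min(struct.unpack("!H", packet[2:4])[0], len(packet))
    pos, found = 20, []
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            break                                        # malformed attribute, stop parsing
        value = packet[pos + 2:pos + a_len]
        if a_type == VENDOR_SPECIFIC and len(value) >= 6 and value[:4] == struct.pack("!I", CISCO):
            found.append(value[6:4 + value[5]].decode("ascii", "replace"))
        pos += a_len
    return found

SECRET = b"constructed-secret"                           # constructed, not a real key
SAMPLE = build_accounting_request(7, attr(40, struct.pack("!I", 2))  # Acct-Status-Type = Stop
    + cisco_avpair("lost-packets=3") + cisco_avpair("late-packets=1"), SECRET)

if __name__ == "__main__":
    print(authenticator_ok(SAMPLE, SECRET), authenticator_ok(SAMPLE, b"typo"), cisco_vsas(SAMPLE))
```

A record whose authenticator does not verify is silently discarded by a RADIUS server, so a secret mismatch between gateway and server appears as missing call data rather than as an error on the gateway.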

2.8.4 Client Resource Monitor Service

The AppManager Client Resource Monitor service (netiqmc) has different authentication requirements for the Data Warehouse computer and the Report agent computer.

  • The netiqmc service on the Data Warehouse computer accesses the Data Warehouse and the Data Marts. It will use either Windows authentication or SQL authentication, depending on what you choose in the CallData_AddDataSource and Discovery_CallDataAnalysis Knowledge Scripts.

    If the Data Warehouse and Data Mart databases are located on the same computer and you choose Windows authentication, the service may run as Local System. If the Data Warehouse and Data Mart databases are located on different computers and you choose Windows authentication, the netiqmc service must be running as an account that has administrative privileges for both the local SQL Server and the SQL Server on the remote Data Mart computer.

  • The netiqmc service on the Report agent computer uses Windows authentication to access SQL Server on the Data Warehouse computer. The netiqmc service should be running under a user account that has access to the NQCDA_Warehouse database on the Data Warehouse computer.

2.8.5 SQLSERVERAGENT Service

The SQLSERVERAGENT service on the Data Mart computer accesses the Data Warehouse and the Data Source. You can specify one type of authentication for accessing the Data Warehouse and a different type of authentication for accessing the Data Source. You specify which authentication to use in the AddDataSource_CiscoCallMgr and AddDataSource_CiscoCM Knowledge Scripts. Use AppManager Security Manager to update the authentication information.

The SQLSERVERAGENT service should be running under a user account that has access to the Data Warehouse database (NQCDA_Warehouse). Do not configure the service under the Local System account unless NQCDA_Warehouse and the Data Mart are on the same computer.

Cisco Unified Communications Manager version 4.x does not permit connections to SQL Server using SQL authentication. You must connect using Windows authentication. For more information, see Section 2.11, Connecting to a Unified Communications Manager 4.x Data Source.

The SQLSERVERAGENT authentication requirement applies only to environments using Cisco Unified Communications Manager as a Data Source.