Cisco Cisco Expressway Maintenance Manual
SIP
(meaning whether the Expressway trusts any pre-existing authenticated indicators - known as P-Asserted-
Identity headers - within the received message).
Identity headers - within the received message).
Policy
Trust
Behavior
Check
credentials
credentials
Off
Messages are not challenged for authentication.
All messages are classified as unauthenticated.
Any existing P-Asserted-Identity headers are removed.
On
Messages are not challenged for authentication.
Messages with an existing P-Asserted-Identity header are classified as authenticated,
and the header is passed on unchanged.
and the header is passed on unchanged.
Messages without an existing P-Asserted-Identity header are classified as
unauthenticated.
unauthenticated.
Do not check
credentials
credentials
Off
Messages are not challenged for authentication.
All messages are classified as unauthenticated.
Any existing P-Asserted-Identity headers are removed.
On
Messages are not challenged for authentication.
Messages with an existing P-Asserted-Identity header are classified as authenticated,
and the header is passed on unchanged.
and the header is passed on unchanged.
Messages without an existing P-Asserted-Identity header are classified as
unauthenticated.
unauthenticated.
Treat as
authenticated
authenticated
Off
Messages are not challenged for authentication.
All messages are classified as unauthenticated.
Any existing P-Asserted-Identity headers are removed.
On
Messages are not challenged for authentication.
Messages with an existing P-Asserted-Identity header are classified as authenticated,
and the header is passed on unchanged.
and the header is passed on unchanged.
Messages without an existing P-Asserted-Identity header are classified as
unauthenticated.
unauthenticated.
SIP authentication trust
requests. If the Expressway then forwards the request on to a neighbor zone such as another Expressway,
that receiving system will also authenticate the request. In this scenario the message has to be
authenticated at every hop.
that receiving system will also authenticate the request. In this scenario the message has to be
authenticated at every hop.
To simplify this so that a device’s credentials only have to be authenticated once (at the first hop), and to
reduce the number of SIP messages in your network, you can configure neighbor zones to use the
Authentication trust mode setting.
reduce the number of SIP messages in your network, you can configure neighbor zones to use the
Authentication trust mode setting.
This is then used in conjunction with the zone's authentication policy to control whether pre-authenticated
SIP messages received from that zone are trusted and are subsequently treated as authenticated or
unauthenticated within the Expressway. Pre-authenticated SIP requests are identified by the presence of a
P-Asserted-Identity field in the SIP message header as defined by
SIP messages received from that zone are trusted and are subsequently treated as authenticated or
unauthenticated within the Expressway. Pre-authenticated SIP requests are identified by the presence of a
P-Asserted-Identity field in the SIP message header as defined by
.
Cisco Expressway Administrator Guide (X8.1.1)
Page 73 of 343
Device authentication
About device authentication