Cisco Cisco Expressway Maintenance Manual
To simplify this so that a device’s credentials only have to be authenticated once (at the first hop), and to reduce the
number of SIP messages in your network, you can configure neighbor zones to use the Authentication trust mode
setting.
number of SIP messages in your network, you can configure neighbor zones to use the Authentication trust mode
setting.
This is then used in conjunction with the zone's authentication policy to control whether pre-authenticated SIP
messages received from that zone are trusted and are subsequently treated as authenticated or unauthenticated
within the Expressway. Pre-authenticated SIP requests are identified by the presence of a P-Asserted-Identity field in
the SIP message header as defined by
messages received from that zone are trusted and are subsequently treated as authenticated or unauthenticated
within the Expressway. Pre-authenticated SIP requests are identified by the presence of a P-Asserted-Identity field in
the SIP message header as defined by
The Authentication trust mode settings are:
■
On: pre-authenticated messages are trusted without further challenge and subsequently treated as
authenticated within the Expressway. Unauthenticated messages are challenged if the Authentication policy
is set to Check credentials.
authenticated within the Expressway. Unauthenticated messages are challenged if the Authentication policy
is set to Check credentials.
■
Off: any existing authenticated indicators (the P-Asserted-Identity header) are removed from the message.
Messages from a local domain are challenged if the Authentication policy is set to Check credentials.
Messages from a local domain are challenged if the Authentication policy is set to Check credentials.
Note:
■
We recommend that you enable authentication trust only if the neighbor zone is part of a network of trusted
SIP servers.
SIP servers.
■
Authentication trust is automatically implied between traversal server and traversal client zones.
Configuring Authentication to Use the Local Database
The local authentication database is included as part of your Expressway system and does not require any specific
connectivity configuration. It is used to store user account authentication credentials. Each set of credentials
consists of a name and password.
connectivity configuration. It is used to store user account authentication credentials. Each set of credentials
consists of a name and password.
The credentials in the local database can be used for device (SIP and H.323), traversal client and TURN client
authentication.
authentication.
Adding credentials to the local database
To enter a set of device credentials:
1.
Go to Configuration > Authentication > Local database and click New.
2.
Enter the Name and Password that represent the device’s credentials.
3.
Click Create credential.
Note that the same credentials can be used by more than one device.
Authenticating with External Systems
The Outbound connection credentials page (Configuration > Authentication > Outbound connection credentials) is
used to configure a username and password that the Expressway will use whenever it is required to authenticate with
external systems.
used to configure a username and password that the Expressway will use whenever it is required to authenticate with
external systems.
For example, when the Expressway is forwarding an invite from an endpoint to another Expressway, that other system
may have authentication enabled and will therefore require your local Expressway to provide it with a username and
password.
may have authentication enabled and will therefore require your local Expressway to provide it with a username and
password.
Note that these settings are not used by traversal client zones. Traversal clients, which must always authenticate
with traversal servers before they can connect, configure their connection credentials per traversal client zone.
with traversal servers before they can connect, configure their connection credentials per traversal client zone.
99
Cisco Expressway Administrator Guide
Device Authentication