Cisco Cisco Expressway Maintenance Manual
Policy
Behavior
Treat as
authenticated
authenticated
Message credentials are not checked and all messages are classified as authenticated.
SIP
(meaning whether the Expressway trusts any pre-existing authenticated indicators - known as P-Asserted-
Identity headers - within the received message).
Identity headers - within the received message).
Policy
Trust
Behavior
Check
credentials
credentials
Off
Messages are not challenged for authentication.
All messages are classified as unauthenticated.
Any existing P-Asserted-Identity headers are removed.
On
Messages are not challenged for authentication.
Messages with an existing P-Asserted-Identity header are classified as authenticated,
and the header is passed on unchanged.
and the header is passed on unchanged.
Messages without an existing P-Asserted-Identity header are classified as
unauthenticated.
unauthenticated.
Do not check
credentials
credentials
Off
Messages are not challenged for authentication.
All messages are classified as unauthenticated.
Any existing P-Asserted-Identity headers are removed.
On
Messages are not challenged for authentication.
Messages with an existing P-Asserted-Identity header are classified as authenticated,
and the header is passed on unchanged.
and the header is passed on unchanged.
Messages without an existing P-Asserted-Identity header are classified as
unauthenticated.
unauthenticated.
Treat as
authenticated
authenticated
Off
Messages are not challenged for authentication.
All messages are classified as unauthenticated.
Any existing P-Asserted-Identity headers are removed.
On
Messages are not challenged for authentication.
Messages with an existing P-Asserted-Identity header are classified as authenticated,
and the header is passed on unchanged.
and the header is passed on unchanged.
Messages without an existing P-Asserted-Identity header are classified as
unauthenticated.
unauthenticated.
SIP authentication trust
requests. If the Expressway then forwards the request on to a neighbor zone such as another Expressway,
that receiving system will also authenticate the request. In this scenario the message has to be
authenticated at every hop.
that receiving system will also authenticate the request. In this scenario the message has to be
authenticated at every hop.
To simplify this so that a device’s credentials only have to be authenticated once (at the first hop), and to
reduce the number of SIP messages in your network, you can configure neighbor zones to use the
Authentication trust mode setting.
reduce the number of SIP messages in your network, you can configure neighbor zones to use the
Authentication trust mode setting.
Cisco Expressway Administrator Guide (X8.5.1)
Page 110 of 399
Device authentication
About device authentication