Cisco Cisco Expressway Maintenance Manual
Configuring Authentication to Use the Local Database
The local authentication database is included as part of your Expressway system and does not require any specific
connectivity configuration. It is used to store user account authentication credentials. Each set of credentials
consists of a name and password.
The credentials in the local database can be used for device (SIP), traversal client, and TURN client authentication.
Adding credentials to the local database
To enter a set of device credentials:
1. Go to Configuration > Authentication > Devices > Local database and click New.
2. Enter the Name and Password that represent the device’s credentials.
3. Click Create credential.
Note that the same credentials can be used by more than one device.
Credentials managed within Cisco TMS (for device provisioning)
When the Expressway is using TMS Provisioning Extension services, the credentials supplied by the Users service are
stored in the local authentication database, along with any manually configured entries. The Source column
identifies whether the user account name is provided by TMS, or is a Local entry. Only Local entries can be edited.
Incorporating Cisco TMS credentials within the local database means that Expressway can authenticate all messages
(i.e. not just provisioning requests) against the same set of credentials used within Cisco TMS.
Local database authentication in combination with H.350 directory authentication
You can configure the Expressway to use both the local database and an H.350 directory.
If an H.350 directory is configured, the Expressway will always attempt to verify any Digest credentials presented to it
by first checking against the local database before checking against the H.350 directory.
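The lookup order described above, modelled as an added example (not Cisco's code and not part of the original guide): an RFC 2617 Digest response is recomputed against the local database first, then against the H.350 directory. The credential names, passwords, realm and nonce are constructed, and falling through to the next source after a miss or mismatch is an assumption of this model.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(name, realm, password, method, uri, nonce):
    # RFC 2617 Digest without qop: MD5(HA1:nonce:HA2).
    ha1 = md5_hex(f"{name}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def authenticate(req, sources):
    """Return the label of the first source that validates the response.

    sources: ordered list of (label, {name: password}). The verifier must
    hold the password (or HA1) itself, because it recomputes the response.
    Assumption of this model: a miss or mismatch in one source falls
    through to the next.
    """
    for label, store in sources:
        password = store.get(req["name"])
        if password is None:
            continue
        expected = digest_response(req["name"], req["realm"], password,
                                   req["method"], req["uri"], req["nonce"])
        if hmac.compare_digest(expected, req["response"]):
            return label
    return None

def client_request(name, password, nonce="constructed-nonce-1"):
    # Constructed sample SIP REGISTER credentials, as an endpoint would send.
    req = {"name": name, "realm": "example.invalid", "method": "REGISTER",
           "uri": "sip:example.invalid", "nonce": nonce}
    req["response"] = digest_response(name, req["realm"], password,
                                      req["method"], req["uri"], nonce)
    return req

# Constructed credential stores; the local database is listed first.
LOCAL_DB = {"room-101": "local-pass"}
H350_DIR = {"room-101": "dir-pass", "desk-7": "desk-pass"}
SOURCES = [("local", LOCAL_DB), ("h350", H350_DIR)]

if __name__ == "__main__":
    for name, pw in [("room-101", "local-pass"), ("desk-7", "desk-pass"),
                     ("desk-7", "wrong"), ("ghost", "x")]:
        print(name, "->", authenticate(client_request(name, pw), SOURCES))
```

A name that exists in both stores with different passwords shows why the order matters when auditing which source actually authenticated a device.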
Local database authentication in combination with Active Directory (direct) authentication
If Active Directory (direct) authentication has been configured and NTLM protocol challenges is set to Auto, then
NTLM authentication challenges are offered to those devices that support NTLM.
■ NTLM challenges are offered in addition to the standard Digest challenge.
■ Endpoints that support NTLM will respond to the NTLM challenge in preference to the Digest challenge, and
the Expressway will attempt to authenticate that NTLM response.
Authenticating with External Systems
The Outbound connection credentials page (Configuration > Authentication > Outbound connection credentials) is
used to configure a username and password that the Expressway will use whenever it is required to authenticate with
external systems.
For example, when the Expressway is forwarding an invite from an endpoint to another Expressway, that other system
may have authentication enabled and will therefore require your local Expressway to provide it with a username and
password.
Note that these settings are not used by traversal client zones. Traversal clients, which must always authenticate
with traversal servers before they can connect, configure their connection credentials per traversal client zone.
Cisco Expressway Administrator Guide
Device Authentication