Cisco Cisco TelePresence MCU 4510 Release Notes
New features in 4.4
Cisco TelePresence MCU 4.4(3.57) Maintenance Release Notes
Page 3 of 28
the client to authenticate with the certificate. In all other cases, the MCU will reject the certificate and prevent
authentication.
authentication.
The MCU always uses its known OCSP server and does not check any OCSP servers specified by the
client certificate. The feature is configurable to include a nonce. Static Certificate Revocation Lists are not
supported.
client certificate. The feature is configurable to include a nonce. Static Certificate Revocation Lists are not
supported.
Certificate-based login
Users can now authenticate and log in using a client certificate, where previously they would always need to
enter a username and password. The ability to log in with a username and password is retained, so the MCU
can be configured to operate with or without certificate-based authentication.
enter a username and password. The ability to log in with a username and password is retained, so the MCU
can be configured to operate with or without certificate-based authentication.
CAUTION:
When setting certificate-based authentication options for the MCU it is possible inadvertently to
block all login access (including administrators) to the web interface. If you decide to implement certificate-
based authentication we strongly recommend that you first review the appended topic
based authentication we strongly recommend that you first review the appended topic
The MCU now supports four login modes, listed here from lowest to highest security level:
1
Not required
Certificate-based client authentication is not required (default) and client
certificates are ignored. Password-based authentication is required for all
client access, whether by users over HTTPS or applications making API calls.
certificates are ignored. Password-based authentication is required for all
client access, whether by users over HTTPS or applications making API calls.
2
Verify certificate
Incoming HTTPS connections are only permitted if the client certificate is
signed by an authority that the MCU trusts, but password-based login is still
required to authenticate the client, for HTTPS, API, and other client
connections.
signed by an authority that the MCU trusts, but password-based login is still
required to authenticate the client, for HTTPS, API, and other client
connections.
3
Certificate-based
authentication allowed
authentication allowed
Incoming HTTPS connections are only permitted if the client certificate is
signed by an authority that the MCU trusts and, if the certificate's common
name matches a stored username, the client logs in as that user. However, if
the certificate is trusted and the common name does not match, the client may
log in with username and password.
signed by an authority that the MCU trusts and, if the certificate's common
name matches a stored username, the client logs in as that user. However, if
the certificate is trusted and the common name does not match, the client may
log in with username and password.
4
Certificate-based
authentication required
authentication required
Incoming HTTPS connections are only permitted if the client certificate is
signed by an authority that the MCU trusts. The common name of the
certificate must also match a stored username and password-based client
authentication is not allowed.
signed by an authority that the MCU trusts. The common name of the
certificate must also match a stored username and password-based client
authentication is not allowed.
HTTP and FTP logins are blocked. If Require administrator login is checked
(on
(on
Settings > Security
), then console access is restricted to functions that do
not require a login.
Note: The MCU requires every user account to have a password, even if
Certificate-based authentication required is selected and thus clients may
not use their passwords. Furthermore, if the MCU is in advanced account
security mode, passwords must be replaced every 60 days. Users are not
prompted to change their passwords when they log in using certificate-based
authentication, so the passwords will expire and generate security warnings.
Certificate-based authentication required is selected and thus clients may
not use their passwords. Furthermore, if the MCU is in advanced account
security mode, passwords must be replaced every 60 days. Users are not
prompted to change their passwords when they log in using certificate-based
authentication, so the passwords will expire and generate security warnings.
For the purpose of any timed access restrictions that exist on user accounts
(typically password change intervals and inactive account expiry rules) any
log in using a certificate is treated as a standard password-based login and
will reset the timer accordingly.
(typically password change intervals and inactive account expiry rules) any
log in using a certificate is treated as a standard password-based login and
will reset the timer accordingly.