Cisco Cisco TelePresence MCU 4510 Maintenance Manual
Certificate-
based
authentication
required
based
authentication
required
Incoming HTTPS connections are only permitted if the client certificate is signed by an authority
that the MCU trusts. The common name of the certificate must also match a stored username and
password-based client authentication is not allowed.
that the MCU trusts. The common name of the certificate must also match a stored username and
password-based client authentication is not allowed.
HTTP and FTP logins are blocked. If Require administrator login is checked (on Settings >
Security), then console access is restricted to functions that do not require a login.
Security), then console access is restricted to functions that do not require a login.
Note:
The MCU requires every user account to have a password, even if Certificate-based
authentication required is selected and thus clients may not use their passwords. Furthermore, if
the MCU is in advanced account security mode, passwords must be replaced every 60 days. Users
are not prompted to change their passwords when they log in using certificate-based
authentication, so the passwords will expire and generate security warnings.
the MCU is in advanced account security mode, passwords must be replaced every 60 days. Users
are not prompted to change their passwords when they log in using certificate-based
authentication, so the passwords will expire and generate security warnings.
For the purpose of any timed access restrictions that exist on user accounts (typically password
change intervals and inactive account expiry rules) any log in using a certificate is treated as a
standard password-based login and will reset the timer accordingly.
change intervals and inactive account expiry rules) any log in using a certificate is treated as a
standard password-based login and will reset the timer accordingly.
For information about how these options affect the API interface, see the Cisco TelePresence
MCU API Reference Guide.
MCU API Reference Guide.
Configuring Server Certificate Security
1.
Go to Network > SSL certificates.
2.
Go to the HTTPS trust store section.
3.
Select one of the options from the Server certificate security field.
4.
Click Apply changes.
Server Certificate Security Options
No
verification
verification
The MCU does not verify the server's certificate (if one is presented) when it makes an OCSP request
or when it sends HTTPS feedback messages.
or when it sends HTTPS feedback messages.
Verify
certificate
certificate
The MCU requires a server certificate from the OCSP server or feedback receiver, and must be able to
verify that the certificate is trusted by one of the authorities in its HTTPS trust store, before it
completes the OCSP request or sends the HTTPS feedback message.
verify that the certificate is trusted by one of the authorities in its HTTPS trust store, before it
completes the OCSP request or sends the HTTPS feedback message.
OCSP Checks for Client Certificate Revocation
You can optionally configure an external OCSP server, which the MCU will use to check the revocation status of
client certificates presented with incoming HTTPS connection requests. The following details describe the MCU's
OCSP checking mechanism.
client certificates presented with incoming HTTPS connection requests. The following details describe the MCU's
OCSP checking mechanism.
■
For chained certificates the OCSP check is performed only against the leaf certificate.
■
The MCU supports SHA-1 hashing for OCSP.
■
If the response from the OCSP server is anything other than 'good' (that is, the client certificate is invalid,
revoked, unknown, timed out, or in some other error condition) the MCU rejects the associated connection
request.
revoked, unknown, timed out, or in some other error condition) the MCU rejects the associated connection
request.
■
No further OCSP checking takes place after the connection is established. An active session will continue if a
certificate is revoked during that session, but any subsequent connection attempts with the revoked
certificate will be rejected.
certificate is revoked during that session, but any subsequent connection attempts with the revoked
certificate will be rejected.
CAUTION:
If you enable OCSP checking for the MCU it is possible inadvertently to block all login access (including
administrators) to the MCU. If you want to enable OCSP checking, we strongly recommend that you first review the
option descriptions below and then follow the process in
option descriptions below and then follow the process in
228
Cisco TelePresence MCU Series Online Printable Help