Cisco Cisco TelePresence Video Communication Server Expressway Maintenance Manual
1.
Add the VCS's trusted CA and server certificate files (on the Trusted CA certificate and Server certificate
pages, respectively).
pages, respectively).
2.
Configure certificate revocation lists (on the CRL management page).
3.
Use the Client certificate testing page to verify that the client certificate you intend to use is valid.
4.
Set Client certificate-based security to Certificate validation (on the System administration page).
5.
Restart the VCS.
6.
Use the Client certificate testing page again to set up the required regex and format patterns to extract the
username credentials from the certificate.
username credentials from the certificate.
7.
Only when you are sure that the correct username is being extracted from the certificate, set Client
certificate-based security to Certificate-based authentication.
certificate-based security to Certificate-based authentication.
Authentication Versus Authorization
When the VCS is operating in certificate-based authentication mode, user authentication is managed by a process
external to the VCS.
external to the VCS.
When a user attempts to log in to the VCS, the VCS will request a certificate from the client browser. The browser
may then interact with a card reader to obtain the certificate from the smart card (or alternatively the certificate may
already be loaded into the browser). To release the certificate from the card/browser, the user will typically be
requested to authenticate themselves by entering a PIN. If the client certificate received by the VCS is valid (signed
by a trusted certificate authority, in date and not revoked by a CRL) then the user is deemed to be authenticated.
may then interact with a card reader to obtain the certificate from the smart card (or alternatively the certificate may
already be loaded into the browser). To release the certificate from the card/browser, the user will typically be
requested to authenticate themselves by entering a PIN. If the client certificate received by the VCS is valid (signed
by a trusted certificate authority, in date and not revoked by a CRL) then the user is deemed to be authenticated.
To determine the user's authorization level (read-write, read-only and so on) the VCS must extract the user's
authorization username from the certificate and present it to the relevant local or remote authorization mechanism.
authorization username from the certificate and present it to the relevant local or remote authorization mechanism.
The following diagram shows an example authorization and authentication process. It shows how a certificate is
obtained from a card reader and then validated by the VCS. It then shows how the VCS obtains the user's
authorization level from an Active Directory service.
obtained from a card reader and then validated by the VCS. It then shows how the VCS obtains the user's
authorization level from an Active Directory service.
Note that if the client certificate is not protected (by a PIN or some other mechanism) then unauthenticated access to
the VCS may be possible. This lack of protection may also apply if the certificates are stored in the browser, although
some browsers do allow you to password protect their certificate store.
the VCS may be possible. This lack of protection may also apply if the certificates are stored in the browser, although
some browsers do allow you to password protect their certificate store.
289
Cisco TelePresence Video Communication Server Administrator Guide