Cisco TelePresence Video Communication Server Expressway
Configuring the VCS
Cisco VCS Deployment Guide: Cisco VCS Starter Pack Express (X7.2)
Configure device authentication
Device authentication is recommended: it verifies that endpoints can identify themselves
with a username and password known to the VCS.
The VCS supports 3 different methods of verifying authentication credentials:
against an on-box local database
via an LDAP connection to an external H.350 directory service
via direct access to an Active Directory server using a Kerberos connection (NTLM challenges only)
As of version X7.2, the VCS attempts to verify the credentials presented to it by first checking
against its on-box local database of usernames and passwords.
If the username is not found in the local database, the VCS may then attempt to verify the credentials
via a real-time LDAP connection to an external H.350 directory service. The directory service, if
configured, must have an H.350 directory schema for either a Microsoft Active Directory LDAP server
or an OpenLDAP server.
Along with one of the above methods, for those devices that support NTLM challenges, the VCS can
alternatively verify credentials via direct access to an Active Directory server using a Kerberos
connection. This method is only supported by a limited range of endpoints – at the time of writing, only
Cisco Jabber for iPad, and Movi / Jabber Video 4.2 or later. If this method is used, endpoint devices
that do not support it will continue to authenticate using one of the other two authentication methods. See
"Appendix 7 – Movi / Jabber Video and Active Directory (NTLM) authentication" for more information.
Note that appropriate prompts are given to set up the user’s endpoint authentication credentials in the
local database when configuring user accounts.
See the "Device Authentication on Cisco VCS Deployment Guide" for more information.
Configure the Default Zone to check credentials
This ensures that the VCS checks the credentials of provisioning requests, and call requests from
unregistered endpoints.
1. Go to the Zones page (VCS configuration > Zones > Zones).
2. Click on DefaultZone to go to the Default Zone page.
3. Configure the Authentication policy setting to Check credentials.
   Note that Movi / Jabber Video users will not be able to sign in if the Authentication policy
   setting is Do not check credentials.
4. Click Save.
Configure the Default Subzone to check credentials
This ensures that the VCS checks the credentials of messages received through the Default Subzone.
This includes registration requests, phone book requests and presence messages.