Cisco Cisco TelePresence Video Communication Server Expressway
Authentication Methods
Configuring VCS Authentication Methods
The VCS supports 3 different methods of verifying authentication credentials:
■
■
via an LDAP connection to an external H.350 directory service
■
The VCS attempts to verify the credentials presented to it by first checking against its on-box local database of
usernames and passwords. The local database also includes checking against credentials supplied by Cisco TMS if
your system is using device provisioning. If the username is not found in the local database, the VCS may then
attempt to verify the credentials via a real-time LDAP connection to an external H.350 directory service. The directory
service, if configured, must have an H.350 directory schema for either a Microsoft Active Directory LDAP server or an
OpenLDAP server.
usernames and passwords. The local database also includes checking against credentials supplied by Cisco TMS if
your system is using device provisioning. If the username is not found in the local database, the VCS may then
attempt to verify the credentials via a real-time LDAP connection to an external H.350 directory service. The directory
service, if configured, must have an H.350 directory schema for either a Microsoft Active Directory LDAP server or an
OpenLDAP server.
Along with one of the above methods, for those devices that support NTLM challenges, the VCS can alternatively
verify credentials via direct access to an Active Directory server using a Kerberos connection. The direct Active
Directory authentication via Kerberos method is only supported by a limited range of endpoints – at the time of writing,
only Cisco Jabber for iPad and Jabber Video. If used, other non-supported endpoint devices will continue to
authenticate using one of the other two authentication methods.
verify credentials via direct access to an Active Directory server using a Kerberos connection. The direct Active
Directory authentication via Kerberos method is only supported by a limited range of endpoints – at the time of writing,
only Cisco Jabber for iPad and Jabber Video. If used, other non-supported endpoint devices will continue to
authenticate using one of the other two authentication methods.
Note that the VCS always challenges an endpoint with a standard Digest challenge. The VCS will additionally send
an NTLM challenge if the VCS has NTLM protocol challenges enabled and it recognizes that the endpoint supports
NTLM.
an NTLM challenge if the VCS has NTLM protocol challenges enabled and it recognizes that the endpoint supports
NTLM.
If the endpoint receives both challenges, it is the endpoint's decision as to whether to respond to the Digest
challenge or to the NTLM challenge. At the time of writing, all supported endpoints respond to an NTLM challenge in
preference to a Digest challenge.
challenge or to the NTLM challenge. At the time of writing, all supported endpoints respond to an NTLM challenge in
preference to a Digest challenge.
The following diagram shows the process followed by the VCS when authenticating credentials:
Note that accurate timestamps play an important part in authentication of H.323 devices, helping to guard against
replay attacks. For this reason, if you are using device authentication with H.323 devices, both the VCS and the
endpoints must use an NTP server to synchronize their system time.
replay attacks. For this reason, if you are using device authentication with H.323 devices, both the VCS and the
endpoints must use an NTP server to synchronize their system time.
19
Cisco VCS Authenticating Devices Deployment Guide