Cisco Cisco TelePresence Video Communication Server Expressway
Controlling System Behavior for Authenticated and Non-authenticated Devices
How calls and other messaging from authenticated and non-authenticated devices are handled depends on how
search rules, external policy services and CPL are configured.
search rules, external policy services and CPL are configured.
Search Rules
When configuring a search rule, use the Request must be authenticated attribute to specify whether the search rule
applies only to authenticated search requests or to all requests.
applies only to authenticated search requests or to all requests.
External Policy Services
External policy services are typically used in deployments where policy decisions are managed through an external,
centralized service rather than by configuring policy rules on the VCS itself. You can configure the VCS to use policy
services in the following areas:
centralized service rather than by configuring policy rules on the VCS itself. You can configure the VCS to use policy
services in the following areas:
■
Registration Policy
■
Search rules (dial plan)
■
Call Policy
■
User Policy (FindMe)
When the VCS uses a policy service it sends information about the call or registration request to the service in a POST
message using a set of name-value pair parameters. Those parameters include information about whether the
request has come from an authenticated source or not.
message using a set of name-value pair parameters. Those parameters include information about whether the
request has come from an authenticated source or not.
More information about policy services, including example CPL, can be found in External Policy on VCS Deployment
Guide.
Guide.
CPL
If you are using the Call Policy rules generator on the VCS, source matches are carried out against authenticated
sources. To specify a match against an unauthenticated source, just use a blank field. (If a source is not
authenticated, its value cannot be trusted).
sources. To specify a match against an unauthenticated source, just use a blank field. (If a source is not
authenticated, its value cannot be trusted).
If you use uploaded, handcrafted local CPL to manage your Call Policy, you are recommended to make your CPL
explicit as to whether it is looking at the authenticated or unauthenticated origin.
explicit as to whether it is looking at the authenticated or unauthenticated origin.
■
If CPL is required to look at the unauthenticated origin (for example, when checking non-authenticated
callers) the CPL must use
callers) the CPL must use
unauthenticated-origin
. (However, if the user is unauthenticated, they can call
themselves whatever they like; this field does not verify the caller.)
■
To check the authenticated origin (only available for authenticated or “treat as authenticated” devices) the
CPL should use
CPL should use
authenticated-origin
.
Note that due to the complexity of writing CPL scripts, you are recommended to use an external policy service
instead.
instead.
Authentication Policy Configuration Options
Authentication policy behavior varies for H.323 messages, SIP messages received from local domains and SIP
messages from non-local domains.
messages from non-local domains.
The primary authentication policy configuration options and their associated behavior are as follows:
■
Check credentials: verify the credentials using the relevant authentication method. Note that in some
scenarios, messages are not challenged, see below.
scenarios, messages are not challenged, see below.
■
Do not check credentials: do not verify the credentials and allow the message to be processed.
■
Treat as authenticated: do not verify the credentials and allow the message to be processed as if it is has
been authenticated. This option can be used to cater for endpoints from third-party suppliers that do not
support authentication within their registration mechanism. Note that in some scenarios, messages are
allowed but will still be treated as though they are unauthenticated, see below.
been authenticated. This option can be used to cater for endpoints from third-party suppliers that do not
support authentication within their registration mechanism. Note that in some scenarios, messages are
allowed but will still be treated as though they are unauthenticated, see below.
6
Cisco VCS Authenticating Devices Deployment Guide