Cisco TelePresence Video Communication Server Expressway
The following tables summarize the policy behavior when applied at the zone and subzone level, and how it varies
depending on the message protocol.
Zone-level Authentication Policy
Authentication policy is selectively configurable for different zone types, based on whether they receive messaging:
■ The Default Zone, Neighbor zones, traversal client zones, traversal server zones and Unified Communications traversal zones all allow configuration of authentication policy.
■ DNS and ENUM zones do not receive messaging and so have no authentication policy configuration.
To edit a zone's Authentication policy, go to Configuration > Zones > Zones and click the name of the zone. The
policy is set to Do not check credentials by default when you create a new zone.
The behavior varies for H.323 and SIP messages as shown in the tables below:
H.323

| Policy | Behavior |
|---|---|
| Check credentials | Messages are classified as either authenticated or unauthenticated depending on whether any credentials in the message can be verified against the authentication database. If no credentials are supplied, the message is always classified as unauthenticated. |
| Do not check credentials | Message credentials are not checked and all messages are classified as unauthenticated. |
| Treat as authenticated | Message credentials are not checked and all messages are classified as authenticated. |
SIP
whether the VCS trusts any pre-existing authenticated indicators - known as P-Asserted-Identity headers - within
the received message) and whether the message was received from a local domain (a domain for which the VCS is
authoritative) or a non-local domain.
| Policy | Trust | In local domain | Outside local domain |
|---|---|---|---|
| Check credentials | Off | Messages are challenged for authentication. Messages that fail authentication are rejected. Messages that pass authentication are classified as authenticated and a P-Asserted-Identity header is inserted into the message. | Messages are not challenged for authentication. All messages are classified as unauthenticated. Any existing P-Asserted-Identity headers are removed. |
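The following added example (not part of the Cisco guide, and not VCS code) models the H.323 table and the one SIP row shown above, so that the handling of an inbound P-Asserted-Identity header can be checked against test messages. The function names, the dict-based header representation and the sample addresses are assumptions made for illustration.

```python
# Added illustration: models only the rules stated on this page.
# Names, message shape and sample values are assumptions, not VCS internals.
CHECK = "Check credentials"
NO_CHECK = "Do not check credentials"   # default for a newly created zone
TREAT_AUTH = "Treat as authenticated"
PAI = "P-Asserted-Identity"

def classify_h323(policy, creds_supplied, creds_verified):
    """Return 'authenticated' or 'unauthenticated' for an H.323 message."""
    if policy == CHECK:
        # A message with no credentials is always unauthenticated.
        ok = creds_supplied and creds_verified
        return "authenticated" if ok else "unauthenticated"
    if policy == NO_CHECK:
        return "unauthenticated"
    if policy == TREAT_AUTH:
        return "authenticated"
    raise ValueError(f"unknown policy: {policy}")

def handle_sip_check_trust_off(headers, in_local_domain, auth_passed, identity):
    """SIP row: policy 'Check credentials', trust Off.

    Returns (outcome, headers_after). auth_passed is the result of the
    challenge and is only consulted for local-domain messages.
    """
    # SIP header names are case-insensitive, so match PAI in any casing.
    out = {k: v for k, v in headers.items() if k.lower() != PAI.lower()}
    if not in_local_domain:
        # Not challenged; any existing P-Asserted-Identity is removed.
        return "unauthenticated", out
    if not auth_passed:
        return "rejected", None
    # Assumption: an inbound PAI is replaced by the inserted one; the page
    # only states that a header is inserted after successful authentication.
    out[PAI] = identity
    return "authenticated", out

if __name__ == "__main__":
    # Constructed sample message carrying a self-asserted identity.
    msg = {"From": "sip:alice@example.com",
           "p-asserted-identity": "sip:admin@example.com"}
    print(handle_sip_check_trust_off(msg, False, False, None))
    print(handle_sip_check_trust_off(msg, True, True, "sip:alice@example.com"))
    print(classify_h323(CHECK, creds_supplied=False, creds_verified=False))
```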
Cisco VCS Authenticating Devices Deployment Guide