Cisco TelePresence Video Communication Server Expressway
Subzone-level Authentication Policy
Authentication policy is configurable for the Default Subzone and any other configured subzone.
To configure a subzone's Authentication policy, go to Configuration > Local Zone > Subzones, then click View/Edit
or the name of the subzone. The policy is set to Do not check credentials by default when a new subzone is created.
The behavior varies for H.323 and SIP messages as shown in the tables below:

H.323

Policy: Check credentials
Behavior: Messages are classified as either authenticated or unauthenticated depending on whether any
credentials in the message can be verified against the authentication database. Messages that
pass authentication are classified as authenticated.
If no credentials are supplied, the message is always classified as unauthenticated.
Note that unauthenticated registration requests are rejected.

Policy: Do not check credentials
Behavior: Message credentials are not checked and all messages are classified as unauthenticated.

Policy: Treat as authenticated
Behavior: Message credentials are not checked and all messages are classified as authenticated.
SIP

The behavior for SIP messages depends upon whether the message was received from a local domain (a domain for
which the VCS is authoritative) or a non-local domain.

Policy: Check credentials
In local domain: Messages are challenged for authentication and those that pass are classified as authenticated.
Messages (including registration requests) that fail authentication are rejected.

Policy: Do not check credentials
In local domain: Messages are not challenged for authentication. All messages are classified as unauthenticated.

Policy: Treat as authenticated
In local domain: Messages are not challenged for authentication. All messages are classified as authenticated.

Outside local domain (all three policies): SIP messages received from non-local domains are all treated in the
same manner, regardless of the subzone's Authentication policy setting: messages are not challenged for
authentication, and all messages are classified as unauthenticated.
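The two tables above, as an added example (not Cisco's code and not a VCS API): a small Python model of how a subzone's Authentication policy classifies an H.323 or SIP message, using a constructed stand-in for the authentication database, plus a check that lists subzones whose policy is still the "Do not check credentials" default.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Policy values, named exactly as the subzone setting on the VCS.
CHECK = "Check credentials"
DO_NOT_CHECK = "Do not check credentials"   # default for a newly created subzone
TREAT_AS_AUTH = "Treat as authenticated"

# Constructed stand-in for the authentication database (username -> password).
AUTH_DB = {"ep-101": "s3cret"}

@dataclass
class Message:
    protocol: str                                  # "H.323" or "SIP"
    registration: bool = False                     # True for registration requests
    credentials: Optional[Tuple[str, str]] = None  # (username, password), None if none supplied
    local_domain: bool = True                      # SIP only: from a domain the VCS is authoritative for

def credentials_valid(creds: Optional[Tuple[str, str]]) -> bool:
    return creds is not None and AUTH_DB.get(creds[0]) == creds[1]

def classify(msg: Message, policy: str) -> str:
    """Return 'authenticated', 'unauthenticated', 'challenged' or 'rejected' per the tables."""
    if msg.protocol == "SIP" and not msg.local_domain:
        # Non-local SIP: never challenged and always unauthenticated, whatever the policy says.
        return "unauthenticated"
    if policy == TREAT_AS_AUTH:
        return "authenticated"       # nothing is checked; everything is trusted
    if policy == DO_NOT_CHECK:
        return "unauthenticated"     # nothing is checked; nothing is trusted
    if policy != CHECK:
        raise ValueError(f"unknown policy {policy!r}")
    if credentials_valid(msg.credentials):
        return "authenticated"
    if msg.protocol == "SIP":
        # Local-domain SIP: a message with no credentials is challenged; one that fails
        # authentication (registration requests included) is rejected.
        return "challenged" if msg.credentials is None else "rejected"
    # H.323: missing or unverifiable credentials give 'unauthenticated', except that an
    # unauthenticated registration request is rejected.
    return "rejected" if msg.registration else "unauthenticated"

def subzones_not_checking(subzones: dict) -> list:
    """Subzones set to 'Do not check credentials' (the default), where devices register unchecked."""
    return sorted(name for name, policy in subzones.items() if policy == DO_NOT_CHECK)
```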
SIP Authentication Trust
requests. If the VCS then forwards the request on to a neighbor zone such as another VCS, that receiving system will
also authenticate the request. In this scenario the message has to be authenticated at every hop.
To simplify this so that a device's credentials only have to be authenticated once (at the first hop), and to reduce the
number of SIP messages in your network, you can configure neighbor zones to use the Authentication trust mode
setting.
This is then used in conjunction with the zone's authentication policy to control whether pre-authenticated SIP
messages received from that zone are trusted and are subsequently treated as authenticated or unauthenticated
within the VCS. Pre-authenticated SIP requests are identified by the presence of a P-Asserted-Identity field in the
SIP message header as defined by
9
Cisco VCS Authenticating Devices Deployment Guide