Cisco Cisco TelePresence Video Communication Server Expressway
Policy
Trust
In local domain
Outside local domain
On
Messages are not challenged for
authentication.
authentication.
All messages are classified as
authenticated.
authenticated.
Messages with an existing P-Asserted-
Identity header are passed on unchanged.
Messages without an existing P-Asserted-
Identity header have one inserted.
Identity header are passed on unchanged.
Messages without an existing P-Asserted-
Identity header have one inserted.
Messages are not challenged for
authentication.
authentication.
Messages with an existing P-Asserted-
Identity header are classified as
authenticated, and the header is passed
on unchanged.
Identity header are classified as
authenticated, and the header is passed
on unchanged.
Messages without an existing P-Asserted-
Identity header are classified as
unauthenticated.
Identity header are classified as
unauthenticated.
Subzone-level authentication policy
Authentication policy is configurable for the Default Subzone and any other configured subzone.
To configure a subzone's Authentication policy, go to
Configuration > Local Zone > Subzones
, then
click View/Edit or the name of the subzone. The policy is set to Do not check credentials by default when a
new subzone is created.
new subzone is created.
The behavior varies for H.323 and SIP messages as shown in the tables below:
H.323
Policy
Behavior
Check
credentials
credentials
Messages are classified as either authenticated or unauthenticated depending on whether any
credentials in the message can be verified against the authentication database. Messages that
pass authentication are classified as authenticated.
credentials in the message can be verified against the authentication database. Messages that
pass authentication are classified as authenticated.
If no credentials are supplied, the message is always classified as unauthenticated.
Note that unauthenticated registration requests are rejected.
Do not check
credentials
credentials
Message credentials are not checked and all messages are classified as unauthenticated.
Treat as
authenticated
authenticated
Message credentials are not checked and all messages are classified as authenticated.
SIP
The behavior for SIP messages depends upon whether the message was received from a local domain (a
domain for which the VCS is authoritative) or a non-local domain.
domain for which the VCS is authoritative) or a non-local domain.
Policy
In local domain
Outside local domain
Check
credentials
credentials
Messages are challenged for authentication and those that pass
are classified as authenticated.
are classified as authenticated.
Messages (including registration requests) that fail
authentication are rejected.
authentication are rejected.
SIP messages received from
non-local domains are all
treated in the same manner,
regardless of the subzone's
Authentication policy
setting:
non-local domains are all
treated in the same manner,
regardless of the subzone's
Authentication policy
setting:
Messages are not
challenged for
authentication.
challenged for
authentication.
All messages are classified
as unauthenticated.
as unauthenticated.
Do not check
credentials
credentials
Messages are not challenged for authentication.
All messages are classified as unauthenticated.
Treat as
authenticated
authenticated
Messages are not challenged for authentication.
All messages are classified as authenticated.
Cisco TelePresence Device Authentication on Cisco VCS Deployment Guide (X8.2)
Page 10 of 55
Authentication policy