Cisco Cisco TelePresence Video Communication Server Expressway
Authentication methods
Configuring VCS authentication methods
The VCS supports 3 different methods of verifying authentication credentials:
n
n
via an LDAP connection to an external H.350 directory service
n
The VCS attempts to verify the credentials presented to it by first checking against its on-box local database
of usernames and passwords. The local database also includes checking against credentials supplied by
Cisco TMS if your system is using device provisioning. If the username is not found in the local database, the
VCS may then attempt to verify the credentials via a real-time LDAP connection to an external H.350
directory service. The directory service, if configured, must have an H.350 directory schema for either a
Microsoft Active Directory LDAP server or an OpenLDAP server.
of usernames and passwords. The local database also includes checking against credentials supplied by
Cisco TMS if your system is using device provisioning. If the username is not found in the local database, the
VCS may then attempt to verify the credentials via a real-time LDAP connection to an external H.350
directory service. The directory service, if configured, must have an H.350 directory schema for either a
Microsoft Active Directory LDAP server or an OpenLDAP server.
Along with one of the above methods, for those devices that support NTLM challenges, the VCS can
alternatively verify credentials via direct access to an Active Directory server using a Kerberos connection.
The direct Active Directory authentication via Kerberos method is only supported by a limited range of
endpoints – at the time of writing, only Cisco Jabber for iPad and Jabber Video. If used, other non-supported
endpoint devices will continue to authenticate using one of the other two authentication methods.
alternatively verify credentials via direct access to an Active Directory server using a Kerberos connection.
The direct Active Directory authentication via Kerberos method is only supported by a limited range of
endpoints – at the time of writing, only Cisco Jabber for iPad and Jabber Video. If used, other non-supported
endpoint devices will continue to authenticate using one of the other two authentication methods.
Note that the VCS always challenges an endpoint with a standard Digest challenge. The VCS will
additionally send an NTLM challenge if the VCS has NTLM protocol challenges enabled and it recognizes
that the endpoint supports NTLM.
additionally send an NTLM challenge if the VCS has NTLM protocol challenges enabled and it recognizes
that the endpoint supports NTLM.
If the endpoint receives both challenges, it is the endpoint's decision as to whether to respond to the Digest
challenge or to the NTLM challenge. At the time of writing, all supported endpoints respond to an NTLM
challenge in preference to a Digest challenge.
challenge or to the NTLM challenge. At the time of writing, all supported endpoints respond to an NTLM
challenge in preference to a Digest challenge.
The following diagram shows the process followed by the VCS when authenticating credentials:
Cisco TelePresence Device Authentication on Cisco VCS Deployment Guide (X8.2)
Page 20 of 55
Authentication methods