Cisco TelePresence Video Communication Server Expressway
Note that accurate timestamps play an important part in authentication of H.323 devices, helping to guard
against replay attacks. For this reason, if you are using device authentication with H.323 devices, both the
VCS and the endpoints must use an NTP server to synchronize their system time.
Authentication mechanism
The authentication process uses a username and password-based challenge-response scheme to check a
device's credentials.
The actual mechanism used by the device to supply its credentials to the VCS depends on the protocol being
used:
SIP: credentials are not contained within the initial request. Instead the VCS sends a challenge back to the
sender that asks for its credentials. However, if a SIP message has already been authenticated (for
example by another VCS on a previous hop), that system may insert information into the SIP message to
show that it has been authenticated. You can control whether the VCS chooses to trust any authentication
carried out at an earlier stage by configuring a zone's
setting.
Note that if the VCS is acting as a traversal server, you must ensure that each traversal client’s
authentication credentials are entered into the selected database.
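The SIP challenge-response exchange described above, sketched as an added example (not Cisco code and not part of the original guide). It assumes the standard SIP Digest scheme (RFC 2617, without qop); the Registrar class, answer_challenge helper and sample credentials are hypothetical.

```python
import hashlib
import hmac
import secrets


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 digest (no qop): MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class Registrar:
    """Hypothetical stand-in for the server that checks credentials."""

    def __init__(self, realm, credentials):
        self.realm = realm
        self.credentials = credentials  # username -> password (constructed)
        self.outstanding = set()        # nonces issued but not yet answered

    def challenge(self):
        """Reply to a request that carries no credentials (SIP 401)."""
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return {"status": 401, "realm": self.realm, "nonce": nonce}

    def verify(self, method, uri, auth):
        """Check the values sent with the retried request; return a status."""
        if auth["nonce"] not in self.outstanding:
            return 401                  # unknown or reused nonce: replay
        self.outstanding.discard(auth["nonce"])
        password = self.credentials.get(auth["username"])
        if password is None:
            return 401
        expected = digest_response(auth["username"], self.realm, password,
                                   method, uri, auth["nonce"])
        return 200 if hmac.compare_digest(expected, auth["response"]) else 401


def answer_challenge(challenge, username, password, method, uri):
    """Endpoint side: only the hash goes on the wire, never the password."""
    response = digest_response(username, challenge["realm"], password,
                               method, uri, challenge["nonce"])
    return {"username": username, "nonce": challenge["nonce"],
            "response": response}
```

Because each nonce is accepted once, a captured response cannot be resubmitted; the endpoint has to answer a fresh challenge every time.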
Endpoint credentials used for authentication
An endpoint must supply the VCS with a username and password if it is required to authenticate with the
VCS, for example when attempting to register and the relevant subzone's Authentication policy is set to
Check credentials.
For Cisco endpoints using H.323, the username is typically the endpoint’s Authentication ID; for Cisco
endpoints using SIP it is typically the endpoint’s Authentication username.
See the relevant endpoint manual for details about how to configure the endpoint's credentials.
Device Authentication on Cisco VCS Deployment Guide (VCS X8.1)
Authentication methods