Cisco Cisco TelePresence Video Communication Server Expressway
Authentication policy
Configuring VCS authentication policy
Authentication policy is applied by the VCS at the zone and subzone levels. It controls how the VCS
challenges incoming messages (for provisioning, registration, presence, phone books and calls) from that
zone or subzone and whether those messages are rejected, treated as authenticated, or treated as
unauthenticated within the VCS.
challenges incoming messages (for provisioning, registration, presence, phone books and calls) from that
zone or subzone and whether those messages are rejected, treated as authenticated, or treated as
unauthenticated within the VCS.
Each zone and subzone can set its Authentication policy to either Check credentials, Do not check
credentials, or Treat as authenticated.
credentials, or Treat as authenticated.
n
Registration authentication is controlled by the Default Subzone (or relevant alternative subzone)
configuration.
configuration.
n
Initial provisioning subscription request authentication is controlled by the Default Zone configuration.
n
Call, presence, and phone book request authentication is controlled by the Default Subzone (or relevant
alternative subzone) if the endpoint is registered, or by the Default Zone if the endpoint is not registered.
alternative subzone) if the endpoint is registered, or by the Default Zone if the endpoint is not registered.
Note that the exact authentication policy behavior depends on whether the messages are H.323 messages,
SIP messages received from local domains, or SIP messages received from non-local domains. See
SIP messages received from local domains, or SIP messages received from non-local domains. See
for a full description of the various authentication policy
behaviors.
Zone-level authentication policy
Authentication policy is configurable for zones that receive messaging; the Default Zone, neighbor zones,
traversal client and traversal server zones all allow configuration of authentication policy; DNS and ENUM
zones do not receive messaging and so have no configuration.
traversal client and traversal server zones all allow configuration of authentication policy; DNS and ENUM
zones do not receive messaging and so have no configuration.
To configure a zone's Authentication policy, go to
Configuration > Zones > Zones
, then click View/Edit
or the name of the zone. The policy is set to Do not check credentials by default when a new zone is created.
Subzone-level authentication policy
Authentication policy is configurable for the Default Subzone and any other configured subzone.
To configure a subzone's Authentication policy, go to
Configuration > Local Zone > Subzones
, then
click View/Edit or the name of the subzone. The policy is set to Do not check credentials by default when a
new subzone is created.
new subzone is created.
Provisioning and device authentication
The Provisioning Server requires that any provisioning or phone book requests it receives have already been
authenticated at the zone or subzone point of entry into the VCS. The Provisioning Server does not do its
own authentication challenge and will reject any unauthenticated messages.
authenticated at the zone or subzone point of entry into the VCS. The Provisioning Server does not do its
own authentication challenge and will reject any unauthenticated messages.
for more information.
Presence and device authentication
The Presence Server accepts presence PUBLISH messages only if they have already been authenticated:
n
The authentication of presence messages by the VCS is controlled by the authentication policy setting on
the Default Subzone (or relevant alternative subzone) if the endpoint is registered (which is the usual case),
or by the authentication policy setting on the Default Zone if the endpoint is not registered.
the Default Subzone (or relevant alternative subzone) if the endpoint is registered (which is the usual case),
or by the authentication policy setting on the Default Zone if the endpoint is not registered.
Device Authentication on Cisco VCS Deployment Guide (VCS X8.1)
Page 6 of 55
Authentication policy