Cisco TelePresence Video Communication Server Expressway
VCS Deployment Guide: Device authentication on Cisco VCS (VCS X7.2)
Page 4 of 50
Introduction
Device authentication is the verification of the credentials of an incoming request to the Cisco
TelePresence Video Communication Server (Cisco VCS) from a device or external system. It is used
so that certain functionality may be reserved for known and trusted users, for example the publishing
of presence status, collection of provisioning data, or the ability to use resources that cost money like
ISDN gateway calling.
When device authentication is enabled on a VCS, any device that attempts to communicate with the
VCS will be challenged to present its credentials (typically based on a username and password). The
VCS will then verify those credentials, or have them verified, according to its authentication policy, and
then accept or reject the message accordingly.
VCS authentication policy can be configured separately for each zone and subzone. This means that
both authenticated and unauthenticated devices could be allowed to register to, and communicate
with, the same VCS if required. Subsequent call routing decisions can then be configured with
different rules based upon whether a device is authenticated or not.
From version X7.2, the VCS attempts to verify the credentials presented to it by first checking
against its on-box local database of usernames and passwords. The local database check also covers
credentials supplied by Cisco TMS if your system is using device provisioning.
If the username is not found in the local database, the VCS may then attempt to verify the credentials
via a real-time LDAP connection to an external H.350 directory service. The directory service, if
configured, must have an H.350 directory schema for either a Microsoft Active Directory LDAP server
or an OpenLDAP server.
In addition to one of the above methods, for devices that support NTLM challenges, the VCS can
instead verify credentials by direct access to an Active Directory server over a Kerberos
connection. See Configuring VCS authentication methods for more information.
The various VCS authentication entry points and credential checking methods are shown below:
[Figure: VCS authentication entry points and credential checking methods]
Entry points (each zone or subzone carries its own authentication policy):
Default Subzone, and other subzones (if configured): registration requests and messages from registered endpoints.
Default Zone: messages from non-registered endpoints (unknown devices).
Neighbor Zone: messages from devices in known zones (neighbor systems).
Traversal Zone: messages from traversal neighbors.
Credential checking (local database or H.350 directory):
Local database (credential store), including device credentials supplied by Cisco TMS.
Active Directory database, accessed via Kerberos.
Active Directory or OpenLDAP database with an H.350 directory schema, accessed via LDAP.
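The following is an added example, not Cisco code and not taken from the guide, that models the checking order and per-zone policy described above so the consequences are visible: the local database is consulted first, the H.350 directory only when the username is absent locally (a locally known username with a wrong password is rejected without falling through), and a zone that does not challenge still lets the device in, but as unauthenticated, which routing rules can then act on. All usernames, passwords, zone names and the routing rule are constructed for illustration; the zone policy flag and the ISDN-gateway rule are hypothetical stand-ins for the VCS configuration.

```python
# Added example (not Cisco's code): a model of the VCS X7.2 credential
# checking order and per-zone authentication policy described in this
# section. All users, passwords and zone names below are constructed.
import hmac
from enum import Enum


class Verdict(Enum):
    ACCEPT_LOCAL = "accepted via local database"
    ACCEPT_H350 = "accepted via H.350 directory"
    REJECT = "rejected"


# Constructed local database (credential store). In a real deployment the
# provisioned device entries would be supplied by Cisco TMS.
LOCAL_DB = {
    "alice": "alice-pass",
    "room-101": "tms-provisioned-secret",
}

# Constructed stand-in for the external H.350 directory (hypothetical data).
H350_DIRECTORY = {
    "bob": "bob-pass",
    "alice": "stale-directory-pass",  # same username also exists locally
}

# Hypothetical per-zone policy: True means the zone challenges for credentials.
ZONE_CHECKS_CREDENTIALS = {
    "DefaultSubzone": True,   # registered endpoints must authenticate
    "DefaultZone": False,     # unknown devices are let through unauthenticated
}


def check_credentials(username, password, h350_configured=True):
    """Verify in the order the guide describes: local database first; the
    H.350 directory is consulted only if the username is absent locally.
    A username that exists locally with a wrong password is rejected
    without falling through to the directory."""
    if username in LOCAL_DB:
        if hmac.compare_digest(LOCAL_DB[username], password):
            return Verdict.ACCEPT_LOCAL
        return Verdict.REJECT
    if h350_configured and username in H350_DIRECTORY:
        if hmac.compare_digest(H350_DIRECTORY[username], password):
            return Verdict.ACCEPT_H350
        return Verdict.REJECT
    return Verdict.REJECT


def process_request(zone, username, password):
    """Apply the zone's policy to an incoming request.
    Returns (accepted, authenticated)."""
    if not ZONE_CHECKS_CREDENTIALS.get(zone, True):
        # Zone does not challenge: the message is accepted but the device
        # is recorded as unauthenticated for later routing decisions.
        return True, False
    verdict = check_credentials(username, password)
    if verdict is Verdict.REJECT:
        return False, False
    return True, True


# Hypothetical routing rule: resources that cost money need an authenticated caller.
COSTLY_DESTINATIONS = {"isdn-gateway"}


def route_allowed(authenticated, destination):
    """Routing decision that differs for authenticated and unauthenticated devices."""
    if destination in COSTLY_DESTINATIONS:
        return authenticated
    return True


if __name__ == "__main__":
    for zone, user, pw, dest in [
        ("DefaultSubzone", "alice", "alice-pass", "isdn-gateway"),
        ("DefaultSubzone", "alice", "stale-directory-pass", "isdn-gateway"),
        ("DefaultSubzone", "bob", "bob-pass", "internal-room"),
        ("DefaultZone", "mallory", "anything", "isdn-gateway"),
    ]:
        accepted, authed = process_request(zone, user, pw)
        routed = route_allowed(authed, dest) if accepted else "n/a"
        print(f"{zone:15} {user:8} accepted={accepted} "
              f"authenticated={authed} route to {dest}: {routed}")
```

The second sample request is the case worth noticing when an H.350 directory is added to an existing deployment: a stale or divergent entry in the directory for a user who already exists in the local database is never consulted, so the local entry is the one that has to be correct.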