Cisco TelePresence Video Communication Server Expressway
VCS Deployment Guide: Device authentication on Cisco VCS (VCS X7.2)
Page 5 of 50
Configuring VCS authentication policy
Authentication Policy is applied by the VCS at the zone and subzone levels. It controls how the VCS
challenges incoming messages (for provisioning, registration, presence, phonebooks and calls) from
that zone or subzone and whether those messages are rejected, treated as authenticated, or treated
as unauthenticated within the VCS.
Accurate timestamps play an important part in authentication of H.323 devices, helping to guard
against replay attacks. For this reason, if you are using device authentication with H.323 devices, both
the VCS and the endpoints must use an NTP server to synchronize their system time.
Each zone and subzone can set its Authentication policy to either Check credentials, Do not check
credentials, or Treat as authenticated.
Registration authentication is controlled by the Default Subzone (or relevant alternative subzone)
configuration.
Initial provisioning subscription request authentication is controlled by the Default Zone
configuration.
Call, presence, and phonebook request authentication is controlled by the Default Subzone (or
relevant alternative subzone) if the endpoint is registered, or by the Default Zone if the endpoint is
not registered.
Note that the exact authentication policy behavior depends on whether the messages are H.323
messages, SIP messages received from local domains, or SIP messages received from non-local
domains. A full description of the various authentication policy behaviors is contained in the VCS
Administrator Guide (and is also available in the VCS online help).
Zone-level authentication policy
Authentication policy is configurable for zones that receive messaging; the Default Zone, neighbor
zones, traversal client and traversal server zones all allow configuration of authentication policy; DNS
and ENUM zones do not receive messaging and so have no configuration.
To configure a zone's Authentication policy, go to the Edit zone page (VCS configuration > Zones > Zones,
then click View/Edit or the name of the zone). The policy is set to Do not check credentials by default
when a new zone is created.
Subzone-level authentication policy
Authentication policy is configurable for the Default Subzone and any other configured subzone.
To configure a subzone's Authentication policy, go to the Edit subzone page (VCS configuration >
Local Zone > Subzones, then click View/Edit or the name of the subzone). The policy is set to Do not
check credentials by default when a new subzone is created.
Controlling system behavior for authenticated and non-authenticated devices
How calls and other messaging from authenticated and non-authenticated devices are handled
depends on how search rules, external policy services and CPL are configured.
Search rules
When configuring a search rule, use the Request must be authenticated attribute to specify whether
the search rule applies only to authenticated search requests or to all requests.
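As an added illustration (not code from the guide or from the VCS itself), the following Python model ties together the policy precedence described earlier (which zone or subzone governs provisioning, registration, and call/presence/phonebook requests) and the search-rule attribute just described. The zone, subzone and rule names are constructed, and mapping Do not check credentials to an unauthenticated outcome is a simplifying assumption; the H.323 versus local/non-local SIP distinctions the guide defers to the Administrator Guide are left out.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration; zone, subzone and rule names are hypothetical.
ZONE_POLICIES = {"Default Zone": "Do not check credentials"}
SUBZONE_POLICIES = {"Default Subzone": "Check credentials", "Meeting Rooms": "Treat as authenticated"}
SEARCH_RULES = [
    {"name": "Local lookup", "must_be_authenticated": False},
    {"name": "Neighbor dial-out", "must_be_authenticated": True},
]

@dataclass
class Request:
    kind: str                                  # provisioning, registration, call, presence, phonebook
    registered: bool                           # is the sending endpoint registered to this VCS?
    subzone: str = "Default Subzone"           # subzone the endpoint belongs to
    credentials_valid: Optional[bool] = None   # None = no credentials supplied

def governing_policy(req, zones=ZONE_POLICIES, subzones=SUBZONE_POLICIES):
    """Pick the zone or subzone whose Authentication policy controls this request."""
    if req.kind == "provisioning":                     # initial provisioning: Default Zone
        return "Default Zone", zones["Default Zone"]
    if req.kind == "registration" or req.registered:   # registration, or a registered endpoint: subzone
        return req.subzone, subzones[req.subzone]
    return "Default Zone", zones["Default Zone"]       # unregistered endpoint: Default Zone

def resolve(req, zones=ZONE_POLICIES, subzones=SUBZONE_POLICIES):
    """Simplified outcome model (assumption): 'Do not check credentials' yields an
    unauthenticated request; H.323 vs local/non-local SIP differences are ignored."""
    scope, policy = governing_policy(req, zones, subzones)
    if policy == "Treat as authenticated":
        return scope, "authenticated"
    if policy == "Do not check credentials":
        return scope, "unauthenticated"
    # Check credentials: the VCS challenges and only valid credentials are accepted.
    return scope, "authenticated" if req.credentials_valid else "rejected"

def applicable_search_rules(outcome, rules=SEARCH_RULES):
    """Rules with 'Request must be authenticated' set only match authenticated requests."""
    if outcome == "rejected":
        return []
    return [r["name"] for r in rules
            if outcome == "authenticated" or not r["must_be_authenticated"]]

if __name__ == "__main__":
    scope, outcome = resolve(Request("call", registered=False))  # unregistered caller
    print(scope, outcome, applicable_search_rules(outcome))
    # Default Zone unauthenticated ['Local lookup']
```

Swapping the sample policies (for example setting the Default Zone to Check credentials) shows how an unregistered caller with no credentials goes from reaching the local lookup rule to being rejected outright.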
External policy services
External policy services are typically used in deployments where policy decisions are managed
through an external, centralized service rather than by configuring policy rules on the VCS itself.