Cisco TelePresence Video Communication Server Expressway
Configuring VCS authentication policy
VCS Deployment Guide: Device authentication on Cisco VCS (VCS X7.2)
Page 7 of 50
Device provisioning and authentication policy
VCS X7.1 and X7.2 support two provisioning modes:
• TMS Provisioning Extension mode
• TMS Agent legacy mode
The Provisioning Server (hosted on the VCS) has different device authentication requirements
depending on the provisioning mode.
TMS Provisioning Extension mode
The Provisioning Server requires that any provisioning or phone book requests it receives have
already been authenticated at the zone or subzone point of entry into the VCS. The Provisioning
Server does not do its own authentication challenge and will reject any unauthenticated messages.
The following diagram shows the flow of provisioning messages from an endpoint to the Provisioning
Server, together with the credential checking processes:
The VCS must be configured with appropriate device authentication settings, otherwise provisioning-
related messages will be rejected:
• Initial provisioning authentication (of a subscribe message) is controlled by the authentication
policy setting on the Default Zone. (The Default Zone is used as the device is not yet registered.)
• The Default Zone and any traversal client zone's authentication policy must be set to either
Check credentials or Treat as authenticated, otherwise provisioning requests will fail.
• The authentication of subsequent messages, including registration requests, phone book requests
and call signaling messages, is controlled by the authentication policy setting on the Default
Subzone (or relevant alternative subzone) if the endpoint is registered (which is the usual case),
or by the authentication policy setting on the Default Zone if the endpoint is not registered.
• The relevant authentication policy must be set to either Check credentials or Treat as
authenticated, otherwise phone book requests will fail.
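The rules above can be awkward to reason about when several zones and subzones are involved, so the following model encodes them as a small checker. It is an added illustration, not Cisco code or part of this guide: the `VcsAuthConfig` structure, the message names and the `audit` function are assumptions; the policy names "Check credentials" and "Treat as authenticated" are the ones used on this page, and "Do not check credentials" is the remaining VCS option that the page does not name.

```python
"""Model of the VCS X7.2 provisioning authentication rules in TMS Provisioning
Extension mode.  Added illustration, not Cisco code: the configuration
structure, message names and audit output are assumptions made here."""

from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    """Authentication policy values selectable on a VCS zone or subzone."""
    CHECK_CREDENTIALS = "Check credentials"
    TREAT_AS_AUTHENTICATED = "Treat as authenticated"
    DO_NOT_CHECK = "Do not check credentials"  # the remaining VCS option, not named on this page


# Only these two policies leave a message "already authenticated" by the time
# it reaches the Provisioning Server, which performs no challenge of its own.
ACCEPTING = frozenset({Policy.CHECK_CREDENTIALS, Policy.TREAT_AS_AUTHENTICATED})

# Message classes from the guide: "subscribe" is the initial provisioning
# request; the others are sent once provisioning has started.
INITIAL = "subscribe"
SUBSEQUENT = frozenset({"register", "phonebook", "call_signaling"})


@dataclass
class VcsAuthConfig:
    """Assumed representation of the relevant VCS authentication settings."""
    default_zone: Policy
    default_subzone: Policy
    traversal_client_zones: dict = field(default_factory=dict)  # name -> Policy
    subzones: dict = field(default_factory=dict)                # alternative subzone name -> Policy


def governing_policy(cfg, message, registered, subzone=None):
    """Return the policy that decides whether `message` counts as authenticated.

    - subscribe: always the Default Zone (the device is not yet registered)
    - anything else: the endpoint's subzone if registered, else the Default Zone
    """
    if message != INITIAL and message not in SUBSEQUENT:
        raise ValueError(f"unknown message type: {message}")
    if message == INITIAL or not registered:
        return cfg.default_zone
    return cfg.default_subzone if subzone is None else cfg.subzones[subzone]


def message_accepted(cfg, message, registered, subzone=None):
    """True if the Provisioning Server will see the message as already authenticated."""
    return governing_policy(cfg, message, registered, subzone) in ACCEPTING


def audit(cfg):
    """List the provisioning failures this configuration would cause."""
    findings = []
    if cfg.default_zone not in ACCEPTING:
        findings.append("Default Zone: initial provisioning (subscribe) and all requests "
                        "from unregistered endpoints will be rejected")
    for name, policy in cfg.traversal_client_zones.items():
        if policy not in ACCEPTING:
            findings.append(f"Traversal client zone '{name}': provisioning requests will fail")
    if cfg.default_subzone not in ACCEPTING:
        findings.append("Default Subzone: phone book requests from registered endpoints will fail")
    for name, policy in cfg.subzones.items():
        if policy not in ACCEPTING:
            findings.append(f"Subzone '{name}': phone book requests from registered endpoints will fail")
    return findings


if __name__ == "__main__":
    # Constructed sample: the Default Zone was left at "Do not check credentials",
    # which silently breaks initial provisioning even though the subzone is fine.
    sample = VcsAuthConfig(default_zone=Policy.DO_NOT_CHECK,
                           default_subzone=Policy.CHECK_CREDENTIALS,
                           traversal_client_zones={"TraversalZone": Policy.TREAT_AS_AUTHENTICATED})
    for finding in audit(sample):
        print("FAIL:", finding)
```

Running the module prints one finding for the constructed sample, which matches the first bullet above: a subscribe message is judged on the Default Zone alone, so a correctly configured Default Subzone does not rescue it.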
[Figure: provisioning message flow in TMS Provisioning Extension mode. An Endpoint sends a subscribe message through the VCS Default Zone, then register, phone book request and call signaling messages through the Default Subzone (or relevant alternative subzone); phone book requests and other messages reach the Provisioning Server. The Default Zone and Default Subzone (or relevant alternative subzone) must be configured to challenge and check credentials. Credential checking is performed against the local database / TMS credentials, an H.350 directory, or Active Directory; Cisco TMS supplies the device credentials. The Provisioning Server does not challenge or check credentials (messages must have already been authenticated).]