Cisco TelePresence Video Communication Server Expressway
Configuring VCS authentication policy
VCS Deployment Guide: Device authentication on Cisco VCS (VCS X7.2)
Page 8 of 50
In each case, the VCS performs its authentication checking against the appropriate credential store, according to whichever authentication methods are configured. Note that if the VCS is using the local database, this will include all credentials supplied by TMS.
For more information about provisioning configuration in general, see Cisco TMS Provisioning Extension Deployment Guide.
Legacy TMS Agent mode
The Provisioning Server will only service authenticated provisioning requests, but it can perform its own authentication challenge:
• If the VCS has already authenticated the device (at the zone or subzone entry point), then the Provisioning Server accepts the VCS’s authentication check and does not perform any additional authentication challenge.
• If the VCS has not authenticated the device, then the Provisioning Server will authenticate the request (i.e. challenge for and check credentials) before providing provisioning data.
• The Provisioning Server checks device account credentials against the TMS Agent database only. It does not check against any other credential store.
The following diagram shows the flow of provisioning messages from an endpoint to the Provisioning Server, together with the credential checking processes:
Note that:
• Initial provisioning authentication (of a subscribe message) is controlled by the authentication policy setting on the Default Zone. (The Default Zone is used as the device is not yet registered.)
• Subsequent messages, including registration requests, phone book requests and call signaling messages, go through the Default Subzone (or relevant alternate subzone).
[Diagram: provisioning message flow. The Endpoint sends a subscribe message through the VCS Default Zone to the Provisioning Server; register, phone book requests and call signaling messages go through the Default Subzone (or relevant alternative subzone). The Default Zone and Default Subzone may be configured to challenge and check credentials (against the local database / TMS Agent database, H.350 directory, or Active Directory). The Provisioning Server challenges and checks credentials against the TMS Agent database if the message is not already authenticated; Cisco TMS supplies device credentials to the TMS Agent database.]
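The following model of the legacy TMS Agent mode flow is an added example, not code from the guide or from Cisco: it routes a subscribe message through the Default Zone and all other messages through the Default Subzone, and applies the Provisioning Server rule that it challenges only unauthenticated requests and checks the TMS Agent database only. The zone policy is reduced to "challenges and checks credentials" or not, and the accounts alice, bob and carol with their stores are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample credential stores (assumed values, not from the guide).
LOCAL_DB = {"alice": "pw-a"}                 # local database, includes TMS-supplied credentials
ACTIVE_DIRECTORY = {"bob": "pw-b"}           # account known to Active Directory only
TMS_AGENT_DB = {"alice": "pw-a", "carol": "pw-c"}

@dataclass
class Zone:
    name: str
    check_credentials: bool   # True: zone is configured to challenge and check credentials
    stores: tuple = ()        # credential stores the VCS consults at this entry point

@dataclass
class Message:
    kind: str                 # "subscribe", "register", "phonebook" or "call"
    username: str
    password: str
    vcs_authenticated: bool = False

def vcs_entry(zone, msg):
    """VCS authentication check at the zone/subzone entry point."""
    if not zone.check_credentials:
        return "passed-unauthenticated"
    for store in zone.stores:
        if store.get(msg.username) == msg.password:
            msg.vcs_authenticated = True
            return "authenticated"
    return "rejected"

def provisioning_server(msg):
    """Accepts the VCS check if present; otherwise challenges against TMS Agent DB only."""
    if msg.vcs_authenticated:
        return "provisioned (VCS check accepted)"
    if TMS_AGENT_DB.get(msg.username) == msg.password:
        return "provisioned (Provisioning Server challenge)"
    return "rejected (not in TMS Agent database)"

def route(default_zone, default_subzone, msg):
    """Subscribe goes via the Default Zone; later messages via the Default Subzone."""
    zone = default_zone if msg.kind == "subscribe" else default_subzone
    result = vcs_entry(zone, msg)
    if result == "rejected":
        return f"{zone.name}: rejected"
    if msg.kind == "subscribe":
        return provisioning_server(msg)
    return f"{zone.name}: {result}"
```

Running bob (Active Directory only) through a Default Zone that does not check credentials shows the practical consequence of the last bullet: the Provisioning Server's own challenge cannot see Active Directory, so provisioning fails even though the account is valid.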