Cisco TelePresence Video Communication Server Expressway
VCS Deployment Guide: Device authentication on Cisco VCS (VCS X7.1)
Page 14 of 47
Configuring VCS authentication methods
The VCS can be configured to use different types of credential store to check the credentials presented
to it. The options are:
• an on-box local database of usernames and passwords; use of the local database also includes
checking against credentials supplied by Cisco TMS if your system is using device provisioning (in
both TMS Provisioning Extension and legacy TMS Agent modes)
or
• real time access via LDAP to an external H.350 directory service (which has an H.350 directory
schema for either a Microsoft Active Directory LDAP server or an OpenLDAP server)
Along with one of the above methods, for endpoints supporting NTLM authentication (at the time of
writing only Movi 4.2 or later) the VCS can alternatively verify credentials via:
• direct access to an Active Directory server using a Kerberos connection
(The direct Active Directory authentication via Kerberos method is only supported by a limited
range of endpoints. If used, other non-supported endpoint devices will continue to authenticate
using one of the other two authentication methods.)
Using the local database
The local database can be used for authenticating any endpoint, SIP and H.323.
• from X7.0, the local database includes credentials stored within the TMS Agent database (which
is provided by Cisco TMS if TMS provisioning is enabled)
• checking against the TMS Agent database aids migration from a provisioning-only
authenticated system to a configuration where all messages are authenticated – it means that
VCS can authenticate all messages against the credentials generated by TMS which were
previously used by the Provisioning Server just to authenticate provisioning requests (i.e. no
change of password is required for provisioned devices)
• prior to X7.0, the VCS did not check against the TMS Agent database, it only checked the
manually configured credentials in the local database
Configuring the VCS to use the local database
The local database is hosted on the VCS unit and does not require any specific connectivity
configuration. To use the local database:
1. Go to VCS configuration > Authentication > Devices > Configuration.
2. Select Local database as the Database type.
3. Click Save.
Adding credentials to the local database
The local database credentials are configured on the Local authentication database page. To enter
a set of device credentials:
1. Go to VCS configuration > Authentication > Devices > Local database and click New.
2. Enter the Name and Password that represent the device’s credentials.
3. Click Create credential.
Local database authentication in combination with Active Directory (direct) authentication
If Active Directory (direct) authentication has been configured and NTLM protocol challenges is set
to Auto, then NTLM authentication challenges are offered to those devices that support NTLM.
NTLM challenges are offered in addition to the standard digest challenge.
Endpoints that support NTLM will respond to the NTLM challenge and VCS will use that in
preference to the digest challenge.
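The local database check described under "Using the local database", together with the standard digest challenge that the NTLM section says is always offered, modelled as an added Python example (not Cisco's code or the VCS implementation): a constructed local credential store, an endpoint answering a Digest challenge, and the server-side verification with nonce and unknown-user handling. The SIP Digest header layout, realm, nonce values and credentials are constructed assumptions; an NTLM answer is shown only as something this path does not accept.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the VCS "Local authentication database" (Name/Password pairs).
LOCAL_DB = {"movi.user1": "s3cret-pw", "ex90.lobby": "lobby-pw"}
# Nonces this server has issued; a real store would expire and consume them.
ISSUED_NONCES = {"abc123def456"}

def parse_auth_params(header_value):
    """Split 'Scheme k="v", k2=v2' into (SCHEME, {k: v}); a bare 'NTLM' yields (NTLM, {})."""
    scheme, _, params = header_value.strip().partition(" ")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return scheme.upper(), {k: q if q else u for k, q, u in pairs}

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop):
    """RFC 2617 MD5 digest with qop=auth, as used to answer SIP REGISTER/INVITE challenges."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def build_digest_authorization(username, password, method, uri, challenge,
                               nc="00000001", cnonce="0a4f113b"):
    """Endpoint side: answer a Digest WWW-Authenticate challenge (assumed header layout)."""
    scheme, c = parse_auth_params(challenge)
    if scheme != "DIGEST":
        raise ValueError("not a Digest challenge")
    realm, nonce, qop = c["realm"], c["nonce"], c.get("qop", "auth")
    resp = digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop={qop}, nc={nc}, cnonce="{cnonce}", response="{resp}", algorithm=MD5')

def check_local_database(method, authorization, db=LOCAL_DB, nonces=ISSUED_NONCES):
    """Server side: True only if the Digest response matches a local-database entry."""
    scheme, p = parse_auth_params(authorization)
    if scheme != "DIGEST":
        return False  # NTLM answers belong to the Active Directory (direct) path, not here
    try:
        user, nonce = p["username"], p["nonce"]
        if nonce not in nonces:
            return False  # nonce must be one this server issued (replay / forgery guard)
        want = digest_response(user, db[user], p["realm"], method, p["uri"],
                               nonce, p["nc"], p["cnonce"], p["qop"])
    except KeyError:
        return False  # unknown user or malformed header: reject without leaking which
    return hmac.compare_digest(want, p.get("response", ""))
```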