Cisco Cisco TelePresence Video Communication Server Expressway
Introduction
VCS Deployment Guide: Device authentication on Cisco VCS (VCS X7.1)
Page 5 of 47
Introduction
Device authentication is the verification of the credentials of an incoming request to the Cisco
TelePresence Video Communication Server (Cisco VCS) from a device or external system. It is used
so that certain functionality may be reserved for known and trusted users, for example the publishing
of presence status, collection of provisioning data, or the ability to use resources that cost money like
ISDN gateway calling.
TelePresence Video Communication Server (Cisco VCS) from a device or external system. It is used
so that certain functionality may be reserved for known and trusted users, for example the publishing
of presence status, collection of provisioning data, or the ability to use resources that cost money like
ISDN gateway calling.
When device authentication is enabled on a VCS, any device that attempts to communicate with the
VCS will be challenged to present its credentials (typically based on a username and password). The
VCS will then verify those credentials, or have them verified, according to its authentication policy, and
then accept or reject the message accordingly.
VCS will be challenged to present its credentials (typically based on a username and password). The
VCS will then verify those credentials, or have them verified, according to its authentication policy, and
then accept or reject the message accordingly.
VCS authentication policy can be configured separately for each zone and subzone. This means that
both authenticated and unauthenticated devices could be allowed to register to, and communicate
with, the same VCS if required. Subsequent call routing decisions can then be configured with
different rules based upon whether a device is authenticated or not.
both authenticated and unauthenticated devices could be allowed to register to, and communicate
with, the same VCS if required. Subsequent call routing decisions can then be configured with
different rules based upon whether a device is authenticated or not.
The credential repository that the VCS uses to verify the credentials presented to it must be
configured. The options are:
configured. The options are:
an on-box local database of usernames and passwords (which also includes checking against
credentials supplied by Cisco TMS if your system is using device provisioning)
credentials supplied by Cisco TMS if your system is using device provisioning)
or
real time access via LDAP to an external H.350 directory service (which has an H.350 directory
schema for either a Microsoft Active Directory LDAP server or an OpenLDAP server)
schema for either a Microsoft Active Directory LDAP server or an OpenLDAP server)
Along with one of the above methods, for those devices that support NTLM challenges the VCS can
alternatively verify credentials via:
alternatively verify credentials via:
direct access to an Active Directory server using a Kerberos connection
(The direct Active Directory authentication via Kerberos method is only supported by a limited
range of endpoints – at the time of writing, Movi 4.2 or later only. If authentication of other devices
or endpoints is required, AD direct mode would need to be used in combination with one of the
other two authentication methods – to authenticate pre-4.2 Movi and other endpoints.)
range of endpoints – at the time of writing, Movi 4.2 or later only. If authentication of other devices
or endpoints is required, AD direct mode would need to be used in combination with one of the
other two authentication methods – to authenticate pre-4.2 Movi and other endpoints.)
The various VCS authentication entry points and credential checking methods are shown below:
Default
Zone
Default
Subzone
Other
Subzones
(if configured)
Neighbor
Zone
Traversal
Zone
registration requests and
messages from registered
endpoints
messages from
traversal neighbor
Neighbor
System
VCS
Traversal
Neighbor
Neighbor
messages from
non-registered endpoints
(unknown devices)
messages from
devices in known
zones
Endpoint
VCS
Local
database
(credential
store)
Active
Directory
database
Open
LDAP
database
H.350
directory
schema
Credential
checking
device
credentials
Cisco TMS
via Kerberos
via LDAP
local database
or
H.350
or
H.350