Cisco TelePresence Video Communication Server Expressway
VCS Deployment Guide: Authenticating Devices (VCS X7.0)
Page 5 of 44
Introduction
Device authentication is used to control whether devices or external systems that want to
communicate with the Cisco TelePresence Video Communication Server (Cisco VCS) must provide
verifiable authentication credentials before that communication is allowed.
When device authentication is enabled on a VCS, any device that attempts to communicate with the
VCS will be challenged to present its credentials (typically based on a username and password). The
VCS will then verify those credentials, according to its authentication policy, and accept or reject the
message accordingly.
VCS authentication policy can be configured separately for each zone and subzone. This means that
both authenticated and unauthenticated devices could be allowed to register to, and communicate
with, the same VCS if required. Subsequent call routing decisions can then be configured with
different rules based upon whether a device is authenticated or not.
The credential repository that the VCS uses to verify the credentials presented to it must be
configured. The options are:
- an on-box local database of usernames and passwords (for VCS X7.0 and later this also includes
  credentials stored within the TMS Agent database)
or
- real-time access via LDAP to an external H.350 directory service (which has an H.350 directory
  schema for either a Microsoft Active Directory LDAP server or an OpenLDAP server)
In addition to one of the above methods, the VCS can also verify credentials via:
- direct access to an Active Directory server using a Kerberos connection
  (The direct Active Directory authentication via Kerberos method is only supported by a limited
  range of endpoints – at the time of writing, Movi 4.2 or later only. If authentication of other devices
  or endpoints is required, this AD direct mode would need to be combined with one of the other
  two authentication methods – to authenticate pre-4.2 Movi and other endpoints and devices.)
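The challenge, the per-zone authentication policy and the on-box credential store described above, as an added Python example that is not Cisco's code: for SIP devices the VCS challenge is a digest challenge, so the example issues a nonce, verifies the device's digest against a constructed local username/password store, and returns the "authenticated" flag that later call-routing rules would key on. The zone policy names ("check", "skip") and the store contents are assumptions for the illustration.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed on-box credential store (username -> password), standing in for
# the VCS local database; this is an added illustration, not Cisco code.
LOCAL_DB = {"endpoint01": "s3cret-pass"}

# Assumed per-zone policy values: "check" challenges every request for
# credentials, "skip" accepts the request without marking it authenticated.
ZONE_POLICY = {"Default Zone": "check", "Traversal Zone": "skip"}

_issued_nonces = set()  # challenges handed out and not yet answered

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def make_challenge(realm: str) -> dict:
    """Parameters of the digest challenge the server would return in a 401."""
    nonce = secrets.token_hex(16)
    _issued_nonces.add(nonce)
    return {"realm": realm, "nonce": nonce}

def digest_response(user: str, password: str, realm: str, nonce: str,
                    method: str, uri: str) -> str:
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2), as the device sends it."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def verify(zone: str, auth: Optional[dict], method: str, uri: str,
           db: dict = LOCAL_DB) -> Tuple[bool, bool]:
    """Apply the zone's policy and return (accepted, authenticated).

    The second flag is what later call-routing rules would key on.
    """
    if ZONE_POLICY.get(zone, "check") == "skip":
        return True, False
    if auth is None or auth["nonce"] not in _issued_nonces:
        return False, False  # device must first answer a fresh challenge
    _issued_nonces.discard(auth["nonce"])  # single use, so no replay
    known = auth["username"] in db
    # Unknown users still get a full compare so timing does not reveal them.
    expected = digest_response(auth["username"], db.get(auth["username"], ""),
                               auth["realm"], auth["nonce"], method, uri)
    ok = secrets.compare_digest(expected, auth["response"]) and known
    return ok, ok
```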
The various VCS authentication entry points and credential checking methods are shown below:
[Figure: VCS authentication entry points and credential checking methods. Entry points: Default Zone (messages from non-registered endpoints / unknown devices), Default Subzone and other subzones if configured (registration requests and messages from registered endpoints), Neighbor Zone (messages from devices in known zones) and Traversal Zone (messages from a traversal neighbor). Credential checking: local database (credential store), TMS Agent database via Cisco TMS, Active Directory database via Kerberos, and Active Directory or OpenLDAP database via LDAP with the H.350 directory schema.]