Cisco TelePresence Video Communication Server Expressway
VCS Deployment Guide: Authenticating Devices (VCS X7.0)
Page 6 of 44
Configuring VCS authentication policy
Authentication Policy is applied by the VCS at the zone and subzone levels. It controls how the VCS
challenges incoming messages (for provisioning, registration, presence, phonebooks and calls) from
that zone or subzone and whether those messages are rejected, treated as authenticated, or treated
as unauthenticated within the VCS.
Accurate timestamps play an important part in authentication of H.323 devices, helping to guard
against replay attacks. For this reason, if you are using device authentication with H.323 devices, both
the VCS and the endpoints must use an NTP server to synchronize their system time.
Each zone and subzone can set its Authentication policy to either Check credentials, Do not check
credentials, or Treat as authenticated.
Registration authentication is controlled by the Default Subzone (or relevant alternative subzone)
configuration.
Initial provisioning subscription request authentication is controlled by the Default Zone
configuration.
Call, presence, and phonebook request authentication is controlled by the Default Subzone (or
relevant alternative subzone) if the endpoint is registered, or by the Default Zone if the endpoint is
not registered.
Note that the authentication policy behavior depends on whether the messages are H.323 messages,
SIP messages received from local domains, or SIP messages received from non-local domains. A full
description of the various authentication policy settings is contained in the VCS Administrator Guide
(and is also available in the VCS online help).
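The rules above, as an added Python model that is not part of the guide: it resolves which configuration (Default Zone or Default Subzone) decides each request type and shows what the factory defaults, and a Treat as authenticated setting, mean for a search rule that has Request must be authenticated set. The outcome mapping in classify is a simplification (an assumption) that ignores the H.323 / SIP local / SIP non-local distinctions the note refers to the Administrator Guide for.

```python
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    CHECK = "Check credentials"
    NO_CHECK = "Do not check credentials"
    TREAT_AUTH = "Treat as authenticated"


@dataclass
class VcsConfig:
    # Both policies are "Do not check credentials" on a factory-default VCS.
    default_zone: Policy = Policy.NO_CHECK
    default_subzone: Policy = Policy.NO_CHECK


def governing_policy(cfg: VcsConfig, request: str, registered: bool) -> Policy:
    """Pick the policy that decides a request, as the guide describes."""
    if request == "registration":          # always the (Default) Subzone
        return cfg.default_subzone
    if request == "provisioning":          # initial subscription: Default Zone
        return cfg.default_zone
    if request in ("call", "presence", "phonebook"):
        return cfg.default_subzone if registered else cfg.default_zone
    raise ValueError(f"unknown request type: {request}")


def classify(policy: Policy, credentials_valid: bool) -> str:
    """Simplified outcome model (assumption: ignores the H.323 / SIP local /
    SIP non-local distinctions described in the Administrator Guide)."""
    if policy is Policy.TREAT_AUTH:
        return "authenticated"             # trusted without any challenge
    if policy is Policy.NO_CHECK:
        return "unauthenticated"           # accepted, but never authenticated
    return "authenticated" if credentials_valid else "rejected"


def search_rule_matches(request_must_be_authenticated: bool, outcome: str) -> bool:
    """Search rule attribute: restrict the rule to authenticated requests."""
    if outcome == "rejected":
        return False
    return outcome == "authenticated" or not request_must_be_authenticated


def decide(cfg, request, registered, credentials_valid, rule_requires_auth):
    outcome = classify(governing_policy(cfg, request, registered), credentials_valid)
    return outcome, search_rule_matches(rule_requires_auth, outcome)
```

With factory defaults every request ends up unauthenticated, so a search rule marked Request must be authenticated never matches; with Treat as authenticated on the Default Zone, an unregistered endpoint's call is marked authenticated without any challenge.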
Zone-level Authentication Policy
Authentication policy is configurable for the Default Zone, neighbor zones, traversal client and
traversal server zones, but does not apply to DNS and ENUM zones.
To configure a zone's Authentication policy, go to the Edit zone page (VCS configuration > Zones, then click View/Edit or the name of the zone). The policy is set to Do not check credentials by default.
Subzone-level Authentication Policy
Authentication policy is configurable for the Default Subzone and any other configured subzone.
To configure a subzone's Authentication policy, go to the Edit subzone page (VCS configuration > Local Zone > Subzones, then click View/Edit or the name of the subzone). The policy is set to Do not check credentials by default.
Controlling system behavior for authenticated and non-authenticated devices
How calls and other messaging from authenticated and non-authenticated devices are subsequently
handled depends on how search rules, external policy services and CPL are configured.
Search rules
When configuring a search rule, use the Request must be authenticated attribute to specify whether
the search rule applies only to authenticated search requests or to all requests.
External policy services
External policy services are typically used in deployments where policy decisions are managed
through an external, centralized service rather than by configuring policy rules on the VCS itself.
You can configure the VCS to use policy services in the following areas: