Cisco TelePresence Video Communication Server Expressway
Configuring VCS authentication policy
VCS Deployment Guide: Authenticating Devices (VCS X7.0)
Device provisioning and authentication policy
The Provisioning Server (hosted on the VCS) will only service authenticated provisioning requests:
• If the VCS has already authenticated the device (at the zone or subzone entry point), then the Provisioning Server accepts the VCS’s authentication check and does not perform any additional authentication challenge.
• If the VCS has not authenticated the device, then the Provisioning Server will authenticate the request (i.e. challenge for and check credentials) before providing provisioning data.
The Provisioning Server checks device account credentials against the TMS Agent database only. It does not check against any other credential store.
Provisioning messages include subscribes for provisioning and phone book requests. The following diagram shows the flow of provisioning messages from an endpoint to the Provisioning Server, together with the credential checking processes:
Note that:
• Initial provisioning authentication (of a subscribe message) is controlled by the authentication policy setting on the Default Zone. (The Default Zone is used as the device is not yet registered.)
• Subsequent messages, including registration requests, phone book requests and call signaling messages, will go through the Default Subzone (or relevant alternate subzone).
For more information about configuring provisioning, see Cisco TMS Provisioning Deployment Guide.
Cisco VCS Starter Pack Express
The Provisioning Server on a Cisco VCS Starter Pack Express does not challenge provisioning requests. It provisions devices only if the request has already been authenticated by the VCS (at the zone or subzone entry point).
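The rules above combined into one decision function, as an added example that is not Cisco code. The `Request` fields and the credential store labels are assumptions made for illustration, and the audit reports the two cases in which a device receives no provisioning data.

```python
from dataclasses import dataclass

# Entry point per provisioning message kind, as in the notes above: the initial
# subscribe arrives before registration, so the Default Zone policy governs it.
ENTRY_POINT = {
    "subscribe": "Default Zone",
    "phone_book": "Default Subzone (or relevant alternate subzone)",
}

@dataclass(frozen=True)
class Request:                    # hypothetical structure, not a VCS object
    kind: str                     # "subscribe" or "phone_book"
    vcs_authenticated: bool       # authenticated at the zone/subzone entry point?
    account_stores: frozenset     # stores holding the device account (constructed labels)
    starter_pack: bool = False    # Cisco VCS Starter Pack Express?

def decide(req):
    """Return (entry_point, authenticated_by, provisioned)."""
    entry = ENTRY_POINT[req.kind]  # KeyError if not a provisioning message
    if req.vcs_authenticated:
        # The Provisioning Server accepts the VCS check without a further challenge.
        return entry, "VCS", True
    if req.starter_pack:
        # Starter Pack Express never challenges, so the request is not serviced.
        return entry, None, False
    # Otherwise the Provisioning Server challenges, using the TMS Agent database only.
    return entry, "Provisioning Server", "tms_agent" in req.account_stores

def audit(requests):
    """List (name, reason) for requests that would get no provisioning data."""
    findings = []
    for name, req in requests.items():
        entry, by, ok = decide(req)
        if ok:
            continue
        if by is None:
            reason = "Starter Pack Express does not challenge; authenticate at the " + entry
        else:
            reason = "account missing from TMS Agent database, the only store checked"
        findings.append((name, reason))
    return findings

SAMPLES = {  # constructed sample requests
    "zone-authenticated": Request("subscribe", True, frozenset({"active_directory"})),
    "challenged, in TMS Agent": Request("subscribe", False, frozenset({"tms_agent"})),
    "challenged, AD only": Request("phone_book", False, frozenset({"active_directory"})),
    "starter pack, unauthenticated": Request("subscribe", False, frozenset({"tms_agent"}), True),
}
```

Calling `audit(SAMPLES)` flags the account held only in Active Directory and the unauthenticated Starter Pack Express request.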
[Diagram: flow of provisioning messages from the Endpoint through the VCS (Default Zone, Default Subzone) to the Provisioning Server. Labels: the subscribe message enters at the Default Zone; register, phone book requests and call signaling messages enter at the Default Subzone; phone book requests and the subscribe message continue to the Provisioning Server, separately from other messages. Annotations: "Default Zone and Default Subzone (or relevant alternative subzone) may be configured to challenge and check credentials"; "Credential checking (against local database / TMS Agent database, H.350 directory, or Active Directory)"; "Provisioning Server challenges and checks credentials against TMS Agent database (if message is not already authenticated)"; Cisco TMS device credentials; TMS Agent database.]