Cisco Cisco TelePresence Video Communication Server Expressway 관리 매뉴얼
Subzone-level authentication policy
Authentication policy is configurable for the Default Subzone and any other configured subzone.
To configure a subzone's Authentication policy, go to Configuration > Local Zone > Subzones, then click View/Edit
or the name of the subzone. The policy is set to Do not check credentials by default when a new subzone is created.
or the name of the subzone. The policy is set to Do not check credentials by default when a new subzone is created.
Provisioning and device authentication
The Provisioning Server requires that any provisioning or phone book requests it receives have already been
authenticated at the zone or subzone point of entry into the VCS. The Provisioning Server does not do its own
authentication challenge and will reject any unauthenticated messages.
authenticated at the zone or subzone point of entry into the VCS. The Provisioning Server does not do its own
authentication challenge and will reject any unauthenticated messages.
for more information.
Presence and device authentication
The Presence Server accepts presence PUBLISH messages only if they have already been authenticated:
■
The authentication of presence messages by the VCS is controlled by the authentication policy setting on the
Default Subzone (or relevant alternative subzone) if the endpoint is registered (which is the usual case), or by
the authentication policy setting on the Default Zone if the endpoint is not registered.
Default Subzone (or relevant alternative subzone) if the endpoint is registered (which is the usual case), or by
the authentication policy setting on the Default Zone if the endpoint is not registered.
■
The relevant Authentication policy must be set to either Check credentials or Treat as authenticated,
otherwise PUBLISH messages will fail, meaning that endpoints will not be able to publish their presence
status.
otherwise PUBLISH messages will fail, meaning that endpoints will not be able to publish their presence
status.
Controlling System Behavior for Authenticated and Non-authenticated Devices
How calls and other messaging from authenticated and non-authenticated devices are handled depends on how
search rules, external policy services and CPL are configured.
search rules, external policy services and CPL are configured.
Search rules
When configuring a search rule, use the Request must be authenticated attribute to specify whether the search rule
applies only to authenticated search requests or to all requests.
applies only to authenticated search requests or to all requests.
External policy services
External policy services are typically used in deployments where policy decisions are managed through an external,
centralized service rather than by configuring policy rules on the VCS itself. You can configure the VCS to use policy
services in the following areas:
centralized service rather than by configuring policy rules on the VCS itself. You can configure the VCS to use policy
services in the following areas:
■
■
■
■
When the VCS uses a policy service it sends information about the call or registration request to the service in a
POST message using a set of name-value pair parameters. Those parameters include information about whether the
request has come from an authenticated source or not.
POST message using a set of name-value pair parameters. Those parameters include information about whether the
request has come from an authenticated source or not.
More information about policy services, including example CPL, can be found in External Policy on VCS Deployment
Guide.
Guide.
CPL
If you are using the Call Policy rules generator on the VCS, source matches are carried out against authenticated
sources. To specify a match against an unauthenticated source, just use a blank field. (If a source is not
authenticated, its value cannot be trusted).
sources. To specify a match against an unauthenticated source, just use a blank field. (If a source is not
authenticated, its value cannot be trusted).
If you use uploaded, handcrafted local CPL to manage your Call Policy, you are recommended to make your CPL
explicit as to whether it is looking at the authenticated or unauthenticated origin.
explicit as to whether it is looking at the authenticated or unauthenticated origin.
123
Cisco TelePresence Video Communication Server Administrator Guide
Device Authentication