Cisco Cisco TelePresence Video Communication Server Expressway 관리 매뉴얼
Device authentication
The Cisco VCS can check the credentials supplied within the message against either a local database
or a remote LDAP repository. See
or a remote LDAP repository. See
for more information.
Note: accurate timestamps play an important part in authentication, helping to guard against replay
attacks. For this reason, if you are using device authentication, both the Cisco VCS and the endpoints
must use an
attacks. For this reason, if you are using device authentication, both the Cisco VCS and the endpoints
must use an
to synchronize their system time.
Authentication Policy configuration options
The Authentication Policy behavior varies for H.323 messages, SIP messages received from local
domains and SIP messages from non-local domains. The following tables summarize the policy
behavior when applied at the zone and subzone level, and how it varies depending on the message
protocol.
domains and SIP messages from non-local domains. The following tables summarize the policy
behavior when applied at the zone and subzone level, and how it varies depending on the message
protocol.
Zone-level Authentication Policy
The Cisco VCS's Authentication Policy at the zone level controls how the Cisco VCS authenticates
incoming messages from that zone. Note that the Authentication Policy is configurable for the Default
Zone but does not apply to DNS and ENUM zones.
incoming messages from that zone. Note that the Authentication Policy is configurable for the Default
Zone but does not apply to DNS and ENUM zones.
To configure a zone's Authentication policy, go to the Edit zone page (
VCS configuration >
Zones
, then click View/Edit or the name of the zone). The policy is set to Do not check credentials by
default.
The behavior varies for H.323 and SIP messages as shown in the tables below:
H.323
Authentication
policy
policy
Behavior
Check
credentials
credentials
Messages are classified as either authenticated or unauthenticated depending on
whether any credentials in the message can be verified against the authentication
database.
whether any credentials in the message can be verified against the authentication
database.
If no credentials are supplied, the message is always classified as
unauthenticated.
unauthenticated.
Do not check
credentials
credentials
Message credentials are not checked and all messages are classified as
unauthenticated.
unauthenticated.
Treat as
authenticated
authenticated
Message credentials are not checked and all messages are classified as
authenticated.
authenticated.
SIP
The behavior for SIP messages at the zone level depends upon the
setting (meaning whether the Cisco VCS trusts any pre-existing authenticated indicators - known as
P-Asserted-Identity headers - within the received message) and whether the message was received
from a local domain (a domain for which the Cisco VCS is authoritative) or a non-local domain.
P-Asserted-Identity headers - within the received message) and whether the message was received
from a local domain (a domain for which the Cisco VCS is authoritative) or a non-local domain.
Cisco VCS Administrator Guide (X6)
Page 71 of 295