Cisco TelePresence Video Communication Server Expressway Administration Manual

D14049.08 
November 2010
CISCO TELEPRESENCE VIDEO COMMUNICATION SERVER
ADMINISTRATOR GUIDE
Registration control
Device authentication
The Device authentication configuration page controls whether systems attempting to 
communicate with the VCS must authenticate with it first, and if so, the type of database used by 
the VCS to store the authentication credentials used by these systems.
To go to the Device authentication configuration page:
• VCS configuration > Authentication > Devices > Configuration
To configure authentication using the CLI:
 
Authentication mode
The VCS can be configured to use a username and password-based challenge-response scheme 
to determine whether it will permit communications from other systems. This process is known as 
authentication, and is controlled using the Authentication mode setting.
The options are:
On: systems attempting to communicate with the VCS, including endpoints attempting to send 
registration requests to the VCS, must first authenticate with it.
For H.323, any credentials in the message are checked against the authentication database. The 
message is allowed if the credentials match, or if there are no credentials in the message. For SIP, 
any messages originating from an endpoint in a local domain will be authenticated.
Off: incoming messages are not authenticated.
The default is Off.
!
Accurate timestamps play an important part in authentication, helping to guard against 
replay attacks. For this reason, if you are using authentication, both the VCS and the 
endpoints must use an NTP server to synchronize their system time. See the 
 section for information on how to configure this for the VCS.
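The role of timestamps in resisting replay, and the reason clock synchronization matters, can be seen in the following added example, which is not taken from the guide and is not the VCS's own algorithm. It assumes a generic scheme in which the endpoint sends a keyed hash over its username and send time; the names `make_token`, `Verifier`, the 30-second window and the sample credentials are all constructed for illustration.

```python
import hashlib
import hmac

MAX_SKEW = 30  # seconds of tolerated clock difference (assumed value)


def make_token(username, password, timestamp):
    """Endpoint side: keyed hash binding the username to the send time."""
    msg = f"{username}|{timestamp}".encode()
    return hmac.new(password.encode(), msg, hashlib.sha256).hexdigest()


class Verifier:
    """Server side: checks the credentials, then freshness, then reuse."""

    def __init__(self, credentials, max_skew=MAX_SKEW):
        self.credentials = credentials  # username -> password
        self.max_skew = max_skew
        self.seen = set()  # (username, timestamp) pairs accepted recently

    def check(self, username, timestamp, token, now):
        password = self.credentials.get(username)
        if password is None:
            return "unknown-user"
        expected = make_token(username, password, timestamp)
        if not hmac.compare_digest(expected, token):
            return "bad-credentials"
        if abs(now - timestamp) > self.max_skew:
            return "stale-timestamp"  # old capture, or an unsynchronized clock
        # Only entries still inside the window can be replayed; drop the rest.
        self.seen = {(u, t) for u, t in self.seen if abs(now - t) <= self.max_skew}
        if (username, timestamp) in self.seen:
            return "replayed"
        self.seen.add((username, timestamp))
        return "ok"


def demo():
    """Constructed scenario: one endpoint, server clock starting at t0."""
    v = Verifier({"endpoint1": "s3cret"})
    t0 = 1_000_000
    tok = make_token("endpoint1", "s3cret", t0)
    slow = t0 + 400  # endpoint clock 300 s behind the server's t0 + 700
    return [
        v.check("endpoint1", t0, tok, now=t0 + 2),    # fresh message
        v.check("endpoint1", t0, tok, now=t0 + 3),    # resent inside the window
        v.check("endpoint1", slow and t0, tok, now=t0 + 600),  # capture resent later
        v.check("endpoint1", slow, make_token("endpoint1", "s3cret", slow), now=t0 + 700),
    ]
```

The last case is the operational one: an endpoint with the correct password is still rejected when its clock has drifted outside the window, which is why both sides need NTP.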
Authentication database
When Authentication mode is On, endpoints must authenticate with the VCS before they can 
register. In order to authenticate successfully, the endpoint must supply the VCS with a username. 
For Cisco endpoints using H.323, the username is the endpoint’s Authentication ID; for Cisco 
endpoints using SIP it is the endpoint’s Authentication username.
For details of how to configure endpoints with a username and password, please consult 
the endpoint manual. 
To verify the identity of the device, the VCS needs access to a database on which all authentication 
credential information (usernames, passwords, and other relevant information) is stored. This 
database may be located either locally on the VCS, or on an LDAP Directory Server. The VCS looks 
up the endpoint’s username in the database and retrieves the authentication credentials for 
that entry. If the credentials match those supplied by the endpoint, the registration is allowed to 
proceed. 
The Database type setting determines which database the VCS will use during authentication:
Local database: the local authentication database is used. You must 
 to use this option.
LDAP database: a remote LDAP database is used. You must
 to use this 
option.
The default is LocalDatabase.
!
If the VCS is a traversal server, you must ensure that each traversal client’s authentication 
credentials are entered into the selected database.
The VCS supports the
 for authenticating the identity of H.323 
network devices with which it communicates.