Cisco TelePresence Video Communication Server Expressway Administrator Manual
56
D14049.08
November 2010
CISCO TELEPRESENCE
VIDEO COMMUNICATION SERVER
ADMINISTRATOR GUIDE
Registration control
Device authentication using LDAP
Overview
If the VCS is using an LDAP server for authentication, the process
is as follows:
1. The endpoint presents its username and authentication
credentials (these are generated using its password) to the
VCS, and the aliases with which it wants to register.
2. The VCS looks up the username in the LDAP database and
obtains the authentication and alias information for that entry.
3. If the authentication credentials match those supplied by the
endpoint, the registration will continue.
The VCS then determines which aliases the endpoint is allowed
to attempt to register with, based on the alias origin setting. For
H.323 endpoints, you can use this setting to override the aliases
presented by the endpoint with those in the H.350 directory, or
you can use them in addition to the endpoint’s aliases. For SIP
endpoints, you can use this setting to reject a registration if the
endpoint’s AOR does not match that in the LDAP database.
Configuring the LDAP server directory
The directory on the LDAP server should be configured to
implement the
to store credentials for
devices with which the VCS communicates. The directory should
also be configured with the aliases of endpoints that will register
with the VCS.
See the
Configuring LDAP server settings
The Device LDAP Configuration page is used to configure a
connection to the LDAP database for device authentication.
To go to the Device LDAP Configuration page:
• VCS configuration > Authentication > Devices > LDAP configuration
To configure these settings using the CLI:
LDAP server
The IP address or FQDN (or server address, if a DNS Domain
Name has also been configured) of the LDAP server.
Port
The IP port of the LDAP server.
The default is 389.
Encryption
Determines whether the connection to the LDAP server is
encrypted using Transport Layer Security (TLS).
TLS: TLS encryption is used for the connection to the LDAP
server.
Off: no encryption is used.
The default is Off.
The link Upload a CA Certificate file for TLS takes you to the
Security certificates page, where you can upload a file containing
the trusted CA certificate for the LDAP server. This is required for
encrypted connections between the VCS and the LDAP server.
See the
section for more information.
User DN
The user distinguished name used by the VCS when binding to
the LDAP server.
Password
The password used by the VCS when binding to the LDAP server.
Base DN
The area of the directory on the LDAP server to search for
credential information. This should be specified as the
Distinguished Name (DN) in the LDAP directory under which the
H.350 objects reside.
Alias origin
This setting determines the aliases with which the endpoint will
attempt to register. The options are:
LDAP: for SIP registrations the AOR presented by the endpoint
is registered provided that it is listed in the LDAP database for the
endpoint's username.
For H.323 registrations:
• At least one of the aliases presented by the endpoint must
be listed in the LDAP database for that endpoint's username.
If none of the presented aliases are listed, the endpoint is not
allowed to register.
• The endpoint will register with all of the aliases (up to
a maximum of 20) listed in the LDAP database. Aliases
presented by the endpoint that are not in the LDAP database
will not be registered.
• If no aliases are listed in the LDAP database, the endpoint will
register with all the aliases it presented.
• If no aliases are presented by the endpoint, it will register with
all the aliases listed in the LDAP database for its username.
MCUs are treated as a special case. They register with the
presented aliases and ignore any aliases in the LDAP database.
(This is to allow MCUs to additively register aliases for
conferences.)
Combined: the aliases presented by the endpoint are used in
addition to any listed in the LDAP database for the endpoint’s
username. In other words, this is the same as for LDAP, except
that if an endpoint presents an alias that is not in the LDAP
database, it will be allowed to register with that alias.
Endpoint: the aliases presented by the endpoint are used; any
in the LDAP database are ignored. If no aliases are presented by
the endpoint, it is not allowed to register.
The default is LDAP.
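The Alias origin rules above (LDAP, Combined and Endpoint, with the H.323 special cases and the 20-alias cap) are easier to check against a concrete registration when written down as a decision function. The following model is an added example, not Cisco code; the function name, its parameters, and the reading that a SIP AOR under Combined is accepted whether or not it is listed are assumptions made here.

```python
MAX_LDAP_ALIASES = 20  # the manual's cap on aliases taken from the LDAP database


def resolve_aliases(mode, protocol, presented, ldap_aliases, is_mcu=False):
    """Return the aliases the registration proceeds with, or None if refused.

    mode:         the Alias origin setting: 'LDAP', 'Combined' or 'Endpoint'
    protocol:     'SIP' (presented holds the single AOR) or 'H.323'
    presented:    aliases offered by the endpoint in its registration request
    ldap_aliases: aliases stored in the H.350 entry for the endpoint's username
    is_mcu:       True for an MCU, which the manual treats as a special case
    Assumes the credential check against the LDAP entry has already passed.
    (Hypothetical helper modelling the manual's rules; not VCS code.)
    """
    if mode not in ("LDAP", "Combined", "Endpoint"):
        raise ValueError("unknown Alias origin setting: %r" % mode)
    presented = list(dict.fromkeys(presented))  # dedupe, keep order
    ldap_aliases = list(dict.fromkeys(ldap_aliases))[:MAX_LDAP_ALIASES]
    in_ldap = set(ldap_aliases)

    if mode == "Endpoint":
        # Directory aliases are ignored; presenting nothing means refusal.
        return presented or None

    if protocol == "SIP":
        # LDAP: the AOR must be listed for this username.
        # Combined: the AOR is accepted even when it is not listed.
        if mode == "LDAP" and not in_ldap.issuperset(presented):
            return None
        return presented

    # H.323 from here on.
    if is_mcu:
        # MCUs register what they present (conference aliases) and ignore LDAP.
        return presented
    if not ldap_aliases:
        return presented           # nothing in the directory: use presented
    if not presented:
        return ldap_aliases        # nothing presented: use the directory list
    if mode == "LDAP":
        # At least one presented alias must be listed; the registration then
        # uses the directory list and drops unlisted presented aliases.
        if not in_ldap.intersection(presented):
            return None
        return ldap_aliases
    # Combined: directory aliases plus any extra aliases the endpoint presented.
    return ldap_aliases + [a for a in presented if a not in in_ldap]
```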
To use the LDAP database for device authentication, you
must also go to the Device authentication configuration
page and select a Database type of LDAP database.