Cisco Cisco TelePresence Video Communication Server Expressway 관리 매뉴얼
Device authentication
SIP
The behavior for SIP messages depends upon whether the message was received from a local
domain (a domain for which the VCS is authoritative) or a non-local domain.
domain (a domain for which the VCS is authoritative) or a non-local domain.
Authentication
policy
policy
In local domain
Outside local domain
Check
credentials
credentials
Messages are challenged for
authentication and those that
pass are classified as
authenticated.
authentication and those that
pass are classified as
authenticated.
Messages (including
registration requests) that fail
authentication are rejected.
registration requests) that fail
authentication are rejected.
SIP messages received from non-local
domains are all treated in the same manner,
regardless of the subzone's Authentication
policy setting:
domains are all treated in the same manner,
regardless of the subzone's Authentication
policy setting:
Messages are not challenged for
authentication.
authentication.
All messages are classified as
unauthenticated.
unauthenticated.
Do not check
credentials
credentials
Messages are not challenged
for authentication.
for authentication.
All messages are classified as
unauthenticated.
unauthenticated.
Treat as
authenticated
authenticated
Messages are not challenged
for authentication.
for authentication.
All messages are classified as
authenticated.
authenticated.
SIP authentication trust
If a VCS is configured to use
it will authenticate incoming SIP registration and
INVITE requests. If the VCS then forwards the request on to a neighbor zone such as another VCS,
that receiving system will also authenticate the request. In this scenario the message has to be
authenticated at every hop.
that receiving system will also authenticate the request. In this scenario the message has to be
authenticated at every hop.
To simplify this so that a device’s credentials only have to be authenticated once (at the first hop), and
to reduce the number of SIP messages in your network, you can configure neighbor zones to use the
Authentication trust mode setting.
to reduce the number of SIP messages in your network, you can configure neighbor zones to use the
Authentication trust mode setting.
This is then used in conjunction with the zone's Authentication Policy to control whether pre-
authenticated SIP messages received from that zone are trusted and are subsequently treated as
authenticated or unauthenticated within the VCS. Pre-authenticated SIP requests are identified by the
presence of a P-Asserted-Identity field in the SIP message header as defined by RFC 3325 [
authenticated SIP messages received from that zone are trusted and are subsequently treated as
authenticated or unauthenticated within the VCS. Pre-authenticated SIP requests are identified by the
presence of a P-Asserted-Identity field in the SIP message header as defined by RFC 3325 [
The Authentication trust mode settings are:
n
On: pre-authenticated messages are trusted without further challenge and subsequently treated as
authenticated within the VCS. Unauthenticated messages are challenged if the Authentication
Policy is set to Check credentials.
authenticated within the VCS. Unauthenticated messages are challenged if the Authentication
Policy is set to Check credentials.
n
Off: any existing authenticated indicators (the P-Asserted-Identity header) are removed from the
message. Messages from a local domain are challenged if the Authentication Policy is set to
Check credentials.
message. Messages from a local domain are challenged if the Authentication Policy is set to
Check credentials.
Note: you are recommended to enable authentication trust only if the neighbor zone is part of a
network of trusted SIP servers.
network of trusted SIP servers.
Cisco VCS Administrator Guide (X6.1)
Page 74 of 401