Authentication Policy Configuration Options; Zone-Level Authentication Policy - Cisco TelePresence Video Communication Server Administrator's Manual

The VCS can check the credentials supplied within the message against either a local database or a
remote LDAP repository. See Device authentication configuration for more information.

Note: accurate timestamps play an important part in authentication, helping to guard against replay
attacks. For this reason, if you are using device authentication, both the VCS and the endpoints must
use an NTP server to synchronize their system time.
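
The Note above ties authentication to synchronized clocks. The following Python example is added here (it is not from the Cisco manual and is not the VCS's own H.323 or SIP mechanism): it uses a simplified timestamped HMAC credential to show how a freshness window bounds replay, and why an endpoint with a drifting clock is rejected even with valid credentials. The 30-second window, the message layout and all names are assumptions.

```python
import hashlib
import hmac

MAX_SKEW_SECONDS = 30  # assumed acceptance window, not a VCS setting


def sign(secret: bytes, alias: str, timestamp: int) -> str:
    """Endpoint side: MAC over the alias and the sender's own clock reading."""
    msg = f"{alias}|{timestamp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Server side: verify the MAC, then freshness, then replay inside the window."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = set()  # (alias, timestamp, mac) accepted and still fresh

    def check(self, alias: str, timestamp: int, mac: str, now: int) -> str:
        if not hmac.compare_digest(sign(self.secret, alias, timestamp), mac):
            return "bad-credentials"
        # Anything outside the window is refused, so the replay cache only
        # needs to remember messages for MAX_SKEW_SECONDS.
        if abs(now - timestamp) > MAX_SKEW_SECONDS:
            return "stale-timestamp"
        self.seen = {e for e in self.seen if now - e[1] <= MAX_SKEW_SECONDS}
        if (alias, timestamp, mac) in self.seen:
            return "replayed"
        self.seen.add((alias, timestamp, mac))
        return "accepted"


def demo() -> dict:
    secret = b"constructed-shared-secret"  # constructed sample value
    v = Verifier(secret)
    t0 = 1_700_000_000                     # constructed server time
    mac = sign(secret, "endpoint1", t0)
    results = {
        "fresh": v.check("endpoint1", t0, mac, now=t0 + 2),
        "replay_in_window": v.check("endpoint1", t0, mac, now=t0 + 5),
        "replay_later": v.check("endpoint1", t0, mac, now=t0 + 600),
    }
    # Endpoint whose clock runs 5 minutes slow: credentials are valid,
    # but the timestamp falls outside the window, so it is refused.
    slow = t0 + 1000 - 300
    results["skewed_clock"] = v.check(
        "endpoint2", slow, sign(secret, "endpoint2", slow), now=t0 + 1000)
    return results
```

The last case is the operational reason for the NTP requirement: without a common time source, legitimate endpoints fail authentication in the same way a replayed message does.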

Authentication Policy configuration options

The Authentication Policy behavior varies for H.323 messages, SIP messages received from local
domains and SIP messages from non-local domains. The following tables summarize the policy
behavior when applied at the zone and subzone level, and how it varies depending on the message
protocol.

Zone-level Authentication Policy

The VCS's Authentication Policy at the zone level controls how the VCS authenticates incoming
messages from that zone. Note that the Authentication Policy is configurable for the Default Zone but
does not apply to DNS and ENUM zones.
To configure a zone's Authentication policy, go to the Edit zone page (VCS configuration >
Zones, then click View/Edit or the name of the zone). The policy is set to Do not check credentials by
default.
The behavior varies for H.323 and SIP messages as shown in the tables below:
H.323

| Authentication policy | Behavior |
| --- | --- |
| Check credentials | Messages are classified as either authenticated or unauthenticated depending on whether any credentials in the message can be verified against the authentication database. If no credentials are supplied, the message is always classified as unauthenticated. |
| Do not check credentials | Message credentials are not checked and all messages are classified as unauthenticated. |
| Treat as authenticated | Message credentials are not checked and all messages are classified as authenticated. |

SIP
The behavior for SIP messages at the zone level depends upon the SIP authentication trust mode
setting (meaning whether the VCS trusts any pre-existing authenticated indicators - known as
P-Asserted-Identity headers - within the received message) and whether the message was received
from a local domain (a domain for which the VCS is authoritative) or a non-local domain.
Cisco VCS Administrator Guide (X6.1)