Authentication Mechanism - Cisco TelePresence Administrator's Manual

Video communication server

The design of your system must be considered when using device authentication in video networks which
have a hierarchical dial plan with a directory VCS. Authentication problems can occur if:
- any VCS in the network uses a different authentication database from any other VCS in the network, and
- credential checking is enabled on the Default Zone of each node VCS (as is needed, for example, when
  using TMS Provisioning Extension mode), and
- the directory VCS or any other VCS in a signaling path can optimize itself out of the call routing path

In such deployments, each VCS must be configured with a neighbor zone between itself and every other
VCS in the network. Each zone must be configured with an Authentication policy of Do not check
credentials. (No search rules are required for these neighbor zones.)

This is required because, otherwise, some messages such as SIP RE-INVITES, which are sent directly
between VCSs (due to optimal call routing), will be categorized as coming from the Default Zone. The VCS
will then attempt to authenticate the message and this may fail as it may not have the necessary credentials
in its authentication database. This means that the message will be rejected and the call may be dropped.
However, if the node VCSs have a neighbor zone relationship then the message will be identified as coming
through that neighbor zone, the VCS will not perform any credential checking and the message will be
accepted.

Authentication mechanism

The authentication process uses a username and password-based challenge-response scheme to check a
device's credentials.

The actual mechanism used by the device to supply its credentials to the VCS depends on the protocol being
used:
- H.323: any necessary credentials are contained within the incoming request.
- SIP: credentials are not contained within the initial request. Instead the VCS sends a challenge back to the
  sender that asks for its credentials. However, if a SIP message has already been authenticated (for
  example by another VCS on a previous hop), that system may insert information into the SIP message to
  show that it has been authenticated. You can control whether the VCS chooses to trust any authentication
  carried out at an earlier stage by configuring a zone's SIP authentication trust setting.

The VCS can check the credentials supplied within the message against either:
- an on-box local database of usernames and passwords
- real time access via LDAP to an external database which has an H.350 schema
- real time access to an Active Directory Service

Cisco VCS Administrator Guide (X7.1), Device authentication
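
The SIP challenge-response exchange described above, as an added example that is not taken from the Cisco guide or from VCS itself. It assumes the standard SIP Digest scheme (RFC 3261 / RFC 2617, MD5, no qop); the username, password, realm and all function names are constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Constructed stand-in for the on-box local database (username -> password).
LOCAL_DB = {"endpoint1": "s3cret-example"}
REALM = "vcs.example.com"  # constructed realm, an assumption

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def parse_params(header):
    """Split 'Digest k="v", k2=v2' into a dict."""
    return dict(re.findall(r'(\w+)="?([^",]+)"?', header.partition(" ")[2]))

def make_challenge(issued):
    """Server side: value for the WWW-Authenticate header of a 401."""
    nonce = secrets.token_hex(16)
    issued.add(nonce)  # remember nonces we handed out
    return f'Digest realm="{REALM}", nonce="{nonce}", algorithm=MD5'

def build_authorization(challenge, user, password, method, uri):
    """Device side: answer the challenge; the password never goes on the wire."""
    p = parse_params(challenge)
    resp = digest_response(user, p["realm"], password, method, uri, p["nonce"])
    return (f'Digest username="{user}", realm="{p["realm"]}", '
            f'nonce="{p["nonce"]}", uri="{uri}", response="{resp}", algorithm=MD5')

def verify(authorization, method, issued):
    """Server side: recompute the response from the stored password."""
    p = parse_params(authorization)
    password = LOCAL_DB.get(p.get("username", ""))
    nonce = p.get("nonce", "")
    if password is None or nonce not in issued or p.get("realm") != REALM:
        return False
    issued.discard(nonce)  # one use per nonce, so a captured reply cannot be replayed
    expected = digest_response(p["username"], REALM, password, method,
                               p.get("uri", ""), nonce)
    return hmac.compare_digest(expected, p.get("response", ""))
```

A server that does not hold the device's password (the different-authentication-database case described earlier) cannot compute `expected`, which is why a challenged message fails there.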
