Authentication Using The Local Database - Cisco TelePresence Administrator's Manual

Video communication server

Note that accurate timestamps play an important part in authentication of H.323 devices, helping to guard
against replay attacks. For this reason, if you are using device authentication with H.323 devices, both the
VCS and the endpoints must use an NTP server to synchronize their system time.
Authentication mechanism
The authentication process uses a username and password-based challenge-response scheme to check a
device's credentials.
The actual mechanism used by the device to supply its credentials to the VCS depends on the protocol being
used:
- H.323: any necessary credentials are contained within the incoming request. (The VCS supports the ITU
  H.235 specification for authenticating the identity of H.323 network devices with which it communicates.)
- SIP: credentials are not contained within the initial request. Instead the VCS sends a challenge back to the
  sender that asks for its credentials. However, if a SIP message has already been authenticated (for
  example by another VCS on a previous hop), that system may insert information into the SIP message to
  show that it has been authenticated. You can control whether the VCS chooses to trust any authentication
  carried out at an earlier stage by configuring a zone's SIP authentication trust setting.
Note that if the VCS is acting as a traversal server, you must ensure that each traversal client's
authentication credentials are entered into the selected database.
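Added example, not taken from the Cisco manual or the VCS software: the SIP challenge and response described above, assuming the standard SIP digest scheme (RFC 3261 with RFC 2617 digest, no qop). The realm, the stored credential, the Registrar class and its single-use nonce policy are assumptions made for illustration.

```python
# Added example: SIP digest challenge-response (RFC 3261 / RFC 2617, no qop)
# verified against a name/password store. All values are constructed.
import hashlib
import hmac
import secrets

REALM = "vcs.example.com"                       # constructed realm
LOCAL_DB = {"endpoint1": "s3cret-passphrase"}   # constructed name -> password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(name, password, realm, nonce, method, uri):
    """What the device computes; the password itself never goes on the wire."""
    ha1 = _md5(f"{name}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class Registrar:
    """Hypothetical server side: issue a challenge, then verify the retry."""

    def __init__(self, db, realm):
        self.db, self.realm = db, realm
        self.outstanding = set()                # nonces issued and not yet used

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return {"realm": self.realm, "nonce": nonce}

    def verify(self, name, nonce, method, uri, response):
        # Assumed policy: a nonce is accepted once, so a captured request
        # that is replayed later fails even though its digest is valid.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        password = self.db.get(name)
        if password is None:
            return False
        expected = digest_response(name, password, self.realm, nonce, method, uri)
        return hmac.compare_digest(expected, response)
```
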
Endpoint credentials used for authentication
An endpoint must supply the VCS with a username and password if it is required to authenticate with the
VCS, for example when attempting to register and the relevant subzone's Authentication policy is set to
Check credentials.
For Cisco endpoints using H.323, the username is typically the endpoint's Authentication ID; for Cisco
endpoints using SIP it is typically the endpoint's Authentication username.
See the relevant endpoint manual for details about how to configure the endpoint's credentials.

Authentication using the local database

The local authentication database is included as part of your VCS system and does not require any specific
connectivity configuration. It is used to store user account authentication credentials. Each set of credentials
consists of a name and password.
The credentials in the local database can be used for device (SIP and H.323), traversal client and TURN
client authentication.
Adding credentials to the local database
The local database credentials are configured on the Local authentication database page. To enter a set of
device credentials:
1. Go to VCS configuration > Authentication > Devices > Local database and click New.
2. Enter the Name and Password that represent the device's credentials.
3. Click Create credential.
Cisco VCS Administrator Guide (X7.2)
Page 112 of 498
