Device Authentication - Cisco TelePresence Administrator's Manual

Telepresence video communication server
Registration control
The Device authentication configuration page controls whether systems attempting to
communicate with the VCS must authenticate with it first, and if so, the type of database used by
the VCS to store the authentication credentials used by these systems.
To go to the Device authentication configuration page:
VCS configuration > Authentication > Devices > Configuration
To configure authentication using the CLI:
xConfiguration Authentication
Authentication mode
The VCS can be configured to use a username and password-based challenge-response scheme
to determine whether it will permit communications from other systems. This process is known as
authentication, and is controlled using the Authentication mode setting.
The options are:
On: systems attempting to communicate with the VCS, including endpoints attempting to send
registration requests to the VCS, must first authenticate with it.
For H.323, any credentials in the message are checked against the authentication database. The
message is allowed if the credentials match, or if there are no credentials in the message. For SIP,
any messages originating from an endpoint in a local domain will be authenticated.
Off: incoming messages are not authenticated.
The default is Off.
Accurate timestamps play an important part in authentication, helping to guard against
replay attacks. For this reason, if you are using authentication, both the VCS and the
endpoints must use an NTP server to synchronize their system time. See the NTP server
section for information on how to configure this for the VCS.
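The role of timestamps described above, as an added example that is not taken from the manual and is not the VCS's implementation or the H.235 message format. It is a simplified timestamped credential check; the 30-second window, the token construction and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac

MAX_SKEW_SECONDS = 30  # assumed tolerance; the manual does not give the VCS's value
CREDENTIALS = {"endpoint-a": "s3cret-sample"}  # constructed sample database


def make_token(username, password, timestamp):
    """Endpoint side: bind the password to one specific timestamp."""
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, f"{username}|{timestamp}".encode(), hashlib.sha256).hexdigest()


class Verifier:
    """Server side: check credentials, then timestamp freshness, then reuse."""

    def __init__(self, credentials, max_skew=MAX_SKEW_SECONDS):
        self.credentials = credentials
        self.max_skew = max_skew
        self.seen = set()  # (username, timestamp) pairs already accepted

    def check(self, username, timestamp, token, now):
        password = self.credentials.get(username)
        if password is None:
            return "reject: unknown username"
        if not hmac.compare_digest(make_token(username, password, timestamp), token):
            return "reject: bad credentials"
        # A captured message replayed later and a message from an endpoint with
        # a drifted clock look the same here: both fall outside the window.
        if abs(now - timestamp) > self.max_skew:
            return "reject: stale timestamp"
        if (username, timestamp) in self.seen:
            return "reject: replayed message"
        self.seen.add((username, timestamp))
        return "accept"


def demo():
    v = Verifier(CREDENTIALS)
    t0 = 1_290_000_000  # constructed server time, epoch seconds
    tok = make_token("endpoint-a", "s3cret-sample", t0)
    slow = make_token("endpoint-a", "s3cret-sample", t0 - 300)
    return [
        v.check("endpoint-a", t0, tok, now=t0 + 2),       # fresh message
        v.check("endpoint-a", t0, tok, now=t0 + 3),       # replay inside the window
        v.check("endpoint-a", t0, tok, now=t0 + 600),     # replay ten minutes later
        v.check("endpoint-a", t0 - 300, slow, now=t0),    # endpoint clock 5 min slow
    ]
```

The last case shows the operational side of the NTP requirement: an endpoint with correct credentials but an unsynchronized clock fails authentication in the same way a replayed message does.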
D14049.08
November 2010

Device authentication

Authentication database
When Authentication mode is On, endpoints must authenticate with the VCS before they can
register. In order to authenticate successfully, the endpoint must supply the VCS with a username.
For Cisco endpoints using H.323, the username is the endpoint's Authentication ID; for Cisco
endpoints using SIP it is the endpoint's Authentication username.
For details of how to configure endpoints with a username and password, please consult
the endpoint manual.
To verify the identity of the device, the VCS needs access to a database on which all authentication
credential information (usernames, passwords, and other relevant information) is stored. This
database may be located either locally on the VCS, or on an LDAP Directory Server. The VCS looks
up the endpoint's username in the database and retrieves the authentication credentials for
that entry. If the credentials match those supplied by the endpoint, the registration is allowed to
proceed.
The Database type setting determines which database the VCS will use during authentication:
Local database: the local authentication database is used. You must configure the local
authentication database to use this option.
LDAP database: a remote LDAP database is used. You must configure the LDAP server to use this
option.
The default is LocalDatabase.
If the VCS is a traversal server, you must ensure that each traversal client's authentication
credentials are entered into the selected database.
The VCS supports the ITU H.235 specification [1] for authenticating the identity of H.323
network devices with which it communicates.


This manual is also suitable for:

Telepresence x5.1
