Cisco TelePresence Administrator's Manual page 103

Authentication Trust
policy
On
Subzone-level authentication policy
Authentication policy is configurable for the Default Subzone and any other configured subzone.
To configure a subzone's Authentication policy, go to the
Local Zone > Subzones, then click View/Edit or the name of the subzone). The policy is set to Do not
check credentials by default when a new subzone is created.
The behavior varies for H.323 and SIP messages as shown in the tables below:
H.323
Authentication Behavior
policy
Check Messages are classified as either authenticated or unauthenticated depending on whether any
credentials credentials in the message can be verified against the authentication database. Messages that
pass authentication are classified as authenticated.
If no credentials are supplied, the message is always classified as unauthenticated.
Note that unauthenticated registration requests are rejected.
Do not check Message credentials are not checked and all messages are classified as unauthenticated.
credentials
Treat as Message credentials are not checked and all messages are classified as authenticated.
authenticated
SIP
The behavior for SIP messages depends upon whether the message was received from a local domain (a
domain for which the VCS is authoritative) or a non-local domain.
Cisco VCS Administrator Guide (X7.2)
In local domain
Messages are not challenged for
authentication.
All messages are classified as
authenticated.
Messages with an existing P-Asserted-
Identity header are passed on
unchanged. Messages without an
existing P-Asserted-Identity header
have one inserted.
Outside local domain
Messages are not challenged for
authentication.
Messages with an existing P-Asserted-
Identity header are classified as
authenticated, and the header is passed
on unchanged.
Messages without an existing P-
Asserted-Identity header are classified as
unauthenticated.
Edit subzone page (VCS configuration >
Device authentication
Page 103 of 498