This topic describes the user authentication options in the Cisco TelePresence Video Communication Server (VCS).
Cisco VCS user authentication support:
- Locally defined users
- LDAP users
  - Only Microsoft Active Directory supported
- Used for web access (administration and FindMe)
Cisco VCS supports user authentication either by locally defined users or by using an LDAP server. Only Microsoft Active Directory is supported as the LDAP server.
When no LDAP configuration exists on Cisco VCS, local users are used for administrator (Admin web page) and end user (FindMe) authentication. When an LDAP configuration exists, the local users are ignored and only the LDAP server is responsible for administrator and user authentication. Another option is to use both the local database and the LDAP server to authenticate administrators and users.
When only LDAP authentication is configured, no users are allowed to access the administrator or user pages when there is an LDAP failure. Other logins, including serial and SSH login, continue to use the administrator account that is locally configured on Cisco VCS.
User web login is only applicable when FindMe is used without the Cisco TelePresence Management Suite (TMS).
LDAP Authentication Configuration Example
The figure shows the LDAP Configuration page of Cisco VCS.
To access the LDAP Configuration page of Cisco VCS, choose Users > LDAP Configuration.
In the figure, the Administrator Authentication Source setting is set to Both, which allows Cisco VCS to use locally defined accounts and LDAP accounts for user authentication.
You cannot log in to the administration GUI with a locally configured administrator account (including the default admin account) if the Remote Only authentication setting is configured.
The FQDN Address Resolution setting is set to IP address; therefore, the Server Address field contains the IP address (10.1.5.14). By default, the Port setting is 389 for a nonsecure connection and 636 for a secure connection.
The Authentication Configuration section includes the distinguished name (Bind DN), the username (Bind Username), and the password (Bind Password) of the LDAP account that is used to search the Active Directory.
The LDAP account must have at least read access to the relevant parts of the Microsoft Active Directory.
The Base DN for Accounts parameter specifies the distinguished name of the search base within the Active Directory for user searches. The Base DN for Groups parameter specifies the distinguished name of the search base within the Active Directory for group searches.
If the Base DN for Groups parameter is not configured, the Base DN for Accounts location is used for group searches.
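The following is an added example, not Cisco code: a small Python review of the settings described above that resolves the Port default and the Base DN for Groups fallback and flags the cases where an LDAP failure locks out web logins. The dictionary keys, the "Local Only" value, the DNs, and the behaviour of local accounts under Both during an LDAP failure are assumptions.

```python
# Added example: models the LDAP Configuration settings described on this page.
# Dictionary keys and the "Local Only" value are assumptions, not Cisco VCS names.
DEFAULT_PORTS = {"nonsecure": 389, "secure": 636}  # defaults stated on the page

def effective_settings(cfg):
    """Resolve the Port default and the Base DN for Groups fallback."""
    port = cfg.get("port") or DEFAULT_PORTS[cfg["connection"]]
    groups = cfg.get("base_dn_groups") or cfg["base_dn_accounts"]
    return {"port": port, "base_dn_groups": groups}

def web_login_allowed(source, account, ldap_reachable):
    """True if an account ('local' or 'ldap') can log in to the web pages."""
    if account == "ldap":
        return source in ("Remote Only", "Both") and ldap_reachable
    # Local accounts are ignored under Remote Only; assumed to work under
    # Both even when the LDAP server is down.
    return source in ("Local Only", "Both")

def review(cfg):
    """Return (effective settings, findings) for one configuration."""
    eff, findings = effective_settings(cfg), []
    if cfg["connection"] == "nonsecure":
        findings.append("nonsecure connection: directory traffic is unencrypted")
    if eff["port"] != DEFAULT_PORTS[cfg["connection"]]:
        findings.append(f"port {eff['port']} is not the {cfg['connection']} default")
    if not web_login_allowed(cfg["admin_source"], "local", ldap_reachable=False):
        findings.append("LDAP failure blocks all web logins; only serial/SSH remain")
    if not cfg.get("base_dn_groups"):
        findings.append("group searches fall back to " + eff["base_dn_groups"])
    return eff, findings

# Constructed sample: server address from the page, DNs are placeholders.
SAMPLE = {
    "admin_source": "Both",
    "connection": "nonsecure",
    "server_address": "10.1.5.14",
    "port": None,
    "bind_dn": "CN=vcs-bind,OU=Service,DC=example,DC=com",
    "base_dn_accounts": "OU=Users,DC=example,DC=com",
    "base_dn_groups": None,
}

if __name__ == "__main__":
    eff, findings = review(SAMPLE)
    print(eff)
    for f in findings:
        print("-", f)
```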