12.4 Endpoint Authentication

This topic describes the endpoint authentication options for the Cisco TelePresence Video Communication Server (VCS).

  • Controls which endpoints are allowed to register
  • Endpoint authentication is based on usernames and passwords
  • Endpoint authentication options:
    1. Local database
    2. External authentication
  • Registration permission is based on registration restriction policy:
    1. Allow list: Unlisted endpoints are denied
    2. Deny list: Unlisted endpoints are allowed

Cisco VCS can control which H.323 or SIP endpoints are allowed or not allowed to register by using a registration policy (allow list or deny list). Cisco VCS can also require endpoints to authenticate by username and password.

Cisco VCS first checks the credentials that the endpoint presents against its local database of usernames and passwords. If the system uses device provisioning by Cisco TelePresence Management Suite (TMS), this local database check also covers the credentials that Cisco TMS supplies.

If the username is not found in the local database, Cisco VCS may check the credentials over a real-time LDAP connection to an external H.350 directory service. The directory service, if configured, must use the H.350 directory schema on either a Microsoft Active Directory LDAP server or an OpenLDAP server.

Along with one of these methods, for devices that support NTLM challenges (for example, Cisco Jabber Video for TelePresence software clients), Cisco VCS can alternatively check credentials directly against an Active Directory server over a Kerberos connection.

Cisco VCS Authentication Methods

This section describes the Cisco VCS authentication methods.

  • Local database
  • H.350 LDAP access to Active Directory or OpenLDAP database
  • Kerberos (NTLM) access to Active Directory

When device authentication is enabled on Cisco VCS, any endpoint that attempts to communicate with Cisco VCS is challenged to present its credentials (typically based on a username and password). Cisco VCS will then verify those credentials, according to its authentication policy, and accept or reject the message accordingly.

Cisco VCS supports the following authentication methods:

  • Local database: The local database can be used for SIP and H.323 device authentication. Usernames and passwords are stored in the local database.
  • H.350 directory service lookup via LDAP: This method can be used for authenticating any SIP or H.323 endpoint. For H.350 authentication, the H.350 schema must be downloaded from Cisco VCS and installed on the LDAP server. Microsoft Active Directory and OpenLDAP are supported.
  • Active Directory database: This method can be used for devices that support NTLM (for example, Cisco Jabber Video for TelePresence). The credentials are authenticated via direct access to an Active Directory server that uses a Kerberos connection. Active Directory database authentication can be enabled at the same time as either the local database or H.350 directory service authentication, because NTLM authentication is supported by certain endpoints only.
Note

When an endpoint that supports NTLM responds to the NTLM challenge, then Cisco VCS will use NTLM in preference to the other authentication methods.

Registration Restriction Policy

This section describes how to use the Restriction Policy setting to allow or deny endpoint registrations.

The Restriction Policy setting controls which endpoints are allowed or denied to register to Cisco VCS. It is configured on the following pages:

  • Configuration > Registration Configuration
  • Configuration > Registration Allow List
  • Configuration > Registration Deny List

The Restriction Policy setting can be configured with one of the following options:

  • Allow List: This option requires you to configure one or more allow lists. Endpoints that match an entry in one of the allow lists are allowed to register with Cisco VCS. Endpoints that do not match any entry are not allowed to register with Cisco VCS.
  • Deny List: This option requires you to configure one or more deny lists. Endpoints that match an entry in one of the deny lists are not allowed to register with Cisco VCS. Endpoints that do not match any entry are allowed to register with Cisco VCS.
  • Policy Service: This option can be used when an external policy server should be used to allow or deny endpoint registrations.

Allow or deny lists can contain patterns that use the Exact, Prefix, Suffix, and Regex pattern types.
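To make the two list semantics and the four pattern types concrete, the following Python model of the Restriction Policy decision is an added example written for this page; it is not Cisco's implementation. It assumes that list entries are matched against the aliases an endpoint presents when it registers, that a Regex entry must match the whole alias, and that an endpoint counts as listed if any of its aliases matches any entry in any list. The aliases and list contents are constructed, and the Policy Service option (external policy server) is not modelled.

```python
"""Model of the Cisco VCS Restriction Policy decision (Allow List / Deny List)
with the Exact, Prefix, Suffix and Regex pattern types.

Added illustration for this page, not Cisco code.  Assumptions: entries are
matched against the registering endpoint's aliases; Regex entries must match
the whole alias; an endpoint is "listed" if any alias matches any entry.
"""
import re
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Pattern:
    """One entry in an allow list or deny list."""
    kind: str    # "Exact", "Prefix", "Suffix" or "Regex"
    value: str

    def matches(self, alias: str) -> bool:
        if self.kind == "Exact":
            return alias == self.value
        if self.kind == "Prefix":
            return alias.startswith(self.value)
        if self.kind == "Suffix":
            # Plain string suffix: "example.com" (no '@') also matches
            # "bob@notexample.com"; include the '@' to pin the domain.
            return alias.endswith(self.value)
        if self.kind == "Regex":
            # Assumption: a Regex entry must match the whole alias.  re.search()
            # would let r"room[0-9]{3}" accept "room1011" or "xroom101".
            return re.fullmatch(self.value, alias) is not None
        raise ValueError(f"unknown pattern type: {self.kind!r}")


def any_match(lists: Sequence[Sequence[Pattern]], aliases: Sequence[str]) -> bool:
    """True if any alias the endpoint registers matches any entry in any list."""
    return any(p.matches(a) for lst in lists for p in lst for a in aliases)


def registration_allowed(policy: str, lists: Sequence[Sequence[Pattern]],
                         aliases: Sequence[str]) -> bool:
    """Apply the Restriction Policy to one registration request.

    policy is "Allow List" or "Deny List".  The "Policy Service" option
    (external policy server) is not modelled here.
    """
    matched = any_match(lists, aliases)
    if policy == "Allow List":
        return matched          # unlisted endpoints are denied
    if policy == "Deny List":
        return not matched      # unlisted endpoints are allowed
    raise ValueError(f"unsupported policy: {policy!r}")


# Constructed sample lists (hypothetical aliases, not from the original page).
ALLOW_LISTS = [
    [Pattern("Suffix", "@example.com"), Pattern("Exact", "lobby.kiosk")],
    [Pattern("Regex", r"room[0-9]{3}")],
]
DENY_LISTS = [
    [Pattern("Prefix", "guest"), Pattern("Regex", r".*@partner\.test")],
]

# Constructed sample registrations: (description, aliases the endpoint presents).
SAMPLE_REGISTRATIONS = [
    ("corporate user", ["alice@example.com"]),
    ("kiosk", ["lobby.kiosk"]),
    ("meeting room", ["room101"]),
    ("room alias padded", ["room1011"]),            # Regex must match whole alias
    ("lookalike domain", ["bob@notexample.com"]),   # Suffix has the '@', so no match
    ("partner contractor", ["eve@partner.test"]),
    ("unknown endpoint", ["mallory@attacker.test"]),
    ("guest device", ["guest42"]),
    ("two aliases, one listed", ["stray", "alice@example.com"]),
]


def evaluate(policy: str, lists: Sequence[Sequence[Pattern]]) -> dict:
    """Return {description: allowed} for every sample registration."""
    return {desc: registration_allowed(policy, lists, aliases)
            for desc, aliases in SAMPLE_REGISTRATIONS}


if __name__ == "__main__":
    for policy, lists in (("Allow List", ALLOW_LISTS), ("Deny List", DENY_LISTS)):
        print(f"--- {policy} ---")
        for desc, allowed in evaluate(policy, lists).items():
            print(f"{desc:26s} {'ALLOW' if allowed else 'DENY'}")
```

Two details in the model are the ones worth checking on a real deployment: a Suffix entry written without the `@` (for example `example.com`) also admits look-alike domains such as `bob@notexample.com`, and a Regex entry that is not anchored to the whole alias can be satisfied by an alias that merely contains the intended string.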

Note

Cisco VCS supports the configuration of only one Restriction Policy at a time.