Multi login MOVI ???

Unanswered Question
Sep 18th, 2011

Hi all especially TAC person,

Can MOVI not prevent multi-login? I ask because a MOVI user can log in with the same user account at the same time; in my company, one user account can even be used by 5 persons.

I developed MOVI following the document guide, consisting of one TMS, one VCS Control, and one VCS Expressway.

Is there any solution to stop this?

Regards,

Ahmad

a.khurshid Mon, 09/19/2011 - 05:55

I am also interested in seeing the official Cisco response to this. Although I would not say it is a problem within our environment, it would be good information to know.

paulywood63 Mon, 09/19/2011 - 09:17

I would also love to hear an answer on this. I am asked for every Movi install how to control this. I assume direct Registration control can work. I assume using AD lookups for accounts can somehow be engaged? maybe not?...although it is common to be able to login to multiple machines with one credential in a domain, so....

a.khurshid Tue, 09/20/2011 - 09:01

I guess that's what I am interested in seeing: if there is a way to prevent duplicate SIP aliases.

Martin Koch Tue, 09/20/2011 - 14:27

I do not agree that it is a requirement.

First of all, if you have multiple systems with one account (I would anyhow prefer one account per registration, but that's a personal preference), you could use something like: {username}.{device.model}@domain as the device uri. Then you have a proper mapping, one registration per device.

You can combine that nicely with findme.

In addition there is a risk that you have the same alias on different vcs's (like on the expressway and the control), which (depending on your search rules), can cause different

There is the possibility to do some magic with server based cpls, but this depends on a backend server and development, which is way too much for most deployments.

I lack both, limit the provisioning and better/easy control / limit of the sip registrations.

paulywood63 Tue, 09/20/2011 - 22:05

I think it all falls back on the SIP protocol allowing this function….good motivator for FindMe feature…..which makes sense…

Paul E. Thomas, BSEE

Director of Zpro Installations & Advanced Services

Cell: 267-885-8622 | Fax: 215-348-7790 | Video: paul@kbz.com

Need Zcare Tech Support?

US Tel, 8-8 EST: 215-348-9481 x 206 (after hours, select option 3)

US Toll Free: 1-888-4-ZCARE-4 (1-888-492-2734) | International: 1-215-348-9481

Video Test #: IP zcare@kbz.com | Email: zcare@kbz.com

This e-mail transmission (and attachments, if any) contains information exclusively for the intended recipient(s). If you are not an intended recipient you are hereby notified that any forwarding, disclosure, copying, distribution, unauthorized interception of this transmission, or actions based upon the content of this e-mail are prohibited and may be unlawful. If you have received this e-mail transmission in error, promptly notify the sender and destroy all copies. KBZ Communications, Inc. reserves the right to retain, monitor, and intercept emails to and from our system. © 2010 KBZ Communications, Inc., ESD_V1.1

Martin Koch Wed, 09/21/2011 - 02:17

This is not a limitation of the protocol, it's dependent on how the sip registrar handles it.

On a registration the location will be saved at the sip registrar, it is up to him to decide how many simultaneous locations for the same URI he supports. I have a registrar running which is limited to one.

btw, Paul. you have plenty of spam below your message.

justinferello Wed, 09/21/2011 - 05:52

Martin,

Your statement does not make any sense.  I was strictly talking about logins, not registrations.  The OP's question was about how to limit a user from logging in multiple times.  The Device URI has nothing to do with the username/password that you provide the user to log into the VCS via the Provisioning system.

Also, using that Device URI pattern does not stop duplicate SIP entries either. If I log into MOVI on (2) separate computers using the same credentials I will still have (2) 'user.movi@example.com' entries on the VCS, since the 'Device Model' is MOVI in both logins.

Thanks,

Justin

justinferello Tue, 09/20/2011 - 07:49

All,

There is a reason for the multiple logins.  Remember that MOVI is one piece to a growing puzzle called 'Provisioning'.  It is possible for an individual to have multiple endpoints that they need provisioned. 

For example; I have an E60 in the office, an E20 at home and MOVI when I am on the road.  I need all my endpoints to be online at the same time.  My company does not allow direct registrations. 

In this example my company would provide me with (1) username & password that would allow me to log into MOVI and provision my EX60 & E20 without needing to know any other technical information.

In summary, they must allow multiple logins for the Provisioning system to function properly.  However I am not sure why they allow duplicate SIP aliases.

Thanks,

Justin

Oleksandr Yurchenko Wed, 09/21/2011 - 02:49

Hi kabiru

You can prevent Movi multilogin.

Don’t use Device URI Pattern.

In this case, you will need to manually write the Device URI, for each new device for Movi.

In this usage, you can control a one device with movi = a one login movi.

It is not convenient, it's not good, this is not applicable for large installation - but it works

Br. Oleksandr

Martin Koch Wed, 09/21/2011 - 02:58

Interesting thought, though I would be a bit afraid that the empty device uri has some other strange side symptoms.

I would also guess that the provisioning itself would even succeed, but it just gets an empty aor back, ...

It also does not prevent somebody using a 3rd party sip client to register with his movi uri.

justinferello Wed, 09/21/2011 - 05:46

Martin,

You are correct, having an empty device URI string would not work properly.

Thanks,

Justin

Oleksandr Yurchenko Wed, 09/21/2011 - 11:02

You always can test :-)

If you use a blank Device URI Pattern, the Movi user cannot log in. You received:

"Due to registration failure. If the problem persists contact IT support."

You must manually write the Device URI for each device for a successful login.

br.Oleksandr

kabiru_acer Tue, 01/03/2012 - 01:38

Hi Oleksandr,

Thanks for your help. Maybe if we talk about this in the lab it can be approved, but unfortunately we are working in the real world, where MOVI is always used for medium-to-large deployments with many users. Are there any solutions besides manually writing the Device URI? You can imagine how big the effort is if we use your solution.

thanks

Regards,

Ahmad Kabiru

Oleksandr Yurchenko Tue, 01/03/2012 - 02:31

Hi Ahmad

I agree with you about the big effort for this solution.

I agree it's not a good decision.

But I don't know another way to prevent multiple login.

br. oleksandr

twoods@vsgi.com Fri, 06/22/2012 - 00:24

While I understand the reasoning behind a single user's authentication allowing multiple logins (for example a Movi/Jabber, an EX90 and an E20), each device will get its own unique URI alias (for example: username.movi@domain, username.ex90@domain, username.e20@domain). However there should be a way to deny the same URI alias from registering. With H323, you have the ability to reject anyone trying to register with an alias that is already actively registered. But with Movi, you could have 3 people on a campus, they all use the same user/password to login into Movi/Jabber, and VCS Control allows all 3 duplicate URI aliases to be actively registered together. That is counter intuitive in my opinion. Do any of the new versions have this limiting ability? Has anyone found a workaround for this?

br. oleksandr, you mentioned using no Device URI template, then creating a specific URI alias for each user. I am missing something from your post. Device URIs are assigned to a directory, not to a user (or am I incorrect about that?). Are you saying each individual user needs to be in their own directory?

Jens Didriksen Fri, 06/22/2012 - 00:55

"But with Movi, you could have 3 people on a campus, they all use the same user/password to login into Movi/Jabber"

I find the above rather intriguing - if you have 3 people using same user/password to log into Movi/Jabber, then I suggest you might have bigger problems than just having duplicate or triplicate, URI aliases.

We do direct authentication to AD, which means if a user gives another person their username and password for Movi, then they have in effect given them access to not only their workstation, but also to their e-mail account, payroll details etc etc. I guess someone might be stupid enough to do that, but it certainly hasn't been an issue as yet.

Yes, individual users can have more than one log-in active at the same time, I do this all the time myself; one on my Dell lap-top and one on my Macbook Pro, and so do others, but we have yet to encounter a problem with this.

/jens

twoods@vsgi.com Fri, 06/22/2012 - 01:29

Thanks for the response Jens. Fyi, there has been no problem (or eventually no problem) with the 40 or so Movi installations/setups I have done. What I can tell you from the field is not all customers want the same thing. Some want X and some want Y. Some don't even want to sync with their AD. Many installations/deployments have some uniqueness to them. For customer Z, they may want to have one temporary account used for non employees. They want that one account allowing only one login at a time (the current setup has a different need for a single signon only). That is why it would be nice to have the ability to configure no duplicate URI alias logins. As stated before, on the VCS, H323 has the ability to reject a duplicate alias. It would be nice if SIP had that configuration field too. Now really, is that asking for a wildly outlandish feature???

Br. Oleksandr, thanks for the reminder! I've only done a couple using the TMSPE and forgot that it is a requirement. As a matter of fact my first install with TMSPE got me on that very point (must have the Device and User template). Thanks for pointing that out. Unless you or someone have a different suggestion, I am officially giving up on having a single sign on account.

awinter2 Fri, 06/22/2012 - 02:22

Timothy,

although you can't directly configure the VCS to reject SIP registrations for AOR's which are already registered, it would probably be possible to implement the behavior you are looking for via an external Policy Server.

Assuming that all of your VCS's are set up to use this Policy Server, you could implement some logic on the Policy Server to keep track of where and when a provisioning user has registered on SIP (Or any SIP device for that matter).

Since you can apply policy services for registration requests, you could implement functionality on the Policy Server to reject a SIP registration if the user/AOR in question is already registered somewhere else. You would probably also need to implement a function which purges the registration information on the Policy Server if the registration hasn't been refreshed in a certain period of time.

I'm not saying it's a straightforward/5-minute task to implement this, but external Policy Services do open up a wide range of new possibilities in terms of off-box logic to control the way your video environment works.

The Policy Service deployment guide is available in the 'Configuration guides' section of the VCS support page on cisco.com.

Regards

Andreas
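The tracking logic described in the post above, as an added example that is not part of the thread and not Cisco's code: it allows one active location per AOR, accepts refreshes from the current holder, rejects a second location, and purges entries that have not been refreshed. The HTTP handling and the response format the VCS expects from a Policy Server are left out; the class name, the `proceed`/`reject` strings, the TTL, the contact identifier, and case-insensitive alias matching are assumptions.

```python
import time

class RegistrationTracker:
    """Allows one active contact per AOR; entries expire unless refreshed."""

    def __init__(self, ttl_seconds=120, clock=time.monotonic):
        self.ttl = ttl_seconds          # assumed refresh window, tune to your registration expiry
        self.clock = clock
        self._active = {}               # normalized AOR -> (contact, last_seen)

    @staticmethod
    def _norm(aor):
        # Assumption: aliases are compared case-insensitively.
        return aor.strip().lower()

    def _purge(self):
        now = self.clock()
        for aor in [a for a, (_, seen) in self._active.items() if now - seen > self.ttl]:
            del self._active[aor]

    def decide(self, aor, contact):
        """Return 'proceed' or 'reject' for one registration request."""
        key = self._norm(aor)
        self._purge()
        holder = self._active.get(key)
        if holder is not None and holder[0] != contact:
            return "reject"             # same AOR already held from another location
        self._active[key] = (contact, self.clock())   # new registration or refresh
        return "proceed"

    def release(self, aor, contact):
        """Drop the entry on explicit unregister; only the holder may release it."""
        key = self._norm(aor)
        if self._active.get(key, (None,))[0] == contact:
            del self._active[key]
            return True
        return False

def demo():
    """Constructed sequence of requests, driven by a fake clock."""
    now = [0.0]
    t = RegistrationTracker(ttl_seconds=60, clock=lambda: now[0])
    aor = "user.movi@example.com"
    results = [t.decide(aor, "192.0.2.10"), t.decide(aor.upper(), "192.0.2.20")]
    now[0] = 30.0
    results.append(t.decide(aor, "192.0.2.10"))   # refresh from the holder
    now[0] = 100.0                                # 70 s without refresh: entry is stale
    results.append(t.decide(aor, "192.0.2.20"))
    return results
```

With several VCSs pointing at the same Policy Server, the state would have to live in one shared store, and a client that crashes keeps the alias locked until the TTL runs out.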

twoods@vsgi.com Fri, 06/22/2012 - 02:35

Thanks Andreas!! I had read a brief something on that very solution and appreciate VERY much the additional information (including the mention of the configuration guide).

Yeah it is obviously not straightforward and will require additional efforts and resources (and likely cost). However, just having a viable solution (even if it is not an easy one) is a huge first step. I know it may seem odd that a customer would want only single sign on for Movi but, as I mentioned before, customers can sometimes have very specific functionality goals. It is important to be able to present a working solution. Thanks again Andreas!


Posted September 18, 2011 at 8:03 PM