Cisco Support Community
Community Member

Execute Authentication for every device

Hi all,

As Execute authentication requires a Global User with device association, I know that one way to allow an app to Execute to any/every device would be to have it do authentication as a Global User that is associated with every device. However, in environments where the devices number 3000+, doing this can take a long while (and CM appears to lack the resources to do this number of associations in one 'update', anyway). Either way, the maintenance of such a user's associations is the part that gives me overhead-ache just thinking about it.

I know you could also hack c:\CiscoWebs\IPPhoneServices\CCMCIP\authenticate.asp to repsond affirm regardless of authenticator, but as this wouldn't work for 7920s (and surely is not Cisco-supported, anyway), I was wondering:

Any good suggestions to globally authenticate an app to any/all devices during an Execute? Is a redirect-authenticate and proxy like PushAuthenticate the best answer?

Thanks for any assistance!


Community Member

Re: Execute Authentication for every device

yes, you need an authentication proxy. create a web service that mirrors the function of authenticate.asp, and set its URL as the default authentication URL in enterprise parameters. now, when you build applications that require phones to authenticate you can use the authentication proxy instead of the callmanager.

the trick is to build an authentication proxy that also works with other applications that still need callmanager authentication. a good way to do this is to have your applications communicate with the authentication proxy before the phones authenticate. that way, the proxy knows phones are about to authenticate, and can provide the appropriate response. then, if a phone tries to authenticate for an unknown application, the proxy simply passes on the authentication request to the call manager.

there's a trick here: a simple http redirect would be great *except* it doesn't work with all loads of all phones. 7960/7940s have always been fine, but i've had problems with earlier loads on 7912s. don't know if this problem has been fixed yet.

Community Member

Re: Execute Authentication for every device

I suppose the proxy itself could make an HTTP request to the normal CallManager auth url,spoof the name=SEP bit, and return the response to the device making the request, so that you don't have to rely on redirect.

Community Member

Re: Execute Authentication for every device

yes, forwarding the request to the callmanager authentication URL on behalf of the requesting phone, and then returning the response, is the only reliable way i've found to do this.

am i the only person here who's irritated by all the extra code i have to write to work around cisco's bugs?

Community Member

Re: Execute Authentication for every device

You can set proxy user (use any existing user or create a new one).

In ccmadmin

Step 1 Choose User > Global Directory.

Step 2 Enter the name of the Cisco CallManager user and click Search.

A user information window that lists the Last Name, First Name, User ID, and Department of the user opens.

Step 3 Click any field that is listed in Step

A user configuration window displays for that user.

Step 4 Click the Extension Mobility link from the left panel.

The Extension Mobility window displays for that user.

Step 5 Click the Enable Authentication Proxy Rights check box.

Step 6 Click Update Selected.

Community Member

Re: Execute Authentication for every device


What you describe is only applicable for Extension Mobility. I'm pretty sure this user's issue is that they are using the Cisco IP Phone XML 'Execute' command and don't want to have to associate some sort of global user to every phone in the system.

Community Member

Re: Execute Authentication for every device

I like the sound of it, but my testing results agree with XmlEquals' assertion.

I used the user that I've been Executing with (who's also associated with a handful of devices - and execution to them is fine). I set the Enable Authentication Proxy Rights as you've described, but the Execute still returns "Protected Object" for un-associated devices. I've tried resetting the device(s).

Did I miss something?

Community Member

Re: Execute Authentication for every device

Gurus, any update on this?

I am trying to push to more than 1000 phones, and found CCM authentication to be unrelieable. So, I have decided to write my own authentication and use it as proxy - that is for my application use this authentication, and for all other applications, use CCM authentication.

CreatePlease to create content