AD Authentication in VCSe, VCSc and TMS environment

martin1.plank
Level 4

Hi,

We have VCSe, VCSc and TMS working with provisioning on VCSc via TMS.

VCS Version 6.1, TMS 13.1

The external Movi Clients (4.3) have registration with VCSc. VCSe does proxy for registration.

The Users have been configured on the TMS. There's still no AD authentication configured.

Everything works fine.

Now we want to configure AD authentication.

There are several deployments to do so, but for me some of them are not so secure as others.

I need a highly secure deployment.

I need some ideas to do the deployment.

thanks

Martin


7 Replies

Paulo Souza
VIP Alumni

Hi Friend,

I suggest you integrate TMS with AD directly; you can specify a single group in AD to be imported by TMS, so you're gonna have control of which users will be able to use the Movi client in your environment. Also do this: create in AD a user who has just "read access" to the users directory, then you may configure this user to be used by TMS to import the users database. This will bring more security to your integration.

For me, it's a good deployment.

But let me know, which security problems did you see in the deployments you have read?

Regards,

Paulo Souza

Paulo Souza Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

Hi Paulo,

Thanks for your input.

For me the best solution seems to be the following:

I create the users manually in TMS.

The usernames created manually are the same as the AD users.

Only for authentication do we connect to AD. So users use their AD password to authenticate within the registration process.

Is this a possible deployment?

Regards,

Martin Plank

Hi Martin,

You can use the TMS agent replication on VCS-Control as the normal procedure. Then configure the provisioning directory on TMS and import the users from AD into it. This way it will take care of provisioning.

Then on VCS-Control set the necessary zones to challenge for authentication. If you want to challenge the endpoint registrations as well, configure the username and password for them under AD.

Do not configure the SIP domain on VCS-Expressway, and configure the VCS-E to proxy all the authentication and registration requests to VCS-C. Set the traversal client to "check credentials".

Configure an ALLOW list on VCS-Expressway to allow the registrations and set the CPL on the Expressway to filter the calls.

I think this could be one safe design.

Thanks

Alok

Hi Martin,

I understand perfectly what you want, but I don't understand the why. When you set a provisioning directory in TMS to be integrated with AD, the users are imported automatically according to the "search string" you configure. But the passwords are not imported from AD; only basic information about the users is imported. When any user attempts to log in, TMS challenges for authentication in real time.

For me it's not a problem, because TMS doesn't save the passwords in its own database. Is it a problem for you? Why?

If you're trying to do this only because you want to limit which users are allowed to use the Movi client, you can solve it by using a "search filter" in the configuration of the provisioning directory, so that you will be able to import only users that are part of a specific group, for example.

Please explain to me why you want to do this.

Paulo Souza


Hi Paulo,

I don't want to integrate the whole AD because only a few users should use Movi.

I can't collect them into groups.

Therefore I think it is easier for me to create the users manually in TMS, and for password verification we go to AD.

For a start, I think this can be the right way to do so.

As the number of Movi users increases, you described the way I should go.

Can I use LDAPS also?

Thanks Paulo

Best regards

Martin Plank

Friend,

It's impossible to create the users in TMS manually and then challenge for authentication by using LDAP; it is not possible.

So, I think that the easy and secure way to do what you want is this: you have to import the users from AD from a specific group or specific directory into the LDAP database.

If the users in LDAP are not in a specific group or directory, there is no problem, because it's an easy task to create a group in LDAP and put the users in it. Request it from the AD administrators and certainly they will do that.

Regards

Paulo Souza


Hi Paulo,

Thanks for all your input! So now I know the way to make Movi work with a "single password".

I'll talk to my AD administrators to get the groups for LDAP user import.

Regards

Martin Plank
