AD Groups and VCS Authentication

Eli Kagan · ‎09-05-2014

I am thinking about setting up my VCS with direct AD authentication for MOVI users. I have a group in the AD containing all our MOVI users. The problem is I do not see how to restrict authentication to only that group. I do not see a setting on the VCS authentication config page. Am I missing something?

Patrick Sparkman · ‎09-05-2014

Hello Eli -

It's not possible to specify a base DN for users or groups when setting up Active Directory Services for device authentication on the VCS, as the VCS is just used to authenticate the user's password when they try to sign in. What determines if they can attempt to sign in using ADS is if they have an account within TMSPE, if they don't have an account, they won't authenticate to AD via the VCS. With that said, you can limit who gets imported into TMSPE by specifying AD groups. Starting on bottom of pg 26 of the Cisco-TMSPE-with-VCS-Deployment-Guide-1-2, covers how to setup importing users into TMSPE using AD.

Eli Kagan · ‎09-08-2014

Thanks Patrick.

What about using H.350 directory for authentication? It has a base DN parameter...

However, it looks like it stores the password as clear text along with the entry. Meaning that users will not be able to authenticate using their AD username and password and that defeats the purpose of this exercise.

Is there a way to configure authentication in such a way that it would be limited to a certain group only, check against AD username and password and work withour relying on the provisioning server? I want users with other than MOVI clients, any SIP client to be exact, to be able to authenticate using their own username and password stored in AD. Is that an option at all?

Thanks,

Eli