Cisco Support Community
New Member

Authenticate an Endpoint via AD

Hello together,

We have implemented a Win 2k8 AD Server. The schema of X7 is implemented and the VCS has joined the domain.

I followed the instructions of Cisco_VCS_Authenticating_Devices_Deployment_Guide_X7-1.pdf

VCSConfiguration --> Registration --> Configuration --> Restriction Policy = Directory

VCSConfiguration --> Authentication --> Devices --> Configuration --> Database Type = LDAP

VCSConfiguration --> Authentication --> Devices --> Configuration --> NTLM = Auto

What am I doing wrong?

Thanks to all.

1 ACCEPTED SOLUTION

Accepted Solutions
Gold

Re: Authenticate an Endpoint via AD

Jens,

please set the restriction policy to 'None', 'AllowList' or 'DenyList', depending on your needs. I believe that the 'Directory' setting is intended for future use for deployments using the internal Directory Services functionality of the VCS.

If you want to authenticate registration requests from regular endpoints, set the Default Subzone (and other relevant subzones) to 'Check credentials', as this means that endpoints attempting to register to this VCS would get challenged for credentials.

Once you have done this, you would have to configure your endpoint with credentials matching those in AD.

Now if you have any problems registering endpoints, you should be able to find relevant log entries for these failed registration attempts in the eventlog on the VCS, via Status > Logs > Event log.

If you need more verbose logs for troubleshooting this, you can go to Maintenance > Diagnostics > Diagnostics Logging, set the Network log level to DEBUG and start the log.

When the log is running, attempt to register an endpoint, and when this fails, stop the log and download it. The log will show you the registration attempt and also the VCS communications with the LDAP server, and this should tell you in more detail why the registration/authentication fails.

If you are not able to resolve the issue using these logs, I recommend you get a TAC case opened for further troubleshooting.

Regards

Andreas

10 REPLIES
Gold

Authenticate an Endpoint via AD

Hi Jens,

can you clarify what type of endpoints you are trying to authenticate using this?

I don't think you want to set the restriction policy to Directory, can you clarify why this is set as it is?

NTLM authentication is only supported in Movi 4.2 and higher, and this requires joining the VCS to the AD domain. Configuration for NTLM authentication for Movi/Jabber Video is done via the VCS Configuration > Authentication > Devices > Active Directory Services page.

LDAP authentication via a schema-patched AD is supported for all types of endpoints, and does not require the VCS to be joined to the domain. Configuration for LDAP authentication is done via the VCS Configuration > Authentication > Devices > LDAP Configuration page.

For NTLM authentication, it is important that VCS Configuration > Authentication > Devices > Configuration > NTLM Protocol Challenges is set to Auto.

For LDAP authentication, it is important that VCS Configuration > Authentication > Devices > Configuration > Database type is set to LDAP.

If you could describe in more detail what you are trying to achieve, how you have configured NTLM/LDAP and how your zones are configured with regards to authentication, it would be easier to assist.

Regards

Andreas

New Member

Re: Authenticate an Endpoint via AD

Hi Andreas,

We are using Movi (Jabber), E20, EX90, Polycom and Lifesize here.

We try to use just authorized endpoints. But if I set

VCS Configuration > Authentication > Devices > Configuration > Database type to LDAP

VCS Configuration > Authentication > Devices > Configuration > NTLM Protocol Challenges is set to Auto

The endpoint "E20" normally registers without any username or password.

We are using the following attributes at the AD for authentication.

- h235IdentityEndpointID

- h235IdentityPassword

- SIPIdentityUserName

- SIPIdentityPassword

Because of this problem I enabled the following setting:

- VCSConfiguration --> Registration --> Configuration --> Restriction Policy = Directory

Our default zone (we have a test VCS) is set to "check credentials".

Any Idea?

Authenticate an Endpoint via AD

please set the restriction policy to 'None', 'AllowList' or 'DenyList', depending on your needs, I believe that the 'Directory' setting is intended for future use for deployments using the internal Directory Services functionality of the VCS.

Yes, that's the answer I also got some time ago.

The "Restriction Policy" does not seem to have an impact on the authentication,

Directory service != LDAP/AD Auth.

And like Andreas said, the authentication is based on the zone setting, so you want to see that the zones where you expect the registrations from are set to check credentials.

Andreas:

is there a way to set the internal services like the presence server or the phonebook to not ask for SIP authentication?

I remember for the provisioning (before it could be configured in TMS) that for the provisioning agent a config file had to be manually changed; does something similar exist for the presence server?

Please remember to rate helpful responses and identify

Gold

Authenticate an Endpoint via AD

Martin,

no, the presence server and phone book server are hard coded to only accept authenticated requests.

Regards

Andreas

Authenticate an Endpoint via AD

Thx for the quick answer +5 for that even if I do not like the answer, ...

is there a way to flag a sip/h323 message by CPL to check credentials / treat as authenticated?

Please remember to rate helpful responses and identify

Gold

Authenticate an Endpoint via AD

No Martin,

as far as I know, that's not possible, the way to do that would be via the zone authentication configuration.

- Andreas

New Member

Authenticate an Endpoint via AD

Hello together,

I have done everything right. But I had set only the Default Zone to Check Credentials, not the Default SubZone.

Now most endpoints can register via authentication. The problems I have actually are

- Lifesize via SIP

- Polycom is not tested until now.

Does anybody know what the following error means? Maybe it is the reason of the Lifesize Sip problem.

- httpd[17823]: Module="nss_ldap" Level="ERROR" UTCTime="2012-03-15 07:42:33,908" Detail="Could not search LDAP server" Reason="Server is unavailable"

Thanks to your super support until now. :-D

- Jens

Gold

Authenticate an Endpoint via AD

Jens,

the error message which is shown here indicates a connectivity problem between the VCS and the LDAP server, and I wouldn't expect that this would be a problem specific to a Lifesize endpoint.

What does the 'Status' show for your configured LDAP server in VCS Configuration > Authentication > Devices > LDAP Configuration?

- Andreas
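The log line Jens posted uses the VCS key="value" event-log format, and Andreas reads it as an LDAP connectivity problem rather than an endpoint problem. The following is an added example (not code from the thread or from Cisco) that parses lines in that format and pulls out the nss_ldap "Server is unavailable" errors so the time window of the outage can be compared against the failed registrations; the sample lines are constructed, modelled on the one in the thread.

```python
import re
from datetime import datetime

# Constructed sample lines in the VCS event-log style (not real captures).
SAMPLE_LOG = """\
httpd[17823]: Module="nss_ldap" Level="ERROR" UTCTime="2012-03-15 07:42:33,908" Detail="Could not search LDAP server" Reason="Server is unavailable"
httpd[17823]: Module="nss_ldap" Level="INFO" UTCTime="2012-03-15 07:42:40,120" Detail="LDAP search completed"
httpd[17823]: Module="nss_ldap" Level="ERROR" UTCTime="2012-03-15 07:43:01,001" Detail="Could not search LDAP server" Reason="Server is unavailable"
"""

# Matches each Key="value" pair; values in this format do not contain quotes.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Split one log line into its process prefix and its Key="value" fields."""
    prefix, _, rest = line.partition(": ")
    fields = dict(FIELD_RE.findall(rest))
    fields["process"] = prefix.strip()
    return fields


def ldap_unavailable_events(text):
    """Return (timestamp, detail) for every nss_ldap ERROR whose Reason says
    the LDAP server is unavailable, i.e. the VCS could not reach AD at all."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        if (f.get("Module") == "nss_ldap" and f.get("Level") == "ERROR"
                and "unavailable" in f.get("Reason", "").lower()):
            ts = datetime.strptime(f["UTCTime"], "%Y-%m-%d %H:%M:%S,%f")
            events.append((ts, f.get("Detail", "")))
    return events


def outage_window(text):
    """Earliest and latest LDAP-unavailable timestamps, or None if there were none.
    Registrations that failed inside this window are explained by the LDAP outage,
    not by the endpoint type."""
    events = ldap_unavailable_events(text)
    if not events:
        return None
    stamps = [ts for ts, _ in events]
    return min(stamps), max(stamps)


if __name__ == "__main__":
    for ts, detail in ldap_unavailable_events(SAMPLE_LOG):
        print(ts.isoformat(), detail)
    print("outage window:", outage_window(SAMPLE_LOG))
```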

New Member

Authenticate an Endpoint via AD

After a reboot of the VCS, the problem no longer occurs.

- Jens
