Cisco Support Community
Authenticating Devices using LDAP/H350

I have set up a lab and tested that authentication works fine as per the logic of the Deployment Guide. I am giving a brief of what I have done and the queries I have on this.

1. Downloaded the LDAP schemas from VCS to the LDAP.
2. Created an OU specifically for endpoints, e.g. h.350
3. Created an H.350 object as below under OU=h.350

# MeetingRoom1 endpoint
dn: commUniqueId=test,ou=h350,dc=X
objectClass: commObject
objectClass: h323Identity
objectClass: h235Identity
objectClass: SIPIdentity
commUniqueId: test
h323Identityh323-ID: ddlab
h323IdentitydialedDigits: 123456
h235IdentityEndpointID: ddlab
h235IdentityPassword: password
SIPIdentityUserName: ddlab
SIPIdentityPassword: password
SIPIdentitySIPURI: sip:ddlab@example.com

4. Upload this object to LDAP.
5. Configure LDAP in VCS.
6. Change the Default Subzone authentication type to "Check for Credentials".

Now a system with the below settings can register with the VCS successfully.

H323 id = ddlab
E164 = 123456
H323 authentication username = ddlab
H323 authentication password = password
SIP URI = ddlab@example.com
SIP authentication username = ddlab
SIP authentication password = password

So, I understand that we have to create an H.350 object for each and every endpoint. I also see that the authentication credentials used here are defined manually and the user cannot use his AD credentials.

How can I make the H.350 directory use the users' AD credentials?

If not, then this LDAP integration will only yield the below:

1. Instead of creating a local database on VCS, we create a database on AD.
2. Users cannot use their Windows login credentials here. (Is there a way to do this?)
3. Password management will become a task of the administrator.

Is this the way LDAP auth for VCS works? Kindly suggest.
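As an added example that is not part of the original post, here is a Python helper that renders a per-endpoint H.350 object like the one above as LDIF, parses it back, and checks an endpoint's registration settings against it. The function names and the base DN used are my own assumptions; the attribute names are the ones from the question.

```python
# Added example (not from the original post): render the per-endpoint H.350
# object as LDIF, parse it back, and check that an endpoint's registration
# settings agree with it. The base DN "dc=example,dc=com" is a placeholder.
from typing import Dict, List

H350_CLASSES = ("commObject", "h323Identity", "h235Identity", "SIPIdentity")

def h350_ldif(uid: str, base_dn: str, h323_id: str, e164: str,
              password: str, sip_uri: str) -> str:
    """Render one H.350 endpoint object (one object is needed per endpoint)."""
    lines = [f"dn: commUniqueId={uid},ou=h350,{base_dn}"]
    lines += [f"objectClass: {c}" for c in H350_CLASSES]
    lines += [
        f"commUniqueId: {uid}",
        f"h323Identityh323-ID: {h323_id}",
        f"h323IdentitydialedDigits: {e164}",
        f"h235IdentityEndpointID: {h323_id}",  # H.323 authentication username
        f"h235IdentityPassword: {password}",
        f"SIPIdentityUserName: {h323_id}",     # SIP authentication username
        f"SIPIdentityPassword: {password}",
        f"SIPIdentitySIPURI: {sip_uri}",
    ]
    return "\n".join(lines) + "\n"

def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Minimal single-entry LDIF parser: attribute -> list of values."""
    entry: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no attributes
        attr, _, value = line.partition(":")  # split at the first colon only
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def endpoint_matches(entry: Dict[str, List[str]], settings: Dict[str, str]) -> bool:
    """True if the endpoint's settings (keys as in the question) match the object."""
    checks = {
        "H323 id": "h323Identityh323-ID",
        "E164": "h323IdentitydialedDigits",
        "H323 authentication username": "h235IdentityEndpointID",
        "H323 authentication password": "h235IdentityPassword",
        "SIP authentication username": "SIPIdentityUserName",
        "SIP authentication password": "SIPIdentityPassword",
    }
    if entry.get("SIPIdentitySIPURI") != [f"sip:{settings['SIP URI']}"]:
        return False
    return all(entry.get(a) == [settings[k]] for k, a in checks.items())
```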

2 REPLIES

Authenticating Devices using LDAP/H350

I am running VCS X7.1


Authenticating Devices using LDAP/H350

Hi Rameez,

You could authenticate your Movi/Jabber users against AD with Kerberos and NTLM. For that, the VCS must join the AD domain as a computer. You can do this under VCS Configuration -> Authentication -> Devices -> Active Directory Service. After joining, the Jabber users can be authenticated with AD.

Have you got TMS? With TMS you can sync your AD Users to the TMS and from the TMS to the VCS. You could also filter for a special AD group.

NTLM auth works only for Jabber clients, so you have to maintain a separate database for all your other endpoints. You can maintain this database directly on the VCS.

An H.350 LDAP database could also be used to maintain the credentials, but you have to build a separate directory. I like the TMS because it's easy to manage. On the other hand, if you have multiple VCSs or the VCS clustered, a single database would be better.

I'm not quite sure, but I think with TMSPE you could also use the Provisioning database to maintain the credentials for all your endpoints. TMSPE syncs the accounts to the VCS database, so authentication should work fine with them too.

Regards, Paul
