Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Call Policy on a VCS

I'm trying to forbid some probing attacks on a VCS Expressway.

The calls come in from unknown@(various IP addresses), and go to either sip:(string of 12-17 numbers)@(ip address of VCS express), or the same thing without the SIP: prefix (as an H323 setup request), or the latter prefixed with a '+'.

I thought that putting in a Local CPL to reject calls from unknown@.* going to .* would work.  The Locate tool on the VCS indicates that it does; it comes back with a Forbidden response.  Yet, in practice, these call attempts are not Rejected.  They are passed to the Control and back, when the are stopped as a Loop.

Does anyone know why my CPL isn't working, and how to make it work?

  • TelePresence
4 REPLIES
Silver

Call Policy on a VCS

Anthony,

are you writing your own CPL or are you using the CPL rule generator page on the VCS?

Assuming that these probing calls are coming in on the DefaultZone on the VCS, and that the DefaultZone is set to 'Do not check credentials', these incoming calls will be non-authenticated.

In order to use CPL to match non-authenticated calls, you have to use the 'unauthenticated-origin' CPL parameter rather than 'origin', and this can not be achieved by using the CPL rule generator page (Which only creates 'origin'-based CPL statements.

For a non-authenticated call, 'origin' will be an empty string, while 'unauthenticated-origin' will be a string containing the source alias of the call. This is described in more detail in the CPL reference section of the VCS Admin guide.

If you could paste the CPL snippets which you are using and which you think should be matching these incoming calls, it would probably be easier to assist you.

Regards

Andreas

Call Policy on a VCS

I am using the CPL rule generator page on the VCS, and thus I now understand why it's not working.  The DefaultZone is set to 'Do not check credentials'.

So, it looks like I either manually write the CPL, or potentially I change the Authentication Policy on the Default Zone.

If I change it to 'Treat as authenticated', does that change it so that the origin string has the source alias?  What other ramifications of doing this would there be?  This VCS Express is currently used for registrations for Movi/Jabber and a few endpoints.  I expect that Movi would still work since it is already an authenticated endpoint, but that authentication credentials would have to be added to endpoints for them to continue working.

Here's a snippet of the code:

Call Policy on a VCS

Please use "treat as authenticated" only if you know what you are doing :-)

We had a thread about this before, see my posting at 19.07.2011 15:46:

https://supportforums.cisco.com/message/3394817#3394806

For unauthenticated calls you have to use: taa:rule unauthenticated-origin=

Please remember to rate helpful responses and identify

Silver

Call Policy on a VCS

Anthony,

I wouldn't recommend setting the DefaultZone to 'Treat as authenticated' as that would automatically authenticate all incoming provisioning requests (SUBSCRIBE messages) without validating the username and password.

A better approach would probably be to set the DefaultZone to 'Do not check credentials' or 'Check credentials', depending on how and where you authenticate your provisioning users, and use 'unauthenticated-origin' in your CPL instead or in addition to your existing CPL, to catch the incoming unauthenticated calls.

Regards

Andreas

694
Views
0
Helpful
4
Replies