
Multiple Controls and TMS using AD auth

Trying to get Jabber to authenticate against multiple controls.

Multiple controls, 1 express.

When Jabber attempts to register via express, it uses a search rule to determine where.

If the request gets passed to the Control 1, and the AD account does not exist in TMS, then the registration is denied.

If there is a second rule, to send it to Control 2, should it try to register a second time?  It does not seem to.

Both controls are managed by different TMS's and are integrated into AD.

So if the account is not in a group on TMS 1, then I would like it to check with TMS 2.

3 REPLIES

Re: Multiple Controls and TMS using AD auth

Hi John,

I understand your doubt. However, before trying to answer your question, tell me something. If you have two different TMS's and VCSs, I am assuming that you have different domains, right? If you have different domains, I think you should have different search rules in VCS Expressway pointing to the correct VCS, a search rule per domain pointing to the proper VCS, rather than having multiple equal search rules pointing to all the VCSs and then trying one by one. So you won't have to try multiple VCS's, you will route the call to the right VCS based upon the domain.

Do you have multiple domains or one single domain? If multiple domains, can you follow my suggestion? If one single domain, why don't you raise a cluster of VCS and TMS?

Regards

Paulo Souza

Please rate replies and mark question as "answered" if applicable.


Re: Multiple Controls and TMS using AD auth

Paulo,

Thank you for your response.

AD is a single domain, against which all users from different groups are authenticated.

The controls and TMS are managed by different groups under the same domain.

Yes, my recommendation was to cluster, but the groups owning the equipment wanted to maintain control over their equipment and subset of users.

Thank you

Re: Multiple Controls and TMS using AD auth

Hi John,

I got your point. If you cannot use cluster, no problem. Now let me try to answer your question. =)

Yes, you can authenticate Jabber from the internet through one single VCSe to multiple VCS Controls. I will try to explain how it works. Let's consider the following example:

- One VCS-E, name VCSE

- Three VCS Control, names VCSC-01, VCSC-02 and VCSC-03

- There are three search rules configured in VCSE, each rule pointing to each VCS Control, with different priorities and with the parameter "On successful match" set to "Continue". Rules: RULE-01, RULE-02 and RULE-03.

- We are going to authenticate trying this order, from VCSC-01 to VCSC-03.

- In this example, the correct credential will be found in VCSC-03

- External Jabber client is using the URI paulo@domain.com

- External Jabber will receive provisioning information from VCS Control, but it will register to VCS Expressway. I am assuming that there is no device authentication enabled in VCS Expressway.

This is a short summary of how this example should work:

1- Jabber client sends a SUBSCRIBE message with the URI paulo@domain.com to VCSE

2- VCSE considers all possible search rules which match paulo@domain.com, in this case, there will be three search rules

3- VCSE forwards the SUBSCRIBE message to VCSC-01 using the search rule RULE-01. VCSC-01 answers with a "407: Proxied authentication required" message.

4- VCSE forwards the SUBSCRIBE message to VCSC-02 using the search rule RULE-02. VCSC-02 answers with a "407: Proxied authentication required" message.

5- VCSE forwards the SUBSCRIBE message to VCSC-03 using the search rule RULE-03. VCSC-03 answers with a "407: Proxied authentication required" message.

6- VCSE then sends a "407: Proxied authentication required" message to Jabber client

7- Jabber client then sends a SUBSCRIBE message to VCSE again, this time including the credentials

8- VCSE forwards again the SUBSCRIBE message to VCSC-01 using the search rule RULE-01. VCSC-01 answers with a "407: Proxied authentication required" message, because the credential is wrong.

9- VCSE forwards again the SUBSCRIBE message to VCSC-02 using the search rule RULE-02. VCSC-02 answers with a "407: Proxied authentication required" message, because the credential is wrong.

10- VCSE forwards again the SUBSCRIBE message to VCSC-03 using the search rule RULE-03. VCSC-03 answers with a "200 Ok" message, as the credentials are correct

11- Then VCSC-03 sends provisioning information to the client using a SIP NOTIFY message

12- Now Jabber uses the provisioning information received and tries to register to VCS Expressway sending a REGISTER message. Then VCSE accepts the registration with a "200 OK" message.

Well, if your environment is not working as expected, I suggest you consider the above explanation and then try to find where the blind spot is in your setup. You can trace all the process described above in VCS Expressway and then figure out where the problem is. Just raise the log levels "Network.sip" and "Network.search" and set them to "debug", then go to the Network Log page, there you can trace the whole process.

Please, don't post the logs here in the Community, here it is not the proper place for that. If you are not able to find a solution, just post a summary of the messages, showing what is going on, just like I did above.

I hope this helps.

Paulo Souza

Please rate replies and mark question as "answered" if applicable.
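
The search-rule walk described in the reply above, as a simplified model (an added example, not part of the original post and not Cisco code). All class and function names and the sample account are constructed; the "stop" branch assumes that a rule set to stop ends the search once its target has answered, which is the case the "Continue" setting is meant to avoid.

```python
from dataclasses import dataclass

@dataclass
class Control:
    name: str
    accounts: dict  # URI -> password this Control accepts (constructed sample data)

    def subscribe(self, uri, password=None):
        # 200 only when credentials are presented and match; otherwise challenge with 407
        if password is not None and self.accounts.get(uri) == password:
            return 200
        return 407

@dataclass
class SearchRule:
    name: str
    priority: int
    target: Control
    on_match: str = "continue"  # "continue" or "stop" (modelled setting)

def forward_subscribe(rules, uri, password=None):
    """Walk the rules in priority order; return (status sent to client, trace)."""
    trace, status = [], 407
    for rule in sorted(rules, key=lambda r: r.priority):
        status = rule.target.subscribe(uri, password)
        trace.append((rule.name, rule.target.name, status))
        # Assumption: a 200 ends the search, and so does a rule set to "stop"
        if status == 200 or rule.on_match == "stop":
            break
    return status, trace

def provision(rules, uri, password):
    """Steps 1-10: unauthenticated SUBSCRIBE, then SUBSCRIBE with credentials."""
    _, challenge_trace = forward_subscribe(rules, uri)
    status, auth_trace = forward_subscribe(rules, uri, password)
    return status, challenge_trace, auth_trace

def build_rules(first_rule_on_match="continue"):
    # Constructed topology matching the example: the account exists only on VCSC-03
    controls = [Control("VCSC-01", {}), Control("VCSC-02", {}),
                Control("VCSC-03", {"paulo@domain.com": "constructed-password"})]
    rules = [SearchRule(f"RULE-0{i + 1}", (i + 1) * 10, c)
             for i, c in enumerate(controls)]
    rules[0].on_match = first_rule_on_match
    return rules

if __name__ == "__main__":
    for mode in ("continue", "stop"):
        status, _, auth = provision(build_rules(mode), "paulo@domain.com",
                                    "constructed-password")
        print(mode, status, auth)
```

Comparing the two traces against a summary of the "Network.search" debug output shows whether the Expressway stopped at the first Control or walked all three.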
