VCS Expressway - Jabber auth via AD, local auth for Endpoints

raju.varsani
Level 1

Hi,

We have a VCS Control cluster which is AD Integrated and accounts are managed by TMS through Provisioning Extension syncing with an AD group. Both peer with a single Expressway.

From previous posts I have read that the zone authentication policies should be as follows:

VCSc

TZ: Check

DSZ: Treat as auth

VCSe:

DSZ: Do not check

TZ: Do not check

The flaw here is that any non-provisioned devices would be allowed to register to the Expressway. I would be looking to utilise the Local Database on the Expressway so externally registered devices at least must provide a valid username and password.

Are there any options that would allow this? Without trying to do direct AD Integration on the Expressway.

Much appreciated.

Raj

4 Replies

Alok Jaiswal
Cisco Employee

Hi Raju,

I would say there are lots of ways through which provisioning can be done... first let's talk only about VCS Control. For TMSPE keep the following settings on Control:

Default zone ==  check credentials

default subzone ==  check credentials or treat as authenticated (both possible)

traversal zone == check credentials.

Now we come to Expressway. Here keep the

default zone & traversal zone == "do not check credentials"

default subzone == "check credentials"

I hope you must be doing proxy authentication, and I am also considering that you have configured a SIP domain on the Expressway!!

Now here you should first put a Registration allow list and define the regex or patterns or IPs which are going to register.

After that create multiple subzones and subzone membership rules.

For e.g. for Movi/Jabber Windows/Jabber tablet create a separate subzone and keep the subzone as "treat as authenticated". This way the Movi/Jabber will be registering to a specific subzone.

For the rest of the registrations you can have another subzone and keep it as "check credentials". Configure a user in the local database on the Expressway; this user can be used multiple times for registration. This way any registration apart from Jabber will be challenged by the Expressway and would be checked against its local database. For Jabber the challenge would be done through the VCS Control.

I hope it clarifies. Check the device authentication document and VCS admin guide for more details.

Thanks

Alok

Here is the link for the admin guide; check page 218.

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/admin_guide/Cisco_VCS_Administrator_Guide_X7-2.pdf

You can have a subzone membership rule as a regex, so for Jabber it would be based on the device URI you have configured under the provisioning directory.

For challenging everything apart from Jabber, e.g. if your domain is abc.com, the subzone membership rule regex can be

(.*)@abc.com

Target subzone

Priority would be higher than the subzone membership rule for Jabber clients. Any registration going into this subzone would be challenged for authentication.

Thanks

Alok

Thanks Alok,

So if I create a SZ for 'MoviUsers' (excuse the legacy name), set this to 'treat as authenticated' and create a SZ Membership rule based on .*\.movi@video.company.com...wouldn't this mean I could register any endpoint to the expressway providing the H323/SIP alias had .movi@video.company.com in it? All without providing credentials.

Any more granularly defined membership rules/allow list and I would need to define every user explicitly :-s

(We also have provisioned Ex90 devices so would need to uniquely differentiate these too)

Raj

That's right Raju. But if you do not want this then proxy all the registration requests to Control.

This way the registration will also be challenged using the traversal zone and every registration would be on Control; the Expressway won't be having any registration.

Thanks

Alok
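To make the trade-off in this thread concrete (Alok's regex-based subzone membership rules with a "treat as authenticated" subzone for Jabber and a "check credentials" catch-all, and Raj's point that any alias matching the Jabber pattern then registers without credentials), here is an added Python model of how such rules would be evaluated. It is not Cisco's code and not from the original posts; rule names, subzone names, the `video.company.com` domain and the assumption that a lower priority number is evaluated first are all constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed model of VCS/Expressway subzone membership rules; not Cisco's code.
@dataclass
class MembershipRule:
    name: str
    pattern: str           # regex matched against the registering alias (URI)
    target_subzone: str
    priority: int          # assumption: lower number is evaluated first

# Authentication policy configured per subzone, as proposed in the thread.
SUBZONE_POLICY = {
    "MoviUsers": "treat as authenticated",
    "ChallengeEverything": "check credentials",
    "DefaultSubZone": "check credentials",
}

# Jabber rule first (priority 10), catch-all for the domain second (priority 20).
RULES = [
    MembershipRule("jabber", r".*\.movi@video\.company\.com", "MoviUsers", 10),
    MembershipRule("catch-all", r"(.*)@video\.company\.com", "ChallengeEverything", 20),
]

def classify(alias: str) -> tuple[str, str]:
    """Return (subzone, authentication policy) that a registering alias lands in."""
    for rule in sorted(RULES, key=lambda r: r.priority):
        if re.fullmatch(rule.pattern, alias):
            return rule.target_subzone, SUBZONE_POLICY[rule.target_subzone]
    return "DefaultSubZone", SUBZONE_POLICY["DefaultSubZone"]

def unauthenticated_pattern_rules() -> list[str]:
    """Audit check: names of regex rules whose target subzone skips credential checks.

    Every alias matching such a rule registers without proving a username/password,
    which is exactly the gap Raj describes.
    """
    return [r.name for r in RULES
            if SUBZONE_POLICY[r.target_subzone] == "treat as authenticated"]

if __name__ == "__main__":
    for alias in ("alice.movi@video.company.com",   # provisioned Jabber user
                  "rogue.movi@video.company.com",   # unprovisioned, same pattern
                  "ex90-lobby@video.company.com",   # EX90 endpoint
                  "anyone@other.example"):          # outside the domain
        print(alias, "->", classify(alias))
    print("rules that bypass credential checks:", unauthenticated_pattern_rules())
```

The `rogue.movi@...` case shows that the pattern alone decides the outcome, which is why the thread's final suggestion is to proxy all registrations to the Control, where they are challenged regardless of alias.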
