CUCM Admin

This document discusses configuring authentication trust settings between Expressway zones to simplify authentication so that a device's credentials only need to be authenticated once at the first hop. Setting neighbor zones to use authentication trust means pre-authenticated SIP messages from that zone will be trusted without further challenge and treated as authenticated within the receiving Expressway.

SIP Authentication Trust

If the Expressway is configured to use device authentication it will authenticate incoming SIP INVITE requests. If the Expressway then forwards the request on to a neighbor zone such as another Expressway, that receiving system will also authenticate the request. In this scenario the message has to be authenticated at every hop.

To simplify this so that a device’s credentials only have to be authenticated once (at the first hop), and to reduce the number of SIP messages in your network, you can configure neighbor zones to use the Authentication trust mode setting.

This is then used in conjunction with the zone's authentication policy to control whether pre-authenticated SIP messages received from that zone are trusted and are subsequently treated as authenticated or unauthenticated within the Expressway. Pre-authenticated SIP requests are identified by the presence of a P-Asserted-Identity field in the SIP message header as defined by RFC 3325.

The Authentication trust mode settings are:

- On: pre-authenticated messages are trusted without further challenge and subsequently treated as authenticated within the Expressway. Unauthenticated messages are challenged if the Authentication policy is set to Check credentials.

- Off: any existing authenticated indicators (the P-Asserted-Identity header) are removed from the message. Messages from a local domain are challenged if the Authentication policy is set to Check credentials.
Cisco Expressway Administrator Guide, Device Authentication, page 150
Note:

- We recommend that you enable authentication trust only if the neighbor zone is part of a network of trusted SIP servers.

- Authentication trust is automatically implied between traversal server and traversal client zones.
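The following is an added example, not code from the Cisco guide: a small model of the decision the Authentication trust mode and Authentication policy described above make for an incoming SIP request, run over a constructed INVITE. The function and constant names are this example's own, and the handling of policies other than Check credentials and Treat as authenticated, and of non-local senders when trust is Off, is an assumption marked in the comments.

```python
CHECK_CREDENTIALS = "Check credentials"
TREAT_AS_AUTHENTICATED = "Treat as authenticated"
PAI = "p-asserted-identity"   # RFC 3325 header; names compared case-insensitively

def parse_sip_headers(raw: str) -> dict:
    """Map lower-cased header names to values; first occurrence wins."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers

def from_domain(headers: dict) -> str:
    """Host part of the From URI, with display name, params and tag dropped."""
    uri = headers.get("from", "").split("<")[-1].split(">")[0]
    return uri.split(";")[0].rpartition("@")[2].lower()

def apply_policy(policy: str) -> str:
    if policy == CHECK_CREDENTIALS:
        return "challenge"
    # Assumption: a policy other than the two named on the page neither challenges nor authenticates.
    return "authenticated" if policy == TREAT_AS_AUTHENTICATED else "unauthenticated"

def apply_authentication_trust(raw: str, trust_mode_on: bool, policy: str,
                               local_domains: frozenset) -> tuple:
    """Return (decision, headers after processing) for a request from a neighbor zone."""
    headers = parse_sip_headers(raw)
    if trust_mode_on:
        if PAI in headers:                # pre-authenticated: trusted without challenge
            return "authenticated", headers
        return apply_policy(policy), headers
    headers.pop(PAI, None)                # Off: strip the authenticated indicator
    if from_domain(headers) in local_domains:
        return apply_policy(policy), headers
    return "unauthenticated", headers     # assumption: non-local requests pass unchallenged

INVITE = (  # constructed sample request, not captured traffic
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    'From: "Alice" <sip:alice@example.com>;tag=1928301774\r\n'
    "To: <sip:bob@example.com>\r\n"
    'P-Asserted-Identity: "Alice" <sip:alice@example.com>\r\n'
    "\r\n"
)
```

Running the same INVITE through a zone with trust On and one with trust Off shows why the note above matters: with trust On the P-Asserted-Identity header alone is enough to be treated as authenticated, so that header should only be trusted from zones that are themselves trusted SIP servers.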
Device Provisioning and Authentication Policy

The Provisioning Server requires that any provisioning or phone book requests it receives have already been authenticated at the zone or subzone point of entry into the Expressway. The Provisioning Server does not do its own authentication challenge and will reject any unauthenticated messages.

The Expressway must be configured with appropriate device authentication settings, otherwise provisioning-related messages will be rejected:

- Initial provisioning authentication (of a subscribe message) is controlled by the authentication policy setting on the Default Zone. (The Default Zone is used as the device is not yet registered.)

- The Default Zone and any traversal client zone's authentication policy must be set to either Check credentials or Treat as authenticated, otherwise provisioning requests will fail.

In each case, the Expressway performs its authentication checking against the local database. This includes all credentials supplied by Cisco TMS.

For more information about provisioning configuration in general, see Cisco TMS Provisioning Extension Deployment Guide.
Configuring Authentication to Use the Local Database

The local authentication database is included as part of your Expressway system and does not require any specific connectivity configuration. It is used to store user account authentication credentials. Each set of credentials consists of a name and password.

The credentials in the local database can be used for device (SIP), traversal client, and TURN client authentication.

Adding credentials to the local database

To enter a set of device credentials:

1. Go to Configuration > Authentication > Devices > Local database and click New.
2. Enter the Name and Password that represent the device’s credentials.
3. Click Create credential.

Note that the same credentials can be used by more than one device.
Credentials managed within Cisco TMS (for device provisioning)

When the Expressway is using TMS Provisioning Extension services, the credentials supplied by the Users service are stored in the local authentication database, along with any manually configured entries. The Source column identifies whether the user account name is provided by TMS, or is a Local entry. Only Local entries can be edited.

Incorporating Cisco TMS credentials within the local database means that Expressway can authenticate all messages (i.e. not just provisioning requests) against the same set of credentials used within Cisco TMS.
Local database authentication in combination with H.350 directory authentication

You can configure the Expressway to use both the local database and an H.350 directory.

If an H.350 directory is configured, the Expressway will always attempt to verify any Digest credentials presented to it by first checking against the local database before checking against the H.350 directory.
Local database authentication in combination with Active Directory (direct) authentication

If Active Directory (direct) authentication has been configured and NTLM protocol challenges is set to Auto, then NTLM authentication challenges are offered to those devices that support NTLM.

- NTLM challenges are offered in addition to the standard Digest challenge.

- Endpoints that support NTLM will respond to the NTLM challenge in preference to the Digest challenge, and the Expressway will attempt to authenticate that NTLM response.
Authenticating with External Systems

The Outbound connection credentials page (Configuration > Authentication > Outbound connection credentials) is used to configure a username and password that the Expressway will use whenever it is required to authenticate with external systems.

For example, when the Expressway is forwarding an invite from an endpoint to another Expressway, that other system may have authentication enabled and will therefore require your local Expressway to provide it with a username and password.

Note that these settings are not used by traversal client zones. Traversal clients, which must always authenticate with traversal servers before they can connect, configure their connection credentials per traversal client zone.