03-24-2012 09:29 AM - edited 03-17-2019 10:57 PM
Hello, I am attempting to figure out how to configure AD authentication for the VCS Control. We are using latest software versions available today on all equipment, new install. Client is using MOVI 4.3 and several C 20 codecs and one 4515 MCU along with TMS and TMSXE 3.0
We are using subnet rules to register C20's and MOVI to appropriate subzones. Client wants to use AD login and password for MOVI users, that is the only purpose of wanting to authenticate with AD.
I have read through the latest VCS Authentication guide ver 7.x and I do not understand any of it, almost none of it makes any sense to me.
Can someone spoon feed the concept to me so I can understand it please?
What is the bare minimum that I need to do to provide AD authentication for MOVI and hopefully not affect anything else?
Also, client will be registering MOVI to Expressway as well, can this support AD authentication as well?
Thanks in advance!
Chuck
Sent from Cisco Technical Support iPad App
03-25-2012 01:50 AM
Hi Charles,
We would like to know which part of the document you are not able to understand.
I hope you have gone through this guide.
Now, for MOVI authentication via AD, the first requirement is to make your VCS join your domain controller so that it can talk to the domain controller; the process for this is given in the above documentation. ADS services would need to be set to ON on the VCS for that.
Second, you need to set the database type to be used to LDAP.
Third, you need to set the Default Zone to "check credentials" for the VCS to check the credentials supplied by the MOVI client against the domain controller. You said you have a specific subzone for MOVI; that needs to be set to "treat as authenticated" or "check credentials".
In addition, you need to ensure that the AD users are present in the provisioning directory on TMS and that your VCS has successful replication with TMS.
Yes, MOVI authentication is possible using AD from Expressway as well. In the Expressway scenario you need to have proxy authentication enabled on VCS-Expressway and set the traversal zone on the traversal client to "check credentials".
From Expressway you can actually authenticate MOVI users at multiple locations depending on your Expressway deployment scenario, but proxy authentication is normally used; ensure that communication between the DMZ and the inside network is secure.
Thanks
Alok
03-25-2012 06:57 AM
Hello, The document that you referenced is what I am trying to use, the problem is that it is written at too high a level. It is not written clearly enough or simple enough for me to understand. It is very vague. If I have MOVI that register to the same subzones as C 20's is there a way to only authenticate MOVI?
I do not have a MOVI only subzone, who would do something like that? In order to control bandwidth you must register endpoints by subnet and that includes all endpoints, MOVI and C 20's.
So, if I have MOVI and C 20's registered to same subzone, can I authenticate only MOVI, or do I have to authenticate C 20's as well?
Thanks,
Chuck
Sent from Cisco Technical Support iPad App
03-25-2012 02:49 PM
I think you'll find most users will have JabberVideo (was Movi) registering to one or more specific "JabberVideo zones", this could be for example based on geographical locations etc.
Bandwidth call control can be done in different ways; with JabberVideo the natural thing would be to do this through provisioning, i.e. max in bw, max out bw, default call bw etc. By using AD you can set up groups and specify different bw for each group, or even for specific users within that group if you so desire - and lots, lots more.
The admin guides for both VCS and JabberVideo are essential reading:
http://www.cisco.com/en/US/partner/products/ps11337/prod_maintenance_guides_list.html
http://www.cisco.com/en/US/partner/products/ps11328/prod_maintenance_guides_list.html
/jens
03-25-2012 04:02 PM
Hello, I don't see though how you are going to differentiate MOVI endpoints from other endpoints when they share a common subnet. I just don't see a way to make that work.
Sent from Cisco Technical Support iPad App
03-25-2012 08:44 PM
Hi Charles,
As Jens mentioned, people normally use specific subzones to register MOVI users so that they have better control over bandwidth.
However, in your case you have the same subzone for the MOVI and C-20 endpoints. In my opinion you can do the following to authenticate MOVI and not the C-20.
Set the Default Zone to "check credentials" and the specific subzone where MOVI and C-20 are registering to "treat as authenticated". This will achieve what you are looking for.
Thanks
Alok
03-26-2012 07:17 AM
Hi Alok, Yes, you understand my situation perfectly. Since I am only going to authenticate MOVI, should I use AD (Direct) instead of H.350? It looks like AD (Direct) is far simpler to set up; H.350 requires downloading and installing schemas.
Thanks,
Chuck
03-26-2012 08:02 AM
Hi Charles,
I have seen a lot of customers use only the AD (Direct) mechanism for authentication.
Thanks
Alok
03-27-2012 11:00 AM
Hello, I am not following what proxy authentication is, or where to set it, on Expressway. I have AD (Direct) working on VCS Control, but I cannot register MOVI to Expressway now. I should be able to register MOVI to Expressway using AD (Direct) credentials, but it is failing.
Sent from Cisco Technical Support iPad App
03-27-2012 11:15 AM
Hi Charles,
Under VCS configuration --> SIP configuration on Expressway you will find the proxy registration field. Set it to "Proxy to known only".
This way VCS-Expressway proxies the registration to VCS Control. I am assuming that search rules are properly set on Expressway to allow communication between Expressway and Control.
Ensure that you do not have a device-provisioning key on Expressway.
Third, I am assuming that all requests coming in for MOVI registrations need to be passed to Control, and that VCS Control will then check the credentials for MOVI, not the Expressway, which is talking directly to AD? Correct me here if I am wrong.
Fourth, do you have any SIP domain configured on Expressway?
Fifth, set the traversal zone on VCS Control to "check credentials".
After these checks we can go further with the troubleshooting.
Thanks
Alok
03-25-2012 09:57 PM
Hi Charles,
What I understood from your scenario is that you are registering C20 and Movi on different subzones on the basis of subnet rules.
So I think you can easily set the C20 subzone to "treat as authenticated" and for the MOVI subzone you can select "check credentials".
After integration, for C20 it will not check any authentication; in the case of Movi, it will verify authentication based on the AD user.
Regards,
Vivek
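To make the two proposals in this thread concrete (Alok's shared subzone set to "treat as authenticated" with the Default Zone on "check credentials", and Vivek's separate MOVI and C20 subzones with different policies), here is a small Python model of how a VCS-style registration request is placed into a subzone by subnet membership rules and then accepted or rejected by that subzone's authentication policy. This is an added illustration written for this thread, not Cisco VCS code: the subnet rules, subzone names, policy strings and the AD stand-in dictionary are all constructed, and the three policy behaviours are simplified to the essentials. It is useful for seeing the trade-off: with "treat as authenticated" on a shared subzone, a C20 registers without any check, but so does a MOVI client with a wrong password, because the policy trusts everything from that subnet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Authentication policy values modelled after the VCS subzone setting (simplified)
CHECK = "Check credentials"
TREAT = "Treat as authenticated"
NOCHECK = "Do not check credentials"

# Constructed stand-in for the directory that "AD (Direct)" binds against (hypothetical)
DIRECTORY: Dict[str, str] = {"alice": "Winter2012!", "bob": "hunter2"}


@dataclass
class Registration:
    device: str                       # "movi" or "c20", informational only
    source_ip: str                    # address the REGISTER arrives from
    username: Optional[str] = None    # MOVI supplies AD credentials; a C20 may not
    password: Optional[str] = None


def pick_subzone(source_ip: str, subnet_rules: List[Tuple[str, str]]) -> str:
    """Subnet membership rules: the first CIDR that matches the source address wins.
    Anything that matches no rule falls into the Default Subzone."""
    addr = ip_address(source_ip)
    for cidr, subzone in subnet_rules:
        if addr in ip_network(cidr):
            return subzone
    return "Default Subzone"


def credentials_valid(reg: Registration) -> bool:
    """Stand-in for the directory bind: username must exist and password must match."""
    return reg.username is not None and DIRECTORY.get(reg.username) == reg.password


def evaluate(reg: Registration, subnet_rules: List[Tuple[str, str]],
             policies: Dict[str, str]) -> Tuple[str, str, bool]:
    """Return (subzone, outcome, authenticated) for one registration request."""
    subzone = pick_subzone(reg.source_ip, subnet_rules)
    policy = policies.get(subzone, NOCHECK)
    if policy == TREAT:
        # Trusted purely on the basis of where the request came from: no check at all
        return subzone, "registered", True
    if policy == CHECK:
        if credentials_valid(reg):
            return subzone, "registered", True
        return subzone, "rejected", False   # wrong or missing credentials
    # NOCHECK: request accepted, but the device is not marked as authenticated
    return subzone, "registered", False


# Scenario A (Alok): MOVI and C20 share one subzone, which trusts everything
SHARED_RULES = [("10.1.0.0/16", "Site1")]
SHARED_POLICIES = {"Site1": TREAT, "Default Subzone": CHECK}

# Scenario B (Vivek): MOVI and C20 land in different subzones by subnet
SPLIT_RULES = [("10.1.1.0/24", "Site1-C20"), ("10.1.2.0/24", "Site1-Movi")]
SPLIT_POLICIES = {"Site1-C20": TREAT, "Site1-Movi": CHECK}

# Constructed sample requests
REQUESTS = [
    Registration("c20", "10.1.1.10"),
    Registration("movi", "10.1.1.20", "alice", "wrong-password"),
    Registration("movi", "10.1.2.20", "alice", "Winter2012!"),
    Registration("movi", "10.1.2.21", "alice", "wrong-password"),
]


def run_scenarios() -> Dict[str, List[Tuple[str, str, bool]]]:
    """Evaluate every sample request under both deployments."""
    return {
        "shared": [evaluate(r, SHARED_RULES, SHARED_POLICIES) for r in REQUESTS],
        "split": [evaluate(r, SPLIT_RULES, SPLIT_POLICIES) for r in REQUESTS],
    }


if __name__ == "__main__":
    for name, results in run_scenarios().items():
        print(name)
        for req, (zone, outcome, auth) in zip(REQUESTS, results):
            print(f"  {req.device:4} from {req.source_ip:10} -> {zone:14} {outcome:10} authenticated={auth}")
```

Run it and compare the two blocks of output: in the shared scenario the MOVI request with a bad password is still registered and marked authenticated, which is the point to weigh when choosing "treat as authenticated" on a subzone that also carries devices you do want checked. In the split scenario only the C20 subzone is trusted by address, and the MOVI subzone actually verifies the password.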