Re: Problem registering movi to VCSe (VCSc working)

Chris Swinney
Level 5

We use a single VCS-E to support multiple VCS-C in different organisations. We cannot have AD or LDAP integration with anything. We have to have a local user account set up on the VCS-E to support multiple Traversal tunnels. Adding another Dummy user to the VCS-E local DB is not really different.

OK:

  1. If you set up a SIP domain on the VCS-E and set Subzones to check for credentials, you need to authenticate on the VCS-E.
  2. Set up the same SIP domain on the VCS-C with all zones to check for credentials.
  3. Set Dummy User account on VCS-E and the same user account in TMSPE - this also gets pushed to the VCS-C
  4. Set "SIP Authentication Username" and "SIP Authentication Password" in the TMSPE template
  5. Jabber user uses their specific TMSPE user name to enter into the client, but the "SIP Authentication" details set in the template are passed out during provisioning. This is used to register, but TMSPE user details are also used.

Works well for us, although standard SIP clients such as those on Linux, I cannot get to authenticate properly as you need both sets of authentication - TMSPE user AND Dummy user. True, local users are stored in the VCS-E, but we have some there in any case.

I read a post on here a while back relating to this - I'll see if I can find it.

Try - https://supportforums.cisco.com/message/3942778#3942778 although Adam talks about AD, the same can be achieved with just TMSPE.

Message was edited by: Chris Swinney Altered All Zone to Subzone in point 1


Paulo Souza
VIP Alumni

Hi Chris,

Now I understand this method, but I have never used it before. Tell me something: in this case, do you create one single fake account on VCSe for all the users, or do you create one account for each user? I guess one single account, because TMSPE does not support configuration per user, only configuration per directory.

Thinking about security, I guess you are using TLS to register Jabber clients, right? I think it is required to use TLS in this case, I would say, because the provisioning information received from TMS is clear XML text that comes within a SIP NOTIFY message received after the client authenticates to VCS. So, I think these fake credentials are clear text, and anybody could open this SIP NOTIFY message and discover the fake password. That's why TLS would be required.

I am not sure, but it is something to test.

This is the XML text received in a SIP NOTIFY message when provisioning is happening:

http://www.tandberg.net/Provisioning/2/">200.200.200.200paulo@domain.com.br24Hostpresence@domain.com.bronphonebook@domain.com.brAutoPaulo Souza768High7682190021000


You can get this information using any sniffer on your machine (without TLS), or simply checking Network Log on VCS.

Could you verify if the fake password is really clear text?

Regards

Paulo Souza

Please rate replies and mark question as "answered" if applicable.

Paulo Souza Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

Chris,

You don't need to verify, I have done it right now. The password is really clear text. So TLS is required. Well, as this method only works for Jabber and not for any SIP clients, I think proxied registration is the best option when implementing device authentication on VCSe, mainly when you have LDAP authentication.

However, proxied registration does not work for H323.

Paulo Souza
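
An added example, not part of any post in this thread: one way to check SIP messages taken from a network log for the condition discussed above, a NOTIFY that carries the provisioning XML over a transport other than TLS. The sample messages, the `placeholder` element and the function names are constructed for illustration; only the namespace URL comes from the thread.

```python
import re

# Namespace that appears in the provisioning body quoted in this thread.
PROVISIONING_NS = "http://www.tandberg.net/Provisioning/2/"
ENCRYPTED = {"TLS", "TLS-SCTP", "WSS"}  # Via transport tokens that imply encryption

def header(lines, name, compact):
    """Return the first header value matching a full or compact name."""
    pat = re.compile(rf"^(?:{name}|{compact})\s*:\s*(.*)$", re.I)
    for line in lines:
        m = pat.match(line)
        if m:
            return m.group(1)
    return ""

def audit(raw):
    """Return a finding for a NOTIFY carrying provisioning XML, else None."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    if not lines[0].startswith("NOTIFY ") or PROVISIONING_NS not in body:
        return None
    # The topmost Via records the transport of the hop that delivered the message.
    m = re.match(r"SIP/2\.0/([\w-]+)", header(lines[1:], "Via", "v"), re.I)
    transport = m.group(1).upper() if m else "UNKNOWN"
    return {"call_id": header(lines[1:], "Call-ID", "i"),
            "transport": transport,
            "exposed": transport not in ENCRYPTED}

def make(method, transport, call_id, body):
    """Build a constructed SIP request for the demo (not captured traffic)."""
    return (f"{method} sip:user@example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/{transport} 192.0.2.10:5060;branch=z9hG4bK{call_id}\r\n"
            f"Call-ID: {call_id}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

# Constructed body: only the namespace comes from the thread.
BODY = f'<placeholder xmlns="{PROVISIONING_NS}">constructed</placeholder>'
SAMPLES = [make("NOTIFY", "TCP", "a1", BODY),
           make("NOTIFY", "TLS", "b2", BODY),
           make("NOTIFY", "TCP", "c3", "<presence/>"),
           make("REGISTER", "TCP", "d4", "")]

if __name__ == "__main__":
    for f in filter(None, map(audit, SAMPLES)):
        print(f["call_id"], f["transport"], "EXPOSED" if f["exposed"] else "ok")
```

Any message reported as exposed delivered the shared SIP authentication credentials in the clear on that hop, so the zone or client transport involved should be moved to TLS and the dummy account's password changed.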
