VCS Express Authentication against different Controls

John Faltys · ‎07-30-2013

I would like a cluster of Expresses to use the dial plan search rules to determine which VCS Control dictates the authentication for Jabber users.

Based on naming scheme, the Jabber client will authenticate against TMS-1/AD Acct via VCSC-1 or against TMS-2/local Acct via VCS C-2.

I have setup a dialplan search rule that directs the request, and although the VCSC-1/TMS-1/AD auth is working, the local account does not authenticate via VCSC-2/TMS-2/local.

VCS Versions 7.2.2

TMS Versions 14.2.1

Jabber 4.6.3

The VCS-E is setup as Proxy to known only.

The VCS-E has NTLM auto.

Martin Koch · ‎07-30-2013

Do you do any authentication on the vcs and do you have the sip domains added to the vcs?

By today the vcs-e will now authenticate towards different VCS-C but a proxy registration and

provisioining based on different domains matching on different traversal zones should work

Please remember to rate helpful responses and identify

John Faltys · ‎07-30-2013

Martin,

Thank you for always responding to my questions. You are awesome.

Although we do have multiple domains defined, we would like to differentiate based on username.

So for example: jsmith.dept@domain.com where everything except one specific department dictates that it authenticates to the VCSC-1/TMS-1/AD authentication. The one single dept would authenticate towards VCSC-2/TMS-2/locally provisioned.

Do we do any authentication on the VCS? - We authenticate traversal zones. We have a user/pwd for all endpoints.

Thank you,

Martin Koch · ‎07-30-2013

You might be able to handle the provisioning with a cpl, but the registration is just to the domain itself, not sure if it would even be possible to handle the contact header in the cpl.

In short you need to have some seperation to say which request goes where, using a seperation

based on the domain would be the best what I could recomend to you. And as I have not tested it

I can not even garantee that it works, but I would say it should.

Thank you for your kind words. If you like what I post, use the rating functionality using the stars below my messages.

(more info: https://supportforums.cisco.com/docs/DOC-8052 )

Please remember to rate helpful responses and identify

John Faltys · ‎07-30-2013

Martin,

I just tested.

Account Provisioned TMS2 Local

jsmith
Pattern: {username}@domain1.com

Jabber from outside network

User: jsmith

Internal VCS: {blank}

External VCS: VCSE.domain1.com

Domain: domain2.com

This scenario registers Jabber to VCSE.domain.com.

Jabber from inside VCSC-2 network.

User: jsmith

Internal VCS: VCSC-2

External blank

Domain: domain2.com

Returns Did not receive provisioning in time.

I believe the problem with this scenario is that their SRV records for domain2.com are point to VCSE. Sound right?

Martin Koch · ‎07-30-2013

First of all the provisioning on the internal network should work, if that does not work locally you have some generic issue.

Are you sure that the provisioning is done by the right vcs?

The provisioning option key shall only present on the VCS-C1 and VCS-C2 not on the VCS-E

As I do not know your search rule and the rest of the setup/deployment its not easy to say where it breaks.

Do you have a cisco partner or external consultant who can look at it?

Hands on is way more easy.

Please remember to rate helpful responses and identify