Cisco VCS with Polycom RMX as MCU

J_Vansen_S
Level 3

Product: VCS Starter Pack Express

Software Version: X7.0.2

Software options: 0 Non Traversal Calls, 5 Traversal Calls, 50 Registrations, 900 TURN Relays, Expressway, Encryption, FindMe, Dual Network Interfaces, Starter Pack.

Objective:

  • To assign Polycom RMX to act as MCU to the VCS.

Problem Statement

  • I have created a SIP user account on the VCS for the RMX MCU. 2005@xxx.com
  • It registers to the VCS as SIP:_dummy_tester1@xxx.com, no matter what SIP credentials I insert on the RMX.

Please advise

4 Replies

Tomonori Taniguchi
Cisco Employee

Assume you are trying to register RMX with authentication.

Have you changed the Authentication policy to “Check credentials” on the DefaultSubZone?

-Authentication policy configuration options-

Authentication policy is applied by the VCS at the zone and subzone levels. It controls how the VCS challenges incoming messages (for provisioning, registration, presence, phonebooks and calls) from that zone or subzone and whether those messages are rejected, treated as authenticated, or treated as unauthenticated within the VCS.

The primary authentication policy configuration options and their associated behavior are as follows:

• Check credentials: verify the credentials using the relevant authentication method. Note that in some scenarios, messages are not challenged.

• Do not check credentials: do not verify the credentials and allow the message to be processed.

• Treat as authenticated: do not verify the credentials and allow the message to be processed as if it has been authenticated. This option can be used to cater

For more detail, please refer to the online help on the VCS, available from

"https:///inc/help/en_US.utf8/VCS_help_Left.htm#CSHID=authpolicy|StartTopic=Content%2FVCS_configuration%2FAuthentication%2Fauthentication_policy.htm|SkinName=webhelp" (replace with actual IP address of your VCS).

Hi.  I'm not well versed on the RMX.  I go to IP Services and click on security and check SIP credentials and include username and password I put on VCS. 

Username I used is rmx200

VCS X7.1

RMX 200 7.6.0172

Replaced IPs with "X"

REMOVED some other information as well, but you see the transaction at least.

RMX sends REGISTER with this Dummy user account:

Jun 22 10:38:40 vcsvm11 tvcs: UTCTime="2012-06-22 14:38:40,024" Module="network.sip" Level="INFO":  Src-ip="x.x.x.x"  Src-port="60000"   Detail="Receive Request Method=REGISTER, To=sip:_dummy_tester1@tac.lab, Call-ID=2433222135-2086-RMX-0138219740-0000065536"

Jun 22 10:38:40 vcsvm11 tvcs: UTCTime="2012-06-22 14:38:40,025" Module="network.sip" Level="DEBUG":  Src-ip="x.x.x.x"  Src-port="60000"

SIPMSG:

    |REGISTER sip:tac.lab SIP/2.0
    Via: SIP/2.0/TLS x.x.x.x:5061;branch=z9hG4bK2433222206-2086;received=x.x.x.x
    Call-ID: 2433222135-2086-RMX-0138219740-0000065536
    CSeq: 1 REGISTER
    Contact: <_DUMMY_TESTER1>;isfocus
    From: "_dummy_tester1" <_DUMMY_TESTER1>;tag=rmx2k_2433222234-2086;epid=0x6c14530a
    To: "_dummy_tester1" <_DUMMY_TESTER1>
    Max-Forwards: 70
    Allow: INFO,MESSAGE,SUBSCRIBE,NOTIFY,UPDATE,REFER,INVITE,ACK,OPTIONS,CANCEL,BYE
    User-Agent: Polycom/Polycom RMX 2000/V7.6.0
    Expires: 3600
    Allow-Events: refer,conference
    Content-Length: 0

---------------------

Challenge for Authentication by VCS

Jun 22 10:38:40 vcsvm11 tvcs: UTCTime="2012-06-22 14:38:40,025" Module="network.sip" Level="INFO":  Dst-ip="x.x.x.x"  Dst-port="60000"   Detail="Sending Response Code=401, Method=REGISTER, To=sip:_dummy_tester1@tac.lab, Call-ID=2433222135-2086-RMX-0138219740-0000065536"

Jun 22 10:38:40 vcsvm11 tvcs: UTCTime="2012-06-22 14:38:40,025" Module="network.sip" Level="DEBUG":  Dst-ip="x.x.x.x"  Dst-port="60000"

SIPMSG:

    |SIP/2.0 401 Unauthorised
    Via: SIP/2.0/TLS x.x.x.x:5061;branch=z9hG4bK2433222206-2086;received=x.x.x.x
    Call-ID: 2433222135-2086-RMX-0138219740-0000065536
    CSeq: 1 REGISTER
    From: "_dummy_tester1" <_DUMMY_TESTER1>;tag=rmx2k_2433222234-2086;epid=0x6c14530a
    To: "_dummy_tester1" <_DUMMY_TESTER1>;tag=7fa9c20610acb274
    Server: TANDBERG/4103 (X7.1)
    WWW-Authenticate: Digest realm="vcsvm11.tac.lab", nonce="REMOVED", opaque="REMOVED", stale=FALSE, algorithm=MD5, qop="auth"
    Content-Length: 0

---------------------

Re-Trying Registration with Credentials:

Jun 22 10:38:40 vcsvm11 tvcs: UTCTime="2012-06-22 14:38:40,029" Module="network.sip" Level="INFO":  Src-ip="x.x.x.x"  Src-port="60000"   Detail="Receive Request Method=REGISTER, To=sip:_dummy_tester1@tac.lab, Call-ID=2433222135-2086-RMX-0138219740-0000065536"

Jun 22 10:38:40 vcsvm11 tvcs: UTCTime="2012-06-22 14:38:40,029" Module="network.sip" Level="DEBUG":  Src-ip="x.x.x.x"  Src-port="60000"

SIPMSG:

    |REGISTER sip:tac.lab SIP/2.0
    Via: SIP/2.0/TLS x.x.x.x:5061;branch=z9hG4bK2433316544-2086;received=x.x.x.x
    Call-ID: 2433222135-2086-RMX-0138219740-0000065536
    CSeq: 2 REGISTER
    Contact: <_DUMMY_TESTER1>;isfocus
    From: "_dummy_tester1" <_DUMMY_TESTER1>;tag=rmx2k_2433222234-2086;epid=0x6c14530a
    To: "_dummy_tester1" <_DUMMY_TESTER1>
    Max-Forwards: 70
    Route:
    Allow: INFO,MESSAGE,SUBSCRIBE,NOTIFY,UPDATE,REFER,INVITE,ACK,OPTIONS,CANCEL,BYE
    User-Agent: Polycom/Polycom RMX 2000/V7.6.0
    Expires: 3600
    Authorization: Digest username="rmx200", realm="vcsvm11.tac.lab", nonce="REMOVED", uri="sip:tac.lab", response="REMOVED", algorithm=MD5, opaque="REMOVED"
    Allow-Events: refer,conference
    Content-Length: 0

--------------------

After this, there is some other interesting information in the log I captured and need some verification on, but the RMX tends to send this "Dummy Tester 1" to the VCS for it to register. 

I'm not an RMX expert, but not sure why it does this to be honest.  May need to check with Polycom to confirm this behavior.  Are you not wanting to register this dummy tester?

Let us know the outcome?

Thanks.

VR

Patrick

After looking at this a bit more, the VCS fails the registration and authentication attempt from the RMX because the nonce counter is not included. 

Snippet from VCS Debug Log:

Method="SipProxyAuthentication::validateDigestAuthorisationCredentials" Thread="x": Could not find "nc" parameter in authentication header

Snippet from RFC 3261

"Use of the "qop" parameter is optional in RFC 2617 for the purposes of  backwards compatibility with RFC 2069; since RFC 2543 was based on RFC 2069, the "qop" parameter must unfortunately remain optional for clients and servers to receive.  However, servers MUST always send a "qop" parameter in  WWW-Authenticate and Proxy-Authenticate header field  values.  If a client receives a "qop" parameter in a challenge header field,  it MUST send the "qop" parameter in  any resulting authorization header field."

---------------------

So VCS sends 401 Unauthorized to RMX.  Authentication:

WWW-Authenticate: Digest realm="vcsvm11.tac.lab", nonce="REMOVED", opaque="REMOVED", stale=FALSE, algorithm=MD5, qop="auth"

Content-Length: 0

--------------------

RMX Sends another REGISTER with Authentication:

Authorization: Digest username="rmx200", realm="vcsvm11.tac.lab",  nonce="REMOVED", uri="sip:tac.lab", response="REMOVED", algorithm=MD5,  opaque="REMOVED"

But I do not see qop=auth in the authorization from the RMX.

-------------------

Plus the nonce counter would need to be included as well if presented with qop.  So if the RMX would present qop="auth" in Authorization header, it would need to include nonce counter (nc=) in the same Authorization Header.  Reading in RFC 2617:

nonce-count
     This MUST be specified if a qop directive is sent (see above), and
     MUST NOT be specified if the server did not send a qop directive in
     the WWW-Authenticate header field.  The nc-value is the hexadecimal
     count of the number of requests (including the current request)
     that the client has sent with the nonce value in this request.  For
     example, in the first request sent in response to a given nonce
     value, the client sends "nc=00000001".  The purpose of this
     directive is to allow the server to detect request replays by
     maintaining its own copy of this count - if the same nc-value is
     seen twice, then the request is a replay.   See the description
     below of the construction of the request-digest value.

VCS seems to retry it here and resend 401 Back to RMX, but keeping the log running for a bit, I didn't see it being resent by RMX, but will reconfirm. 

Anyhow, I think it would be wise for you to connect with Polycom to check on this issue. 

Hope this helps. 

VR

Patrick
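The qop/nc/cnonce rules quoted in the reply above can be checked mechanically against the two headers from the log. The following is an added example, not part of the original thread and not VCS or RMX code; the password and cnonce passed to `compliant_authorization` are constructed values, and the "REMOVED" strings are the poster's own redactions kept as-is.

```python
import hashlib
import re

# Headers as quoted in the thread; "REMOVED" is the poster's own redaction.
CHALLENGE = ('Digest realm="vcsvm11.tac.lab", nonce="REMOVED", opaque="REMOVED", '
             'stale=FALSE, algorithm=MD5, qop="auth"')
RMX_AUTHZ = ('Digest username="rmx200", realm="vcsvm11.tac.lab", nonce="REMOVED", '
             'uri="sip:tac.lab", response="REMOVED", algorithm=MD5, opaque="REMOVED"')
_PARAM = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')

def parse_digest(value):
    """Split a Digest challenge or credentials header value into a dict."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {k.lower(): quoted or bare for k, quoted, bare in _PARAM.findall(rest)}

def qop_problems(challenge, authorization):
    """List the RFC 2617 qop/nc/cnonce violations in a client's Authorization header."""
    ch, az = parse_digest(challenge), parse_digest(authorization)
    offered = {q.strip() for q in ch.get("qop", "").split(",") if q.strip()}
    if not offered:  # no qop in the challenge: nc and cnonce MUST NOT be sent
        return [f"{p} sent without a qop challenge" for p in ("nc", "cnonce") if p in az]
    problems = [f"{p} missing" for p in ("qop", "nc", "cnonce") if p not in az]
    if "qop" in az and az["qop"] not in offered:
        problems.append("qop value was not offered")
    if "nc" in az and not re.fullmatch(r"[0-9a-fA-F]{8}", az["nc"]):
        problems.append("nc is not 8 hex digits")
    return problems

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """request-digest for algorithm=MD5 with qop=auth (RFC 2617 section 3.2.2.1)."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1, ha2 = md5(f"{user}:{realm}:{password}"), md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def compliant_authorization(password, cnonce, nc="00000001"):
    """Header a conforming REGISTER retry would carry (password/cnonce are made-up inputs)."""
    ch = parse_digest(CHALLENGE)
    resp = digest_response("rmx200", ch["realm"], password, "REGISTER", "sip:tac.lab",
                           ch["nonce"], nc, cnonce)
    return (f'Digest username="rmx200", realm="{ch["realm"]}", nonce="{ch["nonce"]}", '
            f'uri="sip:tac.lab", response="{resp}", algorithm=MD5, cnonce="{cnonce}", '
            f'opaque="{ch["opaque"]}", qop=auth, nc={nc}')

if __name__ == "__main__":
    for authz in (RMX_AUTHZ, compliant_authorization("example-password", "0a4f113b")):
        print(qop_problems(CHALLENGE, authz))
```

Run against the RMX header from the log, the check reports the missing `qop`, `nc` and `cnonce`, which matches the "Could not find "nc" parameter" line in the VCS debug log.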

gubadman
Level 3

Could you try creating a subzone, which is set to treat as authenticated. And a membership rule for the subzone which has the IP address of the MCU and a subnet mask of /32 in it. Then try registering the MCU.

Sent from Cisco Technical Support iPhone App