startryst
Beginner

Provisioning to EX60 from TMSPE through vcs-c/vcs-e

Hi, Experts

The architecture is as below:

Movi or EX60 -> VCS Expressway -> VCS Control (Authentication through AD) -> TMSPE

The Movi user can log in with their username and password and also gets the phonebook correctly, but using the same user credentials, the EX60 couldn't be provisioned. TMSPE already imported the EX60 template with a few settings, and that is shown in VCS Control already.

When using the touch panel of the EX60, there are four fields for configuration: username, password, domain, external manager. In my entries, the username, password and domain are the same between Movi and EX60, and for the external manager, I've put the VCS Expressway's public IP into that field.

After doing some diagnostic logging, I found the info below, but actually the username/password I used for the EX60 is exactly the same as on Movi, which can log in successfully.

BTW, both Movi and EX60 are connecting from the Internet.

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,457" Module="network.sip" Level="INFO":  Src-ip="123.123.123.123"  Src-port="7001"   Detail="Receive Request Method=SUBSCRIBE, Request-URI=sip:xxx@yyy.com, Call-ID=a48804eca92f0a40@192.168.1.4"

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,457" Module="network.sip" Level="DEBUG":  Src-ip="123.123.123.123"  Src-port="7001"

SIPMSG:

|SUBSCRIBE sip:xxx@yyy.com SIP/2.0

Via: SIP/2.0/TLS 123.123.123.123:7001;egress-zone=TraversalZone;branch=z9hG4bKbcf198976b49c549757cfa4ffaa63ca711816.0478002c4a97d56809160bce80ec1272;proxy-call-id=6f9d8e7a-5b1e-11e2-aad7-000c29bc93c9;received=123.123.123.123;rport=7001

Via: SIP/2.0/TLS 192.168.1.4:5061;branch=z9hG4bKe25f645f5a082db642b18eafbf077f14.1;received=61.165.188.154;rport=54629;ingress-zone=DefaultSubZone

Call-ID: a48804eca92f0a40@192.168.1.4

CSeq: 101 SUBSCRIBE

Contact: <sip:xxx@yyy.com;gr=urn:uuid:142a3221-0817-57f2-b7f6-54aac220c42a>

From: <sip:xxx@yyy.com>;tag=7efeafa2a40ee175

To: <sip:provisioning@yyy.com>

Max-Forwards: 15

Record-Route: <sip:123.123.123.123:7001;transport=tls;lr;apparent=replace;proxy-call-id=6f9d8e7a-5b1e-11e2-aad7-000c29bc93c9>

Record-Route: <sip:123.123.123.123:7001;transport=tls;lr>

Record-Route: <sip:123.123.123.123:5061;transport=tls;lr>

Record-Route: <sip:61.165.188.154:54629;transport=tls;apparent=remove;ds;lr;proxy-call-id=6f9d8e7a-5b1e-11e2-aad7-000c29bc93c9>

User-Agent: TANDBERG/516 (TC5.1.4.295090)

Expires: 3600

Event: ua-profile;model=ex60;vendor=tandberg.com;serial="A1AZ43E00090";profile-type=user;version="TC5.1.4.295090";clientid="id-00:50:60:08:03:DB-";mac-address="00:50:60:08:03:DB"

Accept: application/pidf+xml

X-TAATag: 6f9d9168-5b1e-11e2-a2f4-000c29bc93c9

Content-Length: 0

|

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,458" Module="network.sip" Level="INFO":  Dst-ip="123.123.123.123"  Dst-port="7001"   Detail="Sending Response Code=407, Method=SUBSCRIBE, To=sip:provisioning@yyy.com, Call-ID=a48804eca92f0a40@192.168.1.4"

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,458" Module="network.sip" Level="DEBUG":  Dst-ip="123.123.123.123"  Dst-port="7001"

SIPMSG:

|SIP/2.0 407 Proxy Authentication Required

Via: SIP/2.0/TLS 123.123.123.123:7001;egress-zone=TraversalZone;branch=z9hG4bKbcf198976b49c549757cfa4ffaa63ca711816.0478002c4a97d56809160bce80ec1272;proxy-call-id=6f9d8e7a-5b1e-11e2-aad7-000c29bc93c9;received=123.123.123.123;rport=7001

Via: SIP/2.0/TLS 192.168.1.4:5061;branch=z9hG4bKe25f645f5a082db642b18eafbf077f14.1;received=61.165.188.154;rport=54629;ingress-zone=DefaultSubZone

Call-ID: a48804eca92f0a40@192.168.1.4

CSeq: 101 SUBSCRIBE

From: <sip:xxx@yyy.com>;tag=7efeafa2a40ee175

To: <sip:provisioning@yyy.com>;tag=af407bd2061beffe

Server: TANDBERG/4120 (X7.2.1)

Proxy-Authenticate: Digest realm="vcsc.yyy.com", nonce="c9a4cb9445b5d96625d5fd7c2f26c460216f35aa2b15d162c79f9ff7ab03", opaque="AQAAAPliFrzUQV7Kj9A4DJ5mkH350LV2", stale=FALSE, algorithm=MD5, qop="auth"

Content-Length: 0

|

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,516" Module="network.sip" Level="INFO":  Src-ip="123.123.123.123"  Src-port="7001"   Detail="Receive Request Method=SUBSCRIBE, Request-URI=sip:xxx@yyy.com, Call-ID=a48804eca92f0a40@192.168.1.4"

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,516" Module="network.sip" Level="DEBUG":  Src-ip="123.123.123.123"  Src-port="7001"

SIPMSG:

|SUBSCRIBE sip:xxx@yyy.com SIP/2.0

Via: SIP/2.0/TLS 123.123.123.123:7001;egress-zone=TraversalZone;branch=z9hG4bK88c6c1ab68ac29a2baad79f373c5780c11818.58b5841c155f6ed8d36de38281aa7aa8;proxy-call-id=6fa6852a-5b1e-11e2-9e00-000c29bc93c9;received=123.123.123.123;rport=7001

Via: SIP/2.0/TLS 192.168.1.4:5061;branch=z9hG4bK86991f63e040efdaa5376ccdcd541dc0.1;received=61.165.188.154;rport=54629;ingress-zone=DefaultSubZone

Call-ID: a48804eca92f0a40@192.168.1.4

CSeq: 102 SUBSCRIBE

Contact: <sip:xxx@yyy.com;gr=urn:uuid:142a3221-0817-57f2-b7f6-54aac220c42a>

From: <sip:xxx@yyy.com>;tag=7efeafa2a40ee175

To: <sip:provisioning@yyy.com>

Max-Forwards: 15

Record-Route: <sip:123.123.123.123:7001;transport=tls;lr;apparent=replace;proxy-call-id=6fa6852a-5b1e-11e2-9e00-000c29bc93c9>

Record-Route: <sip:123.123.123.123:7001;transport=tls;lr>

Record-Route: <sip:123.123.123.123:5061;transport=tls;lr>

Record-Route: <sip:61.165.188.154:54629;transport=tls;apparent=remove;ds;lr;proxy-call-id=6fa6852a-5b1e-11e2-9e00-000c29bc93c9>

User-Agent: TANDBERG/516 (TC5.1.4.295090)

Expires: 3600

Proxy-Authorization: Digest nonce="c9a4cb9445b5d96625d5fd7c2f26c460216f35aa2b15d162c79f9ff7ab03", realm="vcsc.yyy.com", qop=auth, opaque="AQAAAPliFrzUQV7Kj9A4DJ5mkH350LV2", username="xxx", uri="sip:yyy.com", response="eb3cc75731f7e48c6f6af4adb7e5bba0", algorithm=MD5, nc=00000001, cnonce="07b93f430f7036a871699aa1558bfa5f"

Event: ua-profile;model=ex60;vendor=tandberg.com;serial="A1AZ43E00090";profile-type=user;version="TC5.1.4.295090";clientid="id-00:50:60:08:03:DB-";mac-address="00:50:60:08:03:DB"

Accept: application/pidf+xml

X-TAATag: 6fa68962-5b1e-11e2-b72b-000c29bc93c9

Content-Length: 0

|

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,517" Module="network.http" Level="DEBUG":  Message="Request" Method="POST" URL="http://127.0.0.1:9998/credential/name/xxx" Ref="0x7f3e8400f0f0"

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,522" Module="network.http" Level="DEBUG":  Message="Response" Src-ip="127.0.0.1" Src-port="9998" Dst-ip="127.0.0.1" Dst-port="43650" Response="200 OK" ResponseTime="0.004748" Ref="0x7f3e8400f0f0"

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,522" Module="network.ldap" Level="INFO":   Detail="Authentication credential found in directory for identity: xxx"

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,522" Module="developer.nomodule" Level="WARN" CodeLocation="ppcmains/sip/sipproxy/SipProxyAuthentication.cpp(453)" Method="SipProxyAuthentication::validateDigestAuthorisationCredentials" Thread="0x7f3e9c7cc700": calculated response does not match supplied response, calculatedResponse=2800d2e046695a6c6fea48825c745a09, response=eb3cc75731f7e48c6f6af4adb7e5bba0

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,523" Module="network.sip" Level="INFO":  Dst-ip="123.123.123.123"  Dst-port="7001"   Detail="Sending Response Code=407, Method=SUBSCRIBE, To=sip:provisioning@yyy.com, Call-ID=a48804eca92f0a40@192.168.1.4"

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,523" Module="network.sip" Level="DEBUG":  Dst-ip="123.123.123.123"  Dst-port="7001"

SIPMSG:

|SIP/2.0 407 Proxy Authentication Required

Via: SIP/2.0/TLS 123.123.123.123:7001;egress-zone=TraversalZone;branch=z9hG4bK88c6c1ab68ac29a2baad79f373c5780c11818.58b5841c155f6ed8d36de38281aa7aa8;proxy-call-id=6fa6852a-5b1e-11e2-9e00-000c29bc93c9;received=123.123.123.123;rport=7001

Via: SIP/2.0/TLS 192.168.1.4:5061;branch=z9hG4bK86991f63e040efdaa5376ccdcd541dc0.1;received=61.165.188.154;rport=54629;ingress-zone=DefaultSubZone

Call-ID: a48804eca92f0a40@192.168.1.4

CSeq: 102 SUBSCRIBE

From: <sip:xxx@yyy.com>;tag=7efeafa2a40ee175

To: <sip:provisioning@yyy.com>;tag=33343865b3d116b6

Server: TANDBERG/4120 (X7.2.1)

Proxy-Authenticate: Digest realm="vcsc.yyy.com", nonce="b7946bc861c08c79a59deef4833c77b89d10ac00965129a64be2615e968d", opaque="AgAAAGyk74ifNAv2n6OcfqGJmURSv/ZT", stale=FALSE, algorithm=MD5, qop="auth"

Content-Length: 0

|

gubadman
Participant

Hi,

While Movi can do AD authentication, EX60 can only do digest authentication. So in this case you need to use the password that is datafilled in TMS for the user, which may be different to their AD password.

Thanks,

Guy

Hi, Guy

Are you talking about creating the user directly under TMSPE, instead of going through AD?

Sent from Cisco Technical Support iPhone App

Not exactly, the user is created by AD group import into TMS(PE). And I assume your VCS is set up to check AD credentials from the web page VCS configuration > Authentication > Devices > Active Directory Service. You do not need to create a new user.

However the AD password checking only works for Movi and Jabber for iPad, other devices don't support it, they use digest authentication. This uses the password for the user that is in TMS. And although the user is imported to TMS from AD, their password will never be imported. TMS creates a password automatically for imported users - it is what comes from the {password} token when you send the provisioning account information email in TMS - I believe TMS generates 8 digit numeric passwords for the imported users by default, though these could then be changed. This password should be used for the EX60.
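
The mismatch described in this reply, as an added example that is not part of the original thread: the RFC 2617 digest calculation (algorithm=MD5, qop=auth) over the fields of the logged Proxy-Authorization header, showing that an endpoint hashing one password and a proxy hashing another get different responses and a 407. Both passwords and all function names are constructed for illustration; the real passwords are not on the page.

```python
import hashlib
import hmac


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 'response' value for algorithm=MD5 with qop=auth."""
    ha1 = _md5(f"{username}:{realm}:{password}")  # secret part
    ha2 = _md5(f"{method}:{uri}")                 # request part
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


# Fields copied from the second SUBSCRIBE (CSeq 102) in the log above.
FIELDS = dict(
    username="xxx", realm="vcsc.yyy.com", method="SUBSCRIBE", uri="sip:yyy.com",
    nonce="c9a4cb9445b5d96625d5fd7c2f26c460216f35aa2b15d162c79f9ff7ab03",
    nc="00000001", cnonce="07b93f430f7036a871699aa1558bfa5f",
)

# Constructed sample passwords (assumptions, not values from the thread).
STORES = {"AD": "Example-AD-Pass1", "TMS": "48151623"}


def proxy_status(supplied, stored_password):
    """Simplified proxy check: recompute the response from the stored
    password and compare it with what the endpoint sent."""
    calculated = digest_response(password=stored_password, **FIELDS)
    return 200 if hmac.compare_digest(calculated, supplied) else 407


def which_store(supplied, stores):
    """Name of the credential store whose password reproduces 'supplied'."""
    for name, password in stores.items():
        if proxy_status(supplied, password) == 200:
            return name
    return None


if __name__ == "__main__":
    # The endpoint was given the AD password; the proxy holds the TMS one.
    sent = digest_response(password=STORES["AD"], **FIELDS)
    print("proxy answers", proxy_status(sent, STORES["TMS"]))
    print("response was built from the", which_store(sent, STORES), "password")
```
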

Hi, Guy

Got your point, and I've tried your suggestion, but the problem is I haven't set up an SMTP server in my TMSPE, so when I click System -> Provisioning -> Users -> Certain User -> Send Account Information, it only prompts with a message at the bottom right corner of the screen, so I can't find out the digit password you mentioned above.

In addition, I've tried to click Edit User to change the password to something containing alphanumeric characters, but the EX60 still failed to get the provisioning from VCS Expressway.

Thanks, Guy, you helped me solve my problem. I fixed the issue of EX60 authenticating to TMS/VCS by manually setting a user password in TMSPE. For my Jabber clients I can leave the password blank since hashes are passed to and from AD.

Darin Walker
Beginner

You were able to set up a Jabber account using no password? Interesting.

Sent from Cisco Technical Support iPhone App

We are using Jabber Movi with the legacy setting to allow Windows credential passthrough.

How did you get the credentials to pass through? I have the same version "Movi"

Sent from Cisco Technical Support iPhone App
