Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1985
Views
0
Helpful
8
Replies

Provisioning to EX60 from TMSPE through vcs-c/vcs-e

Go to solution
startryst
Level 1
Level 1

‎01-10-2013 04:34 AM - edited ‎03-18-2019 12:25 AM

Hi, Experts

The architecture is as below:

Movi or EX60 -> VCS Expressway -> VCS Control (Authentication through AD) -> TMSPE

The movi user can login by their username and password, also get phonebook correctly, but using the same user credentials, the EX60 could't been provisioned, TMSPE already imported the EX60 template with a few settings, and that is shown in VCS control already.

When using the touch pannel of the EX60, there are four areas for configurations: username, password, domain, external manager; in my fillings, the username, password and domain are the same between Movi and EX60, and for the external manager, I've put the VCS expressway's public IP into that field.

After did some diagnostic logging, I found the below info, but acutally the username/password I used for EX60 is exactly the same on Movi which can login successful.

BTW, both Movi and EX60 are connecting from Internet

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,457" Module="network.sip" Level="INFO":  Src-ip="123.123.123.123"  Src-port="7001"   Detail="Receive Request Method=SUBSCRIBE, Request-URI=sip:xxx@yyy.com, Call-ID=a48804eca92f0a40@192.168.1.4"

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,457" Module="network.sip" Level="DEBUG":  Src-ip="123.123.123.123"  Src-port="7001"

SIPMSG:

|SUBSCRIBE sip:xxx@yyy.com SIP/2.0

Via: SIP/2.0/TLS 123.123.123.123:7001;egress-zone=TraversalZone;branch=z9hG4bKbcf198976b49c549757cfa4ffaa63ca711816.0478002c4a97d56809160bce80ec1272;proxy-call-id=6f9d8e7a-5b1e-11e2-aad7-000c29bc93c9;received=123.123.123.123;rport=7001

Via: SIP/2.0/TLS 192.168.1.4:5061;branch=z9hG4bKe25f645f5a082db642b18eafbf077f14.1;received=61.165.188.154;rport=54629;ingress-zone=DefaultSubZone

Call-ID: a48804eca92f0a40@192.168.1.4

CSeq: 101 SUBSCRIBE

Contact: <sip:xxx@yyy.com;gr=urn:uuid:142a3221-0817-57f2-b7f6-54aac220c42a>

From: <sip:xxx@yyy.com>;tag=7efeafa2a40ee175

To: <sip:provisioning@yyy.com>

Max-Forwards: 15

Record-Route: <sip:123.123.123.123:7001;transport=tls;lr;apparent=replace;proxy-call-id=6f9d8e7a-5b1e-11e2-aad7-000c29bc93c9>

Record-Route: <sip:123.123.123.123:7001;transport=tls;lr>

Record-Route: <sip:123.123.123.123:5061;transport=tls;lr>

Record-Route: <sip:61.165.188.154:54629;transport=tls;apparent=remove;ds;lr;proxy-call-id=6f9d8e7a-5b1e-11e2-aad7-000c29bc93c9>

User-Agent: TANDBERG/516 (TC5.1.4.295090)

Expires: 3600

Event: ua-profile;model=ex60;vendor=tandberg.com;serial="A1AZ43E00090";profile-type=user;version="TC5.1.4.295090";clientid="id-00:50:60:08:03:DB-";mac-address="00:50:60:08:03:DB"

Accept: application/pidf+xml

X-TAATag: 6f9d9168-5b1e-11e2-a2f4-000c29bc93c9

Content-Length: 0

|

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,458" Module="network.sip" Level="INFO":  Dst-ip="123.123.123.123"  Dst-port="7001"   Detail="Sending Response Code=407, Method=SUBSCRIBE, To=sip:provisioning@yyy.com, Call-ID=a48804eca92f0a40@192.168.1.4"

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,458" Module="network.sip" Level="DEBUG":  Dst-ip="123.123.123.123"  Dst-port="7001"

SIPMSG:

|SIP/2.0 407 Proxy Authentication Required

Via: SIP/2.0/TLS 123.123.123.123:7001;egress-zone=TraversalZone;branch=z9hG4bKbcf198976b49c549757cfa4ffaa63ca711816.0478002c4a97d56809160bce80ec1272;proxy-call-id=6f9d8e7a-5b1e-11e2-aad7-000c29bc93c9;received=123.123.123.123;rport=7001

Via: SIP/2.0/TLS 192.168.1.4:5061;branch=z9hG4bKe25f645f5a082db642b18eafbf077f14.1;received=61.165.188.154;rport=54629;ingress-zone=DefaultSubZone

Call-ID: a48804eca92f0a40@192.168.1.4

CSeq: 101 SUBSCRIBE

From: <sip:xxx@yyy.com>;tag=7efeafa2a40ee175

To: <sip:provisioning@yyy.com>;tag=af407bd2061beffe

Server: TANDBERG/4120 (X7.2.1)

Proxy-Authenticate: Digest realm="vcsc.yyy.com", nonce="c9a4cb9445b5d96625d5fd7c2f26c460216f35aa2b15d162c79f9ff7ab03", opaque="AQAAAPliFrzUQV7Kj9A4DJ5mkH350LV2", stale=FALSE, algorithm=MD5, qop="auth"

Content-Length: 0

|

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,516" Module="network.sip" Level="INFO":  Src-ip="123.123.123.123"  Src-port="7001"   Detail="Receive Request Method=SUBSCRIBE, Request-URI=sip:xxx@yyy.com, Call-ID=a48804eca92f0a40@192.168.1.4"

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,516" Module="network.sip" Level="DEBUG":  Src-ip="123.123.123.123"  Src-port="7001"

SIPMSG:

|SUBSCRIBE sip:xxx@yyy.com SIP/2.0

Via: SIP/2.0/TLS 123.123.123.123:7001;egress-zone=TraversalZone;branch=z9hG4bK88c6c1ab68ac29a2baad79f373c5780c11818.58b5841c155f6ed8d36de38281aa7aa8;proxy-call-id=6fa6852a-5b1e-11e2-9e00-000c29bc93c9;received=123.123.123.123;rport=7001

Via: SIP/2.0/TLS 192.168.1.4:5061;branch=z9hG4bK86991f63e040efdaa5376ccdcd541dc0.1;received=61.165.188.154;rport=54629;ingress-zone=DefaultSubZone

Call-ID: a48804eca92f0a40@192.168.1.4

CSeq: 102 SUBSCRIBE

Contact: <sip:xxx@yyy.com;gr=urn:uuid:142a3221-0817-57f2-b7f6-54aac220c42a>

From: <sip:xxx@yyy.com>;tag=7efeafa2a40ee175

To: <sip:provisioning@yyy.com>

Max-Forwards: 15

Record-Route: <sip:123.123.123.123:7001;transport=tls;lr;apparent=replace;proxy-call-id=6fa6852a-5b1e-11e2-9e00-000c29bc93c9>

Record-Route: <sip:123.123.123.123:7001;transport=tls;lr>

Record-Route: <sip:123.123.123.123:5061;transport=tls;lr>

Record-Route: <sip:61.165.188.154:54629;transport=tls;apparent=remove;ds;lr;proxy-call-id=6fa6852a-5b1e-11e2-9e00-000c29bc93c9>

User-Agent: TANDBERG/516 (TC5.1.4.295090)

Expires: 3600

Proxy-Authorization: Digest nonce="c9a4cb9445b5d96625d5fd7c2f26c460216f35aa2b15d162c79f9ff7ab03", realm="vcsc.yyy.com", qop=auth, opaque="AQAAAPliFrzUQV7Kj9A4DJ5mkH350LV2", username="xxx", uri="sip:yyy.com", response="eb3cc75731f7e48c6f6af4adb7e5bba0", algorithm=MD5, nc=00000001, cnonce="07b93f430f7036a871699aa1558bfa5f"

Event: ua-profile;model=ex60;vendor=tandberg.com;serial="A1AZ43E00090";profile-type=user;version="TC5.1.4.295090";clientid="id-00:50:60:08:03:DB-";mac-address="00:50:60:08:03:DB"

Accept: application/pidf+xml

X-TAATag: 6fa68962-5b1e-11e2-b72b-000c29bc93c9

Content-Length: 0

|

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,517" Module="network.http" Level="DEBUG":  Message="Request" Method="POST" URL="http://127.0.0.1:9998/credential/name/xxx" Ref="0x7f3e8400f0f0"

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,522" Module="network.http" Level="DEBUG":  Message="Response" Src-ip="127.0.0.1" Src-port="9998" Dst-ip="127.0.0.1" Dst-port="43650" Response="200 OK" ResponseTime="0.004748" Ref="0x7f3e8400f0f0"

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,522" Module="network.ldap" Level="INFO":   Detail="Authentication credential found in directory for identity: xxx"

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,522" Module="developer.nomodule" Level="WARN" CodeLocation="ppcmains/sip/sipproxy/SipProxyAuthentication.cpp(453)" Method="SipProxyAuthentication::validateDigestAuthorisationCredentials" Thread="0x7f3e9c7cc700": calculated response does not match supplied response, calculatedResponse=2800d2e046695a6c6fea48825c745a09, response=eb3cc75731f7e48c6f6af4adb7e5bba0

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,523" Module="network.sip" Level="INFO":  Dst-ip="123.123.123.123"  Dst-port="7001"   Detail="Sending Response Code=407, Method=SUBSCRIBE, To=sip:provisioning@yyy.com, Call-ID=a48804eca92f0a40@192.168.1.4"

2013-01-10T20:08:25+08:00 vcsc tvcs: UTCTime="2013-01-10 12:08:25,523" Module="network.sip" Level="DEBUG":  Dst-ip="123.123.123.123"  Dst-port="7001"

SIPMSG:

|SIP/2.0 407 Proxy Authentication Required

Via: SIP/2.0/TLS 123.123.123.123:7001;egress-zone=TraversalZone;branch=z9hG4bK88c6c1ab68ac29a2baad79f373c5780c11818.58b5841c155f6ed8d36de38281aa7aa8;proxy-call-id=6fa6852a-5b1e-11e2-9e00-000c29bc93c9;received=123.123.123.123;rport=7001

Via: SIP/2.0/TLS 192.168.1.4:5061;branch=z9hG4bK86991f63e040efdaa5376ccdcd541dc0.1;received=61.165.188.154;rport=54629;ingress-zone=DefaultSubZone

Call-ID: a48804eca92f0a40@192.168.1.4

CSeq: 102 SUBSCRIBE

From: <sip:xxx@yyy.com>;tag=7efeafa2a40ee175

To: <sip:provisioning@yyy.com>;tag=33343865b3d116b6

Server: TANDBERG/4120 (X7.2.1)

Proxy-Authenticate: Digest realm="vcsc.yyy.com", nonce="b7946bc861c08c79a59deef4833c77b89d10ac00965129a64be2615e968d", opaque="AgAAAGyk74ifNAv2n6OcfqGJmURSv/ZT", stale=FALSE, algorithm=MD5, qop="auth"

Content-Length: 0

|

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
gubadman
Level 3
Level 3
In response to startryst

‎01-10-2013 08:11 AM

Not exactly, the user is created by AD group import into TMS(PE). And I assume your VCS is set up to check AD credentials from the web page VCS configuration > Authentication > Devices > Active Directory Service. You do not need to create a new users.

However the AD password checking only works for Movi and Jabber for iPad, other devices don't support it, they use digest authentication. This uses the password for the user that is in TMS. And although the user is imported to TMS from AD, their password will never be imported. TMS creates a password automatically for imported users - it is what comes from the {password} token when you send the provisoning account information email in TMS - I believe TMS generates 8 digit numeric passwords for the imported users by default, though these could then be changed. This password should be used for the EX60.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
gubadman
Level 3
Level 3

‎01-10-2013 05:09 AM

Hi,

While Movi can do AD authentication, EX60 can only do digest authentication. So in this case you need to use the password that is datafilled in TMS for the user, which may be different to their AD password.

Thanks,

Guy

0 Helpful

Go to solution
startryst
Level 1
Level 1
In response to gubadman

‎01-10-2013 06:08 AM

Hi, Guy

Are you talking about create the user directly under TMSPE, instead of going through AD?

Sent from Cisco Technical Support iPhone App

0 Helpful

Go to solution
gubadman
Level 3
Level 3
In response to startryst

‎01-10-2013 08:11 AM

Not exactly, the user is created by AD group import into TMS(PE). And I assume your VCS is set up to check AD credentials from the web page VCS configuration > Authentication > Devices > Active Directory Service. You do not need to create a new users.

However the AD password checking only works for Movi and Jabber for iPad, other devices don't support it, they use digest authentication. This uses the password for the user that is in TMS. And although the user is imported to TMS from AD, their password will never be imported. TMS creates a password automatically for imported users - it is what comes from the {password} token when you send the provisoning account information email in TMS - I believe TMS generates 8 digit numeric passwords for the imported users by default, though these could then be changed. This password should be used for the EX60.

0 Helpful

Go to solution
startryst
Level 1
Level 1
In response to gubadman

‎01-10-2013 06:01 PM

Hi, Guy

Got your point, and I've tried with your suggestion, but the problem is I haven't setup an SMTP server in my TMSPE, so when I clieck the System -> Provisioning -> Users -> Certain User -> Send Account Information, it only prompt as an messsage at the right below corner of the screen, I couldn't know the digit password you metioned above.

In addition, I've tried to click Edit User to change the password to something contain alphanumeric, but the EX60 still failed to get the provisioning from VCS Expressway.

0 Helpful

Go to solution
Lynn Edmiston
Level 1
Level 1
In response to startryst

‎05-29-2013 02:28 PM

Thanks, Guy, you helped me solve my problem. I fixed the issue of EX60 authenticating to TMS/VCS by manually setting a user password in TMSPE. For my Jabber clients I can leave the password blank since hashes are passed to and from AD.

0 Helpful

Go to solution
Darin Walker
Level 1
Level 1

‎05-29-2013 04:10 PM

You were able to setup a jabber account using no password? Interesting.

Sent from Cisco Technical Support iPhone App

0 Helpful

Go to solution
Lynn Edmiston
Level 1
Level 1
In response to Darin Walker

‎05-30-2013 07:52 AM

We are using Jabber Movi with the legacy setting to allow Windows credential passthrough.

0 Helpful

Go to solution
Darin Walker
Level 1
Level 1
In response to Lynn Edmiston

‎06-04-2013 06:53 PM

How did you get the credentials to pass through. I have the same version "Movi"

Sent from Cisco Technical Support iPhone App

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents