DMA Operations Guide Device Authentication
Polycom, Inc.
Inbound H.323 Device Authentication
In an environment where H.235 authentication is used, H.323 devices include
their credentials (name and password) in registration and signaling (RAS)
requests. The Polycom DMA system authenticates requests as follows:
• If the request is a signaling request (ARQ, BRQ, DRQ) from an
unregistered endpoint, the Call Server doesn’t authenticate the
credentials.
• If the request is a signaling request from a registered endpoint, or if the
request is from an MCU or neighbor gatekeeper, the Call Server attempts
to authenticate using its device authentication list.
If the credentials can’t be authenticated, the Call Server rejects the registration
or signaling request. For call signaling requests, it also rejects the request if the
credentials differ from those with which the device registered.
Inbound SIP Device Authentication
The SIP digest authentication mechanism is described in RFC 3261 (starting in
section 22, page 192) and in RFC 2617 (section 3, page 5). When a SIP endpoint
registers with or calls the Polycom DMA system, if the request includes
authentication information, that information is checked against the Call
Server’s local device authentication list, which you create on this page.
If SIP authentication is enabled and an endpoint’s request doesn’t include
authentication information, the Call Server responds with an authentication
challenge (a 401 or 407 response, depending on how you configure it)
containing the required fields (see the RFCs cited above). If the endpoint responds with valid
authentication information, the system accepts the registration or call.
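
The challenge-and-verify flow described above, as an added example in Python (not Polycom's code): it computes the RFC 2617 request-digest and checks a request's credentials against a local device list. The device name, realm, password, nonce and the helper names are constructed for illustration, and answering invalid credentials with a fresh challenge is an assumption the guide does not specify.

```python
import hashlib
import hmac
import re

# Constructed device authentication list: (name, realm) -> password.
DEVICE_AUTH_LIST = {("room101", "dma.example.com"): "s3cret-Pass"}

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """Request-digest from RFC 2617 section 3.2.2 (MD5 algorithm)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")  # form used when no qop is sent

def parse_digest(value):
    """Split 'Digest k="v", k2=v2' into a dict of parameters."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {key: quoted or bare for key, quoted, bare in pairs}

def check_request(method, auth_header, issued_nonce, challenge_status=401):
    """Return 200 to accept, or the configured challenge status (401 or 407)."""
    if not auth_header:
        return challenge_status  # no credentials yet: send a challenge
    p = parse_digest(auth_header)
    password = DEVICE_AUTH_LIST.get((p.get("username"), p.get("realm")))
    if password is None or p.get("nonce") != issued_nonce:
        return challenge_status  # unknown device or stale/foreign nonce
    expected = digest_response(p["username"], p["realm"], password, method,
                               p.get("uri", ""), issued_nonce,
                               p.get("qop"), p.get("nc"), p.get("cnonce"))
    # Constant-time comparison so timing does not leak digest prefixes.
    ok = hmac.compare_digest(expected.encode(), p.get("response", "").encode())
    return 200 if ok else challenge_status

if __name__ == "__main__":
    nonce = "7f3a9c51e2"  # constructed nonce the server issued in its challenge
    resp = digest_response("room101", "dma.example.com", "s3cret-Pass",
                           "REGISTER", "sip:dma.example.com", nonce)
    header = (f'Digest username="room101", realm="dma.example.com", '
              f'nonce="{nonce}", uri="sip:dma.example.com", response="{resp}"')
    print(check_request("REGISTER", None, nonce))    # challenge
    print(check_request("REGISTER", header, nonce))  # accept
```

The password never crosses the wire; only the digest does, which is why the server needs the device's password (or its stored hash of name, realm and password) in its local list to recompute the value.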
Shared Outbound Authentication
On the Shared Outbound Authentication tab, you can maintain the Call
Server’s general list of authentication credentials, which it uses to authenticate
itself on behalf of calling devices to external SIP peers for which the
appropriate device-specific credentials haven’t been defined.
The Call Server intercepts and responds to authentication challenges from SIP
peers on behalf of some or all devices calling through the Call Server. This
feature allows authentication security between the Call Server and its peers to
be completely separate from security between the endpoints and the Call
Server.
Note
If inbound SIP authentication is turned on, the Polycom DMA system challenges
any SIP message coming to the system. Any SIP peer and other device that
interoperates with the system must be configured to authenticate itself, or you must
turn off Device authentication for that specific device. See “Edit Device Dialog
Box” on page 86.