SIP Authentication for Jabber clients

What protocol does the Jabber client use for SIP authentication?  I assume it's using HTTP digest based authentication per the SIP standard.  Is this true?

SIP authentication typically occurs over port 5060 (TCP, UDP, SCTP) or securely over 5061 (TLS) as per RFC3261 regarding SIP as a transport.
Cisco follows these same standards and refers to the ports used for SIP communication in the Jabber Video Admin Guide.
http://www.cisco.com/en/US/docs/telepresence/endpoint/movi/admin_guide/JabberVideo_Admin_Guide_4-4.pdf
- Scott

Similar Messages

  • Setting Up Certificate Validation for Jabber clients

    Hi:
    I would like to get certificates signed from private internal CA for Jabber clients. Cisco documentation says it requires HTTP/Tomcat for CUPS, HTTP/Tomcat for CUCM and UCXN[8.6].
    The existing Tomcat certificate has these two files: tomcat.pem, tomcat.der and a bunch of tomcat-trust certificates as well with associated files.
    My question is: is there any harm in generating a new Tomcat certificate, or could I just generate CSRs for the two existing Tomcat files to be signed? When you generate a new Tomcat certificate does it create or overwrite the .pem and .der? I don't want to break anything in this process so looking for some feedback.
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Windows/9_2_5/JABW_BK_CAAD3F25_00_cisco-jabber-for-windows-release-notes/JABW_BK_CAAD3F25_00_cisco-jabber-for-windows-release-notes_chapter_011.html

    Generating a CSR for the Tomcat certificate and installing the signed certificate will replace the .pem/.der file you see listed. Once you sign the CSR and upload the final certificate, you'll need to restart Cisco Tomcat from the CLI for it to pick up the new cert. Anything that is in a -trust store is something that server will accept during a TLS/SSL handshake, not something it uses itself.

  • Voice recording for jabber client

    Hi,
    Is there any voice recording solution for the Jabber client via Expressway E?
    Seems there is no solution around, is it not supported?
    Is it possible to use TCS to record the calls made by an external Jabber client?
    Thanks.

    1. Use span (no span-less\Bridge_option) ports (via "expressway c e"  from outside)
    2. Use span-less\Bridge_option  and VPN access to connect from outside (without expressway).

  • Web based authentication for wired client, Credentials submission failure.

    Hi,
    I am trying to set up the functionality "cisco web based authentication" for the wired clients.
    The problem I encountered is that my switch doesn't forward the client's password to the ACS.
    When the user validates his credentials on the login page only the login seems to be forwarded.
    The result of the command "show ip admission cache" always shows the client in the init state (I use the default Cisco web login page).
    The connection between the AAA servers and the switch is working.
    You will find in the attachments the running-config and the debug file.
    Thanks for your help, any ideas are welcome :) (its t os version c3750e-ipbasek9-mz.150-2.SE7).

    Well, I took a look at your documents but I didn't find anything that helped me ;S.
    I'm still stuck on the same step.

  • Initial configuration of ACS 5.1 for EAP authentication for Wireless clients

    Hi,
    I have set-up with below devices :
    Wireless LAN controller 5508
    LAP 3302i
    and ACS 5.1
    Since I am new to ACS 5.1 configuration, I need some information to go ahead and configure ACS 5.1.
    Which EAP method should I use for wireless client authentication? What is the best practice?
    I have gone through some Cisco documents and they show that best practice is to configure PEAP, but for that I need to install a certificate on the ACS server as well as on the client PC. Is that so?
    I have no clear picture of this certificate.
    From where can I get this certificate, or do I need to purchase it separately from Cisco? How do I install it on the ACS server?
    I would be obliged to get at least an initial configuration for ACS 5.1 to enable the EAP method.
    I need a GUI based initial configuration for ACS 5.1.
    This mentioned ACS 5.1 is installed on ACS 1121 hardware appliance.

    Hi,
    which EAP method to use for wireless client authentication ? what is the best practice ?
    -> I would advise the most widely spread EAP method, which has the best ratio security/easy to deploy: PEAP with MSCHAPv2, which is available by default by all windows machines.
    I have gone through some cisco documents and it shows that best practice is to configure PEAP but for the same , I need to install certificate in ACS server as well in client PC. is that so ?
    -> You will always need to install a server certificate, however, there is no need for client certificate because the authentication is based on the MSCHAP credentials exchange, not certificate based. The only requirement on the client regarding certificates is the following.
    If you want to validate the server certificate, you have to install the server certificate under the trusted CAs of the clients.
    If you do not require to trust the server certificate, you can simply disable the option of server certificate validation.
    I have no clear picture for this certificate ?
    from where i can get this certificate or do i need to purchase this certificate separately from cisco. how to install it in ACS server ?
    -> The server certificate can be a simple self signed certificate that you generate and install on the ACS GUI.
    Please feel free to follow this step-by-step guide on
    PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server:
    http://www.cisco.com/en/US/partner/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml or in pdf
    http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Can't have my number authenticated for 2 clients a...

    I have a Win install and a Mac install on different computers (same country) Why when I authenticate one client and my texts are displayed with my mobile number as a sender fine, I find the other client has lost this setting and I have to authenticate on it again? When I auth the second client the 1st client loses the configuration and thus I have to auth each client every time when I want to send SMS with my number (same number, successfully authenticated through Skype.com as a Caller ID for calls)
    Can't we get all our clients authenticated at the same time?

    I was able to login from another network. Therefore the problem wasn't with my iTunes account.
    My problem with logging into my iTunes account was resolved a few days ago. The problem had to do with either my linksys router's dmz enabled status pointing to my OS X 10.5 server's IP on my local network. I disabled dmz on the router and I was able to log into my iTunes account again on all of my computers at home. I enabled dmz again on the router and iTunes continued to work properly.
    Thanx.

  • What are the steps to configure Certificate based authentication for Wireless clients with ACS 5.3?

    I need to authenticate my clients connecting via wireless.
    The clients have user certificates installed on them; I need help configuring the ACS to do the authentication.
    Can someone please help me with the steps?
    Thanks

    Two primary steps:
    - Define the trust certificates needed to verify the clients' user certificates:
    Users and Identity Stores > Certificate Authorities
    - Change the result of the identity policy to select a certificate authorization profile. If you have the default config:
    Access Policies > Access Services > Default Network Access > Identity
    by default you can select the "CN Username" as a result

  • Cisco ISE 1.3 using 802.1x Authentication for wireless clients

    Hi,
    I have stumbled into a strange issue trying to authenticate a user over wireless. I am using PEAP as the authentication protocol. I have configured my authentication and authorization policy but when I come to authenticate the authorization policy selected is the default which denies access.
    I have used the 802.1x compound conditions for matching the machine authentication and then the user authentication
    MACHINE AUTHENTICATION
    match
    framed
    Wireless
    AD group (machine)
    USER AUTHENTICATION
    match
    framed
    Wireless
    AD group (USER)
    was authenticated = true
    Below are the steps taken to authenticate. Any ideas would be great.
    11001  Received RADIUS Access-Request  
      11017  RADIUS created a new session  
      15049  Evaluating Policy Group  
      15008  Evaluating Service Selection Policy  
      15048  Queried PIP  
      15048  Queried PIP  
      15048  Queried PIP  
      15006  Matched Default Rule  
      11507  Extracted EAP-Response/Identity  
      12300  Prepared EAP-Request proposing PEAP with challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated  
      12318  Successfully negotiated PEAP version 0  
      12800  Extracted first TLS record; TLS handshake started  
      12805  Extracted TLS ClientHello message  
      12806  Prepared TLS ServerHello message  
      12807  Prepared TLS Certificate message  
      12810  Prepared TLS ServerDone message  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      12318  Successfully negotiated PEAP version 0  
      12812  Extracted TLS ClientKeyExchange message  
      12804  Extracted TLS Finished message  
      12801  Prepared TLS ChangeCipherSpec message  
      12802  Prepared TLS Finished message  
      12816  TLS handshake succeeded  
      12310  PEAP full handshake finished successfully  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      12313  PEAP inner method started  
      11521  Prepared EAP-Request/Identity for inner EAP method  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      11522  Extracted EAP-Response/Identity for inner EAP method  
      11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated  
      15041  Evaluating Identity Policy  
      15006  Matched Default Rule  
      22072  Selected identity source sequence  
      15013  Selected Identity Source - AD1  
      24430  Authenticating user against Active Directory  
      24325  Resolving identity  
      24313  Search for matching accounts at join point  
      24315  Single matching account found in domain  
      24323  Identity resolution detected single matching account  
      24343  RPC Logon request succeeded  
      24402  User authentication against Active Directory succeeded  
      22037  Authentication Passed  
      11824  EAP-MSCHAP authentication attempt passed  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response  
      11814  Inner EAP-MSCHAP authentication succeeded  
      11519  Prepared EAP-Success for inner EAP method  
      12314  PEAP inner method finished successfully  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      24423  ISE has not been able to confirm previous successful machine authentication  
      15036  Evaluating Authorization Policy  
      15048  Queried PIP  
      15048  Queried PIP  
      24432  Looking up user in Active Directory - xxx\zzz Support  
      24355  LDAP fetch succeeded  
      24416  User's Groups retrieval from Active Directory succeeded  
      15048  Queried PIP  
      15048  Queried PIP  
      15004  Matched rule - Default  
      15016  Selected Authorization Profile - DenyAccess  
      15039  Rejected per authorization profile  
      12306  PEAP authentication succeeded  
      11503  Prepared EAP-Success  
      11003  Returned RADIUS Access-Reject  
      5434  Endpoint conducted several failed authentications of the same scenario  

     24423  ISE has not been able to confirm previous successful machine authentication  
    Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
    The first thing to check is whether MAR has been enabled on the identity source. The second thing to check is whether your machine is set to send a certificate for authentication. There are other things you can look at but I'd do those two first.
    Log off and on or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there.
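
    The reading of the step log given in the reply above, as an added example (not part of the original thread and not Cisco tooling): a small Python parser that walks the quoted steps, tracks which policy phase each "Matched ... Rule" line belongs to, and separates "authentication passed" from "authorization rejected". The step codes are the ones shown in the post; the function names and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: a trimmed subset of the step lines quoted in the post.
SAMPLE_STEPS = """\
11001  Received RADIUS Access-Request
  15008  Evaluating Service Selection Policy
  15006  Matched Default Rule
  11006  Returned RADIUS Access-Challenge
  12816  TLS handshake succeeded
  15041  Evaluating Identity Policy
  15006  Matched Default Rule
  24402  User authentication against Active Directory succeeded
  22037  Authentication Passed
  24423  ISE has not been able to confirm previous successful machine authentication
  15036  Evaluating Authorization Policy
  15048  Queried PIP
  15004  Matched rule - Default
  15016  Selected Authorization Profile - DenyAccess
  15039  Rejected per authorization profile
  12306  PEAP authentication succeeded
  11003  Returned RADIUS Access-Reject
  5434  Endpoint conducted several failed authentications of the same scenario
"""

STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(\S.*?)\s*$")

# "Evaluating ..." steps open a policy phase; later "Matched" steps belong to it.
PHASES = {15008: "service-selection", 15041: "identity", 15036: "authorization"}


def parse_steps(text):
    """Return [(code, message)] for each 'NNNNN  message' line; skip other lines."""
    return [(int(m.group(1)), m.group(2))
            for m in map(STEP_RE.match, text.splitlines()) if m]


def diagnose(steps):
    """Summarise where in the flow the request was decided."""
    result = {"authenticated": False, "mar_unconfirmed": False,
              "matched": {}, "profile": None, "radius": None, "findings": []}
    phase = None
    for code, msg in steps:
        if code in PHASES:
            phase = PHASES[code]
        elif code in (15004, 15006) and phase:
            # "Matched rule - <name>" or "Matched Default Rule"
            name = msg.split(" - ", 1)[1] if " - " in msg else "Default"
            result["matched"][phase] = name
        elif code == 22037:
            result["authenticated"] = True
        elif code == 24423:
            result["mar_unconfirmed"] = True
        elif code == 15016:
            result["profile"] = msg.split(" - ", 1)[-1]
        elif (msg.startswith("Returned RADIUS Access-")
              and not msg.endswith("Challenge")):
            result["radius"] = msg.rsplit("-", 1)[-1]  # final answer only

    if result["authenticated"] and result["radius"] == "Reject":
        result["findings"].append(
            "credentials were accepted; the reject comes from authorization")
    if (result["mar_unconfirmed"]
            and result["matched"].get("authorization") == "Default"):
        result["findings"].append(
            "24423: no earlier machine authentication on record, so a rule "
            "requiring 'was authenticated = true' cannot match")
    return result


if __name__ == "__main__":
    summary = diagnose(parse_steps(SAMPLE_STEPS))
    for key, value in summary.items():
        print(f"{key}: {value}")
```
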

  • Cisco 2504 Domain Authentication for WIFI Clients

    I got a question.
    I have a 2504 controller, and a bunch of 3600 APs. (which now works, thanks to Scott Fella)
    I want the WIFI users to be able to connect to the WIFI, If their computer is part of the domain. Otherwise, they connect to the guest WIFI.
    How can I go about doing that? I tried searching the forums, but perhaps I'm not searching for the right keywords.
    I thought it was LDAP, but I could not find much info on it.
    Thanks....         

    I wouldn't look at LDAP. I would use a RADIUS server and machine authentication. If you're a Microsoft shop, then bring up IAS for 2003 or NPS for 2008. These can work as your RADIUS server. To figure out how to configure machine auth, just search Google for NPS wireless machine authentication.
    Here is one link
    http://araihan.wordpress.com/2010/04/30/complete-guide-to-build-a-cisco-wireless-infrastructure-using-cisco-wlc-5500-cisco-1142-ap-and-microsoft-radius-server/

  • Softphone Jabber client unable connected

    Hi All,
    I've configured Cisco IM and Presence v10 integrated with CUCM v10. Some services are running well (UDS, CTI Deskphone, VM, Presence) but the Jabber client cannot connect to the Softphone (SIP), and I have configured ucsf (Client Service Framework) for the Jabber client.
    Please advise.
    Thank you

    Hi amit Kumar
    Thanks for your information, I've configured it. I found "CTLSEP not found" in the Wireshark capture.
    Is there something wrong?
    Thank you

  • Enable Kerberos Authentication for OWA only

    Hi guys,
    Having a customer that asked me if we can enable Kerberos Authentication for OWA only?
    When reading various blogposts (official and unofficial sources) it seems that this is done for the whole CASArray which means every vdir right? Is this so and shall we instead aim for using kerberos for both MAPI/Outlook Anywhere and OWA?
    Found this for MAPI clients: http://blogs.technet.com/b/exchange/archive/2011/04/15/recommendation-enabling-kerberos-authentication-for-mapi-clients.aspx
    This seems to be more complicated?

    Hi Fredrik,
    Based on my search, I found an article which may give you some hints:
    OWA publishing using Kerberos Constrained Delegation method for authentication delegation
    This article is to showcase how you would configure the Kerberos constrained delegation method for authentication delegation. We would use the OWA publishing post as reference.
    Best regards,
    Niko Cheng
    TechNet Community Support

  • Softphone feature for Cisco Jabber Client

    Hello everyone,
    I have a CUCM cluster v.8.6.2 and a CUPS v.8.6.4. I've installed my full CUWL licenses as well as my CUP Licenses AND the Jabber for Everyone COP file. I've managed to install Jabber on Mac and on Windows and have all the features such as Chat, Desktop phone integration and Visual Voicemail with Cisco Unity Connection working as well. The only feature I'm having a huge hassle getting to work is the Softphone feature. I've tried adding a CUPC device with the user (btw everything is integrated and uses LDAP for authentication) as the digest account for it as well as the Owner ID. I've tried adding a CSF device as well (I remember reading it somewhere) but the Jabber client never discovers a Softphone device and all of the options on the client are grayed out for me to put in the device settings. I thought I saw it once looking for a device name CSFACILLI (ACILLI being my username) in the System Diagnostics for the Jabber for Mac client but now it just shows:
       Soft Phone Server
    Server Address:           cucm02.mycompany.net
    Server Port:                     2748
    Server Protocol:           --
    Device:                               --
    Line ID:                               --
    Status:                               Disconnected
    Any help or thoughts on this would be greatly appreciated! Thanks!
    Tony

    Aaron,
    Here's the bit I found interesting from the reporting function:
    -- 2012-07-25 08:31:01.000 DEBUG [0xacab02c0] -  CCUCMClient::downloadConfig -- begin:
    -- 2012-07-25 08:31:01.000 DEBUG [0xacab02c0] -  CCUCMClient::getCnfFile -- begin: , strDeviceName.c_str()=CSFacill, bHttp=FALSE
    -- 2012-07-25 08:31:01.000 DEBUG [0xacab02c0] -  CTFTPClient::Get -- begin: , remotefile=CTLFile.tlv, host=cucm02.mycompany.net, bIsAsyMode=TRUE, port=69
    -- 2012-07-25 08:31:01.000 DEBUG [0xb038d000] -  TFTP_Error Select error
    -- 2012-07-25 08:31:01.000 DEBUG [0xb038d000] -  TFTP_Error Can't get packet, retrycount=3
    -- 2012-07-25 08:31:01.000 DEBUG [0xb038d000] -   CTFTPClient::ContinueGet -- end!
    -- 2012-07-25 08:31:01.000 DEBUG [0xacab02c0] -  CTFTPClient::Get -- end!
    -- 2012-07-25 08:31:01.000 DEBUG [0xb038d000] -  CTFTPClient::ReceiveData -- end!
    -- 2012-07-25 08:31:01.000 DEBUG [0xacab02c0] -  CCUCMClient::getCnfFile -- end!
    -- 2012-07-25 08:31:01.000 DEBUG [0xacab02c0] -  CCUCMClient::downloadConfig -- end!
    -- 2012-07-25 08:31:01.000 DEBUG [0xacab02c0] -  CPhone::setPhoneMode -- end!
    -- 2012-07-25 08:31:01.000 DEBUG [0xb030b000] -  CTFTPClient::ReceiveData -- begin: , nCookie=5, bIsAsyMode=TRUE
    It looks like it's trying to get CTLFile.tlv from my TFTP servers (which are my subscribers). I went under TFTP File Management under OS Administration on the Subscribers and no such file exists. Is this something I have to download from Cisco? It does look like it's trying for the correct device, just can't get the Configuration File it needs... Your thoughts?
    Thanks,
    Tony

  • Jabber for Windows client Voice Mail issue

    Hi, Cisco guys,
    I have had a collaboration test for my customer in recent days.
    The following picture is the topology of my test system.
    1. cucm1 uses an ICT non-GK trunk to connect with cucm2, and the IP phones with DN 56xx are registered on cm1;
       the IP phones and Jabber clients with DN 54xx are registered on cm2.
    2. cm2 is integrated with the Unity Connection server and the CUPS server.
       The version of cm1, cm2 and Unity Connection is 8.6.2-21900;
       the version of CUPS is 8.6.4.
    3. The issue occurred when IP phone user 5412 called 5411 but it was not answered, and user 5412 sent a
       voice mail to user 5411: only the MWI of the IP phone 9951 with DN 5411 turned on, but the Jabber client was without any prompt message.
       But when user 5665, who is registered on cm1, called user 5411 and sent a voice mail, the status was normal:
       the MWI turned on, the Jabber client also received the prompt message and the voice mail could be played on the Jabber client.
       What is the issue probably caused by, and how can I solve it?
       Need your help!

    I don't know if you have a specific subnets permitted in the CUPS ACL
    This is dangerous and incorrect guidance. The Incoming ACL allows the addresses defined to bypass authentication. In other words, I could impersonate your CEO if I wanted to. There are only two common use cases where doing this is appropriate: 1) the CUxAC server IP; or 2) older versions of CCX where CAD didn't support DIGEST authentication.
    As for the original question: your English is difficult to understand. Is the following problem statement accurate?
    When 5412 on CM2 leaves a voicemail for 5411 on CM2, the MWI is lit for 5411 but Jabber does not reflect the waiting message?
    If this is accurate, is the message also shown in the Web Inbox? https://<serverIP>/inbox
    The serverIP should be the CUC server defined in the voicemail profile on CUPS for the user who owns 5411.
    Please remember to rate helpful responses and identify helpful or correct answers.

  • Jabber Client for CME license

    I have a CME 2921 ISR router and I need to implement the Cisco Jabber client for 50 users.
    Does this need a license or not?
    If yes, please tell me how to order it and what its part number is.
    Thank you very much

    If you are going to use Jabber, that counts like a regular SIP Phone, just like 7945, or 99XX phones, you don't need an additional license:
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/admin/configuration/guide/cmelabel.html#wp1058022
    HTH
    Jorge Armijo
    Please remember to rate helpful responses and identify helpful or correct answers.

  • Cisco Jabber for Windows Client SDK

    Is there an SDK for Cisco Jabber for Windows client? I could only find the Web SDK. Are there no other SDKs that would let me control features of the Jabber Windows Client?

    And in order to avoid TAPI limitation, they say they have started using Jabber which controls all phone functionalities through an Application User connected to the Call Manager.
    Assuming they are referring to the normal Jabber for Windows/Mac/iOS/Android applications then this is wrong. Jabber - the client, not the IM&P servers which are part of the CUCM cluster (if you're familiar with Lync consider CUCM+IM&P servers a Front End Pool) - does not use an Application User at all. When a user starts Jabber, assuming SAML SSO is off, they supply an email address. This is used to find the servers via DNS SRV records, or the Mobile and Remote Access Expressway (roughly analogous to a Lync Edge pool) to tunnel through the firewall. After the email address they are prompted for their End User username and password. This is then used to access several APIs on the server, namely the User Data Service to discover what the user has. This would include what the user has configured/available to them. After this is done the Jabber client does one of three things with respect to phone functionality:
    If the user has no phone devices provisioned for them - physical or software - it becomes an IM&P client only.
    If the user has a software phone provisioned, it registers as that using SIP. In this way Jabber is the actual phone. This is called a CSF device for Jabber Windows/OS X.
    If the user has a desk phone assigned to their End User account AND administrative policy is to default to desk phone control, it registers to CTI Manager on the CUCM server to control the user's physical phone.
    A user can toggle between option two and three, if appropriately provisioned, but cannot have both simultaneously. In other words, Jabber is either controlling a physical phone over CTI or is a phone itself using SIP. The difference is where the audio/video media is sent from/to.
    All of this happens using that human's End User credentials.
    Now, if you wanted to have a server control the user's phone - either a physical one or Jabber - you would use the TSP as an interface to CTI Manager on the CUCM server and receive real-time events (e.g. the user went off-hook, the phone is ringing with this caller ID, etc.) and issue commands to that phone (e.g. make a call to X). This is done using an Application User account because the server would need to do this for multiple users simultaneously. If you also use the Super Provider concept, the CUCM administrator doesn't have to take the extra step of associating every phone to your Application User manually. Instead, you can simply issue CTI subscriptions to see any/all device activity you want.
    This is all assuming you wanted to do the integration server-side to avoid having to update the Cisco TSP application on every user PC (which also limits your WPF application to machines capable of running the TSP) every time the CUCM administrator patches the servers. If you don't care about that, then you can do this all client-side on the user's PC, and have them supply their End User credentials.
    Of course, you could also reconsider the Jabber SDK and just embed the make/receive call functionality directly into your application instead.
