
AudioCodes E-SBC User Manual

CHAPTER30 SBC Overview
Mediant 1000 Gateway & E-SBC | User's Manual
SIP Authentication Server Functionality
The device can function as an Authentication server for authenticating received SIP
requests, based on HTTP Digest authentication with MD5. Alternatively, such requests can be
authenticated by an external, third-party server.
When functioning as an Authentication server, the device can authenticate the following SIP
entities:
■ SIP servers: This is applicable to Server-type IP Groups. This provides protection from rogue
  SIP servers, preventing unauthorized usage of device resources and functionality. To
  authenticate remote servers, the device challenges the server with a user-defined username
  and password that is shared with the remote server. When the device receives an INVITE
  request from the remote server, it challenges the server by replying with a SIP 401
  Unauthorized response containing the WWW-Authenticate header. The remote server then
  resends the INVITE containing an Authorization header with authentication information based on
  this username-password combination to confirm its identity. The device uses the username
  and password to authenticate the message prior to processing it.
■ SIP clients: These are clients belonging to a User-type IP Group. This support prevents
  unauthorized usage of the device's resources by rogue SIP clients. When the device receives
  an INVITE or REGISTER request from a client (e.g., SIP phone) for SIP message
  authorization, the device processes the authorization as follows:
  a. The device challenges the received SIP message only if it is configured as a SIP method
     (e.g., INVITE) for authorization. This is configured in the IP Groups table, using the
     'Authentication Method List' parameter.
  b. If the message is received without a SIP Authorization header, the device "challenges" the
     client by sending a SIP 401 or 407 response. The client then resends the request with an
     Authorization header (containing the user name and password).
  c. The device validates the SIP message according to the AuthNonceDuration,
     AuthChallengeMethod and AuthQOP parameters.
     ◆ If validation fails, the device rejects the message and sends a 403 (Forbidden)
       response to the client.
     ◆ If validation succeeds, the device verifies client identification. It checks that the
       username and password received from the client are the same as the username and password
       in the device's User Information table / database (see SBC User Information for SBC
       User Database). If the client is not successfully authenticated after three attempts,
       the device sends a SIP 403 (Forbidden) response to the client. If the user is
       successfully identified, the device accepts the SIP message request.
The device's Authentication server functionality is configured per IP Group, using the
'Authentication Mode' parameter in the IP Groups table (see Configuring IP Groups).
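The following sketch is an added example, not AudioCodes code, showing the kind of server-side check that steps a to c describe: an RFC 2617 MD5 digest comparison with a nonce lifetime and optional qop=auth. In Digest authentication the Authorization header carries a hash computed from the credentials rather than the password itself. The names SECRET, NONCE_LIFETIME, make_nonce, nonce_fresh and verify, and the stateless nonce format, are assumptions made for illustration.

```python
import hashlib, hmac, time

SECRET = b"constructed-server-secret"  # assumption: key used to tag issued nonces
NONCE_LIFETIME = 300                   # seconds; plays the role of AuthNonceDuration

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def _tag(ts: str) -> str:
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()[:32]

def make_nonce(now=None) -> str:
    """Stateless nonce: issue time plus an HMAC tag, so clients cannot mint one."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_tag(ts)}"

def nonce_fresh(nonce: str, now=None) -> bool:
    ts, _, tag = nonce.partition(".")
    if not (ts.isascii() and ts.isdigit()):
        return False
    age = (time.time() if now is None else now) - int(ts)
    genuine = hmac.compare_digest(tag.encode(), _tag(ts).encode())
    return genuine and 0 <= age <= NONCE_LIFETIME

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None) -> str:
    """RFC 2617 MD5 digest; with qop=auth, nc and cnonce are mixed in."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def verify(auth, method: str, users: dict, now=None) -> int:
    """Return the SIP status a server would answer with (200 means accept)."""
    if not auth:
        return 401                     # no Authorization header: challenge
    if not nonce_fresh(auth.get("nonce", ""), now):
        return 403                     # expired or forged nonce fails validation
    password = users.get(auth.get("username"))
    if password is None:
        return 403                     # unknown user
    expected = digest_response(auth["username"], auth.get("realm", ""), password,
                               method, auth.get("uri", ""), auth["nonce"],
                               auth.get("qop"), auth.get("nc"), auth.get("cnonce"))
    # Constant-time comparison avoids leaking how many characters matched.
    ok = hmac.compare_digest(expected.encode(), auth.get("response", "").encode())
    return 200 if ok else 403
```

Because every input to the hash except the password travels in cleartext, a captured exchange can be tested offline against password guesses, so shared SIP credentials should be long and random.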
RADIUS-based User Authentication
The device can authenticate SIP clients (users) using a remote RADIUS server. The device
supports the RADIUS extension for digest authentication of SIP clients, according to
draft-sterman-aaa-sip-01. Based on this standard, the device generates the nonce (in contrast to RFC
5090, where it is done by the RADIUS server).
RADIUS based on draft-sterman-aaa-sip-01 operates as follows:
1. The device receives a SIP request without an Authorization header from the SIP client.
2. The device generates the nonce and sends it to the client in a SIP 407 (Proxy Authentication
Required) response.
3. The SIP client sends the SIP request with the Authorization header to the device.
4. The device sends an Access-Request message to the RADIUS server.