CHAPTER30 SBC Overview
Mediant 800 Gateway & E-SBC | User's Manual
a. The device challenges the received SIP message only if it is configured as a SIP method
(e.g., INVITE) for authorization. This is configured in the IP Groups table, using the
'Authentication Method List' parameter.
b. If the message is received without a SIP Authorization header, the device "challenges" the
client by sending a SIP 401 or 407 response. The client then resends the request with an
Authorization header (containing the user name and password).
c. The device validates the SIP message according to the AuthNonceDuration,
AuthChallengeMethod and AuthQOP parameters.
◆ If validation fails, the device rejects the message and sends a 403 (Forbidden)
response to the client.
◆ If validation succeeds, the device verifies client identification. It checks that the
username and password received from the client is the same username and password
in the device's User Information table / database (see SBC User Information for SBC
User Database). If the client is not successfully authenticated after three attempts,
the device sends a SIP 403 (Forbidden) response to the client. If the user is
successfully identified, the device accepts the SIP message request.
The device's Authentication server functionality is configured per IP Group, using the
'Authentication Mode' parameter in the IP Groups table (see Configuring IP Groups).
RADIUS-based User Authentication
The device can authenticate SIP clients (users) using a remote RADIUS server. The device
supports the RADIUS extension for digest authentication of SIP clients, according to draft-
sterman-aaa-sip-01. Based on this standard, the device generates the nonce (in contrast to RFC
5090, where it is done by the RADIUS server).
RADIUS based on draft-sterman-aaa-sip-01 operates as follows:
1. The device receives a SIP request without an Authorization header from the SIP client.
2. The device generates the nonce and sends it to the client in a SIP 407 (Proxy Authentication
Required) response.
3. The SIP client sends the SIP request with the Authorization header to the device.
4. The device sends an Access-Request message to the RADIUS server.
5. The RADIUS server verifies the client's credentials and sends an Access-Accept (or Access-
Reject) response to the device.
6. The device accepts the SIP client's request (sends a SIP 200 OK or forwards the
authenticated request) or rejects it (sends another SIP 407 to the SIP client).
To configure this feature, set the SBCServerAuthMode ini file parameter to 2.
OAuth2-based User Authentication
The device supports the OAuth 2.0 authentication protocol (RFC 7662 and Internet Draft "draft-ietf-
sipcore- sip- authn-02"), allowing it to authenticate any specified incoming SIP request (e.g.,
REGISTER and INVITE) with a third-party OAuth Authorization server over HTTP/S.
OAuth-based authentication is applicable only to the SBC application.
OAuth authorization consists of the following main stages:
- 762 -
To Next Page
Loading...
Need help?
General
