CHAPTER 22 SBC Overview
Mediant 4000 SBC | User's Manual
a.
The device challenges the received SIP message only if it is configured as a SIP method
(e.g., INVITE) for authorization. This is configured in the IP Groups table, using the
'Authentication Method List' parameter.
b.
If the message is received without a SIP Authorization header, the device "challenges" the
client by sending a SIP 401 or 407 response. The client then resends the request with an
Authorization header (containing the user name and password).
c.
The device validates the SIP message according to the AuthNonceDuration,
AuthChallengeMethod and AuthQOP parameters.
◆
If validation fails, the device rejects the message and sends a 403 (Forbidden)
response to the client.
◆
If validation succeeds, the device verifies client identification. It checks that the
username and password received from the client is the same username and password
in the device's User Information table / database (see
). If the client is not successfully authenticated after three attempts,
the device sends a SIP 403 (Forbidden) response to the client. If the user is
successfully identified, the device accepts the SIP message request.
The device's Authentication server functionality is configured per IP Group, using the
'Authentication Mode' parameter in the IP Groups table (see
).
RADIUS-based User Authentication
The device can authenticate SIP clients (users) using a remote RADIUS server. The device
supports the RADIUS extension for digest authentication of SIP clients, according to draft-
sterman-aaa-sip-01. Based on this standard, the device generates the nonce (in contrast to RFC
5090, where it is done by the RADIUS server).
RADIUS based on draft-sterman-aaa-sip-01 operates as follows:
1.
The device receives a SIP request without an Authorization header from the SIP client.
2.
The device generates the nonce and sends it to the client in a SIP 407 (Proxy Authentication
Required) response.
3.
The SIP client sends the SIP request with the Authorization header to the device.
4.
The device sends an Access-Request message to the RADIUS server.
5.
The RADIUS server verifies the client's credentials and sends an Access-Accept (or Access-
Reject) response to the device.
6.
The device accepts the SIP client's request (sends a SIP 200 OK or forwards the
authenticated request) or rejects it (sends another SIP 407 to the SIP client).
To configure this feature, set the SBCServerAuthMode ini file parameter to 2.
OAuth2-based User Authentication
The device supports the OAuth 2.0 authentication protocol (RFC 7662 and Internet Draft "draft-ietf-
sipcore- sip- authn- 02"), allowing it to authenticate any specified incoming SIP request (e.g.,
REGISTER and INVITE) with a third-party OAuth Authorization server over HTTP/S.
OAuth authorization consists of the following main stages:
1.
(This stage does not involve the device.) The client application requires an OAuth Access
Token for the user. There are multiple schemes to do this. For example, it may use the
Authorization Code method, whereby the client application refers the user to the OAuth
Authorization server to request an Authorization Code. The client application then uses the
received Authorization Code to request an Access Token (and a Refresh Token) for the user
from the Authorization server.
- 515 -
Summary of Contents for Mediant 4000 SBC
Page 1: ...User s Manual AudioCodes Series of Session Border Controllers SBC Mediant 4000 SBC Version 7 2...
Page 40: ...Part I Getting Started with Initial Connectivity...
Page 48: ...Part II Management Tools...
Page 113: ...Part III General System Settings...
Page 118: ...Part IV General VoIP Configuration...
Page 525: ...Part V Session Border Controller Application...
Page 654: ...Part VI Cloud Resilience Package...
Page 663: ...Part VII High Availability System...
Page 685: ...Part VIII Maintenance...
Page 759: ...Part IX Status Performance Monitoring and Reporting...
Page 844: ...Part X Diagnostics...
Page 888: ...Part XI Appendix...