User Authentication Based On Radius - AudioCodes Mediant 3000 User Manual

User's Manual
header. The remote server then re-sends the INVITE containing an Authorization
header with authentication information based on this username-password combination
to confirm its identity. The device uses the username and password to authenticate
the message prior to processing it.

SIP clients: These are clients belonging to a User-type IP Group. This support
prevents unauthorized usage of the device's resources by rogue SIP clients. When the
device receives an INVITE or REGISTER request from a client (e.g., SIP phone) for
SIP message authorization, the device processes the authorization as follows:
1. The device challenges the received SIP message only if it is configured as a SIP
method (e.g., INVITE) for authorization. This is configured in the IP Group table,
using the 'Authentication Method List' parameter.
2. If the message is received without a SIP Authorization header, the device
"challenges" the client by sending a SIP 401 or 407 response. The client then
resends the request with an Authorization header (containing the user name and
password).
3. The device validates the SIP message according to the AuthNonceDuration,
AuthChallengeMethod and AuthQOP parameters.
♦
♦
The device's Authentication server functionality is configured per IP Group, using the
'Authentication Mode' parameter in the IP Group table (see ''Configuring IP Groups'' on
page 343).
Note:

28.8.2 User Authentication based on RADIUS

The device can authenticate SIP clients (users) using a remote RADIUS server. The device
supports the RADIUS extension for digest authentication of SIP clients, according to draft-
sterman-aaa-sip-01. Based on this standard, the device generates the nonce (in contrast to
RFC 5090, where it is done by the RADIUS server).
RADIUS based on draft-sterman-aaa-sip-01 operates as follows:
1. The device receives a SIP request without an Authorization header from the SIP
client.
2. The device generates the nonce and sends it to the client in a SIP 407 (Proxy
Authentication Required) response.
3. The SIP client sends the SIP request with the Authorization header to the device.
4. The device sends an Access-Request message to the RADIUS server.
5. The RADIUS server verifies the client's credentials and sends an Access-Accept (or
Access-Reject) response to the device.
6. The device accepts the SIP client's request (sends a SIP 200 OK or forwards the
authenticated request) or rejects it (sends another SIP 407 to the SIP client).
Version 7.0
If validation fails, the device rejects the message and sends a 403
(Forbidden) response to the client.
If validation succeeds, the device verifies client identification. It checks that
the username and password received from the client is the same username
and password in the device's User Information table / database (see ''SBC
User Information for SBC User Database'' on page 693). If the client is not
successfully authenticated after three attempts, the device sends a SIP 403
(Forbidden) response to the client. If the user is successfully identified, the
device accepts the SIP message request.
This feature is applicable only to Mediant 3000 in Simplex mode.
569
28. SBC Overview
Mediant 3000