Configuring Mutual TLS Authentication; TLS for SIP Clients; TLS for Remote Device Management - AudioCodes Mediant 4000 SBC User Manual

10.8 Configuring Mutual TLS Authentication

This section describes how to configure mutual (two-way) TLS authentication.

10.8.1 TLS for SIP Clients

When Secure SIP (SIPS) is implemented using TLS, it is sometimes required to use two-way (mutual) authentication between the device and a SIP user agent (client). When the device acts as the TLS server in a specific connection, it demands authentication of the SIP client's certificate. Both the device and the client use certificates issued by a CA to authenticate each other, sending their X.509 certificates to one another during the TLS handshake. Once the sender is verified, the receiver sends its own certificate to the sender for verification. SIP signaling starts only when authentication of both sides completes successfully.

TLS mutual authentication can be configured for calls by enabling mutual authentication on the SIP Interface associated with the calls. The TLS Context associated with the SIP Interface or Proxy Set belonging to these calls is used.
Note: SIP mutual authentication can also be configured globally for all calls, using the 'TLS Mutual Authentication' (SIPSRequireClientCertificate) parameter (see ''Configuring TLS Parameters'' on page 160).
To configure mutual TLS authentication for SIP messaging:
1. Enable two-way authentication on the specific SIP Interface:
   a. In the SIP Interfaces table (see ''Configuring SIP Interfaces'' on page 319), configure the 'TLS Mutual Authentication' parameter to Enable for the specific SIP Interface.
   b. Reset the device with a save-to-flash for your settings to take effect.
2. Configure a TLS Context with the following certificates:
   - Import the certificate of the CA that signed the certificate of the SIP client into the Trusted Certificates table (certificate root store) so that the device can authenticate the client (see ''Importing Certificates and Certificate Chain into Trusted Certificate Store'' on page 106).
   - Make sure that the TLS certificate is signed by a CA that the SIP client trusts so that the client can authenticate the device.

10.8.2 TLS for Remote Device Management

By default, servers using TLS provide one-way authentication: the client is certain that the identity of the server is authentic. When an organizational PKI is used, two-way authentication may be desired, meaning that both client and server are authenticated using X.509 certificates. This is achieved by installing a client certificate on the management PC and loading the root CA's certificate to the device's Trusted Certificates table (certificate root store). The Trusted Root Certificate file may contain more than one CA certificate, combined using a text editor.
To enable mutual TLS authentication for HTTPS:
1. On the Web Settings page (see ''Configuring Secured (HTTPS) Web'' on page 65), configure the 'Secured Web Connection (HTTPS)' parameter to HTTPS Only. The setting ensures that you have a method for accessing the device in case the client certificate doesn't work. Restore the previous setting after testing the configuration.
User's Manual 108 Mediant 4000 SBC Document #: LTRT-41729