Securing Radius Communication; Radius-Based User Authentication In Url; Radius-Based Cdr Accounting; Ldap-Based Management And Sip Services - AudioCodes Mediant 4000 SBC User Manual

User's Manual

15.3.6.3 Securing RADIUS Communication

RADIUS authentication requires HTTP basic authentication (according to RFC 2617).
However, this is insecure as the usernames and passwords are transmitted in clear text
over plain HTTP. Thus, as digest authentication is not supported with RADIUS, it is
recommended that you use HTTPS with RADIUS so that the usernames and passwords
are encrypted. To enable the device to use HTTPS, configure the 'Secured Web
Connection (HTTPS)' parameter to HTTPS Only (see ''Configuring Secured (HTTPS)
Web'' on page 77).

15.3.6.4 RADIUS-based User Authentication in URL

RADIUS authentication of the management user is typically done after the user accesses
the Web interface by entering only the device's IP address in the Web browser's URL field
(for example, http://10.13.4.12/) and then entering the username and password credentials
in the Web interface's login screen. However, authentication with the RADIUS server can
also be done immediately after the user enters the URL, if the URL also contains the login
credentials.
http://10.4.4.112/Forms/RadiusAuthentication?WSBackUserName=John&WSBackPasswor
d=1234
Note:

15.3.7 RADIUS-based CDR Accounting

Once you have configured a RADIUS server(s) for accounting in ''Configuring RADIUS
Servers'' on page 229, you need to enable and configure RADIUS-based CDR accounting
(see ''Configuring RADIUS Accounting'' on page 750).
15.4

LDAP-based Management and SIP Services

The device supports the Lightweight Directory Access Protocol (LDAP) application protocol
and can operate with third-party, LDAP-compliant servers such as Microsoft Active
Directory (AD).
You can use LDAP for the following LDAP services:

SIP-related (Control) LDAP Queries: LDAP can be used for routing and
manipulation (e.g., calling name and destination address).
The device connects and binds to the remote LDAP server (IP address or
DNS/FQDN) during the service's initialization (at device start-up) or whenever you
change the LDAP server's IP address and port. Binding to the LDAP server is based
on username and password (Bind DN and Password). Service makes 10 attempts to
connect and bind to the remote LDAP server, with a timeout of 20 seconds between
attempts. If connection fails, the service remains in disconnected state until the LDAP
server's IP address or port is changed. If connection to the LDAP server later fails, the
service attempts to reconnect.
For the device to run a search, the path to the directory's subtree, known as the
distinguished name (DN), where the search is to be done must be configured (see
''Configuring LDAP DNs (Base Paths) per LDAP Server'' on page 245). The search
Version 7.2
This feature allows up to five simultaneous users only.
For
237
15. Services
example:
Mediant 4000 SBC