Configuring Mutual TLS Authentication; TLS for SIP Clients; TLS for Remote Device Management - AudioCodes Mediant 1000B User Manual


10.8 Configuring Mutual TLS Authentication

This section describes how to configure mutual (two-way) TLS authentication.

10.8.1 TLS for SIP Clients

When Secure SIP (SIPS) is implemented using TLS, it is sometimes required to use two-way
(mutual) authentication between the device and a SIP user agent (client). When the
device acts as the TLS server in a specific connection, the device demands the
authentication of the SIP client's certificate. Both the device and the client use certificates
from a CA to authenticate each other, sending their X.509 certificates to one another during
the TLS handshake. Once the sender is verified, the receiver sends its certificate to the
sender for verification. SIP signaling starts when authentication of both sides completes
successfully.

TLS mutual authentication can be configured for calls by enabling mutual authentication on
the SIP Interface associated with the calls. The TLS Context associated with the SIP
Interface or Proxy Set belonging to these calls is used.

Note: SIP mutual authentication can also be configured globally for all calls, using the
'TLS Mutual Authentication' (SIPSRequireClientCertificate) parameter (see
''Configuring TLS Parameters'' on page 175).

To configure mutual TLS authentication for SIP messaging:
1. Enable two-way authentication on the specific SIP Interface:
   a. In the SIP Interfaces table (see ''Configuring SIP Interfaces'' on page 345),
      configure the 'TLS Mutual Authentication' parameter to Enable for the specific
      SIP Interface.
   b. Reset the device with a save-to-flash for your settings to take effect.
2. Configure a TLS Context with the following certificates:
   - Import the certificate of the CA that signed the certificate of the SIP client into the
     Trusted Certificates table (certificate root store) so that the device can
     authenticate the client (see ''Importing Certificates and Certificate Chain into
     Trusted Certificate Store'' on page 119).
   - Make sure that the TLS certificate is signed by a CA that the SIP client trusts so
     that the client can authenticate the device.

10.8.2 TLS for Remote Device Management

By default, servers using TLS provide one-way authentication. The client is certain that the
identity of the server is authentic. When an organizational PKI is used, two-way
authentication may be desired: both client and server should be authenticated using X.509
certificates. This is achieved by installing a client certificate on the management PC and
loading the root CA's certificate to the device's Trusted Certificates table (certificate root
store). The Trusted Root Certificate file may contain more than one CA certificate,
combined using a text editor.
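
Because the Trusted Root Certificate file is assembled by hand, a structural check before loading it catches paste errors and misplaced key material. The following Python lint is an added example, not AudioCodes code or part of the manual. It assumes the combined file is PEM-encoded, its function names and sample blocks are constructed for illustration, and it checks PEM/DER structure only, not certificate validity or trust.

```python
import base64
import re
# One PEM block: BEGIN must start a line and END must finish one.
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----[ \t]*\r?$", re.S | re.M)

def is_single_der_sequence(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE, the outer shape of an X.509 certificate."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                          # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                          # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def lint_trust_bundle(text: str) -> list:
    """Return the problems found in a hand-combined CA file (empty list = clean)."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    # Unpaired armor lines mean a paste error, e.g. no newline between END and the next BEGIN.
    begins = text.count("-----BEGIN ")
    if begins != len(blocks):
        problems.append(f"{begins} BEGIN markers but {len(blocks)} well-formed blocks")
    for i, (label, body) in enumerate(blocks, 1):
        if "PRIVATE KEY" in label:
            problems.append(f"block {i}: private key does not belong in a trust store file")
        elif label != "CERTIFICATE":
            problems.append(f"block {i}: unexpected PEM type {label!r}")
        else:
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                problems.append(f"block {i}: body is not valid base64")
                continue
            if not is_single_der_sequence(der):
                problems.append(f"block {i}: not a single DER SEQUENCE (truncated or padded)")
    return problems

def pem(label: str, der: bytes) -> str:
    # Wrap bytes in PEM armor; used only to build the constructed samples below.
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed placeholders: minimal DER SEQUENCEs standing in for real CA certificates.
ROOT_A = pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")
ROOT_B = pem("CERTIFICATE", b"\x30\x03\x02\x01\x02")
```

Run `lint_trust_bundle()` on the text of the combined file before loading it; an empty list means every block is a well-formed certificate container.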
To enable mutual TLS authentication for HTTPS:
1. On the Web Settings page (see ''Configuring Secured (HTTPS) Web'' on page 81),
   configure the 'Secured Web Connection (HTTPS)' parameter to HTTPS Only. The
   setting ensures that you have a method for accessing the device in case the client

User's Manual | 122 | Mediant 1000B Gateway & E-SBC | Document #: LTRT-27055
