RADIUS-Based CDR Accounting; LDAP-Based Management and SIP Services - AudioCodes Mediant 4000 SBC User Manual

CHAPTER 16    Services

RADIUS-based CDR Accounting

Once you have configured one or more RADIUS servers for accounting in Configuring RADIUS Servers, you need to enable and configure RADIUS-based CDR accounting (see Configuring RADIUS Accounting).

LDAP-based Management and SIP Services

The device supports the Lightweight Directory Access Protocol (LDAP) application protocol and can operate with third-party, LDAP-compliant servers such as Microsoft Active Directory (AD). You can use LDAP for the following LDAP services:

SIP-related (Control) LDAP Queries: LDAP can be used for routing and manipulation (e.g., calling name and destination address).

The device connects and binds to the remote LDAP server (IP address or DNS/FQDN) during the service's initialization (at device start-up) or whenever you change the LDAP server's IP address and port. Binding to the LDAP server is based on username and password (Bind DN and Password). The service makes 10 attempts to connect and bind to the remote LDAP server, with a timeout of 20 seconds between attempts. If connection fails, the service remains in disconnected state until the LDAP server's IP address or port is changed. If connection to the LDAP server later fails, the service attempts to reconnect.

For the device to run a search, the path to the directory's subtree, known as the distinguished name (DN), where the search is to be done must be configured (see Configuring LDAP DNs (Base Paths) per LDAP Server). The search key (filter), which defines the exact DN to search, and one or more attributes whose values must be returned to the device must also be configured. For more information on configuring these attributes and search filters, see AD-based Routing for Microsoft Skype for Business.

The device can store recent LDAP queries and responses in its local cache. The cache is used for subsequent queries and/or in case of LDAP server failure. For more information, see Configuring the Device's LDAP Cache.

If the connection with the LDAP server is broken, the device sends the SNMP alarm acLDAPLostConnection. Upon successful reconnection, the alarm clears. If connection with the LDAP server is disrupted during the search, all search requests are dropped and an alarm indicating a failed status is sent to client applications.

Management-related LDAP Queries: LDAP can be used for authenticating and authorizing management users (Web and CLI) and is based on the user's login username and password (credentials) when attempting login to one of the device's management platforms. When configuring the login username (LDAP Bind DN) and password (LDAP Password) to send to the LDAP server, you can use templates based on the dollar ($) sign, which the device replaces with the actual username and password entered by the user during the login attempt. You can also configure the device to send the username and password in clear-text format or encrypted using TLS (SSL).

The device connects to the LDAP server (i.e., an LDAP session is created) only when a login attempt occurs. The LDAP Bind operation establishes the authentication of the user based on the username-password combination. The server typically checks the password against the userPassword attribute in the named entry. A successful Bind operation indicates that the username-password combination is correct; a failed Bind operation indicates that the username-password combination is incorrect.

Once the user is successfully authenticated, the established LDAP session may be used for further LDAP queries to determine the user's management access level and privileges (Operator, Admin, or Security Admin). This is known as the user authorization stage. To determine the access level, the device searches the LDAP directory for groups of which the user is a member, for example:
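The following Python sketch is an added illustration of the two stages described above (expanding a $ template into a Bind DN, then deriving an access level from group membership); it is not taken from the manual and does not describe the device's internal implementation. The template, the group DNs, the level ordering and the deny-by-default result are constructed assumptions.

```python
from __future__ import annotations

# Added illustration; not AudioCodes code. All DNs and names are constructed.
_DN_SPECIALS = set('"+,;<>\\')   # RFC 4514 sec. 2.4: must be escaped in a DN value
LEVELS = ["Operator", "Admin", "Security Admin"]   # assumed order, lowest first


def escape_dn_value(value: str) -> str:
    """Escape a login name so it stays one attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIALS or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_bind_request(template: str, username: str, password: str) -> tuple[str, str]:
    """Expand the $ placeholder and return (bind_dn, password) for a simple Bind."""
    if "$" not in template:
        raise ValueError("Bind DN template has no $ placeholder")
    if not username or not password:
        # RFC 4513 sec. 5.1.2: a DN with an empty password is an "unauthenticated
        # bind" that a server may answer with success, so never send one.
        raise ValueError("empty username or password refused before Bind")
    return template.replace("$", escape_dn_value(username)), password


def access_level(member_of: list[str], group_levels: dict[str, str]) -> str | None:
    """Return the highest level granted by the user's groups, or None (deny)."""
    wanted = {dn.lower(): lvl for dn, lvl in group_levels.items()}
    granted = [wanted[g.lower()] for g in member_of if g.lower() in wanted]
    return max(granted, key=LEVELS.index) if granted else None


if __name__ == "__main__":
    TEMPLATE = "cn=$,ou=admins,dc=example,dc=com"            # constructed
    GROUPS = {"cn=sbc-ops,dc=example,dc=com": "Operator",    # constructed
              "cn=sbc-sec,dc=example,dc=com": "Security Admin"}
    print(build_bind_request(TEMPLATE, "alice", "s3cret"))
    print(build_bind_request(TEMPLATE, "bob,ou=other", "x"))  # comma stays inside cn
    print(access_level(["CN=sbc-ops,DC=example,DC=com"], GROUPS))
```

A simple Bind carries the password itself, so the clear-text option mentioned above exposes it on the network path to the LDAP server; the TLS option protects it in transit.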
