Radius-Based User Authentication; Oauth2-Based User Authentication - AudioCodes Mediant 4000 SBC User Manual
Session border controllers
Hide thumbs
Also See for Mediant 4000 SBC:
- User manual (964 pages) ,
- Hardware installation manual (40 pages) ,
- User manual (822 pages)
Table of Contents
Advertisement
CHAPTER 22 SBC Overview
a.
The device challenges the received SIP message only if it is configured as a SIP method
(e.g., INVITE) for authorization. This is configured in the IP Groups table, using the
'Authentication Method List' parameter.
b.
If the message is received without a SIP Authorization header, the device "challenges" the
client by sending a SIP 401 or 407 response. The client then resends the request with an
Authorization header (containing the user name and password).
c.
The device validates the SIP message according to the AuthNonceDuration,
AuthChallengeMethod and AuthQOP parameters.
◆
◆
The device's Authentication server functionality is configured per IP Group, using the
'Authentication Mode' parameter in the IP Groups table (see
RADIUS-based User Authentication
The device can authenticate SIP clients (users) using a remote RADIUS server. The device
supports the RADIUS extension for digest authentication of SIP clients, according to draft-
sterman-aaa-sip-01. Based on this standard, the device generates the nonce (in contrast to RFC
5090, where it is done by the RADIUS server).
RADIUS based on draft-sterman-aaa-sip-01 operates as follows:
1.
The device receives a SIP request without an Authorization header from the SIP client.
2.
The device generates the nonce and sends it to the client in a SIP 407 (Proxy Authentication
Required) response.
3.
The SIP client sends the SIP request with the Authorization header to the device.
4.
The device sends an Access-Request message to the RADIUS server.
5.
The RADIUS server verifies the client's credentials and sends an Access-Accept (or Access-
Reject) response to the device.
6.
The device accepts the SIP client's request (sends a SIP 200 OK or forwards the
authenticated request) or rejects it (sends another SIP 407 to the SIP client).
To configure this feature, set the SBCServerAuthMode ini file parameter to 2.
OAuth2-based User Authentication
The device supports the OAuth 2.0 authentication protocol (RFC 7662 and Internet Draft "draft-ietf-
sipcore- sip- authn- 02"), allowing it to authenticate any specified incoming SIP request (e.g.,
REGISTER and INVITE) with a third-party OAuth Authorization server over HTTP/S.
OAuth authorization consists of the following main stages:
1.
(This stage does not involve the device.) The client application requires an OAuth Access
Token for the user. There are multiple schemes to do this. For example, it may use the
Authorization Code method, whereby the client application refers the user to the OAuth
Authorization server to request an Authorization Code. The client application then uses the
received Authorization Code to request an Access Token (and a Refresh Token) for the user
from the Authorization server.
If validation fails, the device rejects the message and sends a 403 (Forbidden)
response to the client.
If validation succeeds, the device verifies client identification. It checks that the
username and password received from the client is the same username and password
in the device's User Information table / database (see
User
Database). If the client is not successfully authenticated after three attempts,
the device sends a SIP 403 (Forbidden) response to the client. If the user is
successfully identified, the device accepts the SIP message request.
Configuring IP
- 515 -
Mediant 4000 SBC | User's Manual
SBC User Information for SBC
Groups).
Advertisement
Table of Contents
Troubleshooting
