User Authentication Based On Radius; Interworking Sip Signaling - AudioCodes Mediant 800B User Manual

Analog & digital voip media gateway

2. If the message is received without a SIP Authorization header, the device
"challenges" the client by sending a SIP 401 or 407 response. The client then
resends the request with an Authorization header (containing the user name and
password).
3. The device validates the SIP message according to the AuthNonceDuration,
AuthChallengeMethod and AuthQOP parameters.
The device's Authentication server functionality is configured per IP Group, using the
'Authentication Mode' parameter in the IP Group table (see "Configuring IP Groups" on
page 263).

28.7.2 User Authentication based on RADIUS

The device can authenticate SIP clients (users) using a remote RADIUS server. The device
supports the RADIUS extension for digest authentication of SIP clients, according to
draft-sterman-aaa-sip-01. Based on this standard, the device generates the nonce (in
contrast to RFC 5090, where it is done by the RADIUS server).
RADIUS based on draft-sterman-aaa-sip-01 operates as follows:
1. The device receives a SIP request without an Authorization header from the SIP
client.
2. The device generates the nonce and sends it to the client in a SIP 407 (Proxy
Authentication Required) response.
3. The SIP client sends the SIP request with the Authorization header to the device.
4. The device sends an Access-Request message to the RADIUS server.
5. The RADIUS server verifies the client's credentials and sends an Access-Accept (or
Access-Reject) response to the device.
6. The device accepts the SIP client's request (sends a SIP 200 OK or forwards the
authenticated request) or rejects it (sends another SIP 407 to the SIP client).
To configure this feature, set the SBCServerAuthMode ini file parameter to 2.

28.8 Interworking SIP Signaling

The device supports interworking of SIP signaling messages to ensure interoperability
between communicating SIP UAs or entities. This is critical in network environments where
the UAs on opposing SBC legs have different SIP signaling support. For example, some
UAs may support different versions of a SIP method while others may not even support a
specific SIP method. To assign specific SIP message handling modes to UAs, configure
an IP Profile with the required interworking mode, and then assign the IP Profile to
the relevant IP Group.
This section describes some of the device's support for handling SIP methods to ensure
interoperability.
User's Manual
If validation fails, the device rejects the message and sends a 403
(Forbidden) response to the client.
If validation succeeds, the device verifies client identification. It checks that
the username and password received from the client are the same as the username
and password in the device's User Information table / database (see "SBC
User Information for SBC User Database" on page 612). If the client is not
successfully authenticated after three attempts, the device sends a SIP 403
(Forbidden) response to the client. If the user is successfully identified, the
device accepts the SIP message request.
Mediant 800B Gateway and E-SBC
502
Document #: LTRT-10286
