SIP Authentication Server Functionality
The device can function as an Authentication server for authenticating incoming SIP message requests, based on HTTP Digest authentication with MD5 or SHA-256 (configured by [SIPServerDigestAlgorithm]). Alternatively, such requests can be authenticated by an external, third-party server.
When functioning as an Authentication server, the device can authenticate the following SIP entities:

■ SIP servers: This is applicable to Server-type IP Groups. This provides protection from rogue SIP servers, preventing unauthorized usage of device resources and functionality. To authenticate remote servers, the device challenges the server with a user-defined username and password that is shared with the remote server. When the device receives an INVITE request from the remote server, it challenges the server by replying with a SIP 401 Unauthorized response containing the WWW-Authenticate header. The remote server then re-sends the INVITE containing an Authorization header with authentication information based on this username-password combination to confirm its identity. The device uses the username and password to authenticate the message prior to processing it.

■ SIP clients: These are clients belonging to a User-type IP Group. This support prevents unauthorized usage of the device's resources by rogue SIP clients. When the device receives an INVITE or REGISTER request from a client (e.g., SIP phone) for SIP message authorization, the device processes the authorization as follows:

  a. The device challenges the received SIP message only if it is configured as a SIP method (e.g., INVITE) for authorization. This is configured in the IP Groups table, using the 'Authentication Method List' parameter.

  b. If the message is received without a SIP Authorization header, the device "challenges" the client by sending a SIP 401 or 407 response. The client then resends the request with an Authorization header (containing the username and password).

  c. The device validates the SIP message according to the AuthNonceDuration, AuthChallengeMethod and AuthQOP parameters.

     ◆ If validation fails, the device rejects the message and sends a 403 (Forbidden) response to the client.

     ◆ If validation succeeds, the device verifies the client's identity. It checks that the username and password received from the client are the same as the username and password in the device's SBC User Information table / database (see SBC User Information for SBC User Database). If no username and password are configured in the SBC User Information table, the device authenticates the user based on the username and password configured for the relevant IP Group in the IP Groups table ('Username As Server' and 'Password As Server' parameters). If the client is not successfully authenticated after three attempts, the device sends a SIP 403 (Forbidden) response to the client. If the user is successfully identified, the device accepts the SIP message request.
The device's Authentication server functionality is configured per IP Group, using the 'Authentication Mode' parameter in the IP Groups table (see Configuring IP Groups).
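The following is an added example, not AudioCodes code and not the device's implementation, that models the server-side sequence above (steps a to c) for a User-type IP Group: challenge with 401 and WWW-Authenticate, validate the returned Authorization header against nonce lifetime and qop, check the credentials first against a user table and then against the IP Group's 'Username As Server' / 'Password As Server' values, and fail with 403 after three attempts. The user table, IP Group credentials, realm and parameter names (nonce_duration for AuthNonceDuration, methods for 'Authentication Method List', algorithm for [SIPServerDigestAlgorithm]) are constructed stand-ins. A small client-side helper is included only so the exchange can be run end to end; the nonce-count replay check goes beyond what the page describes and is a common hardening, not a documented device behaviour.

```python
import hashlib
import re
import secrets
import time

# Constructed stand-ins for the SBC User Information table and for the IP Group's
# 'Username As Server' / 'Password As Server' parameters (assumptions, not device data).
USER_DB = {"alice": "alice-pass"}
IP_GROUP_CREDS = ("ipgroup-user", "ipgroup-pass")


def digest_hash(algorithm, data):
    """H() of RFC 7616: SHA-256 or MD5 hex digest, selected by the algorithm name."""
    fn = hashlib.sha256 if algorithm == "SHA-256" else hashlib.md5
    return fn(data.encode()).hexdigest()


def parse_digest_header(value):
    """Parse 'Digest k="v", k=v, ...' into a dict; None if it is not a Digest header."""
    if not value.startswith("Digest "):
        return None
    pairs = re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value[len("Digest "):])
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3) for m in pairs}


def digest_response(algorithm, username, password, realm, method, uri, nonce, nc, cnonce, qop):
    """qop=auth response value; the same computation is done by client and server."""
    ha1 = digest_hash(algorithm, f"{username}:{realm}:{password}")
    ha2 = digest_hash(algorithm, f"{method}:{uri}")
    return digest_hash(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class SipAuthServer:
    def __init__(self, realm, algorithm="SHA-256", nonce_duration=300, max_attempts=3,
                 methods=("INVITE", "REGISTER")):
        self.realm = realm
        self.algorithm = algorithm            # stand-in for [SIPServerDigestAlgorithm]
        self.nonce_duration = nonce_duration  # stand-in for AuthNonceDuration (seconds)
        self.max_attempts = max_attempts
        self.methods = set(methods)           # stand-in for 'Authentication Method List'
        self.nonces = {}                      # nonce -> [issue time, highest nc accepted]
        self.failures = {}                    # username -> failed attempts so far

    def challenge(self, now):
        """Step b: reply 401 Unauthorized with a fresh WWW-Authenticate challenge."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = [now, 0]
        hdr = f'Digest realm="{self.realm}", nonce="{nonce}", qop="auth", algorithm={self.algorithm}'
        return 401, hdr

    def lookup_password(self, username):
        """Credential source: SBC User Information table first, then the IP Group values."""
        if username in USER_DB:
            return USER_DB[username]
        if username == IP_GROUP_CREDS[0]:
            return IP_GROUP_CREDS[1]
        return None

    def handle(self, method, uri, authorization, now=None):
        """Process one request; returns (status, WWW-Authenticate header or None)."""
        now = time.time() if now is None else now
        if method not in self.methods:        # step a: method is not challenged at all
            return 200, None
        if authorization is None:             # step b: no Authorization header yet
            return self.challenge(now)
        p = parse_digest_header(authorization)
        # step c: nonce lifetime, qop, algorithm and realm must all check out, else 403
        nonce = p.get("nonce") if p else None
        if (p is None or nonce not in self.nonces or p.get("qop") != "auth"
                or p.get("realm") != self.realm or p.get("algorithm", "MD5") != self.algorithm
                or now - self.nonces[nonce][0] > self.nonce_duration):
            return 403, None
        try:
            nc_val = int(p.get("nc", ""), 16)
        except ValueError:
            return 403, None
        if nc_val <= self.nonces[nonce][1]:   # replayed or out-of-order nonce count
            return 403, None
        # identity check against the user table / IP Group credentials
        user = p.get("username", "")
        password = self.lookup_password(user)
        if password is not None:
            expected = digest_response(self.algorithm, user, password, self.realm, method,
                                       p.get("uri", ""), nonce, p["nc"], p.get("cnonce", ""), "auth")
            if secrets.compare_digest(expected, p.get("response", "")):
                self.nonces[nonce][1] = nc_val
                self.failures.pop(user, None)
                return 200, None
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            return 403, None                  # third failed attempt: Forbidden
        return self.challenge(now)            # otherwise challenge again


def client_authorization(challenge_header, username, password, method, uri,
                         nc="00000001", cnonce="0a4f113b"):
    """Client side: build the Authorization header answering a WWW-Authenticate challenge."""
    c = parse_digest_header(challenge_header)
    resp = digest_response(c["algorithm"], username, password, c["realm"], method, uri,
                           c["nonce"], nc, cnonce, "auth")
    return (f'Digest username="{username}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}", '
            f'algorithm={c["algorithm"]}')


if __name__ == "__main__":
    srv = SipAuthServer("sbc.example")
    status, www = srv.handle("INVITE", "sip:bob@sbc.example", None)
    auth = client_authorization(www, "alice", "alice-pass", "INVITE", "sip:bob@sbc.example")
    print(status, srv.handle("INVITE", "sip:bob@sbc.example", auth))
```

The explicit `now` argument keeps nonce expiry testable without sleeping; in a real deployment the lifetime comes from AuthNonceDuration and the device, not this model, decides whether a stale nonce is answered with 403 as the page states or with a fresh challenge.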