RADIUS-based Authentication of SIP User Agents
The device can authenticate SIP clients (users) using a remote RADIUS server. The device supports the RADIUS extension for digest authentication of SIP clients, according to draft-sterman-aaa-sip-01. Based on this standard, the device generates the nonce (in contrast to RFC 5090, where it is done by the RADIUS server).
RADIUS based on draft-sterman-aaa-sip-01 operates as follows:
| 1. | The device receives a SIP request without an Authorization header from the SIP client. |
| 2. | The device generates the nonce and sends it to the client in a SIP 407 (Proxy Authentication Required) response. |
| 3. | The SIP client sends the SIP request with the Authorization header to the device. |
| 4. | The device sends an Access-Request message to the RADIUS server. |
| 5. | The RADIUS server verifies the client's credentials and sends an Access-Accept (or Access-Reject) response to the device. |
| 6. | The device accepts the SIP client's request (sends a SIP 200 OK or forwards the authenticated request) or rejects it (sends another SIP 407 to the SIP client). |
To configure this feature, set the SBCServerAuthMode ini file parameter to 2.