Configuring SIP AAA Features
This chapter describes how to configure the following SIP AAA features:
• Configurable Screening Indicator (handled in this document as a subset of SIP - Enhanced Billing Support for Gateways)
• RADIUS Pre-authentication for Voice Calls
• SIP - Enhanced Billing Support for Gateways
• SIP: Gateway HTTP Authentication Digest
Feature History for Configurable Screening Indicator
Release      Modification
12.2(2)XB    This feature was introduced.
12.2(8)T     This feature was integrated into this release.
Feature History for RADIUS Pre-authentication for Voice Calls
Feature History for SIP - Enhanced Billing Support for SIP Gateways
Release      Modification
12.2(2)XB    This feature was introduced.
12.2(8)T     This feature was integrated into this release.
12.2(11)T    This feature was implemented on additional platforms.
Feature History for SIP: Gateway HTTP Authentication Digest
Finding Support Information for Platforms and Cisco Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• How to Configure SIP AAA Features
• Configuration Examples for SIP AAA Features
Prerequisites for SIP AAA
All SIP AAA Features
• Establish a working IP network. For information about configuring IP, see Cisco IOS IP Command Reference, Release 12.3.
• Configure VoIP. For information about configuring VoIP, see the following:
  – Cisco IOS Voice Configuration Library, Release 12.4T
  – Cisco IOS Voice Command Reference
  – Enhancements to the Session Initiation Protocol for VoIP on Cisco Access Platforms
• Ensure that the gateway has voice functionality configured for SIP.
RADIUS Pre-authentication for Voice Calls Feature
• Ensure that you have an application that supports preauthentication.
• Set up preauthentication profiles and have them running on a RADIUS-based PPM server in your network.
• Enable gateway accounting using the gw-accounting command. All call-accounting information must be forwarded to the server that is performing preauthentication. Accounting stop packets must be sent to this server so that call billing is ended when calls are disconnected from the gateway. In addition, authentication and accounting start packets are needed to enable other features, such as virtual private dialup network (VPDN).
Note
For information on setting up the preauthentication profiles, see the Cisco IOS Security Command Reference.
For information on Cisco RPMS, see the Cisco Resource Policy Management System 2.0.
For standards supporting RADIUS-based PPM servers, see RFC 2865, Remote Authentication Dial In User Service (RADIUS).
SIP: Gateway HTTP Authentication Digest Feature
• Implement a Cisco IOS SIP gateway that supports SIP.
• Implement a configuration that supports SIP.
• Implement an authentication configuration for the gateway to respond to authentication challenges for requests that it originates.
Restrictions for SIP AAA
All SIP AAA Features
• If Cisco Resource Policy Management System (RPMS) is used as the RADIUS-based PPM server, it must be Version 2.0 or a later release.
• In SIP environments, if you want the Cisco SIP proxy server to generate preauthentication queries, you must run Cisco SPS 2.0 or a later version.
SIP: Gateway HTTP Authentication Digest Via SIP UA Feature
• SIP Register is supported only on platforms with digital trunk type ports.
Information About SIP AAA
AAA features for SIP provide the following benefits:
• RADIUS preauthentication allows wholesalers to accept or reject calls to enforce SLAs before calls are connected, thereby conserving gateway resources.
• Call admission control prevents call connections when resources are unavailable.
• Extended dial plan features enable the call service type to be determined from preauthentication request data, simplifying dial plan entries.
• Universal gateways provide other specific benefits:
  – Flexibility in deploying new services and adapting to changes in the business environment
  – Cost savings through reduction of the total number of ports required to provide different services
  – Optimized utilization of access infrastructure by supporting more services during off-peak hours
  – Flexibility in access network engineering by leveraging dial infrastructure to handle both dial and voice
To configure AAA features for SIP, you should understand the following concepts:
• RADIUS Pre-authentication for Voice Calls
• SIP - Enhanced Billing Support for Gateways
• SIP: Gateway HTTP Authentication Digest
RADIUS Pre-authentication for Voice Calls
This section explains how to configure the AAA RADIUS communication link between a universal gateway and a RADIUS-based PPM server for RADIUS preauthentication.
Information about an incoming call is relayed through the gateway to the RADIUS-based PPM server in the network before the call is connected. The RADIUS-based PPM server provides port policy management and preauthentication by evaluating the call information against contracted parameter levels in SLAs. If the call falls within SLA limits, the server preauthenticates the call and the universal gateway accepts it. If the server does not authorize the call, the universal gateway sends a disconnect message to the public network switch to reject the call. The available call information includes one or more of the following:
• DNIS number, also referred to as the called number.
• CLID number (calling line identification number), also referred to as the calling number.
• Call type, also referred to as the bearer capability.
• IP address of the originating domain.
• Interzone ClearToken (IZCT) information, which contains the origination gatekeeper zone name for intradomain calls or the origination domain border gatekeeper zone name for interdomain calls. Whenever IZCT information is available, it is used to preauthenticate leg-3 H.323 VoIP calls.
Note
To enable IZCT, use the security izct password command on the gatekeeper. For multiple gatekeeper zones, use the lrq forward-queries command.
For information on IZCT configuration, see Inter-Domain Gatekeeper Security Enhancement, Release 12.2(4)T.
A timer monitors the preauthentication query in case the RADIUS-based PPM server application is unavailable or slow to respond. If the timer expires before an acceptance or rejection is provided, the universal gateway rejects the call.
The RADIUS Pre-authentication for Voice Calls feature supports the use of RADIUS attributes that are configured in RADIUS preauthentication profiles to specify preauthentication behavior. These attributes can also be used, for instance, to specify whether subsequent authentication should occur and, if so, what authentication method should be used.
The commands in this section are used for both leg 1 calls (calls from a PSTN that enter an incoming, or originating, gateway) and leg 3 calls (calls that exit the IP network to an outgoing, or terminating, gateway). The use of optional commands depends on individual network factors.
Note
Before configuring AAA preauthentication, you must make sure that the supporting preauthentication application is running on a RADIUS-based PPM server in your network, such as a Cisco RPMS. You must also set up preauthentication profiles on the RADIUS-based PPM server. For full information on AAA, see the Cisco IOS Security Configuration Guide.
The RADIUS Pre-authentication for Voice Calls feature provides the means to evaluate and accept or reject call setup requests for both voice and dial calls received at universal gateways. This process is known as preauthentication. The feature also optionally allows voice calls to bypass this evaluation.
With universal gateways, voice customers and dial customers contend for the same gateway resources. This competition can present problems for IP service wholesalers who lease their IP services to various customers such as Internet service providers (ISPs), Internet telephony service providers (ITSPs), and telephony application service providers (T-ASPs). Wholesalers need a way to implement and enforce with these customers service-level agreements (SLAs) that describe the levels of connectivity, performance, and availability that they guarantee to provide. The RADIUS Pre-authentication for Voice Calls feature allows a wholesaler to determine whether a call is within SLA limits before gateway resources are dedicated to terminating the call.
With RADIUS preauthentication enabled, end customers from over-subscribed service providers are prevented from consuming ports that exceed the number allotted to their service provider in its SLA. If the call is accepted in the preauthentication step, it proceeds to full dial authentication and authorization or to voice dial-peer matching and voice session application authentication and authorization.
RADIUS preauthentication uses a RADIUS-based port-policy management (PPM) server, such as the Cisco Resource Policy Management System (RPMS), to interpret and enforce universal PPM and preauthentication SLAs. RADIUS provides the communication link between the PPM server and universal gateways.
Customer profiles are defined in the PPM server with information from the SLA. Then, when a call is received at the universal gateway, the server determines which specific customer SLA policy to apply to the call on the basis of information associated with the call. For example, calls can be identified as either dial or voice on the basis of the called number (also called the dialed number identification service number or DNIS). Then the PPM server might be set up to allow only a certain number of dial calls. When a new dial call is received, it is rejected if adding it to the count makes the count exceed the number of dial calls stipulated in the SLA.
Calls that are accepted by the PPM server continue with their normal call setup sequences after preauthentication. The response from the PPM server is returned to the calling entity—such as an ISDN or SIP call signaling interface—which then proceeds with the regular call flow. Calls that are rejected by the PPM server follow the given call model and apply the error codes or rejection reasons that are specified by the signaling entity.
SIP-Based Voice Termination
In Figure 62, a voice call from a SIP telephone or SIP terminal is sent from an ITSP to a wholesaler. The Cisco SIP proxy server (Cisco SPS) chooses the appropriate universal gateway to which the SIP INVITE is forwarded, on the basis of its own routing mechanism. In Step 3, Cisco SPS makes a preauthentication query to the RPMS-based PPM server. Cisco SPS locks out calls that are rejected by the RPMS-based PPM server. In Step 5, the universal gateway makes a preauthentication reservation request to the RPMS-based PPM server, which locks in the resources to handle the call.
Note
This scenario requires Cisco SPS 2.0.
Figure 62 SIP-Based Voice Termination
The call flow is as follows:
1. A SIP INVITE is sent from an end user's PC to an ITSP SIP proxy server.
2. The ITSP's SIP proxy server forwards the SIP INVITE to a Cisco SPS at a wholesaler or ISP.
3. Preauthentication—The Cisco SPS sends a preauthentication query to the RADIUS-based PPM server, which locates the appropriate SLA and makes sure that the call is within the SLA limits. If the call is outside the limits, the call is rejected and Cisco SPS responds to the sender with an "Error code 480 - Temporarily not available" message. Cisco SPS interaction with the RADIUS-based PPM server is optional and requires Cisco SPS version 2.0 or a later release. If you are not using Cisco SPS 2.0, the gateway makes the preauthentication query to the RADIUS-based PPM server if it has been configured to do so.
4. Gateway selection—If the preauthentication request is accepted, the Cisco SPS uses its routing logic to determine the appropriate terminating universal gateway to which it should forward the INVITE.
5. Call admission control—If the preauthentication request is accepted, the terminating universal gateway checks its configured call admission control limits. If the call is outside the limits, the call is rejected.
6. Authentication and authorization—The universal gateway reserves a port and sends an authentication, authorization, and accounting (AAA) accounting start packet to the RADIUS-based PPM server.
7. The connection between the caller and the universal gateway is completed (call leg 3).
8. The caller is connected to the PSTN (call leg 4).
9. Accounting stop—After the caller hangs up or is otherwise disconnected, the terminating universal gateway issues an accounting stop packet to the RADIUS-based PPM server. The PPM server uses the accounting stop packet to clear out the count for that call against the SLA.
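The port-accounting logic this call flow describes (the SLA selected by called number, a port counted when the preauthentication query is accepted, the count cleared by the accounting stop, and the gateway rejecting the call when its query timer expires) as an added Python model. This is illustration added here, not Cisco RPMS or Cisco IOS code; the customer names, DNIS prefixes, port limits and the simulated server delay are all constructed.

```python
"""Toy model of RADIUS preauthentication against SLA port counts (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class SlaProfile:
    customer: str
    dnis_prefix: str   # the SLA to apply is chosen from the called number (DNIS)
    call_type: str     # "dial" or "voice", as the SLA classifies calls by DNIS
    max_calls: int     # ports the SLA allots to this customer
    active: set = field(default_factory=set)   # call ids currently counted


class PpmServer:
    """Stands in for the RADIUS-based PPM server: picks the SLA by DNIS and counts calls."""

    def __init__(self, profiles):
        self.profiles = profiles

    def _match(self, dnis):
        # Longest matching DNIS prefix wins, so a more specific SLA overrides a general one.
        best = None
        for p in self.profiles:
            if dnis.startswith(p.dnis_prefix) and (
                best is None or len(p.dnis_prefix) > len(best.dnis_prefix)
            ):
                best = p
        return best

    def preauthenticate(self, call_id, dnis):
        """Accept or reject; accepting counts one port against the SLA (the reservation)."""
        p = self._match(dnis)
        if p is None:
            return False, "no SLA profile for called number"
        if len(p.active) + 1 > p.max_calls:
            return False, f"{p.customer}: {p.call_type} call limit {p.max_calls} reached"
        p.active.add(call_id)
        return True, f"{p.customer}: {p.call_type} call accepted ({len(p.active)}/{p.max_calls})"

    def accounting_stop(self, call_id):
        """The accounting stop packet clears the call's count against the SLA."""
        for p in self.profiles:
            p.active.discard(call_id)


class UniversalGateway:
    """Relays the call information to the PPM server; rejects on timeout or on rejection."""

    def __init__(self, server, timeout_s=1.0):
        self.server = server
        self.timeout_s = timeout_s

    def incoming_call(self, call_id, dnis, server_delay_s=0.0):
        # server_delay_s simulates a slow or unavailable PPM server: if the query
        # timer would expire before an answer arrives, the call is rejected, never accepted.
        if server_delay_s > self.timeout_s:
            return "reject", "preauthentication timer expired"
        accepted, reason = self.server.preauthenticate(call_id, dnis)
        return ("accept" if accepted else "reject"), reason

    def disconnect(self, call_id):
        """Caller hangs up: the gateway sends the accounting stop, freeing the port."""
        self.server.accounting_stop(call_id)
```

The fail-closed timer branch is the point worth copying: an unanswered query is treated as a rejection, so a PPM server outage cannot silently lift the SLA limits.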
SIP - Enhanced Billing Support for Gateways
This section describes the SIP - Enhanced Billing Support for Gateways feature. The feature describes the changes to authentication, authorization, and accounting (AAA) records and the Remote Authentication Dial-In User Service (RADIUS) implementations on Cisco SIP gateways. These changes were introduced to provide customers and partners the ability to effectively bill for traffic transported over SIP networks.
This section discusses the following topics:
Username Attribute
The username attribute is included in all AAA records and is the primary means for the billing system to identify an end user. The password attribute is included in authentication and authorization messages of inbound VoIP call legs.
For most implementations, the SIP gateway populates the username attribute in the SIP INVITE request with the calling number from the FROM: header, and the password attribute with null or with data from an IVR script. If a Proxy-Authorization header exists, it is ignored. The aaa username command determines the information with which to populate the username attribute.
Within the Microsoft Passport authentication service that authenticates and identifies users, the passport user ID (PUID) is used. The PUID and a password are passed from a Microsoft network to the Internet telephony service provider (ITSP) network in the Proxy-Authorization header of a SIP INVITE request as a single, base-64 encoded string. For example,
Proxy-Authorization: basic MDAwMzAwMDA4MDM5MzJlNjou
The aaa username command enables parsing of the Proxy-Authorization header, decoding of the PUID and password, and populating of the PUID into the username attribute and the decoded password into the password attribute. The decoded password is generally a "." because a Microsoft Network (MSN) authenticates users prior to this point. For example,
Username = "123456789012345"
Password = "Z\335\304\326KU\037\301\261\326GS\255\242\002\202"
The password in the example above is an encrypted "." and is the same for all users.
SIP Call ID
From the Call ID header of the SIP INVITE request, the SIP Call ID is extracted and populated in Cisco vendor-specific attributes (VSA) as an attribute value pair call-id=string. The value pair can be used to correlate RADIUS records from Cisco SIP gateways with RADIUS records from other SIP network elements, for example, proxies.
Note
For complete information on this attribute value pair, see the RADIUS Vendor-Specific Attributes Voice Implementation Guide.
Session Protocol
Session Protocol is another attribute value pair that indicates whether the call is using SIP or H.323 as the signaling protocol.
Note
For complete information on this attribute value pair, see the RADIUS Vendor-Specific Attributes Voice Implementation Guide.
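How the username, password, call-id and session-protocol attributes get populated from an INVITE, as an added Python example that is not part of the Cisco documentation or of Cisco IOS. The INVITE is constructed from headers shown elsewhere on this page, and its Proxy-Authorization value is the one shown above, so the decoded PUID and "." password are what the text describes. The `proxy_auth` flag is a stand-in for whichever aaa username setting selects the Proxy-Authorization header, and the session-protocol value string is an assumption.

```python
"""Populate AAA username/password attributes and Cisco VSAs from a SIP INVITE (constructed example)."""
import base64
import re

# Constructed INVITE: request line and headers taken from the traces on this page,
# Proxy-Authorization value as shown in the Username Attribute section.
SAMPLE_INVITE = (
    "INVITE sip:36601@172.18.193.187:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 172.18.193.120:5060;branch=z9hG4bK8DF8H\r\n"
    'From: "36602" <sip:36602@172.18.193.120>;tag=50EB48-383\r\n'
    "To: <sip:36601@172.18.193.187>\r\n"
    "Call-ID: A9EEC728-495E11D6-8003AD63-F55A9C4\r\n"
    "CSeq: 102 INVITE\r\n"
    "Proxy-Authorization: basic MDAwMzAwMDA4MDM5MzJlNjou\r\n"
    "Content-Length: 0\r\n\r\n"
)


def parse_headers(message):
    """Map lowercased header names to values; the request line is skipped."""
    head = message.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def calling_number(from_header):
    """User part of the From: URI, e.g. 36602 from <sip:36602@172.18.193.120>."""
    m = re.search(r"sip:([^@>;]+)@", from_header)
    return m.group(1) if m else None


def decode_proxy_authorization(value):
    """Decode 'basic <base64>' into (PUID, password); None for any other scheme."""
    scheme, _, payload = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    decoded = base64.b64decode(payload).decode("utf-8")
    puid, _, password = decoded.partition(":")
    return puid, password


def aaa_attributes(invite, proxy_auth=False):
    """Attributes for the AAA records of an inbound VoIP leg.
    proxy_auth=False: username is the From: calling number, password empty,
    Proxy-Authorization ignored (the default behaviour the text describes).
    proxy_auth=True: PUID and password decoded from Proxy-Authorization."""
    h = parse_headers(invite)
    attrs = {
        "username": calling_number(h.get("from", "")),
        "password": "",
        "cisco-avpair": [
            f"call-id={h.get('call-id', '')}",   # correlates with proxy RADIUS records
            "session-protocol=sip",              # assumed value string for the SIP case
        ],
    }
    if proxy_auth and "proxy-authorization" in h:
        decoded = decode_proxy_authorization(h["proxy-authorization"])
        if decoded is not None:
            attrs["username"], attrs["password"] = decoded
    return attrs
```

Decoding the page's own header value yields the 16-character PUID and a "." password, which is why the text says the password is the same for all users once MSN has authenticated them.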
Silent Authentication Script
As part of the SIP - Enhanced Billing Support for SIP Gateways feature, a Tool Command Language (Tcl) Interactive Voice Response (IVR) 2.0 Silent Authorization script has been developed. The Silent Authorization script allows users to be authorized without having to separately enter a username or password into the system. The script automatically extracts the passport user ID (PUID) and password from the SIP INVITE request, and then authenticates that information through RADIUS authentication and authorization records. The script is referred to as silent because neither the caller nor the called party hears any prompts.
Note
• You can upgrade to the latest script version through the CCO Software Center. You can download the app_passport_silent.2.0.0.0.tcl script from http://www.cisco.com/pcgi-bin/tablebuild.pl/tclware. You must be a registered CCO user to log in and access these files.
• For information regarding Tcl IVR API 2.0, see the Tcl IVR API Version 2.0 Programmer's Guide.
Developers using the Tcl Silent Authorization script may be interested in joining the Cisco Developer Support Program. This program provides you with a consistent level of support that you can depend on while leveraging Cisco interfaces in your development projects. It also provides an easy process to open, update, and track issues through Cisco.com. The Cisco web-site is a key communication vehicle for using the Cisco Online Case tracking tool. A signed Developer Support Agreement is required to participate in this program. For more details, and access to this agreement, please visit us at http://www.cisco.com/en/US/products/svcs/ps3034/ps5408/ps5418/serv_home.html or contact developer-support@cisco.com.
Configurable Screening Indicator
Screening Indicator (SI) is a signaling-related information element found in octet 3a of the ISDN SETUP message that can be used as an authorization mechanism for incoming calls. The Tcl IVR 2.0 command set allows SIP terminating gateways to assign a specific value to the screening indicator through the use of Tcl scripts.
The screening indicator can contain four possible values:
• User provided, not screened
• User provided, verified and passed
• User provided, verified and failed
• Network provided
Note
• In all scenarios, gateway accounting must be enabled, and all call-accounting information must be forwarded to the server that is performing preauthentication. Accounting stop packets must be sent to this server so that call billing is ended when calls are disconnected from the gateway. In addition, authentication and accounting start packets are needed to enable other features, such as virtual private dial-up network (VPDN).
• For information on using Tcl IVR scripts to set and retrieve screening indicators, see the Tcl IVR API Version 2.0 Programmer's Guide.
SIP: Gateway HTTP Authentication Digest
The SIP: Gateway HTTP Authentication Digest feature implements authentication using the digest access on the client side of a common SIP stack. The gateway responds to authentication challenges from an authenticating server, proxy server, or user-agent server (UAS). This feature also maintains parity between the Cisco gateways, proxy servers, and SIP phones that already support authentication.
Feature benefits include the following:
• A SIP gateway is able to respond to authentication challenges from authenticating proxy servers or user-agent servers (UASs). The authentication method supported is digest authentication. Although digest authentication is not the best method, it provides a basic level of security.
Note
The UAS challenges with a 401 response and the proxy server with a 407 response. The gateway tries to find authentication credentials appropriate to the realm issuing the challenge and response. A gateway can handle authentication challenges from both the proxy server and the UAS.
• Registration of the destination patterns on POTS dial peers extends to all PSTN interfaces.
Note
The proxy server previously performed authentication only with the SIP phones.
The SIP Survivable Remote Site Telephony (SRST) feature in an earlier release added support to register E.164 numbers for foreign exchange stations (FXSs) (analog telephone voice ports) and extended foreign exchange stations (IP phone virtual voice ports) to an external SIP registrar. This feature extends that functionality for the gateway to register numbers configured on PSTN trunks such as PRI pipes.
This section contains the following information:
• Proxy-Server-to-UA Authentication
• Extending SIP Register Support on Gateway
Digest Access Authentication
SIP provides a stateless challenge-response mechanism for authentication based on digest access. A UAS or proxy server receiving a request challenges the initiator of the request to provide its identity. The user-agent client (UAC) generates a response by performing a message digest 5 (MD5) checksum on the challenge and its password. The response is passed back to the challenger in a subsequent request.
There are two modes of authentication:
• Proxy-server authentication
• UAS authentication
This feature also supports multiple proxy authentication on the gateway. The gateway can respond to up to five different authentication challenges in the signaling path between the gateway (as UAC) and a UAS.
UAC-to-UAS Authentication
When the UAS receives a request without credentials from a UAC, it challenges the originator to provide credentials by rejecting the request with a "401 Unauthorized" response that includes a WWW-Authenticate header. The header field value consists of arguments applicable to digest scheme, as follows:
• realm—A string to be displayed to users so they know which username and password to use.
• nonce—A server-specified data string that should be uniquely generated each time a 401 response is made.
In addition, the header field may contain the following optional arguments:
• opaque—A string of data, specified by the server, that should be returned by the client unchanged in the Authentication header of subsequent requests with URIs in the same protection space.
• stale—A flag, indicating that the previous request from the client was rejected because the nonce value was stale.
• algorithm—A string indicating a pair of algorithms used to produce the digest and a checksum.
• qop-options—A string of one or more tokens indicating the "quality of protection" values supported by the server.
• auth-param—Directive that allows for future extensions.
The UAC reoriginates the request with proper credentials in the Authorization header field. The Authorization header field value consists of authentication information and arguments:
• username—User's name in the specified realm. This value is taken from the configuration, either at the dial-peer or the global level.
• digest-uri—Same as the request URI of the request.
• realm, nonce—From the WWW-Authenticate header.
Message digest 5 (MD5) is computed as follows:
response = MD5( MD5(A1) ":" (unquoted) nonce-value ":" nc-value ":" (unquoted) cnonce-value ":" (unquoted) qop-value ":" MD5(A2) )
where A1 = (unquoted) username-value ":" (unquoted) realm-value ":" password
A2 = Method ":" request-uri, if qop is "auth"
A2 = Method ":" request-uri ":" MD5(entity-body), if qop is "auth-int"
• The nc-value is the hexadecimal count of the number of requests (including the current request) that the client has sent with the nonce value in this request.
• The cnonce-value is an opaque string provided by the client for mutual authentication between client and server.
• The qop-value is the quality of protection directive, "auth" or "auth-int".
UAC-to-UAS Call Flow with Register Message
In this call flow (see Figure 63), the UA sends a Register message request without the Authorization header and receives a 401 status code message response challenge from the SIP server. The UA then resends the request including the proper credentials in the Authorization header.
Figure 63 UA-to-UAS Call Flow with Register Message
The UA sends a Register message request to the SIP server with the CSeq initialized to 1:
REGISTER sip:172.18.193.187:5060 SIP/2.0
Via: SIP/2.0/UDP 172.18.193.120:5060;branch=z9hG4bK200B
From: "36602" <sip:36602@172.18.193.120>;tag=98AS-87RT
To: <sip:36602@172.18.193.187>
Call-ID: A9EEC728-495E11D6-8003AD63-F55A9C4
User-Agent: Cisco-SIPGateway/IOS-12.x
CSeq: 1 REGISTER
Contact: <sip:36602@172.18.193.120:5060>;user=phone
Expires: 60
Content-Length: 0
The SIP server responds with a 401 Unauthorized challenge response to the UA:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 172.18.193.120:5060;branch=z9hG4bK200B
From: "36602" <sip:36602@172.18.193.120>;tag=98AS-87RT
To: <sip:36602@172.18.193.187>;tag=3046583040568302
Call-ID: A9EEC728-495E11D6-8003AD63-F55A9C4
CSeq: 1 REGISTER
WWW-Authenticate: Digest realm="example.com", qop="auth", nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="", stale=FALSE, algorithm=MD5
Content-Length: 0
The UA resends a Register message request to the SIP server that includes the authorization and increments the CSeq:
REGISTER sip:172.18.193.187:5060 SIP/2.0
Via: SIP/2.0/UDP 172.18.193.120:5060;branch=z9hG4bK1DEA
From: "36602" <sip:36602@172.18.193.120>;tag=98AS-89FD
To: <sip:36602@172.18.193.187>
Call-ID: A9EEC728-495E11D6-8003AD63-F55A9C4
User-Agent: Cisco-SIPGateway/IOS-12.x
Authorization: Digest username="36602", realm="example.com", nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="", uri="sip:172.18.193.187", response="dfe56131d1958046689d83306477ecc"
CSeq: 2 REGISTER
Contact: <sip:36602@172.18.193.120:5060>;user=phone
Expires: 60
Content-Length: 0
The SIP server responds with a 200 OK message response to the UA:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 172.18.193.120:5060;received=172.18.193.120;branch=z9hG4bK1DEA
Call-ID: A9EEC728-495E11D6-8003AD63-F55A9C4
From: "36602" <sip:36602@172.18.193.120>;tag=98AS-89FD
To: <sip:36602@172.18.193.187>;tag=1q92461294
CSeq: 2 REGISTER
Contact: <sip:36602@172.18.193.120:5060>;expires="Wed, 02 Jul 2003 18:18:26 GMT"
Expires: 60
Content-Length: 0
Note
A SIP server can challenge any request except ACK and CANCEL request messages, because an ACK message request does not take any response and a CANCEL message request cannot be resubmitted. The UA uses the same credentials in an ACK message request as in an INVITE message request.
UAC-to-UAS Call Flow with INVITE Message
In this call flow (see Figure 64), the UAC sends an INVITE message request to a UAS without proper credentials and is challenged with a 401 Unauthorized message response. A new INVITE message request is then sent, containing the correct credentials. Finally, the call is completed.
Figure 64 UAC-to-UAS Call Flow with INVITE Message
The UAS challenges the UAC to provide user credentials by issuing a 401 Unauthorized message response:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 172.18.193.120:5060;branch=z9hG4bK45TGN
From: "36602" <sip:36602@172.18.193.120>;tag=98AS-87RT
To: <sip:36602@172.18.193.187>;tag=3046583040568302
Call-ID: A9EEC728-495E11D6-8003AD63-F55A9C4
CSeq: 101 INVITE
WWW-Authenticate: Digest realm="example.com", qop="auth", nonce="ea9c8e8809345gf1cec4341ae6cgh5a359", opaque=""
Content-Length: 0
The UAC resubmits the request with proper credentials in the Authorization header:
INVITE sip:36601@172.18.193.187:5060 SIP/2.0
Via: SIP/2.0/UDP 172.18.193.120:5060;branch=z9hG4bK8DF8H
From: "36602"<sip:36602@172.18.193.120>;tag=50EB48-383
To: <sip:36601@172.18.193.187>
Call-ID: A9EEC728-495E11D6-8003AD63-F55A9C4
CSeq: 102 INVITE
Authorization: Digest username="36602", realm="example.com", nonce="ea9c8e8809345gf1cec4341ae6cgh5a359", opaque="", uri="sip:36601@172.18.193.187", response="42ce3cef44b22f50c02350g6071bc8"
...
The UAC uses the same credentials in subsequent requests in that dialog:
PRACK sip:36601@172.18.193.187:5060 SIP/2.0
Via: SIP/2.0/UDP 172.18.193.120:5060;branch=z9hG4bK8YH5790
From: "36602"<sip:36602@172.18.193.120>;tag=50EB48-383
To: <sip:36601@172.18.193.187>;tag=AG09-92315
Call-ID: A9EEC728-495E11D6-8003AD63-F55A9C4
CSeq: 103 PRACK
Authorization: Digest username="36602", realm="example.com", nonce="ea9c8e8809345gf1cec4341ae6cgh5a359", opaque="", uri="sip:36601@172.18.193.187", response="42ce3cef44b22f50c02350g6071bc9"
Content-Length: 0
Proxy-Server-to-UA Authentication
When a UA submits a request to a proxy server without proper credentials, the proxy server authenticates the originator by rejecting the request with a 407 message response (Proxy Authentication Required) and includes a Proxy-Authenticate header field value applicable to the proxy server for the requested resource. The UAC follows the same procedure mentioned in the "UAC-to-UAS Authentication" section to get proper credentials for the realm and resubmits the request with the credentials in the Proxy-Authorization header.
Note
realm—A string to be displayed to users so they know which username and password to use.
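The digest computation from the "UAC-to-UAS Authentication" section and the 401/407 handling described here, as an added Python example; this is not the Cisco IOS implementation. The credential store keyed by realm, the passwords and the client nonce are assumptions, and a server-side check is included so the exchange can be verified end to end.

```python
"""SIP digest authentication on the client side, with a server-side check (added example)."""
import hashlib
import hmac
import re
import secrets

# Constructed credential store keyed by realm: the gateway chooses the credentials that
# match the realm in the challenge. Usernames follow the page; the passwords are invented.
CREDENTIALS = {
    "example.com": ("36602", "uas-password-placeholder"),
    "proxy1.example.com": ("36602", "proxy1-password-placeholder"),
    "proxy2.example.com": ("36602", "proxy2-password-placeholder"),
}
MAX_PROXY_CHALLENGES = 5  # the text: up to five challenges in the path between UAC and UAS

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_params(header_value):
    """Parse 'Digest k="v", k2=v2, ...' (a challenge or a credentials header) into a dict."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("only the Digest scheme is handled here")
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None, entity_body=""):
    """The response value from the formula in the text: A1 = username:realm:password,
    A2 = Method:request-uri for qop auth, or Method:request-uri:MD5(entity-body) for auth-int."""
    a1 = f"{username}:{realm}:{password}"
    a2 = f"{method}:{uri}:{_md5_hex(entity_body)}" if qop == "auth-int" else f"{method}:{uri}"
    if qop:
        return _md5_hex(f"{_md5_hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5_hex(a2)}")
    # Challenge without a qop directive: the older form with no nc/cnonce fields.
    return _md5_hex(f"{_md5_hex(a1)}:{nonce}:{_md5_hex(a2)}")


def answer_challenge(status, challenge_value, method, uri, nc=1, cnonce=None):
    """Turn a 401 (UAS) or 407 (proxy) challenge into the matching credentials header.
    Returns (header_name, header_value), or None when no credentials exist for the realm."""
    chal = parse_digest_params(challenge_value)
    creds = CREDENTIALS.get(chal.get("realm"))
    if creds is None:
        return None
    user, password = creds
    header = "Authorization" if status == 401 else "Proxy-Authorization"
    qop = None
    if "qop" in chal:
        offered = [t.strip() for t in chal["qop"].split(",")]
        qop = "auth" if "auth" in offered else offered[0]
    parts = [f'username="{user}"', f'realm="{chal["realm"]}"',
             f'nonce="{chal["nonce"]}"', f'uri="{uri}"']
    if qop:
        nc_value = f"{nc:08x}"
        cnonce = cnonce or secrets.token_hex(8)   # assumed client nonce source
        resp = digest_response(user, chal["realm"], password, method, uri,
                               chal["nonce"], qop, nc_value, cnonce)
        parts += [f"qop={qop}", f"nc={nc_value}", f'cnonce="{cnonce}"']
    else:
        resp = digest_response(user, chal["realm"], password, method, uri, chal["nonce"])
    parts.append(f'response="{resp}"')
    if "opaque" in chal:
        parts.append(f'opaque="{chal["opaque"]}"')   # returned to the server unchanged
    parts.append("algorithm=MD5")
    return header, "Digest " + ", ".join(parts)


def credentials_for_path(proxy_challenges, method, uri):
    """Multiple proxy authentication: one Proxy-Authorization header per challenging proxy."""
    if len(proxy_challenges) > MAX_PROXY_CHALLENGES:
        raise ValueError("more proxy challenges than the gateway handles")
    headers = []
    for chal in proxy_challenges:
        answer = answer_challenge(407, chal, method, uri)
        if answer is None:
            raise ValueError("no credentials for realm " + parse_digest_params(chal)["realm"])
        headers.append(answer)
    return headers


def verify_credentials(credentials_value, method, password, issued_nonce, entity_body=""):
    """Server side (UAS or proxy): recompute the response from the stored password and compare
    in constant time; a nonce this server did not issue is treated as stale or replayed."""
    p = parse_digest_params(credentials_value)
    if p.get("nonce") != issued_nonce:
        return False
    expected = digest_response(p["username"], p["realm"], password, method, p["uri"],
                               p["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce"), entity_body)
    return hmac.compare_digest(expected, p.get("response", ""))
```

One difference from the traces on this page is worth noting: the challenges there advertise qop="auth", yet the Authorization headers shown carry no qop, nc or cnonce fields. When a server offers qop, the response formula above requires those three values, and this example includes them; a server that issued the qop directive can reject a credentials header that omits them. The `nonce` comparison in `verify_credentials` is the hook where a real server tracks which nonces it issued and how many times each nc value has been seen.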
Proxy Server to UA Authentication Call Flow
In this call flow, the UAC completes a call to a UAS by using two proxy servers, PS 1 and PS 2 (see Figure 65). The UAC has valid credentials in both domains. Because the initial INVITE message request does not contain the Authorization credentials that proxy server 1 requires, a 407 Proxy Authorization Required message response containing the challenge information is sent. A new INVITE message request containing the correct credentials is then sent, and the call proceeds after proxy server 2 challenges and receives valid credentials.
Figure 65 Proxy-Server-to-UA Call Flow
Proxy server 1 challenges the UAC for authentication:
SIP/2.0 407 Proxy Authorization Required
Via: SIP/2.0/UDP 172.18.193.120:5060;branch=z9hG4bK207H
From: <sip:36602@172.18.193.120>;tag=50EB48-383
To: <sip:36601@172.18.193.187>;tag=929523858000835
Call-ID: D61E40D3-496A11D6-80070030-9426ED30@172.18.193.120
CSeq: 101 INVITE
Proxy-Authenticate: Digest realm="proxy1.example.com", qop="auth",nonce="wf84f1cczx41ae6cbeaea9ce88d359", opaque="", stale=FALSE, algorithm=MD5
Content-Length: 0
The UAC responds by resending the INVITE message request with authentication credentials. The same Call-ID is used, so the CSeq is increased.
INVITE sip:36601@172.18.193.187:5060 SIP/2.0
Via: SIP/2.0/UDP 172.18.193.120:5060;branch=z9hG4bKEE1
From: <sip:36602@172.18.193.120>;tag=50EB48-383
To: <sip:36601@172.18.193.187>
Call-ID: D61E40D3-496A11D6-80070030-9426ED30@172.18.193.120
CSeq: 102 INVITE
Proxy-Authorization: Digest username="36602", realm="proxy1.example.com", nonce="wf84f1ceczx41ae6cbe5aea9c8e88d359", opaque="", uri="sip:36601@172.18.193.187", response="42ce3cef44b22f50c6a6071bc8"
Contact: <sip:172.18.193.120:5060>
...
Proxy server 2 challenges the UAC's INVITE message request for authentication; its 407 message response is forwarded to the UAC by proxy server 1.
SIP/2.0 407 Proxy Authorization Required
Via: SIP/2.0/UDP 172.18.193.120:5060;branch=z9hG4bKEE1
From: <sip:36602@172.18.193.120>;tag=50EB48-383
To: <sip:36601@172.18.193.187>;tag=083250982545745
Call-ID: D61E40D3-496A11D6-80070030-9426ED30@172.18.193.120
Proxy-Authenticate: Digest realm="proxy2.example.com", qop="auth", nonce="c1e22c41ae6cbe5ae983a9c8e88d359", opaque="", stale=FALSE, algorithm=MD5
Content-Length: 0
The UAC responds by resending the INVITE message request with authentication credentials for both proxy server 1 and proxy server 2.
INVITE sip:36601@172.18.193.187:5060 SIP/2.0
Via: SIP/2.0/UDP 172.18.193.120:5060;branch=z9hG4bK8GY
From: <sip:36602@172.18.193.120>;tag=50EB48-383
To: <sip:36601@172.18.193.187>
Call-ID: D61E40D3-496A11D6-80070030-9426ED30@172.18.193.120
CSeq: 103 INVITE
Proxy-Authorization: Digest username="36602", realm="proxy1.example.com", nonce="wf84f1ceczx41ae6cbe5aea9c8e88d359", opaque="", uri="sip:36601@172.18.193.187", response="42ce3cef44b22f50c6a6071bc8"
Proxy-Authorization: Digest username="36602", realm="proxy2.example.com", nonce="c1e22c41ae6cbe5ae983a9c8e88d359", opaque="", uri="sip:36601@172.18.193.187", response="f44ab22f150c6a56071bce8"
...
Extending SIP Register Support on Gateway
The SIP: Gateway HTTP Authentication Digest feature also enables the Cisco IOS SIP gateway to register all addresses specified by destination patterns in operational POTS dial peers, for all ports. This gives customers the flexibility to register and authenticate users behind a private branch exchange (PBX) that is connected to the gateway through a PRI interface. There is no change in the way a gateway with foreign-exchange-station (FXS) ports registers individual E.164 addresses.
This feature uses dial peers to give registration and authentication their granularity. Dial peers can be created with wildcards (for example, .919T, where the terminator T makes the gateway wait until the full dial string is received) or with a range of numbers (for example, .919392..., where ... indicates numbers in the range 0000 to 9999). Such destination patterns are registered with a single-character wildcard in the user portion of the To and Contact headers. Table 36 shows how the various types of gateway dial plans map to the corresponding REGISTER request.
Table 36 SIP Cisco IOS Gateway Dial Peer Mapping to Register (1)

Cisco IOS SIP GW Configuration:
dial-peer voice 919 pots
destination-pattern 919.......
port 0:D
Corresponding Register:
REGISTER sip:proxy.example.com SIP/2.0
To: <sip:919.......@172.18.193.120>
From: <sip:172.18.192.120>;tag=ABCD
Contact: <sip:919.......@172.18.193.120>;user=phone

Cisco IOS SIP GW Configuration:
dial-peer voice 555 pots
destination-pattern 555T
port 0:D
Corresponding Register:
REGISTER sip:proxy.example.com SIP/2.0
To: <sip:555*@172.18.193.120>
From: <sip:172.18.192.120>;tag=ABCD
Contact: <sip:555*@172.18.193.120>;user=phone

Cisco IOS SIP GW Configuration:
dial-peer voice 5550100 pots
destination-pattern 5550100
port 0:D
Corresponding Register:
REGISTER sip:proxy.example.com SIP/2.0
To: <sip:5550100@172.18.193.120>
From: <sip:5550100@172.18.192.120>;tag=ABCD
Contact: <sip:5550100@172.18.193.120>;user=phone

(1) You need to modify the proxy/registrar behavior to correctly route calls for wildcard patterns or destination patterns with a range. Proxy servers or registrars that do not match a wildcard pattern or a destination pattern with a range should be ignored for that specific request.
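Added example, not from the Cisco documentation: a Python model of the mapping in Table 36 and of the registrar behavior its footnote asks for. The gateway side turns a POTS dial-peer destination-pattern into the user part of the REGISTER To/Contact headers; the registrar side is a hypothetical matcher that routes a called number only to a registration whose pattern matches it. The configuration snippet is constructed, and the rules that a registered * matches one or more further digits and that the most specific match wins are assumptions.

```python
import re

# Constructed POTS dial-peer configuration, modelled on the rows of Table 36.
SAMPLE_DIAL_PEERS = """\
dial-peer voice 919 pots
 destination-pattern 919.......
 port 0:D
!
dial-peer voice 555 pots
 destination-pattern 555T
 port 0:D
!
dial-peer voice 5550100 pots
 destination-pattern 5550100
 port 0:D
"""

GATEWAY_IP = "172.18.193.120"   # gateway address used in the table


def parse_pots_dial_peers(config: str) -> dict:
    """Return {dial-peer tag: destination-pattern} for every POTS dial peer that
    carries a destination-pattern; only those are registered."""
    peers, tag = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("dial-peer voice "):
            m = re.match(r"dial-peer voice (\S+) pots$", line)
            tag = m.group(1) if m else None     # VoIP dial peers are not registered
        elif line == "!":
            tag = None
        elif tag is not None:
            m = re.match(r"destination-pattern (\S+)$", line)
            if m:
                peers[tag] = m.group(1)
    return peers


def register_user_part(pattern: str) -> str:
    """User part the gateway places in To/Contact (Table 36): the T terminator
    becomes '*', single-digit wildcards ('.') are kept, digits stay literal."""
    if not re.fullmatch(r"[0-9.T]+", pattern):
        raise ValueError(f"unsupported destination-pattern: {pattern}")
    return pattern.replace("T", "*")


def build_register(pattern: str, gateway_ip: str,
                   registrar: str = "proxy.example.com", tag: str = "ABCD") -> list:
    """Request line and To/From/Contact headers of the REGISTER for one pattern.
    As in Table 36, From carries a user part only for an exact (wildcard-free) pattern."""
    user = register_user_part(pattern)
    from_user = f"{user}@" if "." not in user and "*" not in user else ""
    return [
        f"REGISTER sip:{registrar} SIP/2.0",
        f"To: <sip:{user}@{gateway_ip}>",
        f"From: <sip:{from_user}{gateway_ip}>;tag={tag}",
        f"Contact: <sip:{user}@{gateway_ip}>;user=phone",
    ]


# ---- registrar side (hypothetical; implements footnote 1 of Table 36) ----

def registration_regex(user_part: str) -> str:
    """Translate a registered user part into a regex over called numbers.
    Assumption: '.' matches exactly one digit and '*' matches one or more digits."""
    out = []
    for ch in user_part:
        if ch == ".":
            out.append(r"\d")
        elif ch == "*":
            out.append(r"\d+")
        elif ch.isdigit():
            out.append(ch)
        else:
            raise ValueError(f"bad character in registration: {ch!r}")
    return "^" + "".join(out) + "$"


def registrations_from_config(config: str, gateway_ip: str) -> dict:
    """What the registrar holds once the gateway has registered every POTS dial peer."""
    regs = {}
    for pattern in parse_pots_dial_peers(config).values():
        user = register_user_part(pattern)
        regs[user] = f"sip:{user}@{gateway_ip}"
    return regs


def route_called_number(registrations: dict, called: str):
    """Contact for a called number, or None when no registered pattern matches
    (a registrar must not route to a wildcard registration that does not match).
    Assumption: among several matches the pattern with most literal digits wins."""
    matches = [(user, contact) for user, contact in registrations.items()
               if re.match(registration_regex(user), called)]
    if not matches:
        return None
    matches.sort(key=lambda m: (-sum(c.isdigit() for c in m[0]), m[0].count("*")))
    return matches[0][1]
```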
How to Configure SIP AAA Features
This section contains the following procedures:
• Configuring RADIUS Pre-authentication for Voice Calls
• Configuring SIP - Enhanced Billing Support for Gateways
• Configuring SIP: Gateway HTTP Authentication Digest
• Verifying AAA Features for SIP
Configuring RADIUS Pre-authentication for Voice Calls
This section includes the following procedures:
• Configure a RADIUS Group Server
• Configure Access and Authentication
• Configure RADIUS Communications
Configure a RADIUS Group Server
To configure a RADIUS group server, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. aaa group server radius groupname
5. server ip-address [auth-port port] [acct-port port]
6. exit
DETAILED STEPS
Configure Access and Authentication
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa authentication login h323 group groupname
4. aaa authentication ppp default group groupname
5. aaa authorization exec list-name group groupname
6. aaa authorization network default group {radius | rpms} if-authenticated
7. aaa authorization reverse-access default local
8. aaa accounting suppress null-user-name
9. aaa accounting send stop-record authentication failure
10. exit
DETAILED STEPS
Configure Accounting
Note
For a complete explanation of the aaa accounting command, see the Cisco IOS Security Command Reference.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa accounting delay-start
4. aaa accounting update [periodic number]
5. aaa accounting exec default start-stop group groupname
6. aaa accounting exec list-name start-stop group groupname
7. aaa accounting network default start-stop group groupname
8. aaa accounting connection h323 start-stop group groupname
9. aaa accounting system default start-stop group groupname
10. aaa accounting resource default start-stop-failure group groupname
11. gw-accounting aaa
12. exit
DETAILED STEPS
Configure Preauthentication
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa preauth
4. group {radius | groupname}
5. clid [if-avail | required] [accept-stop] [password string]
6. ctype [if-avail | required] [accept-stop] [password string]
7. dnis [if-avail | required] [accept-stop] [password string]
8. dnis bypass {dnis-groupname}
9. filter voice
10. timeout leg3 time
11. service-type call-check
12. exit
DETAILED STEPS
Configure RADIUS Communications
SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}]
4. radius-server retransmit retries
5. radius-server attribute 6 support-multiple
6. radius-server attribute 44 include-in-access-req
7. radius-server attribute nas-port format c
8. radius-server key {0 string | 7 string | string}
9. radius-server vsa send accounting
10. radius-server vsa send authentication
11. exit
DETAILED STEPS
Command or Action / Purpose

Step 1
enable
Example: Router> enable
Enables privileged EXEC mode. Enter your password if prompted.

Step 2
configure terminal
Example: Router# configure terminal
Enters global configuration mode.

Step 3
radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}]
Example: Router(config)# radius-server host jimname
Specifies a RADIUS server host. Keywords and arguments are as follows:
• hostname—DNS name of the RADIUS server host.
• ip-address—IP address of the RADIUS server host.
• auth-port port-number—UDP destination port for authentication requests; the host is not used for authentication if set to 0. Default: 1645.
• acct-port port-number—UDP destination port for accounting requests; the host is not used for accounting if set to 0. Default: 1646.
• timeout—Time interval (in seconds) that the router waits for the RADIUS server to reply before retransmitting. This setting overrides the global value of the radius-server timeout command. Range: 1 to 1000. If no timeout value is specified, the global value is used.
• retransmit retries—Number of times that a RADIUS request is resent to a server if that server is not responding or is responding slowly. This setting overrides the global setting of the radius-server retransmit command. Range: 1 to 100. If no retransmit value is specified, the global value is used.
• key string—Authentication and encryption key used between the router and the RADIUS daemon running on this RADIUS server. This key overrides the global setting of the radius-server key command. If no key string is specified, the global value is used.
The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command syntax, because leading spaces are ignored but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
• alias—Allow up to eight aliases per line for any given RADIUS server.

Step 4
radius-server retransmit retries
Example: Router(config)# radius-server retransmit 1
(Optional) Specifies the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up. The argument is as follows:
• retries—Maximum number of retransmission attempts. Default: 3.

Step 5
radius-server attribute 6 support-multiple
Example: Router(config)# radius-server attribute 6 support-multiple
(Optional) Sets an option for RADIUS Attribute 6 (Service-Type) values in a RADIUS profile. The keyword is as follows:
• support-multiple—Support multiple service-type values in each RADIUS profile.

Step 6
radius-server attribute 44 include-in-access-req
Example: Router(config)# radius-server attribute 44 include-in-access-req
Sends RADIUS attribute 44 (Accounting Session ID) in access request packets before user authentication (including requests for preauthentication).
Note
For information on RADIUS attributes, see the Cisco IOS Security Command Reference.

Step 7
radius-server attribute nas-port format c
Example: Router(config)# radius-server attribute nas-port format c
(Required if using Cisco RPMS) Selects the NAS-Port format used for RADIUS accounting features.

Step 8
radius-server key {0 string | 7 string | string}
Example: Router(config)# radius-server key ncmmekweisnaowkakskiiw
(Optional) Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon. Keywords and arguments are as follows:
• 0 string—An unencrypted (cleartext) shared key as specified by string.
• 7 string—A hidden shared key as specified by string.
• string—The unencrypted (cleartext) shared key.

Step 9
radius-server vsa send accounting
Example: Router(config)# radius-server vsa send accounting
(Optional) Configures the network access server to recognize and use vendor-specific attributes.

Step 10
radius-server vsa send authentication
Example: Router(config)# radius-server vsa send authentication
(Optional) Configures the network access server to recognize and use vendor-specific attributes.

Step 11
exit
Example: Router(config)# exit
Exits the current mode.
Configuring SIP - Enhanced Billing Support for Gateways
To configure the SIP - Enhanced Billing Support for Gateways feature, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. sip-ua
4. aaa username {calling-name | proxy-auth}
5. exit
DETAILED STEPS
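Added example, not from the Cisco documentation: a Python model of what the aaa username keywords select as the Username that AAA and the show call active voice output later in this chapter report. With proxy-auth the value is the PUID taken from the SIP Proxy-Authorization header (Basic credentials are base64-decoded, Digest credentials yield their username parameter); with calling-name it is the calling number. The header values are constructed, the Digest response shown is a dummy, and the fallback to the calling number when proxy-auth finds no usable header is an assumption.

```python
import base64
import binascii
import re

# Constructed inputs. The Basic value decodes to the same '1234567890123456:.'
# that the debug ccsip events output later in this chapter shows.
BASIC_PROXY_AUTH = "Basic MTIzNDU2Nzg5MDEyMzQ1Njou"
DIGEST_PROXY_AUTH = ('Digest username="36602", realm="example.com", nonce="405729fe", '
                     'uri="sip:172.18.193.187", response="00000000000000000000000000000000"')


def parse_proxy_authorization(header: str):
    """Return (scheme, username) for a Proxy-Authorization value, or (scheme, None)
    when no username can be recovered. The password of a Basic credential is
    deliberately not returned: the billing feature only needs the PUID."""
    scheme, _, rest = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(rest.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return scheme, None          # malformed credential: nothing to bill against
        user, sep, _password = decoded.partition(":")
        return scheme, (user if sep else None)
    if scheme == "digest":
        m = re.search(r'username="([^"]*)"', rest)
        return scheme, (m.group(1) if m else None)
    return scheme, None


def billing_username(mode: str, proxy_authorization, calling_number: str) -> str:
    """Mirror the aaa username choice: 'proxy-auth' takes the PUID from the
    Proxy-Authorization header, 'calling-name' takes the calling number.
    Assumption: with proxy-auth and no usable header, fall back to the calling number."""
    if mode == "proxy-auth":
        if proxy_authorization:
            _scheme, user = parse_proxy_authorization(proxy_authorization)
            if user:
                return user
        return calling_number
    if mode == "calling-name":
        return calling_number
    raise ValueError(f"unknown aaa username mode: {mode}")


def username_line(mode: str, proxy_authorization, calling_number: str) -> str:
    """The Username= line in the form show call active voice prints it."""
    return f"Username={billing_username(mode, proxy_authorization, calling_number)}"
```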
Configuring SIP: Gateway HTTP Authentication Digest
This section contains the following procedures:
• Configure SIP: Gateway HTTP Authentication Digest Via Dial-Peer (required)
• Configure SIP: Gateway HTTP Authentication Digest Via SIP UA (required)
Configure SIP: Gateway HTTP Authentication Digest Via Dial-Peer
To configure the SIP: Gateway HTTP Authentication Digest Via Dial-Peer feature, perform the following steps.
Note
• This configuration sets up the feature as defined under the POTS dial peer.
• This feature is configured at the POTS dial peer and the SIP user agent, with the dial-peer configuration taking precedence over the SIP user-agent configuration.
SUMMARY STEPS
1. enable
2. configure terminal
3. dial-peer voice tag pots
4. authentication username username password password [realm realm]
5. exit
DETAILED STEPS
Configure SIP: Gateway HTTP Authentication Digest Via SIP UA
To configure the SIP: Gateway HTTP Authentication Digest Via SIP UA feature, perform the following steps.
Note
You can configure this feature for a dial peer or globally, for all POTS dial peers, in SIP user-agent configuration mode. If authentication is configured in SIP user-agent configuration mode and on individual dial peers, the individual dial-peer configuration takes precedence.
Restrictions
• SIP Register is supported only on platforms with digital trunk type ports.
SUMMARY STEPS
1. enable
2. configure terminal
3. sip-ua
4. registrar {dns:address | ipv4:destination-address} expires seconds [tcp] [secondary]
5. authentication username username password password [realm realm]
6. exit
DETAILED STEPS
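Added example, not from the Cisco documentation: a Python model of the Digest exchange behind the 407 challenges shown earlier in this chapter, using the username, password and realm that the authentication command supplies. The gateway (UAC) side answers each proxy's Proxy-Authenticate with a Proxy-Authorization for that realm; the proxy side is a hypothetical verifier that acts only on the credential for its own realm, rejects an unknown nonce and a reused nonce count, and recomputes the response. Nonces, passwords and cnonce values are constructed; the RFC 2617 example vector in the test checks the arithmetic.

```python
import hashlib
import re


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def parse_digest_params(header: str) -> dict:
    """Split a 'Digest k="v", k=v, ...' value into a dict (lower-cased keys).
    Works for both Proxy-Authenticate challenges and Proxy-Authorization credentials."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    params = {}
    for m in re.finditer(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', rest):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None) -> str:
    """RFC 2617 MD5 response. With qop=auth the nc and cnonce are mixed in (the
    challenges in this chapter carry qop="auth"); without qop the RFC 2069 form is used."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def answer_challenge(proxy_authenticate, username, password, method, uri, cnonce, nc=1) -> str:
    """Gateway side: build the Proxy-Authorization value for one 407 challenge."""
    ch = parse_digest_params(proxy_authenticate)
    qop = "auth" if "auth" in [q.strip() for q in ch.get("qop", "").split(",")] else None
    nc_hex = f"{nc:08x}"
    resp = digest_response(username, ch["realm"], password, method, uri,
                           ch["nonce"], qop, nc_hex, cnonce)
    parts = [f'username="{username}"', f'realm="{ch["realm"]}"', f'nonce="{ch["nonce"]}"',
             f'uri="{uri}"', f'response="{resp}"', "algorithm=MD5"]
    if qop:
        parts += ["qop=auth", f"nc={nc_hex}", f'cnonce="{cnonce}"']
    if "opaque" in ch:
        parts.append(f'opaque="{ch["opaque"]}"')
    return "Digest " + ", ".join(parts)


class ProxyVerifier:
    """Hypothetical proxy for one realm. A request may carry one Proxy-Authorization
    per proxy on the path; this proxy acts only on the credential for its own realm."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.users = users          # username -> password (a real store keeps HA1 instead)
        self.issued = {}            # nonce -> highest nc accepted so far

    def challenge(self, nonce: str) -> str:
        self.issued[nonce] = 0
        return (f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}", '
                f'opaque="", stale=FALSE, algorithm=MD5')

    def verify(self, proxy_authorization_headers, method, uri) -> bool:
        for header in proxy_authorization_headers:
            p = parse_digest_params(header)
            if p.get("realm") != self.realm:
                continue                                   # meant for another proxy
            password = self.users.get(p.get("username"))
            if password is None or p.get("nonce") not in self.issued:
                return False                               # unknown user, or forged/stale nonce
            nc = int(p.get("nc", "0"), 16)
            if p.get("qop") == "auth" and nc <= self.issued[p["nonce"]]:
                return False                               # nonce count reused: replay
            expected = digest_response(p["username"], self.realm, password, method, uri,
                                       p["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce"))
            if expected != p.get("response"):
                return False                               # wrong password or tampered request
            self.issued[p["nonce"]] = nc
            return True
        return False                                       # no credential for this realm


def two_proxy_exchange() -> tuple:
    """Constructed walk-through of the two-hop case: the UAC answers proxy1 and
    proxy2 and resends the INVITE carrying both Proxy-Authorization headers.
    Returns (first attempt results, replay of the same headers)."""
    method, uri = "INVITE", "sip:36601@172.18.193.187"
    proxy1 = ProxyVerifier("proxy1.example.com", {"36602": "constructed-pw-1"})
    proxy2 = ProxyVerifier("proxy2.example.com", {"36602": "constructed-pw-2"})
    cred1 = answer_challenge(proxy1.challenge("nonce-p1"), "36602", "constructed-pw-1",
                             method, uri, "c0ffee01")
    cred2 = answer_challenge(proxy2.challenge("nonce-p2"), "36602", "constructed-pw-2",
                             method, uri, "c0ffee02")
    both = [cred1, cred2]
    first = (proxy1.verify(both, method, uri), proxy2.verify(both, method, uri))
    replay = (proxy1.verify(both, method, uri), proxy2.verify(both, method, uri))
    return first, replay
```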
Verifying AAA Features for SIP
To verify AAA-feature configuration, perform the following steps as appropriate (commands are listed in alphabetical order).
SUMMARY STEPS
1. show call active voice
2. show radius statistics
3. show running-config
4. show sip-ua register status
DETAILED STEPS
Step 1
show call active voice
Use this command to display call information for active voice calls. You can thus verify the username attribute.
The following sample output shows that the proxy-auth parameter is selected.
Router# show call active voice
Total call-legs: 2
GENERIC:
SetupTime=1551144 ms
.. (snip).
ReceiveBytes=63006
VOIP:
ConnectionId[0x220A95B7 0x6B3611D5 0x801DBD53 0x8F65BA34]
.. (snip).
CallerName=
CallerIDBlocked=False
Username=1234567890123456 <-- PUID from Proxy-Auth header

The following sample output shows that the calling-number parameter is selected.
Router# show call active voice
Total call-legs: 2
GENERIC:
SetupTime=1587000 ms
.. (snip).
ReceiveBytes=22762
VOIP:
ConnectionId[0xF7C22E07 0x6B3611D5 0x8022BD53 0x8F65BA34]
.. (snip).
CallerName=
CallerIDBlocked=False
Username=1234 <-- calling-number

Step 2
show radius statistics
Use this command to display RADIUS statistics for accounting and authentication packets.
Step 3
show rpms-proc counters
Use this command to display the number of leg 3 preauthentication requests, successes, and rejects.
Note
Use the clear rpms-proc counters command to reset the counters that record the statistics that the show rpms-proc counters command displays.
Step 4
show running-config
Use this command to display the current configuration.
Step 5
show sip-ua register status
Use this command to verify SIP user-agent register status.
Router# show sip-ua register status
Line peer expires(sec) registered
4001 20001 596 no
4002 20002 596 no
5100 1 596 no
9998 2 596 no

where:
line=phone number to register
peer=registration destination number
expires (sec)=amount of time, in seconds, until registration expires
registered=registration status
Troubleshooting Tips
Note
For general troubleshooting tips and a list of important debug commands, see the "General Troubleshooting Tips" section on page 18.
• Make sure that you can make a voice call.
• If the gateway does not respond to the authentication challenge, make sure that the user credentials for the appropriate domain have been configured.
• For the gateway to register destination patterns on the POTS dial peer, make sure that a registrar has been configured.
• Use the debug aaa authentication command to display high-level diagnostics related to AAA logins.
• Use the debug cch323 preauth command to enable debug tracing on the H.323 SPI for preauthentication.
• Use the debug ccsip family of commands to enable SIP debugging capabilities. In particular, use the following:
– Use the debug ccsip all and debug ccsip events commands to display output specific to the SIP - Enhanced Billing Support for Gateways feature.
– Use the debug ccsip preauth command to enable debug tracing on the SIP service provider interface (SPI) for preauthentication.
• Use the debug radius command to enable debug tracing of RADIUS attributes.
• Use the debug rpms-proc preauth command to enable debug tracing on the RPMS process for H.323 calls, SIP calls, or both H.323 and SIP calls.
Following is sample output for some of these commands:
• Sample Output for the debug ccsip Command
• Sample Output of the debug ccsip events Command
• Sample Output for the debug radius Command
Sample Output for the debug ccsip Command
Router# debug ccsip messages
*Oct 11 21:40:26.175://-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
INVITE sip:5550123@172.18.193.187:5060 SIP/2.0 ! Invite request message (command sequence 101)
Via:SIP/2.0/UDP 172.18.193.120:5060;branch=z9hG4bK6ED
From:"36602" <sip:36602@172.18.193.120>;tag=3E948-4C5
To:<sip:5550123@172.18.193.187>
Date:Fri, 11 Oct 2002 21:40:26 GMT
Call-ID:E35DBEB1-DC9811D6-80098FBE-BE736A4@172.18.193.120
Supported:100rel,timer
Min-SE: 1800
Cisco-Guid:3787171507-3700953558-2147913662-199702180
User-Agent:Cisco-SIPGateway/IOS-12.x
Allow:INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, COMET, REFER, SUBSCRIBE, NOTIFY, INFO, UPDATE, REGISTER
CSeq:101 INVITE
Max-Forwards:70
Remote-Party-ID:"36602" <sip:36602@172.18.193.120>;party=calling;screen=no;privacy=off
Timestamp:1034372426
Contact:<sip:36602@172.18.193.120:5060>
Expires:180
Allow-Events:telephone-event
Content-Type:application/sdp
Content-Length:244

v=0
o=CiscoSystemsSIP-GW-UserAgent 6603 1568 IN IP4 172.18.193.120
s=SIP Call
c=IN IP4 172.18.193.120
t=0 0
m=audio 17978 RTP/AVP 18 19
c=IN IP4 172.18.193.120
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:19 CN/8000
a=ptime:20

*Oct 11 21:40:26.179://-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 100 Trying ! 100 Trying response message (command sequence 101)
Via:SIP/2.0/UDP 172.18.193.120:5060;received=172.18.193.120;branch=z9hG4bK6ED
Call-ID:E35DBEB1-DC9811D6-80098FBE-BE736A4@172.18.193.120
From:"36602" <sip:36602@172.18.193.120>;tag=3E948-4C5
To:<sip:5550123@172.18.193.187>
CSeq:101 INVITE
Content-Length:0

*Oct 11 21:40:26.179://-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 407 Proxy Authentication Required ! 407 proxy authentication required response message (command sequence 101)
Via:SIP/2.0/UDP 172.18.193.120:5060;received=172.18.193.120;branch=z9hG4bK6ED
Call-ID:E35DBEB1-DC9811D6-80098FBE-BE736A4@172.18.193.120
From:"36602" <sip:36602@172.18.193.120>;tag=3E948-4C5
To:<sip:5550123@172.18.193.187>;tag=214b-70c4
CSeq:101 INVITE
Proxy-Authenticate:DIGEST realm="example.com", nonce="405729fe", qop="auth", algorithm=MD5
Content-Length:0

*Oct 11 21:40:26.183://-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
ACK sip:5550123@172.18.193.187:5060 SIP/2.0 ! ACK request message (command sequence 101)
Via:SIP/2.0/UDP 172.18.193.120:5060;branch=z9hG4bK6ED
From:"36602" <sip:36602@172.18.193.120>;tag=3E948-4C5
To:<sip:5550123@172.18.193.187>;tag=214b-70c4
Date:Fri, 11 Oct 2002 21:40:26 GMT
Call-ID:E35DBEB1-DC9811D6-80098FBE-BE736A4@172.18.193.120
Max-Forwards:70
CSeq:101 ACK
Content-Length:0

*Oct 11 21:40:26.183://-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
INVITE sip:5550123@172.18.193.187:5060 SIP/2.0 ! Invite message request (command sequence 102)
Via:SIP/2.0/UDP 172.18.193.120:5060;branch=z9hG4bK8BA
From:"36602" <sip:36602@172.18.193.120>;tag=3E948-4C5
To:<sip:5550123@172.18.193.187>
Date:Fri, 11 Oct 2002 21:40:26 GMT
Call-ID:E35DBEB1-DC9811D6-80098FBE-BE736A4@172.18.193.120
Supported:100rel,timer
Min-SE: 1800
Cisco-Guid:3787171507-3700953558-2147913662-199702180
User-Agent:Cisco-SIPGateway/IOS-12.x
Allow:INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, COMET, REFER, SUBSCRIBE, NOTIFY, INFO, UPDATE, REGISTER
CSeq:102 INVITE
Max-Forwards:70
Remote-Party-ID:"36602" <sip:36602@172.18.193.120>;party=calling;screen=no;privacy=off
Timestamp:1034372426
Contact:<sip:36602@172.18.193.120:5060>
Expires:180
Allow-Events:telephone-event
Proxy-Authorization:Digest username="36602",realm="example.com",uri="sip:172.18.193.187",response="404feee07cc7d3081d 04b977260efef5",nonce="405729fe",cnonce="AD7E41C1",qop=auth,algorithm=MD5,nc=00000001
Content-Type:application/sdp
Content-Length:244

v=0
o=CiscoSystemsSIP-GW-UserAgent 6603 1568 IN IP4 172.18.193.120
s=SIP Call
c=IN IP4 172.18.193.120
t=0 0
m=audio 17978 RTP/AVP 18 19
c=IN IP4 172.18.193.120
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:19 CN/8000
a=ptime:20

*Oct 11 21:40:26.187://-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 100 Trying ! 100 Trying response message (command sequence 102)
Via:SIP/2.0/UDP 172.18.193.120:5060;received=172.18.193.120;branch=z9hG4bK8BA
Call-ID:E35DBEB1-DC9811D6-80098FBE-BE736A4@172.18.193.120
From:"36602" <sip:36602@172.18.193.120>;tag=3E948-4C5
To:<sip:5550123@172.18.193.187>
CSeq:102 INVITE
Content-Length:0

*Oct 11 21:40:26.439://-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 180 Ringing ! 180 Ringing response message (command sequence 102)
Via:SIP/2.0/UDP 172.18.193.120:5060;received=172.18.193.120;branch=z9hG4bK8BA
From:"36602" <sip:36602@172.18.193.120>;tag=3E948-4C5
To:<sip:5550123@172.18.193.187>;tag=003094c2e56a035d4326b6a1-292418c6
Call-ID:E35DBEB1-DC9811D6-80098FBE-BE736A4@172.18.193.120
CSeq:102 INVITE
Server:CSCO/4
Contact:<sip:5550123@172.18.197.182:5060>
Record-Route:<sip:5550123@172.18.193.187:5060;maddr=172.18.193.187>
Content-Length:0

*Oct 11 21:40:28.795://-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 200 OK ! 200 OK response message (command sequence 102)
Via:SIP/2.0/UDP 172.18.193.120:5060;received=172.18.193.120;branch=z9hG4bK8BA
From:"36602" <sip:36602@172.18.193.120>;tag=3E948-4C5
To:<sip:5550123@172.18.193.187>;tag=003094c2e56a035d4326b6a1-292418c6
Call-ID:E35DBEB1-DC9811D6-80098FBE-BE736A4@172.18.193.120
CSeq:102 INVITE
Server:CSCO/4
Contact:<sip:5550123@172.18.197.182:5060>
Record-Route:<sip:5550123@172.18.193.187:5060;maddr=172.18.193.187>
Content-Type:application/sdp
Content-Length:146

v=0
o=Cisco-SIPUA 21297 9644 IN IP4 172.18.197.182
s=SIP Call
c=IN IP4 172.18.197.182
t=0 0
m=audio 28290 RTP/AVP 18
a=rtpmap:18 G729/8000

*Oct 11 21:40:28.799://-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
ACK sip:5550123@172.18.193.187:5060;maddr=172.18.193.187 SIP/2.0 ! ACK request message (command sequence 102)
Via:SIP/2.0/UDP 172.18.193.120:5060;branch=z9hG4bK20A5
From:"36602" <sip:36602@172.18.193.120>;tag=3E948-4C5
To:<sip:5550123@172.18.193.187>;tag=003094c2e56a035d4326b6a1-292418c6
Date:Fri, 11 Oct 2002 21:40:26 GMT
Call-ID:E35DBEB1-DC9811D6-80098FBE-BE736A4@172.18.193.120
Route:<sip:5550123@172.18.197.182:5060>
Max-Forwards:70
CSeq:102 ACK
Proxy-Authorization:Digest username="36602",realm="example.com",uri="sip:172.18.193.187",response="cc865e13d766426fb6 5f362c4f569334",nonce="405729fe",cnonce="9495DEBD",qop=auth,algorithm=MD5,nc=00000002
Content-Length:0

*Oct 11 21:40:32.891://-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
BYE sip:5550123@172.18.193.187:5060;maddr=172.18.193.187 SIP/2.0 ! BYE request message (command sequence 103)
Via:SIP/2.0/UDP 172.18.193.120:5060;branch=z9hG4bK6AF
From:"36602" <sip:36602@172.18.193.120>;tag=3E948-4C5
To:<sip:5550123@172.18.193.187>;tag=003094c2e56a035d4326b6a1-292418c6
Date:Fri, 11 Oct 2002 21:40:26 GMT
Call-ID:E35DBEB1-DC9811D6-80098FBE-BE736A4@172.18.193.120
User-Agent:Cisco-SIPGateway/IOS-12.x
Max-Forwards:70
Route:<sip:5550123@172.18.197.182:5060>
Timestamp:1034372432
CSeq:103 BYE
Reason:Q.850;cause=16
Proxy-Authorization:Digest username="36602",realm="example.com",uri="sip:172.18.193.187",response="9b4d617d59782aeaf8 3cd49d932d12dd",nonce="405729fe",cnonce="22EB1F32",qop=auth,algorithm=MD5,nc=00000003
Content-Length:0

*Oct 11 21:40:32.895://-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 100 Trying ! 100 Trying response message (command sequence 103)
Via:SIP/2.0/UDP 172.18.193.120:5060;received=172.18.193.120;branch=z9hG4bK6AF
Call-ID:E35DBEB1-DC9811D6-80098FBE-BE736A4@172.18.193.120
From:"36602" <sip:36602@172.18.193.120>;tag=3E948-4C5
To:<sip:5550123@172.18.193.187>;tag=003094c2e56a035d4326b6a1-292418c6
CSeq:103 BYE
Content-Length:0

*Oct 11 21:40:32.963://-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 200 OK ! 200 OK response message (command sequence 103)
Via:SIP/2.0/UDP 172.18.193.120:5060;received=172.18.193.120;branch=z9hG4bK6AF
From:"36602" <sip:36602@172.18.193.120>;tag=3E948-4C5
To:<sip:5550123@172.18.193.187>;tag=003094c2e56a035d4326b6a1-292418c6
Call-ID:E35DBEB1-DC9811D6-80098FBE-BE736A4@172.18.193.120
CSeq:103 BYE
Server:CSCO/4
Content-Length:0

Sample Output of the debug ccsip events Command
The example shows how the Proxy-Authorization header is broken down into a decoded username and password.
Router# debug ccsip events
CCSIP SPI: SIP Call Events tracing is enabled
21:03:21: sippmh_parse_proxy_auth: Challenge is 'Basic'.
21:03:21: sippmh_parse_proxy_auth: Base64 user-pass string is 'MTIzNDU2Nzg5MDEyMzQ1Njou'.
21:03:21: sip_process_proxy_auth: Decoded user-pass string is '1234567890123456:.'.
21:03:21: sip_process_proxy_auth: Username is '1234567890123456'.
21:03:21: sip_process_proxy_auth: Pass is '.'.
21:03:21: sipSPIAddBillingInfoToCcb: sipCallId for billing records =10872472-173611CC-81E9C73D-F836C2B6@172.18.192.194
21:03:21: ****Adding to UAS Request table

Sample Output for the debug radius Command
Router# debug radius
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius packet hex dump debugging is off
Radius packet protocol debugging is on
Radius packet retransmission debugging is off
Radius server fail-over debugging is off
Jan 23 14:30:25.421:RADIUS/ENCODE(00071EBF):acct_session_id:742769
Jan 23 14:30:25.421:RADIUS(00071EBF):sending
Jan 23 14:30:25.421:RADIUS:Send to unknown id 25 192.168.41.57:1812, Access-Request, len 179
Jan 23 14:30:25.421:RADIUS: authenticator 88 94 AC 32 89 84 73 6D - 71 00 50 6C D0 F8 FD 11
Jan 23 14:30:25.421:RADIUS: User-Name [1] 9 "2210001"
Jan 23 14:30:25.421:RADIUS: User-Password [2] 18 *
Jan 23 14:30:25.421:RADIUS: Vendor, Cisco [26] 32
Jan 23 14:30:25.421:RADIUS: Cisco AVpair [1] 26 "resource-service=reserve"
Jan 23 14:30:25.421:RADIUS: Service-Type [6] 6 Call Check [10]
Jan 23 14:30:25.421:RADIUS: Vendor, Cisco [26] 19
Jan 23 14:30:25.421:RADIUS: cisco-nas-port [2] 13 "Serial6/0:0"
Jan 23 14:30:25.425:RADIUS: NAS-Port [5] 6 6144
Jan 23 14:30:25.425:RADIUS: Vendor, Cisco [26] 29
Jan 23 14:30:25.425:RADIUS: Cisco AVpair [1] 23 "interface=Serial6/0:0"
Jan 23 14:30:25.425:RADIUS: Called-Station-Id [30] 9 "2210001"
Jan 23 14:30:25.425:RADIUS: Calling-Station-Id [31] 9 "1110001"
Jan 23 14:30:25.425:RADIUS: NAS-Port-Type [61] 6 Async [0]
Jan 23 14:30:25.425:RADIUS: NAS-IP-Address [4] 6 192.168.81.101
Jan 23 14:30:25.425:RADIUS: Acct-Session-Id [44] 10 "000B5571"
Jan 23 14:30:25.429:RADIUS:Received from id 25 192.168.41.57:1812, Access-Accept, len 20
Jan 23 14:30:25.429:RADIUS: authenticator 2C 16 63 18 36 56 18 B2 - 76 EB A5 EF 11 45 BE F4
Jan 23 14:30:25.429:RADIUS:Received from id 71EBF
Jan 23 14:30:25.429:RADIUS/DECODE:parse response short packet; IGNORE
Jan 23 14:30:25.433:RADIUS/ENCODE(00071EBF):Unsupported AAA attribute start_time
Jan 23 14:30:25.433:RADIUS/ENCODE(00071EBF):Unsupported AAA attribute timezone
Jan 23 14:30:25.433:RADIUS/ENCODE:format unknown; PASS
Jan 23 14:30:25.433:RADIUS(00071EBF):sending
Jan 23 14:30:25.433:RADIUS:Send to unknown id 26 192.168.41.57:1813, Accounting-Request, len 443
Jan 23 14:30:25.433:RADIUS: authenticator DA 1B 03 83 20 90 11 39 - F3 4F 70 F0 F5 8C CC 75
Jan 23 14:30:25.433:RADIUS: Acct-Session-Id [44] 10 "000B5571"
Jan 23 14:30:25.433:RADIUS: Vendor, Cisco [26] 56
Jan 23 14:30:25.433:RADIUS: h323-setup-time [25] 50 "h323-setup-time=14:30:25.429 GMT Wed Jan 23 2002"
Jan 23 14:30:25.433:RADIUS: Vendor, Cisco [26] 26
Jan 23 14:30:25.433:RADIUS: h323-gw-id [33] 20 "h323-gw-id=OrigGW."
Jan 23 14:30:25.433:RADIUS: Vendor, Cisco [26] 56
Jan 23 14:30:25.433:RADIUS: Conf-Id [24] 50 "h323-conf-id=931C146B 0F4411D6 AB5591F0 CBF3D765"
Jan 23 14:30:25.433:RADIUS: Vendor, Cisco [26] 31
Jan 23 14:30:25.437:RADIUS: h323-call-origin [26] 25 "h323-call-origin=answer"
Jan 23 14:30:25.437:RADIUS: Vendor, Cisco [26] 32
Jan 23 14:30:25.437:RADIUS: h323-call-type [27] 26 "h323-call-type=Telephony"
Jan 23 14:30:25.437:RADIUS: Vendor, Cisco [26] 65
Jan 23 14:30:25.437:RADIUS: Cisco AVpair [1] 59 "h323-incoming-conf-id=931C146B 0F4411D6 AB5591F0 CBF3D765"
Jan 23 14:30:25.437:RADIUS: Vendor, Cisco [26] 30
Jan 23 14:30:25.437:RADIUS: Cisco AVpair [1] 24 "subscriber=RegularLine"
Jan 23 14:30:25.437:RADIUS: User-Name [1] 9 "1110001"
Jan 23 14:30:25.437:RADIUS: Acct-Status-Type [40] 6 Start [1]
Jan 23 14:30:25.437:RADIUS: Vendor, Cisco [26] 19
Jan 23 14:30:25.437:RADIUS: cisco-nas-port [2] 13 "Serial6/0:0"
Jan 23 14:30:25.437:RADIUS: NAS-Port [5] 6 0
Jan 23 14:30:25.437:RADIUS: Vendor, Cisco [26] 29
Jan 23 14:30:25.437:RADIUS: Cisco AVpair [1] 23 "interface=Serial6/0:0"
Jan 23 14:30:25.437:RADIUS: Called-Station-Id [30] 9 "2210001"
Jan 23 14:30:25.437:RADIUS: Calling-Station-Id [31] 9 "1110001"
Jan 23 14:30:25.437:RADIUS: NAS-Port-Type [61] 6 Async [0]
Jan 23 14:30:25.437:RADIUS: Service-Type [6] 6 Login [1]
Jan 23 14:30:25.437:RADIUS: NAS-IP-Address [4] 6 192.168.81.101
Jan 23 14:30:25.437:RADIUS: Event-Timestamp [55] 6 1011796225
Jan 23 14:30:25.437:RADIUS: Delay-Time [41] 6 0
Jan 23 14:30:25.441:RADIUS/ENCODE(00071EC0):Unsupported AAA attribute start_time
Jan 23 14:30:25.441:RADIUS/ENCODE(00071EC0):Unsupported AAA attribute timezone
Jan 23 14:30:25.441:RADIUS(00071EC0):sending
Jan 23 14:30:25.441:RADIUS:Send to unknown id 27 192.168.41.57:1813, Accounting-Request, len 411
Jan 23 14:30:25.441:RADIUS: authenticator 15 83 23 D8 0B B2 3A C2 - 1D 8C EF B4 18 0F 1C 65
Jan 23 14:30:25.441:RADIUS: Acct-Session-Id [44] 10 "000B5572"
Jan 23 14:30:25.441:RADIUS: Vendor, Cisco [26] 56
Jan 23 14:30:25.441:RADIUS: h323-setup-time [25] 50 "h323-setup-time=14:30:25.441 GMT Wed Jan 23 2002"
Jan 23 14:30:25.441:RADIUS: Vendor, Cisco [26] 26
Jan 23 14:30:25.441:RADIUS: h323-gw-id [33] 20 "h323-gw-id=OrigGW."
Jan 23 14:30:25.441:RADIUS: Vendor, Cisco [26] 56
Jan 23 14:30:25.441:RADIUS: Conf-Id [24] 50 "h323-conf-id=931C146B 0F4411D6 AB5591F0 CBF3D765"
Jan 23 14:30:25.441:RADIUS: Vendor, Cisco [26] 34
Jan 23 14:30:25.441:RADIUS: h323-call-origin [26] 28 "h323-call-origin=originate"
Jan 23 14:30:25.441:RADIUS: Vendor, Cisco [26] 27
Jan 23 14:30:25.441:RADIUS: h323-call-type [27] 21 "h323-call-type=VoIP"
Jan 23 14:30:25.441:RADIUS: Vendor, Cisco [26] 65

Configuration Examples for SIP AAA Features
This section provides the following configuration examples:
• SIP - Enhanced Billing Support for Gateways: Examples
• SIP: Gateway HTTP Authentication Digest: Examples
SIP - Enhanced Billing Support for Gateways: Examples
The following configuration example highlights the minimal configuration options that are necessary to carry out the full feature. After you configure the aaa username command described in this document, the gateway uses the information received in the SIP Authorization header and makes it available to AAA and Tcl IVR services. Typically, if you expect to use the full functionality of this feature, AAA and Tcl IVR have been configured previously.
Router# show running-config
Building configuration...
Current configuration : 4017 bytes
!
version 12.3
no service single-slot-reload-enable
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname 3640-1
!
logging rate-limit console 10 except errors
! Need the following aaa line
aaa new-model
!
! Need the following four aaa lines
aaa authentication login h323 group radius
aaa authorization exec h323 group radius
aaa accounting connection h323 start-stop group radius
aaa session-id common
enable password lab
!
memory-size iomem 15
clock timezone GMT 0
voice-card 2
!
ip subnet-zero
!
ip domain-name example.sip.com
ip name-server 172.18.192.154
ip name-server 10.10.1.5
!
no ip dhcp-client network-discovery
isdn switch-type primary-5ess
isdn voice-call-failure 0
!
voice service voip
sip
rel1xx disable
!
fax interface-type fax-mail
mta receive maximum-recipients 0
call-history-mib retain-timer 500
!
controller E1 1/0
!
controller E1 1/1
!
controller T1 2/0
framing esf
linecode b8zs
pri-group timeslots 1-24
!
controller T1 2/1
framing sf
linecode ami
!
! Need the following three lines
gw-accounting h323
gw-accounting h323 vsa
gw-accounting voip
!
interface Ethernet0/0
ip address 10.10.1.4 255.255.255.0
half-duplex
ip rsvp bandwidth 7500 7500
!
interface Ethernet0/1
no ip address
shutdown
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
interface FastEthernet1/0
ip address 172.18.192.197 255.255.255.0
duplex auto
speed auto
ip rsvp bandwidth 75000 75000
!
interface Serial2/0:23
no ip address
no logging event link-status
isdn switch-type primary-5ess
isdn incoming-voice modem
isdn T306 200000
isdn T310 200000
no cdp enable
!
ip classless
ip route 10.0.0.0 255.0.0.0 172.18.192.1
ip route 172.18.0.0 255.255.0.0 172.18.192.1
no ip http server
!
ip radius source-interface FastEthernet1/0
logging source-interface FastEthernet1/0
!
! Need the following radius-server lines for accounting/authentication
radius-server host 172.18.192.154 auth-port 1645 acct-port 1646
radius-server retransmit 1
radius-server key lab
radius-server vsa send accounting
radius-server vsa send authentication
call rsvp-sync
!
! Need the following call application lines in order to enable
! tcl scripting feature.
call application voice voice_billing tftp://172.18.207.15/app_passport_silent.2.0.0.0.tcl
!
voice-port 2/0:23
!
voice-port 3/0/0
!
voice-port 3/0/1
!
voice-port 3/1/0
!
voice-port 3/1/1
!
mgcp profile default
dial-peer cor custom
!
dial-peer voice 3640110 pots
destination-pattern 3640110
port 3/0/0
!
dial-peer voice 3640120 pots
destination-pattern 3640120
port 3/0/1
!
dial-peer voice 3660110 voip
destination-pattern 3660110
session protocol sipv2
session target ipv4:172.18.192.194
codec g711ulaw
!
dial-peer voice 3660120 voip
destination-pattern 3660120
session protocol sipv2
session target ipv4:172.18.192.194
codec g711ulaw
!
dial-peer voice 222 pots
huntstop
application session
destination-pattern 222
no digit-strip
direct-inward-dial
port 2/0:23
!
! Need to add the application line below to enable the tcl script
dial-peer voice 999 voip
application voice_billing
destination-pattern ...
session protocol sipv2
session target ipv4:10.10.1.2:5061
codec g711ulaw
!
! Need to add the aaa line below in order to enable proxy-authorization
! header processing
sip-ua
aaa username proxy-auth
!
line con 0
exec-timeout 0 0
length 0
line aux 0
line vty 0 4
!
!
end

SIP: Gateway HTTP Authentication Digest: Examples
This section provides the following configuration examples:
• SIP: Gateway HTTP Authentication Digest Feature Disabled
• SIP: Gateway HTTP Authentication Digest Feature Enabled
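The Feature Enabled configuration below provisions digest credentials per realm on a dial peer (`authentication username user1 password password1 realm example1.com`, `user2` for `example2.com`) and a realm-less fallback under `sip-ua` (`user3`). What the gateway does with those credentials when a proxy or registrar challenges it is the Digest scheme of RFC 2617 as SIP reuses it (RFC 3261 section 22). The following Python is an added example, not Cisco code and not the gateway's implementation: it picks the credential whose realm matches the challenge, computes the response, and also shows the registrar side, which needs only the stored `MD5(user:realm:password)` value to verify. The challenge header, nonce, request URI and `cnonce` are constructed for the demonstration; the `qop=auth` branch is the general RFC 2617 algorithm, which the configuration itself does not mention.

```python
"""Digest authentication as a SIP user agent performs it (RFC 3261 section 22,
reusing the HTTP Digest scheme of RFC 2617).  Added example, not Cisco code:
the credential table mirrors the Feature Enabled configuration (user1/example1.com
and user2/example2.com on the dial peer, user3 under sip-ua with no realm); the
nonce, request URI and cnonce are constructed sample values."""
import hashlib
import hmac
import re

# Credentials as the Feature Enabled configuration lists them.  A realm of None
# is the sip-ua fallback, used when no dial-peer entry matches the challenge realm.
CREDENTIALS = [
    {"username": "user1", "password": "password1", "realm": "example1.com"},
    {"username": "user2", "password": "password2", "realm": "example2.com"},
    {"username": "user3", "password": "password3", "realm": None},
]


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_challenge(header: str) -> dict:
    """Split a WWW-Authenticate / Proxy-Authenticate (or Authorization) value into its parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("only Digest challenges are supported")
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]*)', params)}


def select_credential(realm: str) -> dict:
    """Dial-peer credential whose realm matches the challenge, else the realm-less sip-ua one."""
    for cred in CREDENTIALS:
        if cred["realm"] == realm:
            return cred
    for cred in CREDENTIALS:
        if cred["realm"] is None:
            return cred
    raise LookupError(f"no credential for realm {realm!r}")


def digest_response(username, password, realm, nonce, method, uri,
                    qop=None, cnonce=None, nc=None) -> str:
    """RFC 2617 response: MD5(HA1:nonce[:nc:cnonce:qop]:HA2), HA1 = MD5(user:realm:pass)."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    if qop:
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(challenge_header: str, method: str, uri: str,
                        cnonce: str = "0a4f113b", nc: str = "00000001") -> str:
    """Answer a challenge: returns the Authorization / Proxy-Authorization header value."""
    ch = parse_challenge(challenge_header)
    cred = select_credential(ch["realm"])
    qop = "auth" if "auth" in ch.get("qop", "").split(",") else None
    resp = digest_response(cred["username"], cred["password"], ch["realm"], ch["nonce"],
                           method, uri, qop, cnonce if qop else None, nc if qop else None)
    parts = [f'username="{cred["username"]}"', f'realm="{ch["realm"]}"',
             f'nonce="{ch["nonce"]}"', f'uri="{uri}"', f'response="{resp}"']
    if qop:
        parts += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    if "opaque" in ch:
        parts.append(f'opaque="{ch["opaque"]}"')
    return "Digest " + ", ".join(parts)


def verify_authorization(auth_header: str, method: str, request_uri: str, ha1_by_user: dict) -> bool:
    """Registrar side: only HA1 is stored, the response is recomputed and compared in constant time."""
    a = parse_challenge(auth_header)
    if a.get("uri") != request_uri:
        return False
    ha1 = ha1_by_user.get((a.get("username"), a.get("realm")))
    if ha1 is None:
        return False
    ha2 = md5hex(f"{method}:{a['uri']}")
    if a.get("qop"):
        expected = md5hex(f"{ha1}:{a['nonce']}:{a['nc']}:{a['cnonce']}:{a['qop']}:{ha2}")
    else:
        expected = md5hex(f"{ha1}:{a['nonce']}:{ha2}")
    return hmac.compare_digest(expected, a.get("response", ""))


if __name__ == "__main__":
    # Constructed challenge from a registrar for realm example1.com.
    challenge = 'Digest realm="example1.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c0", qop="auth"'
    print(build_authorization(challenge, "REGISTER", "sip:example1.com"))
```

Two points worth taking from the run: the gateway sends `response`, never the password, so a capture of the REGISTER exchange yields only a nonce-bound hash; and the realm in the challenge decides which dial-peer credential is used, which is why the dial-peer entries carry a `realm` and the `sip-ua` entry does not.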
SIP: Gateway HTTP Authentication Digest Feature Disabled
Router# show running-config
Building configuration...
Current configuration :4903 bytes
!
version 12.3
no parser cache
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Fyay$DfmV/uLXX.X94CoaRy569.
enable password lab
!
voice-card 3
!
aaa new-model
!
aaa authentication login h323 group radius
aaa authorization exec h323 group radius
aaa accounting connection h323 start-stop group radius
aaa session-id common
ip subnet-zero
ip tcp path-mtu-discovery
!
ip cef
ip domain name example.sip.com
ip name-server 172.18.192.48
!
ip dhcp pool 1
 host 172.18.193.173 255.255.255.0
 client-identifier 0030.94c2.5d00
 option 150 ip 172.18.193.120
 default-router 172.18.193.120
!
voice call carrier capacity active
!
voice service pots
!
voice service voip
 sip
  rel1xx disable
!
voice class codec 1
 codec preference 1 g729r8
 codec preference 2 g711ulaw
 codec preference 5 g726r16
 codec preference 6 g726r24
 codec preference 7 g726r32
 codec preference 8 g723ar53
 codec preference 9 g723ar63
!
voice class codec 2
 codec preference 1 g711ulaw
 codec preference 2 g729r8
 codec preference 5 g726r16
 codec preference 6 g726r24
!
fax interface-type fax-mail
!
translation-rule 100
!
interface FastEthernet0/0
 ip address 172.18.193.120 255.255.255.0
 ip mtu 900
 duplex auto
 speed auto
 no cdp enable
 ip rsvp bandwidth 75000 75000
!
interface FastEthernet0/1
 no ip address
 no ip mroute-cache
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 10.0.0.0 255.0.0.0 172.18.193.1
ip route 172.18.0.0 255.255.0.0 172.18.193.1
!
ip radius source-interface FastEthernet0/0
logging source-interface FastEthernet0/0
dialer-list 1 protocol ip permit
snmp-server engineID local 00000009020000309426F6D0
snmp-server community public RO
snmp-server community private RW
snmp-server packetsize 4096
snmp-server enable traps tty
!
tftp-server flash:XMLDefault.cnf.xml
!
radius-server host 172.18.192.108 auth-port 1645 acct-port 1646
radius-server retransmit 1
radius-server key lab
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
voice-port 1/0/0
!
voice-port 1/0/1
!
voice-port 1/1/0
!
voice-port 1/1/1
!
voice-port 2/0/0
 station-id name 36602
 station-id number 36602
!
voice-port 2/0/1
!
mgcp
mgcp sdp simple
!
dial-peer cor custom
!
dial-peer voice 1 pots
 application session
 destination-pattern 36602
 port 2/0/0
!
dial-peer voice 5 voip
 application session
 destination-pattern 5550123
 session protocol sipv2
 session target ipv4:172.18.193.187
!
dial-peer voice 81 voip
 application session
 destination-pattern 3100801
 session protocol sipv2
 session target ipv4:172.18.193.100
 req-qos controlled-load
 acc-qos controlled-load
!
dial-peer voice 41 voip
 application session
 destination-pattern 333
 session protocol sipv2
 session target ipv4:10.102.17.80
 dtmf-relay rtp-nte
!
dial-peer voice 7 voip
 application session
 destination-pattern 999
 session protocol sipv2
 session target ipv4:172.18.193.98
 incoming called-number 888
!
dial-peer voice 38 voip
 application session
 destination-pattern 3100802
 voice-class codec 1
 session protocol sipv2
 session target ipv4:172.18.193.99
!
dial-peer voice 88 voip
 preference 1
 destination-pattern 888
 session protocol sipv2
 session target ipv4:172.18.193.187
!
dial-peer voice 123 voip
 destination-pattern 222
 session protocol sipv2
 session target ipv4:10.102.17.80
!
dial-peer voice 6 voip
 destination-pattern 36601
 session protocol sipv2
 session target ipv4:172.18.193.98
 session transport udp
 incoming called-number 36602
!
gateway
 timer receive-rtp 1200
!
sip-ua
 retry invite 1
 retry bye 2
 timers expires 60000
!
rtr responder
!
line con 0
 exec-timeout 0 0
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 password lab
 transport preferred all
 transport input all
 transport output all
!
end
SIP: Gateway HTTP Authentication Digest Feature Enabled
Router# show running-config
Building configuration...
Current configuration :5087 bytes
!
version 12.3
no parser cache
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Fyay$DfmV/uLXX.X94CoaRy569.
enable password lab
!
voice-card 3
!
aaa new-model
!
aaa authentication login h323 group radius
aaa authorization exec h323 group radius
aaa accounting connection h323 start-stop group radius
aaa session-id common
ip subnet-zero
ip tcp path-mtu-discovery
!
ip cef
ip domain name example.sip.com
ip name-server 172.18.192.48
!
ip dhcp pool 1
 host 172.18.193.173 255.255.255.0
 client-identifier 0030.94c2.5d00
 option 150 ip 172.18.193.120
 default-router 172.18.193.120
!
voice call carrier capacity active
!
voice service pots
!
voice service voip
 sip
  rel1xx disable
!
voice class codec 1
 codec preference 1 g729r8
 codec preference 2 g711ulaw
 codec preference 5 g726r16
 codec preference 6 g726r24
 codec preference 7 g726r32
 codec preference 8 g723ar53
 codec preference 9 g723ar63
!
voice class codec 2
 codec preference 1 g711ulaw
 codec preference 2 g729r8
 codec preference 5 g726r16
 codec preference 6 g726r24
!
fax interface-type fax-mail
!
translation-rule 100
!
interface FastEthernet0/0
 ip address 172.18.193.120 255.255.255.0
 ip mtu 900
 duplex auto
 speed auto
 no cdp enable
 ip rsvp bandwidth 75000 75000
!
interface FastEthernet0/1
 no ip address
 no ip mroute-cache
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 10.0.0.0 255.0.0.0 172.18.193.1
ip route 172.18.0.0 255.255.0.0 172.18.193.1
!
ip radius source-interface FastEthernet0/0
logging source-interface FastEthernet0/0
dialer-list 1 protocol ip permit
snmp-server engineID local 00000009020000309426F6D0
snmp-server community public RO
snmp-server community private RW
snmp-server packetsize 4096
snmp-server enable traps tty
!
tftp-server flash:XMLDefault.cnf.xml
!
radius-server host 172.18.192.108 auth-port 1645 acct-port 1646
radius-server retransmit 1
radius-server key lab
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
voice-port 1/0/0
!
voice-port 1/0/1
!
voice-port 1/1/0
!
voice-port 1/1/1
!
voice-port 2/0/0
 station-id name 36602
 station-id number 36602
!
voice-port 2/0/1
!
mgcp
mgcp sdp simple
!
dial-peer cor custom
!
dial-peer voice 1 pots
 application session
 destination-pattern 36602
 port 2/0/0
 authentication username user1 password password1 realm example1.com ! authentication example 1
 authentication username user2 password password2 realm example2.com ! authentication example 2
!
dial-peer voice 5 voip
 application session
 destination-pattern 5550123
 session protocol sipv2
 session target ipv4:172.18.193.187
!
dial-peer voice 81 voip
 application session
 destination-pattern 3100801
 session protocol sipv2
 session target ipv4:172.18.193.100
 req-qos controlled-load
 acc-qos controlled-load
!
dial-peer voice 41 voip
 application session
 destination-pattern 333
 session protocol sipv2
 session target ipv4:10.102.17.80
 dtmf-relay rtp-nte
!
dial-peer voice 7 voip
 application session
 destination-pattern 999
 session protocol sipv2
 session target ipv4:172.18.193.98
 incoming called-number 888
!
dial-peer voice 38 voip
 application session
 destination-pattern 3100802
 voice-class codec 1
 session protocol sipv2
 session target ipv4:172.18.193.99
!
dial-peer voice 88 voip
 preference 1
 destination-pattern 888
 session protocol sipv2
 session target ipv4:172.18.193.187
!
dial-peer voice 123 voip
 destination-pattern 222
 session protocol sipv2
 session target ipv4:10.102.17.80
!
dial-peer voice 6 voip
 destination-pattern 36601
 session protocol sipv2
 session target ipv4:172.18.193.98
 session transport udp
 incoming called-number 36602
!
gateway
 timer receive-rtp 1200
!
sip-ua
 authentication username user3 password password3 ! authentication example 3
 retry invite 1
 retry bye 2
 timers expires 60000
 registrar ipv4:172.18.193.187 expires 100 ! registrar example
!
rtr responder
!
line con 0
 exec-timeout 0 0
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 password lab
 transport preferred all
 transport input all
 transport output all
!
end
Additional References
General SIP References
• "SIP Features Roadmap" on page 1—Describes how to access Cisco Feature Navigator; also lists and describes, by Cisco IOS release, SIP features for that release.
• "Overview of SIP" on page 1—Describes underlying SIP technology; also lists related documents, standards, MIBs, RFCs, and how to obtain technical assistance.
References Mentioned in This Chapter (Listed Alphabetically)
• Cisco IOS Security Command Reference at http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html
• Cisco IOS Security Configuration Guide, Release 12.4T at http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/12_4T/sec_securing_user_services_12.4t_book.html
• Cisco IOS SIP Configuration Guide, Release 12.4T at http://www.cisco.com/en/US/docs/ios/voice/sip/configuration/guide/12_4t/sip_12_4t_book.html
• Cisco IOS Tcl IVR and VoiceXML Application Guide at http://www.cisco.com/en/US/docs/ios/voice/ivr/configuration/guide/tcl_c.html
• Cisco Resource Policy Management System 2.0 at http://www.cisco.com/en/US/products/sw/netmgtsw/ps2074/tsd_products_support_eol_series_home.html
• Cisco Tcl IVR API Programmer's Guide at http://www.cisco.com/en/US/docs/ios/voice/tcl/developer/guide/tclivrv2.html
• Enhancements to the Session Initiation Protocol for VoIP on Cisco Access Platforms at http://www.cisco.com/en/US/docs/ios/12_2t/12_2t11/feature/guide/ftsipgv1.html
• Inter-Domain Gatekeeper Security Enhancement, Cisco IOS Release 12.2(4)T at http://www.cisco.com/en/US/docs/ios/12_2/12_2x/12_2xa/feature/guide/ft_ctoke.html
• RADIUS Vendor-Specific Attributes Voice Implementation Guide at http://noc.hsdn.org/files/univercd/cc/td/doc/product/access/acs_serv/vapp_dev/vsaig3.htm
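The Enhanced Billing configuration earlier in this chapter turns on `gw-accounting h323 vsa` and `radius-server vsa send accounting`, so the gateway sends Accounting-Request packets carrying Cisco vendor-specific attributes to the RADIUS server (key `lab`, host 172.18.192.154 in that example). The following Python is an added example, not Cisco code and not any RADIUS server's implementation: it builds one such Accounting-Request with the RFC 2866 Request Authenticator, then shows the server-side check a billing collector should perform (recompute the authenticator under the shared secret before trusting the record) and the walk over the attribute TLVs that expands the Cisco VSAs (vendor ID 9, Cisco-AVPair subtype 1). The attribute values and the session identifier are constructed for the demonstration; the h323-* names are carried here as Cisco-AVPair `name=value` strings, which is an assumption about encoding, not something the page states.

```python
"""RADIUS Accounting-Request with Cisco VSAs, seen from the accounting server.
Added example, not Cisco code.  The shared secret "lab" comes from the
Enhanced Billing configuration; the attribute values are constructed samples."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1          # Cisco VSA subtype carrying "name=value" strings
SECRET = b"lab"           # radius-server key lab


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute TLV: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute (RFC 2865 section 5.26) wrapping one Cisco-AVPair."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_accounting_request(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """RFC 2866 section 3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the authenticator; a wrong secret or any
    modification of the attributes makes the comparison fail."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> list:
    """Walk the attribute TLVs after the 20-byte header; Cisco VSAs are expanded
    into ("Cisco-AVPair", text) tuples, everything else stays (type, raw bytes)."""
    out, i = [], 20
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6 \
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            j = 4
            while j + 2 <= len(value):
                stype, slen = value[j], value[j + 1]
                if slen < 2 or j + slen > len(value):
                    raise ValueError("malformed VSA length")
                name = "Cisco-AVPair" if stype == CISCO_AVPAIR else f"Cisco-{stype}"
                out.append((name, value[j + 2:j + slen].decode(errors="replace")))
                j += slen
        else:
            out.append((atype, value))
        i += alen
    return out


# Constructed sample: a Stop record for one SIP call (Acct-Status-Type 2 = Stop).
SAMPLE = build_accounting_request(
    identifier=7,
    attributes=(attr(ATTR_USER_NAME, b"3660110")
                + attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 2))
                + attr(ATTR_ACCT_SESSION_ID, b"00000012")
                + cisco_avpair("h323-call-origin=answer")
                + cisco_avpair("h323-disconnect-cause=10")),
    secret=SECRET)

if __name__ == "__main__":
    print("authenticator valid:", verify_accounting_request(SAMPLE, SECRET))
    for item in parse_attributes(SAMPLE):
        print(item)
```

The authenticator is what ties a billing record to the shared secret; a collector that parses the attributes without recomputing it will accept records from anything that can reach UDP port 1646, so the verification belongs before the parse, as ordered here.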
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
1 Introduced as part of the SIP Gateway Support of RSVP and TEL URL feature.