Cisco IOS XR Session Border Controller Configuration Guide Release 3.6
SIP Outbound Authentication


SIP Outbound Authentication


The SBC supports SIP outbound authentication. When network entities communicate using SIP, one entity often needs to challenge another to determine whether it is authorized to transmit SIP signaling into the challenger's network. The SIP authentication model is based on HTTP digest authentication, as described in RFC 2617.


Note The use of basic authentication, where passwords are transmitted unencrypted, is not permitted in SIP.


Feature History for SIP Outbound Authentication

Release        Modification
Release 3.4.1  This feature was introduced on the Cisco XR 12000 Series Router.
Release 3.5.0  No modification.
Release 3.5.1  Modified the authentication-realm command.
Release 3.6.0  No modification.


Contents

This module contains the following sections:

Prerequisites for Implementing SIP Outbound Authentication

Restrictions for Implementing SIP Outbound Authentication

Information About SIP Outbound Authentication

How to Configure SIP Outbound Authentication

Examples of Show Commands

Additional References

Prerequisites for Implementing SIP Outbound Authentication

The following prerequisites are required to implement SIP outbound authentication:

Configure a SIP adjacency before you specify one or more authentication-realms.

Configure the SBC with a set of domains (realms) with which it can authenticate itself. Set the username and password to provide when challenged by each of these domains. This configuration is implemented per adjacency.


Note Multiple realms can be configured per adjacency, and there is no limit on the number of these realms aside from memory availability. Different realms may be configured with the same username and password. Also, each realm may be configured with a different username and password on different adjacencies. However, any realm can be configured a maximum of one time per adjacency.


Restrictions for Implementing SIP Outbound Authentication

The following restrictions apply to SIP Outbound Authentication:

The SBC rejects any attempt to configure an authentication-realm with the same domain name as an existing authentication-realm. This restriction is valid per adjacency. Multiple adjacencies may have authentication-realms configured with the same domain.


Note The current CLI prohibits the user from configuring two authentication-realms with the same domain for the same adjacency. If this is attempted, the CLI interprets the second authentication-realm configuration as an attempt to reconfigure the first authentication-realm, and updates the user's credentials accordingly.


Each authentication-realm can only be configured with a single username and password per adjacency.

Information About SIP Outbound Authentication

Configuring Outbound Authentication in the SBC

When a SIP adjacency is configured, the user may specify one or more authentication-realms. Each authentication-realm represents a remote domain, from which the SBC receives authentication challenges on the adjacency. When an authentication-realm is configured, the user must specify the correct user name and password that the SBC uses to authenticate itself in that realm. The SBC stores all valid authentication-realms for each adjacency.

Authenticating the SBC to Remote Devices

Upon receipt of a SIP 401 or 407 response that can be correlated to a request it sent, the SBC examines the attached authentication challenge. The SBC responds to any authentication challenge received on a given adjacency that matches one of the configured authentication-realms for that adjacency. Any authentication challenge that does not match the configured authentication-realm is passed through unchanged to the SBC's signaling peer for the adjacency, on which the original request was received.

To generate a response to an authentication challenge, the SBC does the following:

1. First, it looks up the realm parameter of the challenge in its list of configured authentication-realms for the outbound adjacency.

2. Second, it finds the password for that authentication-realm and generates an authentication response by combining the password with the nonce parameter from the challenge, and hashing the result.

3. If the challenger has requested auth-int quality of protection, the SBC also generates a hash of the entire message body and includes it in the response.

4. The SBC builds an Authorization (or Proxy-Authorization) header by including the following parameter values (following RFC 2617):

Nonce from challenge

Realm from challenge

Digest-URI is set to the SIP URI of the challenged request

Message-QOP is set to auth

Response calculated as described above

Username as specified for the relevant authentication-realm

If the challenge contained an opaque parameter, it is returned unchanged on the response.

If the challenge contained the qop-directive parameter, then the nonce-count parameter is set to the number of requests sent using the response calculated from this nonce.

Note that the domain parameter is not expected to be included on any challenges that the SBC must respond to. This parameter is not used on Proxy-Authenticate challenges, the type of challenge that the SBC most often receives. If the domain parameter is included, the SBC ignores it.

5. Finally, the SBC stores its calculated response and the received nonce with the other data for the authentication-realm. This allows the SBC to respond rapidly to subsequent challenges from this realm that carry the same nonce. If the SBC lacks the resources to store its response, it carries on anyway; the next time an authorization challenge is received from this realm, the SBC has to recalculate its response. When the SBC re-uses a saved response, it updates the nonce count stored along with the nonce-response pair. This allows the SBC to correctly fill in the nonce-count field in Authorization responses.
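Added example (not part of the Cisco guide and not the SBC's own code): the RFC 2617 digest computation behind steps 1 through 5, in Python, for the qop=auth and no-qop cases. The OutboundAuth class, the dictionary form of the challenge, and the sample nonce, cnonce and URI are assumptions made for illustration; the auth-int body hash and the saved-response cache are left out.

```python
import hashlib

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 section 3.2.2 request-digest (MD5, qop=auth or no qop)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")   # credentials for the realm
    ha2 = md5_hex(f"{method}:{uri}")                  # method and digest-URI
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class OutboundAuth:
    """Hypothetical model of the authentication-realms of one adjacency."""
    def __init__(self, realms):
        self.realms = realms        # realm -> (username, password)
        self.nonce_counts = {}      # (realm, nonce) -> requests sent so far

    def answer(self, challenge, method, uri, cnonce):
        realm, nonce = challenge["realm"], challenge["nonce"]
        if realm not in self.realms:
            return None             # no match: challenge is passed through
        username, password = self.realms[realm]
        params = {"username": username, "realm": realm,
                  "nonce": nonce, "uri": uri}
        qop = nc = None
        if "qop" in challenge:
            # nonce-count: 8 hex digits, incremented per request on this nonce
            key = (realm, nonce)
            self.nonce_counts[key] = self.nonce_counts.get(key, 0) + 1
            qop, nc = "auth", f"{self.nonce_counts[key]:08x}"
            params.update(qop=qop, nc=nc, cnonce=cnonce)
        params["response"] = digest_response(
            username, realm, password, method, uri, nonce, qop, nc, cnonce)
        if "opaque" in challenge:
            params["opaque"] = challenge["opaque"]   # returned unchanged
        return params

if __name__ == "__main__":
    # Constructed sample challenge; realm and credentials follow the guide's examples.
    sbc = OutboundAuth({"example.com": ("usersbc", "passwordsbc")})
    challenge = {"realm": "example.com", "nonce": "constructed-nonce",
                 "qop": "auth", "opaque": "constructed-opaque"}
    for _ in range(2):
        print(sbc.answer(challenge, "INVITE", "sip:bob@example.com", "0a4f113b"))
```

Because the nonce count enters the hash when qop is present, the second answer to the same nonce carries nc=00000002 and a different response value.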

How to Configure SIP Outbound Authentication

This section contains the steps for configuring SIP outbound authentication, allowing the user to add/remove one or more authentication-realms to/from an adjacency.

Configuring SIP Outbound Authentication

SUMMARY STEPS

1. configure

2. sbc service-name

3. sbe

4. adjacency sip adjacency-name

5. authentication-realm inbound <domain> | outbound <domain> <username> <password>

6. commit

7. exit

8. show services sbc service-name sbe adjacency adjacency-name authentication-realms

9. show services sbc service-name sbe all-authentication-realms

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/0/CPU0:router# configure

Enables global configuration mode.

Step 2 

sbc service-name

Example:

RP/0/0/CPU0:router(config)# sbc mysbc

Enters the mode of an SBC service.

Use the service-name argument to define the name of the service.

Step 3 

sbe

Example:

RP/0/0/CPU0:router(config-sbc)# sbe

Enters the mode of the signaling border element (SBE) function of the SBC.

Step 4 

adjacency sip adjacency-name

Example:

RP/0/0/CPU0:router(config-sbc-sbe)# adjacency sip test

Enters the mode of an SBE SIP adjacency.

Use the adjacency-name argument to define the name of the service.

Step 5 

authentication-realm inbound <domain> | outbound <domain> <username> <password>

Example:

RP/0/0/CPU0:router(config-sbc-sbe-adj-sip)# authentication-realm example.com usersbc passwrdsbc

Configures a set of authentication credentials for the specified domain on the specified adjacency. This command can be issued either before or after the adjacency has been attached.

The no version of this command deconfigures the authentication-realm on the specified adjacency.

inbound—Specifies inbound authentication realm.

outbound—Specifies outbound authentication realm.

domain—Name of the domain for which the authentication credentials are valid.

username—User name that identifies the SBC in the specified domain.

password—Password to authenticate the username in the specified domain.

Step 6 

commit

Example:

RP/0/0/CPU0:router(config-sbc-sbe-adj-sip)# commit

Saves configuration changes. Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 7 

exit

Example:

RP/0/0/CPU0:router(config-sbc-sbe-adj-sip)# exit

Exits the adj-sip mode and returns to the SBE mode.

Step 8 

show services sbc service-name sbe adjacency adjacency-name authentication-realms

Example:

RP/0/0/CPU0:router# show services sbc mySbc sbe adjacency SipToIsp42 authentication-realms

Shows all currently configured authentication-realms for the specified SIP adjacency.

Step 9 

show services sbc service-name sbe all-authentication-realms

Example:

RP/0/0/CPU0:router# show services sbc mySbc sbe all-authentication-realms

Shows all currently configured authentication-realms for all SIP adjacencies.

Examples of Show Commands

# show services sbc mySbc sbe adjacency SipToIsp42 authentication-realms
Configured authentication realms
--------------------------------
Domain       Username  Password     
Example.com  usersbc   passwordsbc  


# show services sbc mySbc sbe all-authentication-realms
Configured authentication realms
--------------------------------
Adjacency: SipToIsp42
Domain       Username  Password     
Example.com  usersbc   passwordsbc  
Remote.com   usersbc   sbcpassword  

Adjacency: SipToIsp50
Domain       Username  Password     
Example.com  user2sbc  password2sbc 
Other.com    sbcuser   sbcsbcsbc    

Additional References

The following sections provide references related to SIP outbound authentication on the SBC.

Related Documents

Related Topic
Document Title

Cisco IOS XR master command reference

Cisco IOS XR Master Commands List

Cisco IOS XR SBC interface configuration commands

Cisco IOS XR Session Border Controller Command Reference

Initial system bootup and configuration information for a router using the Cisco IOS XR Software

Cisco IOS XR Getting Started Guide

Cisco IOS XR command modes

Cisco IOS XR Command Mode Reference


Standards

Standards
Title

No new or modified standards are supported by this feature, and support from existing standards has not been modified by this feature.


MIBs

MIBs
MIBs Link

To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu:

http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


RFCs

RFCs      Title
RFC 3261  SIP: Session Initiation Protocol
RFC 2543  Session Initiation Protocol
RFC 2617  HTTP Authentication: Basic and Digest Access Authentication

