SIP Inbound Authentication
Cisco Unified Border Element (SP Edition) supports two modes of Session Initiation Protocol (SIP) inbound authentication to challenge inbound SIP requests: local and remote. You must select the mode of authentication to configure Cisco Unified Border Element (SP Edition) according to the level of support present in the Remote Authentication Dial-In User Service (RADIUS) servers. If the RADIUS servers are compliant with only draft-sterman-aaa-sip-00 to 01, then select the local mode. If the RADIUS servers are compliant with only RFC 4590, then use the remote authentication mode.
Cisco Unified Border Element (SP Edition) was formerly known as Integrated Session Border Controller and may be commonly referred to in this document as the session border controller (SBC).
For a complete description of commands used in this chapter, refer to the Cisco Unified Border Element (SP Edition) Command Reference: Unified Model at http://www.cisco.com/en/US/docs/ios/sbc/command/reference/sbcu_book.html.
For information about all Cisco IOS commands, use the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or a Cisco IOS master commands list.
Note: This feature is optional and you can configure the Cisco Unified Border Element (SP Edition) not to challenge the inbound requests.
Note: For Cisco IOS XE Release 2.4, this feature is supported in the unified model only.
Feature History for SIP Inbound Authentication
Release | Modification
Cisco IOS XE Release 2.4 | This feature was introduced on the Cisco ASR 1000 Series Aggregation Services Routers along with support for the unified model.
Contents
This module contains the following sections:
• Prerequisites for Implementing SIP Inbound Authentication
• Restrictions for Implementing SIP Inbound Authentication
• Information About SIP Inbound Authentication
• How to Configure SIP Inbound Authentication
• Examples of Show Commands
Prerequisites for Implementing SIP Inbound Authentication
The following prerequisites are required to implement SIP inbound authentication:
• Configure a SIP adjacency with the intended mode of authentication before you configure Cisco Unified Border Element (SP Edition) to authenticate inbound calls.
• Configure the RADIUS server to specify which mode of inbound authentication is selected.
Restrictions for Implementing SIP Inbound Authentication
The following restrictions and limitations apply when implementing SIP inbound authentication:
• Cisco Unified Border Element (SP Edition) supports only one inbound authentication realm per adjacency.
• Cisco Unified Border Element (SP Edition) does not check the validity of nonces generated by a RADIUS server; the RADIUS server must be configured to perform this check.
• Cisco Unified Border Element (SP Edition) does not designate a particular RADIUS server group on an adjacency for inbound authentication.
• Since trust is not transferred between inbound authentication, outbound authentication, and Transport Layer Security (TLS) connections, a successful inbound authentication does not ensure that Cisco Unified Border Element (SP Edition) marks the call as secure or implements outbound authentication. Users can, however, configure inbound authentication, outbound authentication, and TLS independently on the same adjacency.
Information About SIP Inbound Authentication
This section contains the following subsections:
• Local Inbound Authentication
• Remote Inbound Authentication
• Interaction with Outbound Authentication
• Failure Modes for Inbound Authentication
Local Inbound Authentication
When configured to perform local inbound authentication, Cisco Unified Border Element (SP Edition) is itself responsible for challenging an unauthorized request from the remote peer. To be able to issue that challenge, the adjacency must already be configured with an authentication realm. Once the remote peer has answered the challenge with its credentials, the request is forwarded to the RADIUS server, which then decides whether or not to permit the call to pass through.
Remote Inbound Authentication
When configured to perform remote inbound authentication, Cisco Unified Border Element (SP Edition) relies on the RADIUS server to challenge an unauthorized request from the remote peer. Cisco Unified Border Element (SP Edition) forwards the challenge generated by the RADIUS server to the remote peer, and also forwards the remote peer's authentication request to the RADIUS server.
Interaction with Outbound Authentication
If an adjacency is configured for inbound authentication, then after it successfully authenticates an inbound request, the authorization headers matching the realm for that adjacency are stripped out and not propagated to the outbound signal. Authorization headers for other realms, however, are passed through to the outbound request.
Failure Modes for Inbound Authentication
When the inbound authentication is configured, the following failure modes may occur (in addition to the standard SIP signal failure modes):
Unacceptable Parameters
If the endpoint or RADIUS server specifies a quality of protection parameter other than auth or auth-int, then the inbound request is rejected and a 403 response is generated. Similarly, Cisco Unified Border Element (SP Edition) generates a 403 response when algorithms other than MD5 and MD5-sess are used.
Access-Request Rejection
If the RADIUS server rejects the Access-Request signal with an Access-Reject response, Cisco Unified Border Element (SP Edition) sends a 403 response to the endpoint.
Insufficient Memory
If Cisco Unified Border Element (SP Edition) does not have sufficient memory to process an inbound authentication request, it rejects the request and sends a 503 response.
No Match on Authentication Realm
If the peer does not return any authentication headers that specify the authentication realm contained in the adjacency's configuration, then Cisco Unified Border Element (SP Edition) rechallenges the request with a 401 response.
No Match on Nonce
If the peer's nonce does not match the one generated by Cisco Unified Border Element (SP Edition), then Cisco Unified Border Element (SP Edition) rejects the authentication request and sends a 403 response.
Nonce Timed Out
If the peer's nonce has timed out, then Cisco Unified Border Element (SP Edition) challenges the nonce by sending a 401 response and a new nonce.
No Acceptable RADIUS Servers
If there is no RADIUS server to support a mode configured on the adjacency, then Cisco Unified Border Element (SP Edition) rejects the authentication request with a 501 response and creates a log to alert the user of the inconsistent configuration.
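The following is an added illustration, not the SBC's own code: a constructed model of the local-mode decisions described in the failure modes above and in "Interaction with Outbound Authentication". The class name, the `radius` callback and the sample headers are assumptions made for the example; the SBC's internal ordering of these checks is not documented on this page.

```python
import secrets
# Constructed model of the local-mode inbound-authentication decisions this
# page describes; an illustration for the reader, not the SBC's own code.
ACCEPTED_QOP = {"auth", "auth-int"}
ACCEPTED_ALG = {"MD5", "MD5-sess"}

def parse_digest(header):
    """Parse 'Digest k="v", k2=v2' into a dict (minimal parser for the example)."""
    params = {}
    for part in header[len("Digest "):].split(","):
        key, _, val = part.strip().partition("=")
        params[key.strip()] = val.strip().strip('"')
    return params

def strip_realm_headers(headers, realm):
    """Drop Authorization headers for this adjacency's realm; pass other realms on."""
    return [h for h in headers if parse_digest(h).get("realm") != realm]

class InboundAuthenticator:
    def __init__(self, realm, nonce_timeout, radius=None):
        self.realm = realm
        self.nonce_timeout = nonce_timeout  # seconds, as in 'authentication nonce timeout'
        self.radius = radius  # callable returning "Access-Accept"/"Access-Reject"; None = no server
        self.nonce, self.issued = None, 0.0

    def challenge(self, now):
        """Issue a fresh nonce; the 401 carries it in WWW-Authenticate."""
        self.nonce, self.issued = secrets.token_hex(16), now
        return 401, f'Digest realm="{self.realm}", nonce="{self.nonce}", qop="auth", algorithm=MD5'

    def decide(self, authorization, now):
        """Return (status, reason) for one inbound request, per the page's failure modes."""
        if self.radius is None:
            return 501, "no RADIUS server supports the configured mode"
        if authorization is None:  # unauthorized request: the SBC challenges first
            return self.challenge(now)[0], "challenge issued"
        p = parse_digest(authorization)
        if p.get("qop", "auth") not in ACCEPTED_QOP or p.get("algorithm", "MD5") not in ACCEPTED_ALG:
            return 403, "unacceptable qop or algorithm"
        if p.get("realm") != self.realm:
            return 401, "no match on authentication realm: rechallenge"
        if p.get("nonce") != self.nonce:
            return 403, "no match on nonce"
        if now - self.issued > self.nonce_timeout:
            self.challenge(now)
            return 401, "nonce timed out: new nonce issued"
        if self.radius(p) == "Access-Reject":
            return 403, "RADIUS Access-Reject"
        return 200, "authenticated: realm headers stripped before forwarding"
```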
How to Configure SIP Inbound Authentication
This section contains the steps for configuring SIP local inbound authentication with a RADIUS server.
SUMMARY STEPS
1. configure
2. sbc service-name
3. sbe
4. radius [accounting client-name | authentication]
5. server server-name
6. address ipv4 ipv4-address
7. mode local
8. key password
9. exit
10. activate
11. exit
12. adjacency sip adjacency-name
13. authentication-realm inbound realm
14. authentication mode local
15. authentication nonce timeout time
16. exit
DETAILED STEPS

Step 1: configure
Example: Router# configure
Purpose: Enables global configuration mode.

Step 2: sbc service-name
Example: Router(config)# sbc mysbc
Purpose: Enters the mode of an SBC service. Use the service-name argument to define the name of the service.

Step 3: sbe
Example: Router(config-sbc)# sbe
Purpose: Enters the mode of the signaling border element (SBE) function of the SBC.

Step 4: radius [accounting client-name | authentication]
Example: Router(config-sbc-sbe)# radius authentication
Purpose: Enters the mode for configuring a RADIUS client for authentication purposes.

Step 5: server server-name
Example: Router(config-sbc-sbe-auth)# server authserv
Purpose: Enters the mode for configuring the authentication server.

Step 6: address ipv4 ipv4-address
Example: Router(config-sbc-sbe-auth-ser)# address ipv4 200.200.200.122
Purpose: Specifies the IPv4 address of the authentication server.

Step 7: mode {local|remote}
or: server server-name mode {local|remote}
Example: Router(config-sbc-sbe-auth-ser)# mode local
Purpose: Configures the RADIUS server for local inbound authentication. By default, the mode is remote.

Step 8: key password
Example: Router(config-sbc-sbe-auth-ser)# key authpass1
Purpose: Sets the authentication server key.

Step 9: exit
Example: Router(config-sbc-sbe-auth-ser)# exit
Purpose: Exits the mode for configuring the authentication server.

Step 10: activate
Example: Router(config-sbc-sbe-auth)# activate
Purpose: Activates the RADIUS client.

Step 11: exit
Example: Router(config-sbc-sbe-auth)# exit
Purpose: Exits the mode for configuring the RADIUS client and enters the SBE mode.

Step 12: adjacency sip adjacency-name
Example: Router(config-sbc-sbe)# adjacency sip test
Purpose: Enters the mode of an SBE SIP adjacency. Use the adjacency-name argument to define the name of the adjacency.

Step 13: authentication-realm inbound realm
Example: Router(config-sbc-sbe-adj-sip)# authentication-realm inbound cisco.com
Purpose: Configures a set of authentication credentials for a specified domain on the specified SIP adjacency.
Note: This is a mandatory parameter for local mode.

Step 14: authentication mode local
Example: Router(config-sbc-sbe-adj-sip)# authentication mode local
Purpose: Configures the SIP adjacency for local inbound authentication. To configure the SIP adjacency for remote inbound authentication, set the value to remote.

Step 15: authentication nonce timeout time
Example: Router(config-sbc-sbe-adj-sip)# authentication nonce timeout 10000
Purpose: Configures the value of the authentication nonce timeout in seconds. The range of acceptable values is 0 to 65535 seconds. The default value is 300 seconds.

Step 16: exit
Example: Router(config-sbc-sbe-adj-sip)# exit
Purpose: Exits the adj-sip mode and returns to the SBE mode.
Examples of Show Commands
Router# show sbc mySbc sbe adjacencies SipToIsp42 detail
Signaling address: 10.2.0.122:5060
Signaling-peer: 200.200.200.179:8888
In Header Profile: Default
Out Header Profile: Default
In method profile: Default
Out method profile: Default
In UA option profile: Default
Out UA option profile: Default
In proxy option profile: Default
Priority set name: Default
Reg-min-expiry: 3000 seconds
Fast-register-int: 30 seconds
Authenticated mode: Local
Authenticated realm: Cisco.com
Authenticated nonce life time: 300 seconds
Hunting Triggers: Global Triggers
Redirect mode: Passthrough