SIP Authentication
William Wong (Talk | contribs) (→TelcoBridges and SIP Authentication) |
William Wong (Talk | contribs) (→Tmedia/FreeSBC/ProSBC) |
(16 intermediate revisions by one user not shown) | |||
Line 1: | Line 1: | ||
SIP Authentication is a stateless challenge-based mechanism which ensures user's identity. Authentication challenge can be asked commonly for Invite and Bye methods. This means that anyone receiving an INVITE message can force the sender to prove his or her identity before the message is processed. In fact, SIP authentication is not limited to these two messages type. Any SIP method (the proper name for a SIP message) can be challenged by the recipient. | SIP Authentication is a stateless challenge-based mechanism which ensures user's identity. Authentication challenge can be asked commonly for Invite and Bye methods. This means that anyone receiving an INVITE message can force the sender to prove his or her identity before the message is processed. In fact, SIP authentication is not limited to these two messages type. Any SIP method (the proper name for a SIP message) can be challenged by the recipient. | ||
+ | |||
+ | == WWW (401 Unauthorized) or proxy-auth (407 Proxy Authentication)? == | ||
+ | * When authenticating to the server that will deliver a service, a www-authentication header should be used. The 401 (Unauthorized) response message is used by an origin server to challenge the authorization of a user agent. | ||
+ | * When authenticating to a server that will proxy the request to the endpoint, proxy-authentication should be used. The 407 (Proxy Authentication Required) response message is used by a proxy to challenge the authorization of a client. | ||
+ | * In _one_ transaction, both www_authentication and proxy_authentication can be used | ||
+ | * Normally, messages like INVITE and BYE will receive 407 responses and REGISTER and SUBSCRIBE will receive 401 responses. | ||
== TelcoBridges and SIP Authentication == | == TelcoBridges and SIP Authentication == | ||
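Review bot: the third added bullet spells the mechanisms "www_authentication" and "proxy_authentication" with underscores, while the two bullets above it use "www-authentication" and "proxy-authentication"; pick one spelling and use it in all three. The "_one_" emphasis is not wiki markup (''one'' would render as intended) and the bullet is missing its closing period.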
Line 6: | Line 12: | ||
* TDM to IP calls (Tmedia) | * TDM to IP calls (Tmedia) | ||
− | + | === Tmedia/FreeSBC/ProSBC === | |
− | === FreeSBC === | + | In the case of IP to IP calls commonly for FreeSBC/ProSBC, the challenge messages are forwarded between the SIP device and authentication server. |
− | In the case of IP to IP calls, the challenge messages are forwarded between the SIP device and authentication server. | + | |
'''Invite callflow:''' | '''Invite callflow:''' | ||
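Review bot: the new heading "=== Tmedia/FreeSBC/ProSBC ===" names all three products, but the sentence under it and the list item just above ("TDM to IP calls (Tmedia)") tie the IP to IP case to FreeSBC/ProSBC only. Title the subsection by scenario, for example "IP to IP calls", so the heading agrees with its own text.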
Line 19: | Line 24: | ||
==== Configuration ==== | ==== Configuration ==== | ||
− | By default, TelcoBridges' products will forward authentication challenge messages. | + | By default, TelcoBridges' products will forward authentication challenge messages like INVITE, BYE, REGISTER (see [[Sip registration forwarding|Sip registration forwarding]]), etc. |
− | + | ||
− | === Tmedia === | + | === Tmedia/FreeSBC/ProSBC === |
− | In the case of TDM to IP calls | + | In the case of TDM to IP calls for Tmedia or Telcobridges product (including FreeSBC/ProSBC) that needs to respond to the authentication challenge message itself. For example, Telcobridges product connecting to SIP trunk, requiring registration and authenticattion to SIP Trunk. |
'''Invite callflow:''' | '''Invite callflow:''' | ||
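Review bot: the rewritten opening sentence of the second subsection ("In the case of TDM to IP calls for Tmedia or Telcobridges product ... that needs to respond to the authentication challenge message itself.") has no main clause, so it never states what happens in this case; say that the product answers the challenge itself. The retitled heading is now identical to the earlier "=== Tmedia/FreeSBC/ProSBC ===" subsection, "authenticattion" is misspelled, and in the Configuration sentence INVITE, BYE and REGISTER are listed as challenge messages although they are the requests being challenged.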
Line 34: | Line 38: | ||
==== Configuration ==== | ==== Configuration ==== | ||
− | The Tmedia needs to configure the 'Authentication Parameters' section for each SIP NAP that requires to respond to authentication challenge messages. | + | The Tmedia needs to configure the 'Authentication Parameters' section for each SIP NAP that requires to respond to authentication challenge messages. See [[SIP Registration|SIP Registration]] and [[Configuring SIP Registration to SIP Proxy|SIP Registration to SIP Proxy]]. |
*[[Toolpack:Configuring_SIP_Authentication_A|v3.0: SIP Authentication]] | *[[Toolpack:Configuring_SIP_Authentication_A|v3.0: SIP Authentication]] | ||
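Review bot: the Configuration sentence still opens with "The Tmedia needs to configure" although the subsection it belongs to was retitled to cover FreeSBC/ProSBC as well; state which products the 'Authentication Parameters' section applies to. "requires to respond" should read "needs to respond".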
Line 40: | Line 44: | ||
== References == | == References == | ||
*[https://www.voip-info.org/wiki/view/SIP+Authentication voip-info.org] | *[https://www.voip-info.org/wiki/view/SIP+Authentication voip-info.org] | ||
+ | *[https://www.voip-info.org/sip-authentication Sip Authentication] | ||
+ | *[https://andrewjprokop.wordpress.com/2015/01/27/understanding-sip-authentication Understanding Sip Authentication] | ||
[[Category:Revise on Major]] | [[Category:Revise on Major]] |
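Review bot: the added "Sip Authentication" link points to voip-info.org, the same site as the existing first reference; if it is the same article under a new URL, replace the old entry instead of listing both. Capitalise "SIP" in both new link titles.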
Latest revision as of 04:12, 26 March 2020
SIP authentication is a stateless, challenge-based mechanism that verifies a user's identity. Authentication challenges are most commonly issued for the INVITE and BYE methods. This means that anyone receiving an INVITE message can force the sender to prove his or her identity before the message is processed. In fact, SIP authentication is not limited to these two message types: any SIP method (the proper name for a SIP message) can be challenged by the recipient.
WWW (401 Unauthorized) or proxy-auth (407 Proxy Authentication)?
- When authenticating to the server that will deliver a service, a www-authentication header should be used. The 401 (Unauthorized) response message is used by an origin server to challenge the authorization of a user agent.
- When authenticating to a server that will proxy the request to the endpoint, proxy-authentication should be used. The 407 (Proxy Authentication Required) response message is used by a proxy to challenge the authorization of a client.
- In one transaction, both www-authentication and proxy-authentication can be used.
- Normally, messages like INVITE and BYE will receive 407 responses and REGISTER and SUBSCRIBE will receive 401 responses.
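How an endpoint answers a 401 or 407 challenge with SIP Digest authentication (RFC 3261, RFC 2617), as an added example that is not TelcoBridges code or part of the original page. The function names and the sample message are constructed for illustration; only MD5 with no qop or `qop=auth` is covered.

```python
import hashlib
import re

# Challenge status -> (header carrying the challenge, header carrying the answer)
AUTH_HEADERS = {401: ("WWW-Authenticate", "Authorization"),
                407: ("Proxy-Authenticate", "Proxy-Authorization")}

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc="00000001", cnonce=""):
    """RFC 2617 MD5 digest; qop=auth also mixes in the nonce count and client nonce."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def parse_challenge(sip_response):
    """Return (status, params) from a 401/407 response carrying a Digest challenge."""
    lines = sip_response.strip().splitlines()
    status = int(lines[0].split()[1])
    if status not in AUTH_HEADERS:
        raise ValueError(f"{status} is not an authentication challenge")
    wanted = AUTH_HEADERS[status][0].lower()
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == wanted and value.strip().lower().startswith("digest "):
            pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', value)
            return status, {k.lower(): q or u for k, q, u in pairs}
    raise ValueError(f"{status} response has no {AUTH_HEADERS[status][0]} Digest header")

def answer_challenge(sip_response, method, uri, user, password, cnonce):
    """Build the credentials header for the re-sent request (MD5 only)."""
    status, p = parse_challenge(sip_response)
    if p.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only MD5 is handled in this example")
    qop = "auth" if "auth" in re.split(r"\s*,\s*", p.get("qop", "")) else None
    resp = digest_response(user, p["realm"], password, method, uri, p["nonce"], qop, cnonce=cnonce)
    fields = [f'username="{user}"', f'realm="{p["realm"]}"', f'nonce="{p["nonce"]}"',
              f'uri="{uri}"', f'response="{resp}"', "algorithm=MD5"]
    if qop:
        fields += ["qop=auth", "nc=00000001", f'cnonce="{cnonce}"']
    return f"{AUTH_HEADERS[status][1]}: Digest " + ", ".join(fields)

# Constructed 407 challenge to an INVITE; every value below is made up.
SAMPLE_407 = ('SIP/2.0 407 Proxy Authentication Required\r\nCSeq: 1 INVITE\r\n'
              'Proxy-Authenticate: Digest realm="example.com", '
              'nonce="constructed-nonce-0001", qop="auth"\r\n\r\n')
```

Because the response is an unsalted MD5 over the password and values visible on the wire, a captured exchange can be tested against password guesses offline; carry SIP over TLS and use long random passwords for trunk credentials.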
TelcoBridges and SIP Authentication
TelcoBridges products handle SIP authentication differently depending on your network:
- IP to IP calls (FreeSBC/ProSBC)
- TDM to IP calls (Tmedia)
Tmedia/FreeSBC/ProSBC
For IP to IP calls, most commonly with FreeSBC/ProSBC, the challenge messages are forwarded between the SIP device and the authentication server.
Invite callflow:
Bye callflow:
Configuration
By default, TelcoBridges products forward authentication challenges for methods such as INVITE, BYE and REGISTER (see Sip registration forwarding).
Tmedia/FreeSBC/ProSBC
This case covers TDM to IP calls on Tmedia, and any TelcoBridges product (including FreeSBC/ProSBC) that needs to respond to the authentication challenge message itself. For example, a TelcoBridges product connecting to a SIP trunk that requires registration and authentication to the SIP trunk.
Invite callflow:
Bye callflow:
Configuration
On the Tmedia, configure the 'Authentication Parameters' section for each SIP NAP that needs to respond to authentication challenge messages. See SIP Registration and SIP Registration to SIP Proxy.