- Mediant 2000 & TP-1610 & TP-260/UNI SIP User’s Manual Version 5.0

SIP User's Manual 13. Security
Version 5.0 295 October 2006
13.4 RADIUS Login Authentication
Users can enhance the security and capabilities of logging in to the gateway’s Web and
Telnet embedded servers by using a Remote Authentication Dial-In User Service
(RADIUS) to store numerous usernames, passwords and access level attributes (Web
only), allowing multiple user management on a centralized platform. RADIUS (RFC 2865)
is a standard authentication protocol that defines a method for contacting a predefined
server and verifying a given name and password pair against a remote database, in a
secure manner.
When accessing the Web and Telnet servers, users must provide a valid username and
password. When RADIUS authentication isn’t used, the username and password are
authenticated with the Embedded Web Server’s usernames and passwords of the primary
or secondary accounts (refer to Section 5.2.1 on page 56) or with the Telnet server’s
username and password stored internally in the gateway’s memory. When RADIUS
authentication is used, the gateway doesn’t store the username and password but simply
forwards them to the pre-configured RADIUS server for authentication (acceptance or
rejection). The internal Web / Telnet passwords can be used as a fallback mechanism in
case the RADIUS server doesn’t respond (configured by the parameter
BehaviorUponRadiusTimeout). Note that when RADIUS authentication is performed, the
Web / Telnet servers are blocked until a response is received (with a timeout of 5
seconds).
RADIUS authentication requires HTTP basic authentication, meaning the username and
password are transmitted in clear text over the network. It is therefore recommended to
set the parameter ‘HttpsOnly = 1’ to force the use of HTTPS, so that the credentials are
sent over an encrypted transport.
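The following is an added example, not part of the manual or of AudioCodes' software: a minimal RFC 2865 Access-Request builder showing how the forwarded password is hidden with the shared secret, and how the RADIUS server recovers it. The user name and password are constructed; the shared secret is the one shown in the clients.conf example in Section 13.4.1.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2  # RFC 2865 code and attribute types

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, authenticator):
    """Gateway side, RFC 2865 section 5.2: XOR with an MD5(secret + ...) keystream."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def recover_password(hidden, secret, authenticator):
    """RADIUS server side: rebuild the keystream from the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(user, password, secret, ident, authenticator):
    """Code, Identifier, Length, 16-byte Request Authenticator, then attributes."""
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([USER_NAME, len(user) + 2]) + user
    attrs += bytes([USER_PASSWORD, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet) and packet[pos + 1] >= 2:
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

if __name__ == "__main__":
    secret = b"FutureRADIUS"               # shared secret from the clients.conf example
    auth = os.urandom(16)                   # fresh Request Authenticator per request
    pkt = build_access_request(b"admin", b"constructed-password", secret, 1, auth)
    hidden = parse_attributes(pkt)[USER_PASSWORD]
    print(hidden.hex(), recover_password(hidden, secret, auth))
```

The user name travels unprotected and the password is protected only by the shared secret, so the secret in clients.conf deserves the same care as the passwords it covers.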
13.4.1 Setting Up a RADIUS Server
The following examples refer to FreeRADIUS, a free RADIUS server that can be
downloaded from www.freeradius.org. Follow the directions on that site for information on
installing and configuring the server. If you use a RADIUS server from a different vendor,
refer to its appropriate documentation.
To set up a RADIUS server, take these 5 steps:
1. Define the gateway as an authorized client of the RADIUS server, with a predefined
‘shared secret’ (a password used to secure communication) and a vendor ID. The
figure below displays an example of the file clients.conf (FreeRADIUS client
configuration).
Figure 13-12: Example of the File clients.conf (FreeRADIUS Client Configuration)
#
# clients.conf - client configuration directives
#
client 10.31.4.47 {
    secret    = FutureRADIUS
    shortname = tp1610_master_tpm
}
2. If access levels are required, set up a VSA dictionary for the RADIUS server and
select an attribute ID that represents each user's access level. The following example
shows a dictionary file for FreeRADIUS that defines the attribute ‘ACL-Auth-Level’ with
ID=35.