Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
690
Views
0
Helpful
1
Replies

Authenticating SIP request, Using ACS configured as Radius

shane.francis
Level 1
Level 1

‎05-04-2007 10:08 AM - edited ‎03-10-2019 03:08 PM

Hello everyone,

I have a Cisco 1112 SACS device configured as Radius server, the SIP servers are added to the ACS as Radius clients for server key: ?key? under authenticate using I choose ?Radius-IETF? for both Radius clients.

I setup users on the SIP server as follow ?1? and ?2? just for testing for calling to and from each other?

ACS Interface configuration for Radius-IETF for the Default Group I checked Login-TCP-port under group configuration Radius-IETF Login-TCP-Port I use port ?1812?.

On the ACS I setup users as follow ?1? and ?2? and the user configuration for both users are as followed Password Authentication: Cisco Secure Database and add the user to the default group.

My problem is when I call from phone 1 to phone 2 I get the message ?Authentication failed? up on checking the ACS failed log I can see the ACS communicating with both SIPS I also see the message ?Bad request from NAS?

Can anyone say what I?m missing and/or what I need to do so the ACS can authenticate the SIP request??

All I wan to accomplish is when the SIP sends a request to the ACS to check if the user is setup the ACS authenticate the user and sends the authorization response back to the SIPS.

Any help is appreciated.

Labels:
0 Helpful
1 Reply 1

a-vazquez
Level 6
Level 6

‎05-10-2007 10:53 AM

Authentication can occur at a RADIUS server or at the proxy server.

Two types of authentication are supported: HTTP digest authentication and HTTP basic authentication.

Either type can occur at either location.

During authentication, the UAC password is stored as follows:

For RADIUS-supported authentication, it is stored at the RADIUS server. For proxy-supported authentication, it is stored in a subscriber table in a MySQL database.

The default authentication scheme is HTTP digest authentication performed at the Cisco SPS. When digest authentication and basic authentication are performed at the proxy server, the username, as found in the authorization header or the proxy-authorization header, is the key to query the MySQL database.

If authentication takes place at the RADIUS server, Cisco SPS passes the username as one of the attribute/value pairs to the RADIUS server, where it can be used to key the user search before authentication. Additionally, you can configure Cisco SPS to add any desired SIP headers as VSAs in the authentication request to the RADIUS server. More info:

http://www.cisco.com/univercd/cc/td/doc/product/voice/sipproxy/admingd/ver2_1/1over.htm#65106

For more info and configuration, please see:

http://www.cisco.com/univercd/cc/td/doc/product/voice/sipproxy/admingd/ver2_0/stnconf.htm#1076068

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents