Configuration Note. RADIUS for Secure Device Access. Multi-Service Business Routers. Enterprise Session Border Controllers. VoIP Media Gateways

Similar documents
Configuration Note How to Backup and Restore SPS

Installation Guide. Version 1.0. AudioCodes Applications License Server. December 2014 Document # LTRT-00876

Configuration Note Recovery from Rescue Mode Procedure

User's Guide. AudioCodes CLI Wizard Utility. Session Border Controllers (SBC) Multi-Service Business Routers (MSBR)

Configuration Note Restoring Factory Defaults

Configuration Note. Connecting MSBR to WAN through 3G Cellular Modem. Multi-Service Business Router (MSBR) Mediant 850 MSBR.

Technical Application Note

Configuration Note. MP-26x Debugging and Diagnostic Tools. MP-26x Series. Version and Later. AudioCodes CPE & Access Gateway Products

Administrator and User Manual Hot Desking with SPS for Microsoft Lync

Configuration Note Recover from Rescue Mode Procedure

400HD Series of High Definition IP Phones. Configuration Note. Call Recording on AudioCodes. 400HD Series IP Phones. Document #: LTRT-11360

Configuration Note How to Install SPS on the SBA

Configuration Note 3G Cellular Modem WAN Connection

Configuration File Backup and Restore Procedure

Configuration Note. SPS Best Practice Preventative Maintenance and Health Check Procedures. Version 1.0. SIP Phone Support (SPS) VoIP Media Gateways

Mediant Software E-SBC. Session Border Controllers. Virtual Edition. Installation Manual. Version 6.6. October 2013 Document #: LTRT-10343

SBC Deployment Guide Architecture Options and Configuration Examples

Configuration Guide IP-to-IP Application

User's Guide Call Progress Tones Wizard (CPTWizard) Utility

SBC Configuration Examples

MP-11x, Mediant 1000 & Mediant Application Note

Mediant 1000B Chassis. Physical Description

Transport Layer Security (TLS) Configuration Note

SIP Phone Support. Release Notes. Version

Backup and Restore Procedure

Configuration Note. Connecting XO Communications SIP Trunking Service to Microsoft Lync Server Using

SBA Management Interface for Skype for Business

SBC Configuration Examples for Mediant SBC

Performance Monitoring and Alarm Guide

Configuring MediaPack 1288 Analog Gateway as Third-Party SIP Device (Advanced) in Cisco Unified Communications Manager Ver

AudioCodes Routing Manager (ARM)

IP Phone Manager Express

AudioCodes CPE & Access Gateway Products MP-20x Multimedia Home Gateway Quick Guide MediaPack 20x for BroadSoft s BroadCloud PacketSmart Monitoring

CloudBond 365 Standard / Standard+ Box Editions

Configuration Note Microsoft Lync Server 2013 & tipicall SIP Trunk using Mediant E-SBC

IP Phone Manager Express

CloudBond 365 Pro / Enterprise Box Editions

Quick Start Guide. AudioCodes One Voice for Microsoft Skype for Business. CloudBond 365. Pro / Enterprise Box Edition. Version 7.0

SmartTAP Call Recording Solution

Solution SPSS. Compatible. From Ver For. ays

Configuration Note. AireSpring SIP Trunk & Genesys Contact Center using AudioCodes Mediant SBC. Session Border Controllers (SBC)

Mediant Cloud Edition (CE)

Configuration Note Capturing Traffic on MSBR

Release Notes. AudioCodes One Voice for Microsoft Skype for Business. Mediant SBA for Microsoft Skype for. Business. Version 7.2

Configuration Note Microsoft Lync Server 2013 & BluIP SIP Trunk using Mediant E-SBC

User Management Pack 365

Configuration Note Debug Recording Feature

Mediant CCE Appliances

Configuration Note. Microsoft Lync Server 2013 & ITSP SIP Trunk using AudioCodes Mediant SBC. Interoperability Laboratory. Version 6.

Microsoft Office 365 X-UM with IP PBXs using AudioCodes CloudBond X-UM Standard

User's Guide. AudioCodes One Voice Operations Center. SBA ProConnect. Version 7.2

Administrator's Manual

VOCANOM Web Based Management Tool Administrator's Guide

SIP Phone Support (SPS)

Configuration Note. Enhanced Gateway with Analog Devices for Microsoft Lync Server Microsoft Lync Server 2010.

Mediant MSBR. Wireless Access Configuration. Configuration Guide. Version 6.8. Multi-Service Business Routers Product Series

Configuration Note. Microsoft Lync Server 2013 & NextGenTel SIP Trunk using Mediant E-SBC. Enterprise Session Border Controllers (E-SBC)

Configuration Note Microsoft Lync Server 2013 & Netia SIP Trunk using Mediant E-SBC

Performance Monitoring and Alarm Guide

Configuration Note Microsoft Lync Server 2013 & Windstream SIP Trunk using Mediant E-SBC

Mediant Virtual Edition (VE) SBC

Installation Manual ARM. AudioCodes Routing Manager. Version 7.0

Spectrum Enterprise SIP Trunking Service AudioCodes Mediant Series IP PBX Configuration Guide

Mediant VE SBC. Session Border Controller. Virtual Edition. Installation Manual. Version 6.8. June 2015 Document #: LTRT-10352

Connecting IP-PBX to BroadSoft's BroadCloud SIP Trunk using AudioCodes Mediant SBC

User's Manual. Version 5.6

CloudBond 365 & User Management Pack 365

AudioCodes Routing Manager (ARM)

User's Manual. Version 5.8

Mediant MSBR. Version 6.8. Security Setup. Configuration Guide. Version 6.8. Multi-Service Business Routers Product Series

EMS, SEM and IP Phone Manager

Configuration Note Windstream SIP Trunk & Genesys Contact Center using AudioCodes Mediant SBC

OAMP (EMS) Integration Guide

AudioCodes Element Management System (EMS) and Session Experience Manager (SEM) Release Notes. Version 6.8

Configuration Note. CAS Protocol Tables. Mediant Series Digital PSTN Gateways. Version 7.0

SEM for AudioCodes Media Gateways and Servers. Session Experience Manager. User's Manual. Version 6.8

Hardware Installation Manual

User's Manual MP-20x Telephone Adapter Version Document #: LTRT-50609

Application Note. AudioCodes One Voice for Microsoft 365. CloudBond 365. Partner Guidelines for Verifying Third-Party Applications

AudioCodes Academy Course Catalog February 2013

Administrator s Manual

Hardware Installation Manual

APPLICATION NOTE. Microsoft Unified Communications Network Architectures. Introduction

Mediant Appliances. Mediant 800 CCE & Mediant Server CCE. Microsoft Skype for Business Cloud Connector Edition (CCE) Version

400HD Series of High Definition IP Phones. User s Manual. 420HD IP Phone with Microsoft Lync. Version 2.0.1

AudioCodes Routing Manager (ARM)

Microsoft Skype for Business Server 2015 and DTAG SIP Trunk using AudioCodes Mediant MSBR E-SBC

Configuration Note Microsoft Office 365 Exchange UM with IP PBXs using AudioCodes Mediant SBC

Microsoft Skype for Business Server 2015 and Flowroute SIP Trunk using AudioCodes Mediant E-SBC

Microsoft Skype for Business Server 2015 and ShoreTel UC System using AudioCodes Mediant E-SBC

MediaPack 1xx Analog VoIP Gateway

Configuration Note. Telenor SIP Trunk & Genesys Contact Center using AudioCodes Mediant SBC. Session Border Controllers (SBC)

OAMP (EMS and SEM) Integration Guide

Microsoft Lync Server 2013 and Twilio SIP Trunk using AudioCodes Mediant E-SBC

CPE & Digital Access Gateways. MediaPack MP-40x. User s Manual. Version 2.2

MP-20x Telephone Adapter Release Notes

Microsoft Skype for Business Server 2015 and TELUS SIP Trunk using AudioCodes Mediant E-SBC

How to Configure Authentication and Access Control (AAA)

Installation, Operation and Maintenance Manual

One-Voice Resiliency. Branch Sites in Microsoft Lync Server or Skype for Business Environments. Version 7.0. Configuration Note

Transcription:

Multi-Service Business Routers Enterprise Session Border Controllers VoIP Media Gateways Configuration Note RADIUS for Secure Device Access December 2012 Document # LTRT-34201

Configuration Note Contents Table of Contents 1 Introduction... 1 2 Setting Up a Third-Party RADIUS Server... 3 3 Configuring RADIUS for the Device... 5 3.1 Configuring General RADIUS Settings... 5 3.2 Securing RADIUS Communication... 7 4 Authenticating RADIUS in the URL... 9 Version 6.6 3 December 2012

RADIUS Support List of Figures Figure 1-1: Device Implementing RADIUS Application... 1 Figure 3-1: RADIUS Settings Page... 5 Figure 3-2: Enabling HTTPS for Securing Web Access... 7 List of Tables Table 2-1: Web User Access Levels / Privileges and RADIUS Server Representation... 3 Configuration Note 4 Document #: LTRT-34201

Configuration Note Notices Notice This document describes how to set up a RADIUS server and how to configure the device to support it. Information contained in this document is believed to be accurate and reliable at the time of printing. However, due to ongoing product improvements and revisions, AudioCodes cannot guarantee the accuracy of printed material after the Date Published nor can it accept responsibility for errors or omissions. Updates to this document and other documents can be viewed by registered customers at http://www.audiocodes.com/downloads. Copyright 2012 AudioCodes Ltd. All rights reserved. This document is subject to change without notice. Date Published: December-06-2012 Trademarks AudioCodes, AC, AudioCoded, Ardito, CTI2, CTI², CTI Squared, HD VoIP, HD VoIP Sounds Better, InTouch, IPmedia, Mediant, MediaPack, NetCoder, Netrake, Nuera, Open Solutions Network, OSN, Stretto, TrunkPack, VMAS, VoicePacketizer, VoIPerfect, VoIPerfectHD, What s Inside Matters, Your Gateway To VoIP and 3GX are trademarks or registered trademarks of AudioCodes Limited. All other products or trademarks are property of their respective owners. Product specifications are subject to change without notice. WEEE EU Directive Pursuant to the WEEE EU Directive, electronic and electrical waste must not be disposed of with unsorted waste. Please contact your local recycling authority for disposal of this product. Customer Support Customer technical support and service are provided by AudioCodes Distributors, Partners, and Resellers from whom the product was purchased. For Customer support for products purchased directly from AudioCodes, contact support@audiocodes.com. Abbreviations and Terminology Each abbreviation, unless widely used, is spelled out in full when first used, Note: Throughout this document, unless otherwise specified, the term device refers to AudioCodes' VoIP Media Gateways, the Mediant MSBR Series and the Mediant E-SBC Series. Version 6.6 5 December 2012

RADIUS Support Reader's Notes Configuration Note 6 Document #: LTRT-34201

Configuration Note 1. Introduction 1 Introduction You can enhance security for your AudioCodes device by implementing Remote Authentication Dial-In User Service (RADIUS - RFC 2865) for authenticating multiple login user accounts of the device s embedded Web and Telnet servers. Thus, RADIUS also prevents unauthorized access to your device. When RADIUS authentication is not used, the login user name and password are locally authenticated by the device with the Web interface's local user names and passwords (defined in the 'Web User Accounts' page) or with the Telnet server s user names and passwords. When RADIUS authentication is used, the RADIUS server stores the device's login user names, passwords, and access (authorization) levels (Web only). When a management client tries to access the device, the device sends the RADIUS server the client s username and password for authentication. The RADIUS server replies with an acceptance or a rejection notification. While RADIUS authentication is performed, the device s Web interface is blocked until an acceptance response is received from the RADIUS server. The local Web and Telnet user names and passwords can be used as a fallback mechanism in case the RADIUS server doesn t respond. Note that communication between the device and the RADIUS server is done by using a Shared Secret, which is not transmitted over the network. For setting up RADIUS support, the following needs to be done: Set up a RADIUS server (third-party) to communicate with the device. Configure the device as a RADIUS client for communication with the RADIUS server. Figure 1-1: Device Implementing RADIUS Application Version 6.6 1 December 2012

RADIUS Support Reader's Notes Configuration Note 2 Document #: LTRT-34201

Configuration Note 2. Setting Up a Third-Party RADIUS Server 2 Setting Up a Third-Party RADIUS Server This section provides an example for setting up the third-party RADIUS sever, FreeRADIUS, which can be downloaded from www.freeradius.org. Follow the directions at this Web site for installing and configuring the server. If you use a RADIUS server from a different vendor, refer to its appropriate documentation. To set up a third-party RADIUS server (e.g., FreeRADIUS): 1. Define the AudioCodes device as an authorized client of the RADIUS server, with the following: Predefined shared secret (password used to secure communication between the device and the RADIUS server) Vendor ID Below is an example of the clients.conf file (FreeRADIUS client configuration): # # clients.conf - client configuration directives # client 10.31.4.47 { secret = FutureRADIUS shortname = audc_device } 2. If access levels are required, set up a Vendor-Specific Attributes (VSA) dictionary for the RADIUS server and select an attribute ID that represents each user's access level. The example below shows a dictionary file for FreeRADIUS that defines the attribute "ACL-Auth-Level" with "ID=35". For the device's user access levels and their corresponding numeric representation in RADIUS servers, see Table 2-1. # # AudioCodes VSA dictionary # VENDOR AudioCodes 5003 ATTRIBUTE ACL-Auth-Level 35 integer AudioCodes VALUE ACL-Auth-Level ACL-Auth-UserLevel 50 VALUE ACL-Auth-Level ACL-Auth-AdminLevel 100 VALUE ACL-Auth-Level ACL-Auth-SecurityAdminLevel 200 Table 2-1: Web User Access Levels / Privileges and RADIUS Server Representation Device Access Levels Numeric Representation in RADIUS Server Privileges Security Administrator 200 Read-write privileges for all pages. Administrator 100 Read-write privileges for all pages except securityrelated pages, which are read-only. User Monitor 50 No access to security-related and file-loading pages; read-only access to the other pages. This read-only access level is typically applied to the secondary Web user account No Access 0 No access to any page. Version 6.6 3 December 2012

RADIUS Support 3. Define the list of users authorized to use the device, using one of the password authentication methods supported by the server implementation. The example below shows a user configuration file for FreeRADIUS using a plain-text password: # users - local user configuration database john Auth-Type := Local, User-Password == "qwerty" Service-Type = Login-User, ACL-Auth-Level = ACL-Auth-SecurityAdminLevel sue Auth-Type := Local, User-Password == "123456" Service-Type = Login-User, ACL-Auth-Level = ACL-Auth-UserLevel 4. Record and retain the IP address, port number, shared secret code, vendor ID, and VSA access level identifier (if access levels are implemented) used by the RADIUS server. Configuration Note 4 Document #: LTRT-34201

Configuration Note 3. Configuring RADIUS for the Device 3 Configuring RADIUS for the Device This section describes how to configure the device for RADIUS support, using the device's embedded Web server interface. 3.1 Configuring General RADIUS Settings The procedure below describes the general configurations for RADIUS support. To configure the device's RADIUS support: 1. Access the device's Web interface. 2. Open the RADIUS Settings page (Configuration tab > System menu > Management > RADIUS Settings). Figure 3-1: RADIUS Settings Page 3 4 5 7 8 6 3. From the 'Enable RADIUS Access Control' drop-down list, select Enable to enable the RADIUS application. 4. From the 'Use RADIUS for Web/Telnet Login' drop-down list, select Enable to enable RADIUS authentication for Web and Telnet login. 5. Define the RADIUS server with which the device communicates: a. In the 'RADIUS Authentication Server IP Address' field, enter the RADIUS server s IP address. b. In the 'RADIUS Authentication Server Port' field, enter the RADIUS server s port number. c. In the 'RADIUS Shared Secret' field, enter the shared secret code used to authenticate the device to the RADIUS server. 6. In the 'RADIUS VSA Vendor ID' field, enter the device's vendor ID. This must be the same one as configured in the RADIUS server (see Section 2, Step 2). Version 6.6 5 December 2012

RADIUS Support 7. When implementing Web user access levels, do one of the following: If the RADIUS server response includes the access level attribute: In the 'RADIUS VSA Access Level Attribute' field, enter the code that indicates the access level attribute in the VSA section of the received RADIUS packet. For defining the RADIUS server with access levels, see Section 2, Step 3. If the RADIUS server responses exclude the access level attribute: In the 'Default Access Level' field, enter the default access level that is applied to all users authenticated by the RADIUS server. 8. Define RADIUS timeout handling: a. From the 'Device Behavior Upon RADIUS Timeout' drop-down list, select the option if the RADIUS server does not respond within five seconds: Deny Access: the device denies access to the Web and Telnet interfaces. Verify Access Locally: the device checks the user name and password defined locally for the device (in the Web User Accounts page) and if correct, it allows access. b. In the 'Local RADIUS Password Cache Timeout' field, enter a time limit (in seconds) after which the user name and password verified by the RADIUS server becomes invalid and a user name and password must be re-validated with the RADIUS server. c. From the 'Local RADIUS Password Cache Mode' drop-down list, select the option for the local RADIUS password cache timer: Reset Timer Upon Access: upon each access to a Web page, the timer resets (reverts to the initial value configured in the previous step). Absolute Expiry Timer: when you access a Web page, the timer doesn t reset, but continues its count down. 9. Click Submit. 10. Save your settings to flash memory with a device reset (refer to the device's User's Manual). Configuration Note 6 Document #: LTRT-34201

Configuration Note 3. Configuring RADIUS for the Device 3.2 Securing RADIUS Communication RADIUS authentication requires HTTP basic authentication (according to RFC 2617). However, this is insecure as the user names and passwords are transmitted in clear text over plain HTTP. Therefore, as digest authentication is not supported with RADIUS, it is highly recommended that the RADIUS implementation is used with HTTPS so that the user names and passwords are encrypted. To configure HTTPS: 1. Access the device's Web interface. 2. Open the WEB Security Settings page (Configuration tab > System menu > Management > WEB Security Settings). 3. From the 'Secured Web Connection (HTTPS)' drop-down list, select HTTPS Only. Figure 3-2: Enabling HTTPS for Securing Web Access 4. Click Submit. 5. Save your settings to flash memory with a device reset. Version 6.6 7 December 2012

RADIUS Support Reader's Notes Configuration Note 8 Document #: LTRT-34201

Configuration Note 4. Authenticating RADIUS in the URL 4 Authenticating RADIUS in the URL RADIUS authentication is typically done after the user accesses the Web interface by entering only the device's IP address in the Web browser's URL field (for example, http://10.13.4.12/) and then entering the user name and password credentials in the Web interface login screen. Authentication with the RADIUS server can also be done immediately after the URL is entered if it includes the login credentials, for example: http://10.4.4.112/forms/radiusauthentication?wsbackusername=john&wsbackpassword=1234 Note: This feature allows up to five simultaneous users only. Version 6.6 9 December 2012

Configuration Note www.audiocodes.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback