RADIUS attribute from rfc5090
SIP-AOR
This attribute is used for the authorization of SIP messages.
The SIP-AOR Attribute identifies the URI, the use of which must
be authenticated and authorized. The RADIUS server uses this
attribute to authorize the processing of the SIP request. The
SIP-AOR can be derived from, for example, the To header field
in a SIP REGISTER request (user under registration), or the
From header field in other SIP requests. However, the exact
mapping of this attribute to SIP can change due to new
developments in the protocol. This attribute MUST only be used
when the RADIUS client wants to authorize SIP users and MUST
only be used in Access-Request packets.
Type
122 for SIP-AOR
Length
>= 3
Text
The syntax of this attribute corresponds either to a SIP URI
(with the format defined in ) or a tel URI (with the format
defined in ).
The SIP-AOR Attribute holds the complete URI, including
parameters and other parts. It is up to the RADIUS server as
to which components of the URI are regarded in the
authorization decision.

4. Diameter Compatibility

This document defines support for Digest Authentication in RADIUS. A
companion document "Diameter Session Initiation Protocol (SIP)
Application" defines support for Digest Authentication in
Diameter, and addresses compatibility issues between RADIUS and
Diameter.

5. Table of Attributes

The following table provides a guide to which attributes may be found
in which kinds of packets, and in what quantity.

Access-  Access-  Access-  Access-    Acct-
Request  Accept   Reject   Challenge  Req   #    Attribute
0-1      0        0        0          0-1   1    User-Name
0-1      0        0        1          0     24   State
1        1        1        1          0-1   80   Message-Authenticator
0-1      0        0        0          0     103  Digest-Response
0-1      0        0        1          0-1   104  Digest-Realm
0-1      0        0        1          0     105  Digest-Nonce
0        0-1      0        0          0     106  Digest-Response-Auth
0        0-1      0        0          0     107  Digest-Nextnonce
1        0        0        0          0-1   108  Digest-Method
0-1      0        0        0          0-1   109  Digest-URI
0-1      0        0        0+         0-1   110  Digest-Qop
0-1      0        0        0-1        0-1   111  Digest-Algorithm
0-1      0        0        0          0     112  Digest-Entity-Body-Hash
0-1      0        0        0          0     113  Digest-CNonce
0-1      0        0        0          0     114  Digest-Nonce-Count
0-1      0        0        0          0-1   115  Digest-Username
0-1      0        0        0-1        0     116  Digest-Opaque
0+       0+       0        0+         0+    117  Digest-Auth-Param
0-1      0        0        0          0     118  Digest-AKA-Auts
0        0        0        0+         0+    119  Digest-Domain
0        0        0        0-1        0     120  Digest-Stale
0        0-1      0        0          0     121  Digest-HA1
0-1      0        0        0          0     122  SIP-AOR
The following table defines the meaning of the above table entries.
0 This attribute MUST NOT be present in the packet.
0+ Zero or more instances of this attribute MAY be
present in the packet.
0-1 Zero or one instance of this attribute MAY be
present in the packet.
Digest-HA1 MUST be used instead of Digest-Response-Auth if
Digest-Qop is 'auth-int'.
Digest-Response-Auth MUST be used instead of Digest-HA1 if
Digest-Qop is 'auth'.
If Digest-Algorithm is missing, 'MD5' is assumed.
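As an added illustration (not code from RFC 5090), the following Python encodes the table above together with the two Digest-Qop rules and reports which of them a decoded packet violates; the attribute lists it takes are the (name, value) pairs a RADIUS decoder would produce, and attributes outside the table (NAS-IP-Address and the like) are deliberately not judged.

```python
from collections import Counter
PACKETS = ["Access-Request", "Access-Accept", "Access-Reject",
           "Access-Challenge", "Accounting-Request"]
# Each row is copied from the Section 5 table, one entry per packet type above.
TABLE = {
    "User-Name":               "0-1 0 0 0 0-1",
    "State":                   "0-1 0 0 1 0",
    "Message-Authenticator":   "1 1 1 1 0-1",
    "Digest-Response":         "0-1 0 0 0 0",
    "Digest-Realm":            "0-1 0 0 1 0-1",
    "Digest-Nonce":            "0-1 0 0 1 0",
    "Digest-Response-Auth":    "0 0-1 0 0 0",
    "Digest-Nextnonce":        "0 0-1 0 0 0",
    "Digest-Method":           "1 0 0 0 0-1",
    "Digest-URI":              "0-1 0 0 0 0-1",
    "Digest-Qop":              "0-1 0 0 0+ 0-1",
    "Digest-Algorithm":        "0-1 0 0 0-1 0-1",
    "Digest-Entity-Body-Hash": "0-1 0 0 0 0",
    "Digest-CNonce":           "0-1 0 0 0 0",
    "Digest-Nonce-Count":      "0-1 0 0 0 0",
    "Digest-Username":         "0-1 0 0 0 0-1",
    "Digest-Opaque":           "0-1 0 0 0-1 0",
    "Digest-Auth-Param":       "0+ 0+ 0 0+ 0+",
    "Digest-AKA-Auts":         "0-1 0 0 0 0",
    "Digest-Domain":           "0 0 0 0+ 0+",
    "Digest-Stale":            "0 0 0 0-1 0",
    "Digest-HA1":              "0 0-1 0 0 0",
    "SIP-AOR":                 "0-1 0 0 0 0",
}
# Legend from the page: 0 = MUST NOT, 0+ = any number, 0-1 = at most one, 1 = exactly one.
LIMITS = {"0": (0, 0), "0+": (0, None), "0-1": (0, 1), "1": (1, 1)}

def check_packet(code, attrs, request_qop=None):
    """attrs is [(attribute, value), ...] from one decoded RADIUS packet; request_qop
    is the Digest-Qop of the matching Access-Request. Returns the violated rules."""
    col = PACKETS.index(code)
    counts = Counter(name for name, _ in attrs)
    problems = []
    for name, row in TABLE.items():
        allowed = row.split()[col]
        lo, hi = LIMITS[allowed]
        n = counts.get(name, 0)
        if n < lo or (hi is not None and n > hi):
            problems.append(f"{name}: {n} present, table allows {allowed}")
    # Rules stated below the table: which proof the server returns depends on qop.
    if code == "Access-Accept" and request_qop == "auth-int" and "Digest-HA1" not in counts:
        problems.append("qop=auth-int: Digest-HA1 MUST be used")
    if code == "Access-Accept" and request_qop == "auth" and "Digest-Response-Auth" not in counts:
        problems.append("qop=auth: Digest-Response-Auth MUST be used")
    return problems
```

Fed the first Access-Challenge from the examples in Section 6, which carries no State attribute, it reports that State is required.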
An Access-Challenge MUST contain a State attribute, which is
copied to the subsequent Access-Request. A server receiving
an Access-Request that contains a State attribute MUST
respond with either an Access-Accept or an Access-Reject;
the server MUST NOT respond with an Access-Challenge.

6. Examples

This is an example selected from the traffic between a softphone (A),
a Proxy Server (B), and an example.com RADIUS server (C). The
communication between the Proxy Server and a SIP Public Switched
Telephone Network (PSTN) gateway is omitted for brevity. The SIP
messages are not shown completely.
The password of user '12345678' is 'secret'. The shared secret
between the RADIUS client and server is 'secret'. To ease testing,
only the last byte of the RADIUS authenticator changes between
requests. In a real implementation, this would be a serious flaw.
A->B
INVITE sip:[email protected] SIP/2.0
From:
To:
B->A
SIP/2.0 100 Trying
B->C
Code = Access-Request (1)
Packet identifier = 0x7c (124)
Length = 97
Authenticator = F5E55840E324AA49D216D9DBD069807C
NAS-IP-Address = 192.0.2.38
NAS-Port = 5
User-Name = 12345678
Digest-Method = INVITE
Digest-URI = sip:[email protected]
Message-Authenticator = 7600D5B0BDC33987A60D5C6167B28B3B
C->B
Code = Access-challenge (11)
Packet identifier = 0x7c (124)
Length = 72
Authenticator = EBE20199C26EFEAD69BF8AB0E786CA4D
Digest-Nonce = 3bada1a0
Digest-Realm = example.com
Digest-Qop = auth
Digest-Algorithm = MD5
Message-Authenticator = 5DA18ED3BBC9513DCBDE0A37F51B7DE3
B->A
SIP/2.0 407 Proxy Authentication Required
Proxy-Authenticate: Digest realm="example.com"
,nonce="3bada1a0",qop=auth,algorithm=MD5
Content-Length: 0
A->B
ACK sip:[email protected] SIP/2.0
A->B
INVITE sip:[email protected] SIP/2.0
Proxy-Authorization: Digest nonce="3bada1a0"
,realm="example.com"
,response="756933f735fcd93f90a4bbdd5467f263"
,uri="sip:[email protected]",username="12345678"
,qop=auth,algorithm=MD5
,cnonce="56593a80",nc="00000001"
From:
To:
B->C
Code = Access-Request (1)
Packet identifier = 0x7d (125)
Length = 221
Authenticator = F5E55840E324AA49D216D9DBD069807D
NAS-IP-Address = 192.0.2.38
NAS-Port = 5
User-Name = 12345678
Digest-Method = INVITE
Digest-URI = sip:[email protected]
Digest-Realm = example.com
Digest-Qop = auth
Digest-Algorithm = MD5
Digest-CNonce = 56593a80
Digest-Nonce = 3bada1a0
Digest-Nonce-Count = 00000001
Digest-Response = 756933f735fcd93f90a4bbdd5467f263
Digest-Username = 12345678
SIP-AOR = sip:[email protected]
Message-Authenticator = B6C7F7F8D11EF261A26933D234561A60
C->B
Code = Access-Accept (2)
Packet identifier = 0x7d (125)
Length = 72
Authenticator = FFDD74D6470D21CB6FC4D6056BE245D2
Digest-Response-Auth = f847de948d12285f8f4199e366f1af21
Message-Authenticator = 7B76E2F10A7067AF601938BF13B0A62E
B->A
SIP/2.0 180 Ringing
B->A
SIP/2.0 200 OK
A->B
ACK sip:[email protected] SIP/2.0
A second example shows the traffic between a web browser (A), a web
server (B), and a RADIUS server (C).
A->B
GET /index.html HTTP/1.1
B->C
Code = Access-Request (1)
Packet identifier = 0x7e (126)
Length = 68
Authenticator = F5E55840E324AA49D216D9DBD069807E
NAS-IP-Address = 192.0.2.38
NAS-Port = 5
Digest-Method = GET
Digest-URI = /index.html
Message-Authenticator = 690BFC95E88DF3B185F15CD78E469992
C->B
Code = Access-challenge (11)
Packet identifier = 0x7e (126)
Length = 72
Authenticator = 2EE5EB01C02C773B6C6EC8515F565E8E
Digest-Nonce = a3086ac8
Digest-Realm = example.com
Digest-Qop = auth
Digest-Algorithm = MD5
Message-Authenticator = 646DB2B0AF9E72FFF2CF7FEB33C4952A
B->A
HTTP/1.1 401 Authentication Required
WWW-Authenticate: Digest realm="example.com",
nonce="a3086ac8",qop=auth,algorithm=MD5
Content-Length: 0
A->B
GET /index.html HTTP/1.1
Authorization: Digest algorithm=MD5,qop=auth,nonce="a3086ac8"
,nc="00000001",cnonce="56593a80"
,realm="example.com"
,response="a4fac45c27a30f4f244c54a2e99fa117"
,uri="/index.html",username="12345678"
B->C
Code = Access-Request (1)
Packet identifier = 0x7f (127)
Length = 176
Authenticator = F5E55840E324AA49D216D9DBD069807F
NAS-IP-Address = 192.0.2.38
NAS-Port = 5
User-Name = 12345678
Digest-Method = GET
Digest-URI = /index.html
Digest-Realm = example.com
Digest-Qop = auth
Digest-Algorithm = MD5
Digest-CNonce = 56593a80
Digest-Nonce = a3086ac8
Digest-Nonce-Count = 00000001
Digest-Response = a4fac45c27a30f4f244c54a2e99fa117
Digest-Username = 12345678
Message-Authenticator = 237D85C1478C70C67EEAF22A9C456821
C->B
Code = Access-Accept (2)
Packet identifier = 0x7f (127)
Length = 72
Authenticator = 6364FA6ED66012847C05A0895607C694
Digest-Response-Auth = 08c4e942d1d0a191de8b3aa98cd35147
Message-Authenticator = 43795A3166492AD2A890AD57D5F97D56
B->A
HTTP/1.1 200 OK
...
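As an added example (not part of RFC 5090, and assuming qop=auth with MD5 only and a server that knows the user's password), this Python shows the two mappings the HTTP trace above relies on: the web server (B) turning the Authorization header into Digest-* attributes for the Access-Request, and the RADIUS server (C) recomputing Digest-Response from HA1 and deriving Digest-Response-Auth for the Access-Accept.

```python
import hashlib
import hmac
import re

# Digest directive -> RADIUS attribute, as in the Access-Request of the trace.
DIRECTIVE_TO_ATTR = {
    "realm": "Digest-Realm", "qop": "Digest-Qop", "algorithm": "Digest-Algorithm",
    "nonce": "Digest-Nonce", "nc": "Digest-Nonce-Count", "cnonce": "Digest-CNonce",
    "response": "Digest-Response", "username": "Digest-Username", "uri": "Digest-URI",
}
# One directive: key=value, value quoted or bare, optional trailing comma.
PARAM_RE = re.compile(r'\s*([a-z]+)\s*=\s*(?:"([^"]*)"|([^,\s]+))\s*,?')

def header_to_attrs(method, header):
    """Client side (B): map an 'Authorization: Digest ...' value, including the
    leading-comma line continuations seen in the trace, to Digest-* attributes."""
    body = header.strip()
    if not body.lower().startswith("digest "):
        raise ValueError("not a Digest credential")
    attrs = {"Digest-Method": method}
    for key, quoted, bare in PARAM_RE.findall(body[7:]):
        if key in DIRECTIVE_TO_ATTR:
            attrs[DIRECTIVE_TO_ATTR[key]] = quoted if quoted else bare
    attrs["User-Name"] = attrs.get("Digest-Username", "")  # the trace sends both
    return attrs

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def expected_response(ha1, a, method):
    """RFC 2617 qop=auth digest; method '' gives the Digest-Response-Auth value."""
    ha2 = md5hex(f"{method}:{a['Digest-URI']}")
    return md5hex(":".join([ha1, a["Digest-Nonce"], a["Digest-Nonce-Count"],
                            a["Digest-CNonce"], a.get("Digest-Qop", "auth"), ha2]))

def server_check(attrs, password):
    """Server side (C): returns (accepted, Digest-Response-Auth for the Access-Accept).
    Only qop=auth with MD5 is handled; a missing Digest-Algorithm means MD5."""
    if attrs.get("Digest-Algorithm", "MD5") != "MD5" or attrs.get("Digest-Qop", "auth") != "auth":
        return False, None
    ha1 = md5hex(f"{attrs['Digest-Username']}:{attrs['Digest-Realm']}:{password}")
    want = expected_response(ha1, attrs, attrs["Digest-Method"])
    if not hmac.compare_digest(want, attrs.get("Digest-Response", "")):  # constant time
        return False, None
    return True, expected_response(ha1, attrs, "")
```

The server shown does not track nonce freshness or Digest-Nonce-Count reuse; a real deployment must do both, or the accepted credential can simply be replayed.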
7. IANA Considerations

The following values from the RADIUS Attribute Types number space
were assigned in . This document requests that the values
in the table below be entered within the existing registry.
Attribute                 #
---------------           ----
Digest-Response           103
Digest-Realm              104
Digest-Nonce              105
Digest-Response-Auth      106
Digest-Nextnonce          107
Digest-Method             108
Digest-URI                109
Digest-Qop                110
Digest-Algorithm          111
Digest-Entity-Body-Hash   112
Digest-CNonce             113
Digest-Nonce-Count        114
Digest-Username           115
Digest-Opaque             116
Digest-Auth-Param         117
Digest-AKA-Auts           118
Digest-Domain             119
Digest-Stale              120
Digest-HA1                121
SIP-AOR                   122

8. Security Considerations

The RADIUS extensions described in this document enable RADIUS to
transport the data that is required to perform a digest calculation.
As a result, RADIUS inherits the vulnerabilities of HTTP Digest (see )
in addition to RADIUS security vulnerabilities described in , and .
An attacker compromising a RADIUS client or proxy can carry out
man-in-the-middle attacks even if the paths between A, B and B, C
(Figure 2) have been secured with TLS or IPsec.
The RADIUS server MUST check the Digest-Realm Attribute it has
received from a client. If the RADIUS client is not authorized to
serve HTTP-style clients of that realm, it might be compromised.