Wednesday, 9 April 2014

SIP trunk authentication between ccm and vg

The purpose of this document aims to setting up authentication of sip trunk between cucm and cme.
Note: only one side of authentication was tested because of insufficient features of the ios.

Step 1:  creates a new sip security profile and digest authentication option should be enabled.
Step 2: after route-pattern and everything done, applies sip newly created sip security profile to sip turnk.
Step 3: in the enterprise configuration page, changes Cluster ID to “cucm7” that will be a part of authentication as “realm”.
Step 4:  creates an “Application User” cisco and only thing should be cared is “Digest Credentials”. We setup credentials as  “cisco,123”
Step 5: goes back to cme and configures proper parameters were already set in cucm.
r2#show run | s sip-ua
sip-ua
authentication username cisco password cisco,123 realm cucm7
registrar ipv4:142.100.64.11 expires 3600

Proof:
calls from 3001 on cme side to phones on cucm side. The result in debugging in cme as below:


           

INVITE MESSAGE FROM CME SIDE
INVITE sip:17055002000@142.100.64.11:5060 SIP/2.0
Via: SIP/2.0/UDP  12.12.12.2:5060;branch=z9hG4bK6F242B
From: "HK-PHONE1" <sip:+85224044001@142.100.64.11>;tag=85DAC8-2529
To: <sip:17055002000@142.100.64.11>
… data omitted …
Authorization: Digest username="cisco",realm="cucm7",uri="sip:17055002000@142.100.64.11:5060",response="b6836a43e6e6e9720c7fc82aafa5fcb5",nonce="c4Y3hNYV/PD4Hl3WRKbUDv3UvWdT3v0Z",algorithm=MD5
…data omitted …



ERROR MESSAGE SENT FROM CUCM SIDE WHEN AUTHEN FAILED
Received:
SIP/2.0 401 Unauthorized
Date: Fri, 01 Mar 2002 02:26:12 GMT
From: "HK-PHONE1" <sip:+85224044001@142.100.64.11>;tag=85DAC8-2529
Allow-Events: presence
WWW-Authenticate: Digest realm="cucm7", nonce="c4Y3hNYV/PD4Hl3WRKbUDv3UvWdT3v0Z", algorithm=MD5
…data omitted…




1 comment:

  1. I was looking for this solution but after realizing that it is not something I can do on my own, had to call my provider ThinkTel to send someone and fix the issue, glad I made that decision besides doing it myself.

    ReplyDelete