No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Voice Feature Guide 01

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring Device Authentication

Configuring Device Authentication

Device authentication is a method to improve the security of the core network and prevent illegal devices from registering with the core network device.

Configuring Device Authentication (H.248-based)

This topic describes how to configure the H.248-based device authentication to prevent illegal MGs from registering with the MGC.

Prerequisite
  • The MG interface must be configured successfully.
  • The parameters, including the encryption type, the initial key and the DH authentication, and the MG ID, must be configured on the MGC. These parameters must be the same as the parameters configured on the MA5600T/MA5603T/MA5608T.
Precautions

If Huawei products such as the SoftX3000 is used as the MGC, the authentication MG ID must be a character string with more than eight bits.

Procedure

  1. In the global config mode, run the interface h248 command to enter the MG interface mode.
  2. Run the mg-software parameter 4 command to configure the registration mode.
  3. Run the mg-software parameter 6 0 command to configure the device authentication function on the MG interface.
  4. Run the auth command to configure the authentication MG ID and the initial key.
  5. Run the display auth command to query the authentication parameters.
  6. Run the reset coldstart command to reset the MG interface.

    Reset the MG interface to make the MG interface register with the MGC (and to make the modified attributes of the MG interface take effect) so that the MG interface can work in the normal state. The MG interface can be enabled in different ways (see Parameters of the reset command). For a newly configured MG interface, enable the MG interface through cold start.

Example

Configure the authentication parameters for the MA5600T/MA5603T/MA5608T as listed in Table 1-58.

Table 1-58 Data plan for configuring the H.248-based authentication

Item

Data

MG ID

0

Whether the wildcard is used in the registration

Yes

Authentication MG ID

MA5600T/MA5603T/MA5608T. It must be the same as the authentication MG ID on the MGC. Otherwise, the MG cannot register with the MGC.

Initial key

0123456789ABCDEF. It must be the same as the initial key configured on the MGC.

The following is a configuration example based on the data plan:

huawei(config)#interface h248 0
huawei(config-if-h248-0)#mg-software parameter 4 0
huawei(config-if-h248-0)#display mg-software parameter 4                        
  -------------------------------------------------                             
  Interface Id:0           para index:4   value:0                               
  -------------------------------------------------                             
 APPENDIX:                                                                      
  -------------------------------------------------                             
   Interface software parameter name:                                           
   4: Whether MG register to MGC with wildcard                                  
      0: Yes                                                                    
      1: No         
huawei(config-if-h248-0)#mg-software parameter 6 0  
huawei(config-if-h248-0)#display mg-software parameter 6                        
  -------------------------------------------------                             
  Interface Id:0           para index:6   value:0                               
  -------------------------------------------------                             
 APPENDIX:                                                                      
  -------------------------------------------------                             
   Interface software parameter name:                                           
   6: Whether MG support authentication                                         
      0: Yes                                                                    
      1: No           
huawei(config-if-h248-0)#auth auth_mgid MA5600T/MA5603T/MA5608T initial_key 0123456789ABCDEF
huawei(config-if-h248-0)#display auth    
 [AUTH_PARA config]                          
  Initial Key    : 0123456789ABCDEF        
  Auth MGid      : MA5600T/MA5603T/MA5608T                     
  Algorithm      : MD5                        
huawei(config-if-h248-0)#reset coldstart
  Are you sure to reset MG interface?(y/n)[n]:y

Configuring Device Authentication (MGCP-based)

This topic describes how to configure the MGCP-based authentication parameters for the MG interface on the MA5600T/MA5603T/MA5608T to implement device authentication and prevent illegal MGs from registering with the MGC.

Prerequisite
  • The MG interface must be configured successfully.
  • The parameters, including the encryption type, the initial key and the DH authentication, and the MG ID, must be configured on the MGC. These parameters must be the same as the parameters configured on the MA5600T/MA5603T/MA5608T.

Procedure

  1. In the global config mode, run the interface mgcp command to enter the MG interface mode.
  2. Run the mg-software parameter 4 command to configure the registration mode.
  3. Run the auth command to configure the authentication MG ID and the initial key.

    If Huawei products such as the SoftX3000 is used as the MGC, the authentication MG ID must be a character string with more than eight bits.

    NOTE:
    When the MGCP protocol is used, the MG interface supports two authentication modes:
    • Passive authentication mode: In this mode, the device registers with the MGC and is authenticated only after required by the MGC.
    • Active authentication mode: In this mode, the device is authenticated when the device registers with the MGC.
    In actual applications, you can select the authentication mode according to the requirements.

  4. Run the display auth command to query the authentication parameters.
  5. Run the reset command to reset the MG interface.
Example

Configure the authentication parameters for the MA5600T/MA5603T/MA5608T as listed in Table 1-59.

Table 1-59 Data plan for configuring the MGCP-based device authentication

Item

Data

MG ID

0

Whether the wildcard is used in the registration

Yes

Authentication mode

Active authentication mode

Authentication MG ID

MA5600T/MA5603T/MA5608T. It must be the same as the authentication MG ID on the MGC. Otherwise, the MG cannot register with the MGC.

Initial key

0123456789ABCDEF. It must be the same as the initial key configured on the MGC.

The following is a configuration example based on the data plan:

huawei(config)#interface mgcp 0
huawei(config-if-mgcp-0)#mg-software parameter 4 0
huawei(config-if-mgcp-0)#display mg-software parameter 4
  -------------------------------------------------                             
  Interface Id:0           para index:4   value:0                               
  -------------------------------------------------                             
 APPENDIX:                                                                      
  -------------------------------------------------                             
   Interface software parameter name:                                           
   4: Whether MG register to MGC with wildcard                                  
      0: Yes                                                                    
      1: No         
huawei(config-if-mgcp-0)#auth mode2 auth_mgid MA5600T/MA5603T/MA5608T initial_key 0123456789ABCDEF
huawei(config-if-mgcp-0)#display auth
  active request authentication mode config:                                    
  Initial Key    : 0123456789ABCDEF                                             
  Auth MGid      : MA5600T/MA5603T/MA5608T                                                       
  Algorithm      : MD5                                                          
huawei(config-if-mgcp-0)#reset
  Are you sure to reset MG interface?(y/n)[n]:y

Configuring Device Authentication Based on SIP

When the Session Initiation Protocol (SIP) is used, the voice service of the MA5600T/MA5603T/MA5608T supports the authentication for a SIP interface and single user in user name+password or user name+HA1 mode.

Prerequisite
  • The SIP interface has been added. For details about how to add a SIP interface, see Configuring the SIP Interface.
  • The authentication information has been configured on the IP multimedia subsystem (IMS) side.
Context
  • The device authentication must be supported on the IMS side. Ensure that the authentication data on the device side is the same as that on the IMS side.
  • The user authentication on the MA5600T/MA5603T/MA5608T running SIP involves SIP interface authentication and user authentication. In SIP interface authentication, proxy option detection messages are authenticated. In user authentication, user registration and call messages are authenticated.
  • A SIP user can be authenticated based on a SIP interface or a single user. Run the sip-auth parameter auth-mode command to configure a user authentication mode.
    • If the user authentication mode is set to interface, only the user name and password configured based on a SIP interface can be used for user authentication when the user authentication is based on both a SIP interface and a single user.
    • If the user authentication mode is set to single-user, the user name and password configured based on a single user are preferentially used for user authentication when the user authentication is based on both a SIP interface and a single user. The default user authentication mode is single-user.

Procedure

  • Perform the authentication based on a SIP interface.
    1. In the global config mode, run the interface sip command to enter the SIP interface mode.
    2. Run the sip-auth-parameter command to configure the authentication user name and password for the SIP interface.

      Security authentication information includes password authentication mode, user name, password, and user authentication mode.

      • Password authentication mode includes password and ha1. In password mode, the original user password is configured. In ha1 mode, a password is generated after the original user password is encrypted by using the message digest 5 (MD5) algorithm.
      • User authentication mode includes interface and single-user. The interface mode indicates that authentication is performed based on interface. This means that all users under an interface share an authentication user name. The single-user mode indicates that each user has a unique identity.

    3. Run the reset command to reset the SIP interface.
  • Perform the authentication based on a single user.
    1. In global config mode, run the esl user command to enter extend signaling link (ESL) user mode.
    2. According to the service type, run the sippstnuser auth set command or the sipbrauser auth set command or the sipprauser auth set command to configure the authentication user name, password for single user.
    3. Run the display sippstnuser authinfo command or the display sipbrauser authinfo command or the display sipprauser authinfo command to query the security authentication information.

Example

Configure the security authentication information of SIP interface 0 on the MA5600T/MA5603T/MA5608T, where,
  • User authentication mode is interface
  • Password authentication mode is password
  • User name is huawei.com
  • Password is 123456789
huawei(config)#interface sip 0
huawei(config-if-sip-0)#sip-auth-parameter auth-mode interface password-mode pas
sword
  User Name(<=64 characters, "-" indicates deletion):huawei.com
  User Password(<=64 characters, "-" indicates deletion):    //Enter password here.
  The configuration will take effect after resetting the interface              
huawei(config-if-sip-0)#reset
  Are you sure to reset the SIP interface?(y/n)[n]:y 
Configure the security authentication information of the PSTN user on port 0/2/1, where,
  • Telephone number is 88810001
  • Authentication password mode is password
  • User name is huawei
  • Password is huawei123
To configure the authentication data of such a PSTN user, do as follows:
huawei(config)#esl user
huawei(config-esl-user)#sippstnuser auth set 0/2/1 telno 88810001 password-mode password
  User Name(<=64 characters, "-" indicates deletion):huawei
  User Password(<=64 characters, "-" indicates deletion):    //Enter password here.
Translation
Download
Updated: 2019-02-22

Document ID: EDOC1100067358

Views: 16225

Downloads: 168

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next