6.2. Diameter Server Authenticates the User

This is the generic mechanism to authenticate users. In this approach, we show an example of an administrative network where the Diameter server authenticates SIP user requests. This could be the case of a medium-size network where the Diameter server keeps the user records and authenticates SIP requests before a given transaction is allowed. We have chosen to show a SIP REGISTER request in the example, but the SIP server could request authentication of any other SIP request.
                  +--------+         +--------+         +--------+
                  |  SIP   |         |Diameter|         |  SIP   |
                  |server 1|         | server |         |server 2|
                  +--------+         +--------+         +--------+
                      |                  |                  |
  1. SIP REGISTER     |                  |                  |
 -------------------->|                  |                  |
                      |  2. UAR          |                  |
                      |----------------->|                  |
                      |  3. UAA          |                  |
                      |<-----------------|                  |
                      |        4. SIP REGISTER              |
                      |------------------------------------>|
                      |                  |      5. MAR      |
                      |                  |<-----------------|
                      |                  |      6. MAA      |
                      |                  |----------------->|
                      |     7. SIP 401 (Unauthorized)       |
  8. SIP 401 (Unauth.)|<------------------------------------|
 <--------------------|                  |                  |
  9. SIP REGISTER     |                  |                  |
 -------------------->|                  |                  |
                      | 10. UAR          |                  |
                      |----------------->|                  |
                      | 11. UAA          |                  |
                      |<-----------------|                  |
                      |       12. SIP REGISTER              |
                      |------------------------------------>|
                      |                  |     13. MAR      |
                      |                  |<-----------------|
                      |                  |     14. MAA      |
                      |                  |----------------->|
                      |     15. SIP 200 (OK)                |
 16. SIP 200 (OK)     |<------------------------------------|
 <--------------------|                  |                  |
                      |                  |     17. SAR      |
                      |                  |<-----------------|
                      |                  |     18. SAA      |
                      |                  |----------------->|
                      |                  |                  |
Figure 2: Authentication performed in the Diameter server
According to Figure 2, a SIP User Agent Client (UAC) sends a SIP REGISTER request (step 1) to SIP server 1, which receives the SIP request. In Figure 2, we assume that this SIP server is located at the edge of the administrative home domain. The Diameter client in SIP server 1 contacts its Diameter server by sending a Diameter User-Authorization-Request (UAR) message (step 2) to determine if this user is allowed to receive service, and if so, to request the address of a local SIP server capable of handling this user. The Diameter server answers with a Diameter User-Authorization-Answer (UAA) message (step 3), which indicates a list of capabilities that SIP server 1 may use to select an appropriate SIP server (SIP server 2) and/or a SIP or SIPS URI pointing to SIP server 2.
SIP server 1 forwards the SIP REGISTER request (step 4) to an appropriate SIP server (SIP server 2). Then the Diameter client in SIP server 2 requests user authentication from the Diameter server by sending a Diameter Multimedia-Auth-Request (MAR) message (step 5). This request also serves to make the Diameter server aware of the SIP or SIPS URI of SIP server 2, so that subsequent requests for the same user are returned to the same SIP server 2. The Diameter server responds with a Diameter Multimedia-Auth-Answer (MAA) message (step 6) with the Result-Code AVP set to the value DIAMETER_MULTI_ROUND_AUTH. The Diameter server also generates a nonce and includes a challenge in the MAA message. SIP server 2 maps that challenge into the WWW-Authenticate header of the SIP 401 (Unauthorized) response (step 7), which is sent back to SIP server 1 and then to the SIP UAC (step 8).
SIP server 1 receives the next SIP REGISTER request, which now contains the user credentials (step 9). Note that SIP server 1 does not need to keep any state; moreover, there is no guarantee that this SIP request arrives at the same SIP server 1, since there could be a farm of SIP servers 1 operating in a redundant configuration. The Diameter client in SIP server 1 therefore contacts the Diameter server again by sending a Diameter UAR message (step 10) to determine the SIP server allocated to the user. The Diameter server sends the SIP or SIPS URI of SIP server 2 in a Diameter UAA message (step 11).
Then SIP server 1 forwards the SIP REGISTER request to SIP server 2 (step 12). SIP server 2 extracts the credentials from the SIP REGISTER request. The Diameter client in SIP server 2 sends those credentials in a Diameter MAR message (step 13) to the Diameter server. At this point, the Diameter server is able to authenticate the user, and upon success, returns a Diameter MAA message (step 14) with the AVP Result-Code set to the value DIAMETER_SUCCESS.
Then SIP server 2 generates a SIP 200 (OK) response (step 15), which is forwarded to SIP server 1 and eventually to the SIP UAC (step 16).
If the Diameter client in SIP server 2 is interested in downloading the user profile information or is required to store the address of the SIP server in the Diameter server, then the Diameter client sends a Diameter SAR message (step 17) to the Diameter server. The Diameter server replies with a Diameter SAA message (step 18) that contains the requested user profile information and the acknowledgement of the SIP server address storage. These actions are needed when the SIP server has to retrieve a user profile used to provide services to the served user, or when the SIP server keeps a state for the user, so the Diameter server needs to store the SIP server's address.
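The full exchange of Figure 2, modelled as an added example that is not part of the RFC text: a Python simulation in which the Diameter server is the only node that holds passwords, generates nonces and verifies responses, SIP server 2 only relays the challenge and the credentials, and SIP server 1 keeps no state and routes every REGISTER through a fresh UAR. Several details are assumptions of this example rather than statements of this section: the challenge scheme is HTTP Digest (RFC 2617, MD5, no qop); the Result-Code numbers are the base-protocol values (DIAMETER_MULTI_ROUND_AUTH 1001, DIAMETER_SUCCESS 2001, DIAMETER_AUTHENTICATION_REJECTED 4001) plus RFC 4740's DIAMETER_ERROR_USER_UNKNOWN (5001); each nonce is single-use; an authentication failure is mapped to SIP 403; and the AVPs are modelled as plain dictionary keys. The user "alice", the realm "example.com" and the URI "sip:s2.example.com" are constructed sample data.

```python
import hashlib
import secrets

# Result-Code values (RFC 6733 base numbering; USER_UNKNOWN is the RFC 4740
# application code). None of these numbers appear in this section.
DIAMETER_MULTI_ROUND_AUTH = 1001
DIAMETER_SUCCESS = 2001
DIAMETER_AUTHENTICATION_REJECTED = 4001
DIAMETER_ERROR_USER_UNKNOWN = 5001
REALM = "example.com"  # constructed realm for the sample

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, method, uri, nonce):
    """HTTP Digest (RFC 2617, no qop) as SIP uses it: MD5(HA1:nonce:HA2).
    Assumed as the challenge scheme; the section only says 'a challenge'."""
    ha1 = md5(f"{user}:{REALM}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")

class DiameterServer:
    """Holds the user records; the only node that knows passwords, issues
    nonces or verifies responses. The SIP servers merely relay."""
    def __init__(self, users):
        self.users = users     # user -> {"password", "profile"} (constructed)
        self.assigned = {}     # user -> SIP URI of SIP server 2, learnt from MAR
        self.pending = {}      # user -> outstanding nonce (single-use, assumed)

    def uar(self, user):
        """UAA: the server already allocated to the user, else a capability list."""
        if user not in self.users:
            return {"Result-Code": DIAMETER_ERROR_USER_UNKNOWN}
        if user in self.assigned:
            return {"Result-Code": DIAMETER_SUCCESS, "SIP-Server-URI": self.assigned[user]}
        return {"Result-Code": DIAMETER_SUCCESS, "SIP-Server-Capabilities": ["registrar"]}

    def mar(self, user, server_uri, method, uri, credentials=None):
        """MAA: first round issues a challenge (MULTI_ROUND_AUTH), second round
        checks the digest. Both rounds record the serving SIP server's URI."""
        if user not in self.users:
            return {"Result-Code": DIAMETER_ERROR_USER_UNKNOWN}
        self.assigned[user] = server_uri
        if credentials is None:
            nonce = secrets.token_hex(16)
            self.pending[user] = nonce
            return {"Result-Code": DIAMETER_MULTI_ROUND_AUTH,
                    "challenge": {"realm": REALM, "nonce": nonce}}
        nonce = self.pending.pop(user, None)  # consumed: a replay finds no nonce
        expected = digest_response(user, self.users[user]["password"], method, uri, nonce)
        ok = (nonce is not None and credentials["nonce"] == nonce
              and secrets.compare_digest(credentials["response"], expected))
        return {"Result-Code": DIAMETER_SUCCESS if ok else DIAMETER_AUTHENTICATION_REJECTED}

    def sar(self, user):
        """SAA: profile download after a successful authentication (steps 17-18)."""
        return {"Result-Code": DIAMETER_SUCCESS, "SIP-User-Data": self.users[user]["profile"]}

class SipServer2:
    """Registrar: turns the MAA challenge into a SIP 401 and the UAC's
    credentials into a second MAR. It never sees the password."""
    def __init__(self, uri, diameter):
        self.uri, self.diameter = uri, diameter

    def register(self, request):
        user, creds = request["user"], request.get("authorization")
        maa = self.diameter.mar(user, self.uri, "REGISTER", request["uri"], creds)
        if maa["Result-Code"] == DIAMETER_MULTI_ROUND_AUTH:
            return {"status": 401, "www_authenticate": maa["challenge"]}
        if maa["Result-Code"] != DIAMETER_SUCCESS:
            return {"status": 403}      # assumed SIP mapping of an auth failure
        saa = self.diameter.sar(user)
        return {"status": 200, "profile": saa["SIP-User-Data"]}

class SipServer1:
    """Edge proxy with no per-user state: every REGISTER, challenged or not,
    goes through a fresh UAR, so any member of a server farm can handle it."""
    def __init__(self, diameter, servers):
        self.diameter, self.servers = diameter, servers   # uri -> SipServer2

    def register(self, request):
        uaa = self.diameter.uar(request["user"])
        if uaa["Result-Code"] != DIAMETER_SUCCESS:
            return {"status": 403}
        # One registrar in the sample, so capability-based selection is trivial.
        uri = uaa.get("SIP-Server-URI") or next(iter(self.servers))
        return self.servers[uri].register(request)

def run_registration(user, password, edge):
    """UAC side of Figure 2; returns the final SIP status code."""
    req = {"user": user, "uri": f"sip:{REALM}"}
    resp = edge.register(req)                    # steps 1-8
    if resp["status"] != 401:
        return resp["status"]
    nonce = resp["www_authenticate"]["nonce"]
    req["authorization"] = {"nonce": nonce, "response": digest_response(
        user, password, "REGISTER", req["uri"], nonce)}
    return edge.register(req)["status"]          # steps 9-16 (and 17-18)

def build_network():
    diameter = DiameterServer({"alice": {"password": "s3cret",
                                         "profile": {"services": ["voicemail"]}}})
    s2 = SipServer2("sip:s2.example.com", diameter)
    return diameter, SipServer1(diameter, {s2.uri: s2})

if __name__ == "__main__":
    diameter, edge = build_network()
    print(run_registration("alice", "s3cret", edge))   # 200
    print(run_registration("alice", "wrong", edge))    # 403
    print(diameter.uar("alice"))                       # now carries SIP-Server-URI
```

The point to notice is where the secrets live: the password and the nonce never leave the Diameter server, SIP server 2 only carries the challenge out and the response back, and SIP server 1 can be replaced by any node of a farm between steps 8 and 9 because the server assignment is looked up in the UAA rather than remembered locally. Popping the nonce on the second MAR is what makes a replayed Authorization header fail even though the digest in it is still correct.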