Configure SIP Registrations to Authenticate and Authorize on a Per-user Basis (MRA) for CUCM 11.5

Introduction

This document describes enhanced behavior in Cisco Unified Communications Manager (CUCM) that provides an additional layer of UserID authentication in the Session Initiation Protocol (SIP) REGISTER messages versus the current method of authentication only at the Expressway.

Prerequisites

Requirements 

Cisco recommends that you have knowledge of these topics:

• CUCM Administration and Configuration
• SIP Portocol
• Video Communication Server (VCS) Expressway

Components Used 

The information in this document is based on these software and hardware versions:

• Cisco Unified Communications Manager 11.5 and later
• Video Communication Server (VCS) Expressway

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, Ensure that you understand the potential impact of any command.

Background Information

In the past, device registration through Video Communication Server (VCS) Expressway works when the device sends username and password via Hypertext Transfer Protocol (HTTP). Expressway then authenticates the username and allows the device to proceed with the registration towards CUCM without further verification.

The new behavior is that now CUCM checks the SIP REGISTER message and ensures the UserID has proper association to the device. Through this feature the UserID should authorize before it registers into the CUCM; therefore, provides the next level of protection against the device from external/unknown network. This ensures that the SIP REGISTER is authorized, i.e only a valid device associated with the valid user should register. If there is no UserID association to the device then registration rejects with 401 response code.

Background History

• CSCuu97283
• CVE ID CVE-2015-6410

Limitations

• Only affects SIP Phones
• On-Premise registrations are unaffected

Configure

Network Diagram

Components Used (Old vs. New Architecture)

Old behavior image:

New behavior image:

Configurations

New service parameter to toggle this feature on/off: System > Service Parameters > server > Cisco CallManager > SIP Registration Authorization Enabled

Values:

• True - (default)
• False

The correct UserID association to the correct device determines if SIP registration authorizes or rejects.

The registration authorization process request follows these scenarios:

Scenario 1. If UserID is not present in the REGISTER message it should authorize and 200 OK is sent.

Note: This ensures on-prem interoperability and backward compatibility with older Expressway versions.

Scenario 2. If UserID is present in the REGISTER message then...

• IF UserID matches owner-id field in CUCM Phone Configuration page, THEN Authorize and send 200 OK
• IF UserID matches UserID association with the device in the CUCM End User Configuration page, THEN Authorize and send 200 OK
• IF both owner-id field is blank and device association to the End User does not exist, THEN Authorize and send 200 OK
• ELSE IF no match, THEN FAIL and send 401 Unauthorized 

Scenario 3. If REGISTER message contains more than one UserID of different values, THEN FAIL and send 401 Unauthorized.

Note: Only Expressway populate these UserID headers

Use Cases Results Table 

Enable the feature via Communications Manager (CCM) Service Parameter. It is on by default and no further configuration is required.

Verify

Contact Header

CUCM checks the Contact header of REGISTER message for modification by Expressway

Contact: <sip:ffeffb75-880e-f58f-a8ec-f5025d0f9136@10.50.179.6:5060;transport=tcp;orig- hostport=192.168.0.121:55854>;+sip.instance="<urn:uuid:00000000-0000-0000-0000-
 00506005457e>";+u.sip!model.ccm.cisco.com="604";+u.sip!userid.ccm.cisco.com="mjavie r";+u.sip!serialno.ccm.cisco.com=A1AZ20D00153;audio=TRUE;video=TRUE;mobility="fixed";
 duplex="full";description="TANDBERG-SIP“

New Alarm (AuthorizationErrorwithWarningLevel)

A new Alarm (AuthorizationErrorwithWarningLevel) is now available when there is SIP Registration Authorization failure

Troubleshoot

Look for authorization attempts in CCM Traces debug output

Successful Authorization examples:

Scenario 1:

00013222.041 |15:46:20.792 |AppInfo |SIPStationD(7) - User Authorized - Phone Config page

Scenario 2:

00015642.041 |16:01:39.112 |AppInfo |SIPStationD(9) - User Authorized - EndUser page

Failed Authorization and Alarm example:

00186341.041 |13:17:37.187 |AppInfo |SIPStationD(133) - User: shree is unauthorized to register a device
00186341.042 |13:17:37.187 |AppInfo |SIPStationD(133) - sendRegisterResp: non-200 response code 401, ccbId 2303, expires 4294967295, warning Authorization failure -
 Unauthorized user for this device

00186341.043 |13:17:37.188 |AppInfo |EndPointTransientConnection - An endpoint attempted to register but did not complete registration Connecting Port:5060 Device name:
SEPCD1111000015 Device type:647 Reason Code:35 Protocol:SIP Device MAC address:CD1111000015 LastSignalReceived:SIPRegisterInd StationState:wait_register App ID:Cisco 
CallManager Cluster ID:10.77.29.71 Node ID:CuCM-71

00186341.044 |13:17:37.188 |AlarmWarn|AlarmClass: CallManager, AlarmName: EndPointTransientConnection, AlarmSeverity: Warning, AlarmMessage: , AlarmDescription: An endpoint 
attempted to register but did not complete registration, AlarmParameters: ConnectingPort:5060, DeviceName:SEPCD1111000015, DeviceType:647, Reason:35, Protocol:SIP, 
MACAddress:CD1111000015, LastSignalReceived:SIPRegisterInd, StationState:wait_register, AppID:Cisco CallManager, ClusterID:10.77.29.71, NodeID:CuCM-71,

00186346.000 |13:17:37.189 |SdlSig |SIPRegisterResp |wait |SIPHandler(1,100,80,1) |SIPStationD(1,100,74,133) |1,100,14,772.2^10.77.29.189^SEPCD1111000015 |[T:N-H:0,N:0,L:0,
V:0,Z:0,D:0] ccbID= 2303 --TransType=1 --TransSecurity=0 PeerAddr= 10.77.29.189:5060 respCode= 401 action= 2 device=