Hi Stagg,
set the debug level to 6 and you will get the logs from openser - this
will help you identify why the auth is rejected.
Regards,
Bogdan
PS: you can send the logs to me if you do not manage to read them (also
attach the SIP trace)
Stagg Shelton wrote:
I am using proxy_authorize & proxy_challenge on
the invite.
if (!(method=="REGISTER"))
{
if (!allow_trusted())
{
if (!proxy_authorize("", "subscriber")) {
$var(debug) = proxy_authorize("", "subscriber");
xlog("Not Proxy Authorize: $var(debug)");
proxy_challenge("", "0");
exit;
}
if (!check_from()) {
sl_send_reply("403","Forbidden auth ID");
exit;
}
consume_credentials();
# caller authenticated
}
}
Below is the output I see in the log file when this path is executed.
Jun 30 10:10:47 rolecall /sbin/openser[15625]: Not Proxy Authorize: -4
Jun 30 10:10:47 rolecall /sbin/openser[15629]: Not Proxy Authorize: -5
Jun 30 10:10:47 rolecall /sbin/openser[15625]: Not Proxy Authorize: -5
Jun 30 10:10:47 rolecall /sbin/openser[15627]: Not Proxy Authorize: -5
As you can see on the initial invite the credentials are not found
which is to be expected. But on the subsequent invites OpenSER is
returning the generic error which doesn't tell me a whole lot. Can
you tell me how to obtain more verbose debugging.
Is it possible that OpenSER is using the From tag and not the
credentials supplied in the Proxy-Authorization header?
Thank You
Stagg Shelton
On Jun 30, 2008, at 4:21 AM, Bogdan-Andrei Iancu wrote:
Hi Stagg,
For INVITEs, use proxy_challenge() + proxy_authorize() functions and
not the www_xxxxxxx() functions.
Regards,
Bogdan
Stagg Shelton wrote:
> I've been trying to work through openser successfully
> authenticating a user on an INVITE. I've tried using
> www_challenge and proxy_challenge. Each time, OpenSER will
> respond to the INVITE with the appropriate Authentication header
> depending on what I'm using, and asterisk will resend the INVITE
> with the Digest credentials. I've determined that OpenSER returns
> a -5 when processing either www_authorize or proxy_authorize and
> the INVITE has the Digest credentials.
>
> The authentication seems to work just fine when asterisk Registers
> to openser. Are there any known issues with asterisk
> authenticating during an INVITE? I would prefer to do it this way
> in case the PBX loses its primary network connectivity and is
> failing to a secondary route, or some other reason that would
> cause the IP address to change.
>
> I am currently using OpenSER 1.3.1
>
> Thank You
> Stagg Shelton
> _______________________________________________
> Users mailing list
> Users(a)lists.openser.org
>
http://lists.openser.org/cgi-bin/mailman/listinfo/users
>
>
>
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users