Is the database shared? If so maybe when they authenticate add a secure token to the header that the second proxy can use for auth?

Just a suggestion not sure if its the answer your looking for or perhaps I didn't understand the scenario well enough.

On Nov 19, 2012 7:53 AM, "Andreas Granig" <agranig@sipwise.com> wrote:
Hi,

There are lots of parameters controlling the creation of nonce values on
a server, and I'm curious if there is a way to kind of "sync" them
between servers.

The use case would be to have a UA send for example its registration to
Proxy1. Proxy1 would challenge it, UA will send the registration again,
this time with credentials. Proxy1 would look up the user based on
$au/$ar in the subscriber table, and if it's not found, will look up the
responsible proxy from another table (with key being $au@$ar), forward
it to Proxy2, which then would be able authenticate the user.

The reason for this is that the auth credentials are unique across all
servers and reliably identify a user, whereas for example From could be
something else (e.g. in case of an IP-PBX sending a CLI in the
From-userpart).

Challenging the user on the second proxy again would theoretically be
possible, but if the UA gets a 401 twice (once from Proxy1, once from
Proxy2), it'll most likely pop up a password form for soft-clients, so I
want to avoid that.

Any ideas how to accomplish that?

Andreas




_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users