So Daniel, as I understand it, the problem is my RADIUS configuration. Another thing is that my ATA is sending the same stuff; I mean, if I change the SIP server to a different one where I installed freeradius with ser, it's working fine.
Daniel, where can I start to fix that problem?
Thank you very much for your time.
On 4/14/05, Daniel-Constantin Mierla daniel@voice-system.ro wrote:
The second REGISTER (block 3) must contain the response to the authentication challenge carried by the 401 reply (block 2). That means that block 3 must contain an Authorization header with authentication credentials computed according to the HTTP-Digest authentication mechanism (RFC2617). Also, see section 22, "Usage of HTTP Authentication", in the SIP RFC3261 for more about user authentication in SIP.
Daniel
On 04/14/05 13:16, Alex wrote:
Sorry Daniel, I didn't get that. I sent 4 blocks here: 1 is the register request, 2 is the reply from the server, 3 is the register request, 4 is the reply from the server. If you can, please point me to the problem, because as I see it the 2 register requests (blocks 1, 3) are the same.
On 4/14/05, Daniel-Constantin Mierla daniel@voice-system.ro wrote:
As you can see, the second REGISTER does not contain the authentication credentials (No Authorization header) in response to 401 reply. So, either you didn't configure the phone to authenticate or the Grandstream HT286 1.0.5.18 is faulty.
Daniel
On 04/14/05 12:35, Alex wrote:
Daniel, thanks. By the way, it's a clean installation of Red Hat Enterprise Linux AS release 3, ser-08.14, freeradius-1.2, radiusclient-4.8.
I am sending ngrep port 5060. I have here 2 register requests and the replies to them.
xxx.xxx.xxx.xxx - sipserverip
telephoneip - ip where the call coming from
Phonenumber - phone number

U telephoneip:10739 -> xxx.xxx.xxx.xxx:5060
REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex" <
sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone..Contact: <sip
:Phonenumber@telephoneip:10000;user=phone>..Call-ID:
1cff1b8955b8fa5c@10.0.0.4..CSeq: 106 REGISTER..Expires:
3600..User-Agent
: Grandstream HT286 1.0.5.18..Max-Forwards: 70..Allow:
INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Lengt
h: 0....
#
U xxx.xxx.xxx.xxx:5060 -> telephoneip:10000
SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex"
sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone;tag=50673f1baca1958c..To:
sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone;tag=b27e1a1d33761e85846fc9
8f5f3a7e58.f894..Call-ID: 1cff1b8955b8fa5c@10.0.0.4..CSeq: 106
REGISTER..WWW-Authenticate: Digest realm="xxx.xxx.xxx.xxx", nonc
e="425e3ac34dc9509392435c11fb260f41420049c7"..Server: Sip EXpress
router (0.8.14 (i386/linux))..Content-Length: 0..Warning: 392
xxx.xxx.xxx.xxx:5060 "Noisy feedback tells: pid=1912
req_src_ip=telephoneip req_src_port=10739 in_uri=sip:xxx.xxx.xxx.xxx
out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....
#

U telephoneip:10740 -> xxx.xxx.xxx.xxx:5060
REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex" <
sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone..Contact: <sip
:Phonenumber@telephoneip:10000;user=phone>..Call-ID:
1cff1b8955b8fa5c@10.0.0.4..CSeq: 106 REGISTER..Expires:
3600..User-Agent
: Grandstream HT286 1.0.5.18..Max-Forwards: 70..Allow:
INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Lengt
h: 0....
#
U xxx.xxx.xxx.xxx:5060 -> telephoneip:10000
SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex"
sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone;tag=50673f1baca1958c..To:
sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone;tag=b27e1a1d33761e85846fc9
8f5f3a7e58.f894..Call-ID: 1cff1b8955b8fa5c@10.0.0.4..CSeq: 106
REGISTER..WWW-Authenticate: Digest realm="xxx.xxx.xxx.xxx", nonc
e="425e3acb812b5b2e8aa023e3fcffc618dc4cf661"..Server: Sip EXpress
router (0.8.14 (i386/linux))..Content-Length: 0..Warning: 392
xxx.xxx.xxx.xxx:5060 "Noisy feedback tells: pid=1885
req_src_ip=telephoneip req_src_port=10740 in_uri=sip:xxx.xxx.xxx.xxx
out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....
#
tell me if you need something else.
On 4/14/05, Daniel-Constantin Mierla daniel@voice-system.ro wrote:
Could you post the network dump with REGISTER/401/REGISTER messages? I will take a look to see if something is wrong.
On 04/14/05 12:16, Alex wrote:
>Digest realm is the same for the register requests.
>furthermore the realm in To tag is correct.

Did you mean To URI instead of To tag?

Daniel

>what else it can be.
>Thanks for any help.
>
>On 4/14/05, Daniel-Constantin Mierla daniel@voice-system.ro wrote:
>
>>Watch the network traffic (ngrep or ethereal on port 5060) and check the
>>realm from 401 is the same as the one from next REGISTER. Also, when
>>you use the empty realm parameter to radius_ww_authorize() and
>>www_challenge(), the realm is taken from To URI.
>>
>>Daniel
>>
>>On 04/14/05 08:08, Alex wrote:
>>
>>>Hi guys maybe someone can find the problem, i still can't see anything
>>>going to radius authentication. (the radius logs are empty)
>>>
>>>the register request is coming but it's not going to authenticate
>>>through the radius.
>>>Any help will be appreciated.
>>>
>>>here is the debug from ser :
>>>---------------------------------------------------------------------------------------------
>>>14(1036) parse_headers: flags=-1
>>>14(1036) check_via_address(62.219.158.191, 62.219.158.191, 1)
>>>14(1036) DEBUG:destroy_avp_list: destroing list (nil)
>>>14(1036) receive_msg: cleaning up
>>>9(1012) SIP Request:
>>>9(1012) method: <REGISTER>
>>>9(1012) uri: sip:xxx.xxx.xxx.xxx
>>>9(1012) version: <SIP/2.0>
>>>9(1012) parse_headers: flags=1
>>>9(1012) Found param type 232, <branch> = <z9hG4bKfc5751413c832e6d>; state=16
>>>9(1012) end of header reached, state=5
>>>9(1012) parse_headers: Via found, flags=1
>>>9(1012) parse_headers: this is the first via
>>>9(1012) After parse_msg...
>>>9(1012) preparing to run routing scripts...
>>>9(1012) REGISTER: Authenticating user
>>>9(1012) parse_headers: flags=4
>>>9(1012) end of header reached, state=9
>>>9(1012) DEBUG: get_hdr_field: <To> [45];
>>>uri=[sip:phonenumber@xxx.xxx.xxx.xxx;user=phone]
>>>9(1012) DEBUG: to body [sip:phonenumber@xxx.xxx.xxx.xxx;user=phone
>>>]
>>>
>>>9(1012) parse_headers: flags=4096
>>>9(1012) get_hdr_field: cseq <CSeq>: <103> <REGISTER>
>>>9(1012) DEBUG: get_hdr_body : content_length=0
>>>9(1012) found end of header
>>>9(1012) pre_auth(): Credentials with given realm not found
>>>9(1012) REGISTER: challenging user
>>>9(1012) build_auth_hf(): 'WWW-Authenticate: Digest
>>>realm="xxx.xxx.xxx.xxx",
>>>nonce="425e063022afc1142ed6730d46da41692ff3ed57"
>>>
>>>_______________________________________________
>>>Serusers mailing list
>>>serusers@lists.iptel.org
>>>http://lists.iptel.org/mailman/listinfo/serusers
Hi!
SER is sending a nonce in its 401 reply. This is the challenge from the SER to the UA. The UA now has to calculate a reply implying his password and the given nonce. The answer has to be added in an Authorization-Header inside the next REGISTER.
The message flow (without RADIUS messages) would look like:
UA                    SER
 |                     |
 | REGISTER w/o Auth   |
 |-------------------->|
 |                     |
 | 401 Unauthorized (with nonce)
 |<--------------------|
 |                     |
 | ACK                 |
 |-------------------->|
 |                     |
 | REGISTER with Auth (calculated from nonce)
 |-------------------->|
 |                     |
 | 200 OK              |
 |<--------------------|
 |                     |
The second register has to have an "Authorization" header, otherwise your client is misconfigured or misbehaving. Test it with another client, e.g. X-Lite (www.xten.com)
Alex Mack
So if the 2nd register has to have an Authorization header, how can I fix it so it will have it? Because if I change the client to use a different server it's working fine. Is there anything I can do on the server side to fix it?
Thanks for any help.
One reason for the UAC to fail to add the Authorization in the second REGISTER is that it's not able to respond to the authentication challenge (for example, the realm in the challenge doesn't match the one set on the phone).
bogdan
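The check the replies in this thread describe, as an added example that is not part of the original messages: it pairs a 401 challenge with the REGISTER that follows and reports whether the retry carries an Authorization header, whether its realm and nonce match the challenge, and (given the password) whether the RFC 2617 response is correct. The host names, user 1000, password, nonce and all function names are constructed for illustration; messages use real CRLF line endings, which ngrep prints as "..".

```python
import hashlib
import re

PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')

def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 response without qop, for a challenge carrying only realm and nonce."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def parse_sip(raw):
    """Return (start line, {lowercased header: value}); folding and compact forms ignored."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def digest_params(value):
    """Parse 'Digest k="v", k2=v2' into a dict; empty if the scheme is not Digest."""
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "digest":
        return {}
    return {k.lower(): quoted or bare for k, quoted, bare in PARAM.findall(rest)}

def check_retry(challenge_raw, retry_raw, password=None):
    """Classify the REGISTER that follows a 401 challenge."""
    status, ch = parse_sip(challenge_raw)
    request, rt = parse_sip(retry_raw)
    if status.split()[1:2] != ["401"]:
        return "not-a-challenge"
    if ch.get("call-id") != rt.get("call-id"):
        return "different-call-id"
    want = digest_params(ch.get("www-authenticate", ""))
    got = digest_params(rt.get("authorization", ""))
    if not got:
        return "no-authorization"      # retry identical to the first REGISTER
    if got.get("realm") != want.get("realm"):
        return "realm-mismatch"        # phone configured for another realm
    if got.get("nonce") != want.get("nonce"):
        return "nonce-mismatch"        # answer to some other challenge
    if password is not None:
        expected = digest_response(got.get("username", ""), got.get("realm", ""), password,
                                   request.split()[0], got.get("uri", ""), got.get("nonce", ""))
        if expected != got.get("response", "").lower():
            return "bad-response"      # wrong password, or wrong uri/method in the hash
    return "ok"

# Constructed sample traffic (not from the thread): user 1000, password "s3cret".
REALM, URI = "sip.example.test", "sip:sip.example.test"
NONCE = "0123456789abcdef0123456789abcdef01234567"
CALL_ID = "Call-ID: constructed-call-id@192.0.2.10"
CHALLENGE = "\r\n".join(["SIP/2.0 401 Unauthorized", CALL_ID, "CSeq: 1 REGISTER",
                         f'WWW-Authenticate: Digest realm="{REALM}", nonce="{NONCE}"',
                         "Content-Length: 0", "", ""])

def register(auth=None):
    """Build a constructed REGISTER, optionally with an Authorization header."""
    lines = [f"REGISTER {URI} SIP/2.0", "To: <sip:1000@sip.example.test>",
             CALL_ID, "CSeq: 2 REGISTER"]
    if auth:
        lines.append("Authorization: " + auth)
    return "\r\n".join(lines + ["Content-Length: 0", "", ""])

def auth_header(realm, password):
    """What a correctly behaving UA would send for the given realm and password."""
    resp = digest_response("1000", realm, password, "REGISTER", URI, NONCE)
    return (f'Digest username="1000", realm="{realm}", nonce="{NONCE}", '
            f'uri="{URI}", response="{resp}"')

if __name__ == "__main__":
    print(check_retry(CHALLENGE, register()))
    print(check_retry(CHALLENGE, register(auth_header(REALM, "s3cret")), "s3cret"))
    print(check_retry(CHALLENGE, register(auth_header("pbx.example.test", "s3cret")), "s3cret"))
    print(check_retry(CHALLENGE, register(auth_header(REALM, "wrong")), "s3cret"))
```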