14 Apr
2005
14 Apr
'05
8:02 a.m.
So Daniel like i understand the problem is my radius configuration,
another thing is that my ATA sending the same stuff, i mean if i will
change the sip server to different one where i installed freeradius
with ser it's working fine.
Daniel where i can start to fix that problem.?
Thank you very much for your time.
On 4/14/05, Alex <alexandergav(a)gmail.com> wrote:
So Daniel like i understand the problem is my radius
configuration,
another thing is that my ATA sending the same stuff, i mean if i will
change the sip server to different one where i installed freeradius
with ser it's working fine.
Daniel where i can start to fix that problem.?
Thank you very much for your time.
On 4/14/05, Daniel-Constantin Mierla <daniel(a)voice-system.ro> wrote:
The second REGISTER (the block 3) must contains
the response to the
authentication challenge carried by 401 reply (block 2). That means that
the block 3 must contain an Authorization header with authentication
credentials computed according to HTTP-Digest authentication mechanism
(RFC2617). Also, see the section 22.Usage of HTTP Authentication in SIP
RFC3261 for more about user authentication in SIP.
Daniel
On 04/14/05 13:16, Alex wrote:
Sorry Daniel , i didn't get that, I send here
4 blocks, 1 one is the
register request the 2 is the reply from the server, 3 is the register
request, 4 is the reply from the server. If you can please point me to
the problem. Because like i see the 2 register requests (1,3 blocks)
are the same.
On 4/14/05, Daniel-Constantin Mierla <daniel(a)voice-system.ro> wrote:
As you can see, the second REGISTER does not
contain the authentication
credentials (No Authorization header) in response to 401 reply. So,
either you didn't configure the phone to authenticate or the Grandstream
HT286 1.0.5.18 is faulty.
Daniel
On 04/14/05 12:35, Alex wrote:
>Daniel thanks
>btw it's clean installation of Red Hat Enterprise Linux AS release 3
>ser-08.14 , freeradius-1.2 , radiusclient-4.8
>
>i am sending ngrep port 5060
>i have here 2 requests of register and the replies to register.
>
>
>xxx.xxx.xxx.xxx - sipserverip
>telephoneip - ip where the call coming from
>Phonenumber - phone number
>
>--------------------------------------------------------------------------------------------------
>
>U telephoneip:10739 -> xxx.xxx.xxx.xxx:5060
> REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex" <
> sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>..Contact: <sip
> :Phonenumber@telephoneip:10000;user=phone>..Call-ID:
>1cff1b8955b8fa5c@10.0.0.4..CSeq: 106 REGISTER..Expires:
>3600..User-Agent
> : Grandstream HT286 1.0.5.18..Max-Forwards: 70..Allow:
>INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Lengt
> h: 0....
>#
>U xxx.xxx.xxx.xxx:5060 -> telephoneip:10000
> SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex"
><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=b27e1a1d33761e85846fc9
> 8f5f3a7e58.f894..Call-ID: 1cff1b8955b8fa5c@10.0.0.4..CSeq: 106
>REGISTER..WWW-Authenticate: Digest realm="xxx.xxx.xxx.xxx", nonc
> e="425e3ac34dc9509392435c11fb260f41420049c7"..Server: Sip EXpress
>router (0.8.14 (i386/linux))..Content-Length: 0..Warning: 392
> xxx.xxx.xxx.xxx:5060 "Noisy feedback tells: pid=1912
>req_src_ip=telephoneip req_src_port=10739 in_uri=sip:xxx.xxx.xxx.xxx
> out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....
>#
>
>U telephoneip:10740 -> xxx.xxx.xxx.xxx:5060
> REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex" <
> sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>..Contact: <sip
> :Phonenumber@telephoneip:10000;user=phone>..Call-ID:
>1cff1b8955b8fa5c@10.0.0.4..CSeq: 106 REGISTER..Expires:
>3600..User-Agent
> : Grandstream HT286 1.0.5.18..Max-Forwards: 70..Allow:
>INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Lengt
> h: 0....
>#
>U xxx.xxx.xxx.xxx:5060 -> telephoneip:10000
> SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex"
><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=b27e1a1d33761e85846fc9
> 8f5f3a7e58.f894..Call-ID: 1cff1b8955b8fa5c@10.0.0.4..CSeq: 106
>REGISTER..WWW-Authenticate: Digest realm="xxx.xxx.xxx.xxx", nonc
> e="425e3acb812b5b2e8aa023e3fcffc618dc4cf661"..Server: Sip EXpress
>router (0.8.14 (i386/linux))..Content-Length: 0..Warning: 392
> xxx.xxx.xxx.xxx:5060 "Noisy feedback tells: pid=1885
>req_src_ip=telephoneip req_src_port=10740 in_uri=sip:xxx.xxx.xxx.xxx
> out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....
>#
>
>
>tell me if you need something else.
>
>
>On 4/14/05, Daniel-Constantin Mierla <daniel(a)voice-system.ro> wrote:
>
>
>
>
>>Could you post the network dump with REGISTER/401/REGISTER messages? I
>>will take a look to see if something is wrong.
>>
>>
>>On 04/14/05 12:16, Alex wrote:
>>
>>
>>
>>
>>
>>>Digest realm is the same for the register requests.
>>>furthermore the realm in To tag is correct.
>>>
>>>
>>>
>>>
>>>
>>>
>>Did you mean To URI instead of To tag?
>>
>>Daniel
>>
>>
>>
>>
>>
>>>what else it can be.
>>>Thanks for any help.
>>>
>>>On 4/14/05, Daniel-Constantin Mierla <daniel(a)voice-system.ro> wrote:
>>>
>>>
>>>
>>>
>>>
>>>
>>>>Watch the network traffic (ngrep or ethereal on port 5060) and check the
>>>>realm from 401 is the same as the one from next REGISTER. Also, when
>>>>you use the empty realm parameter to radius_ww_authorize() and
>>>>www_challenge(), the realm is taken from To URI.
>>>>
>>>>Daniel
>>>>
>>>>
>>>>On 04/14/05 08:08, Alex wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>Hi guys maybe someone can find the problem, i still can't see
anything
>>>>>going to radius authentication. (the radius logs are empty)
>>>>>
>>>>>the register request is coming but it's not going to authenticate
>>>>>through the radius.
>>>>>Any help will be appreciated.
>>>>>
>>>>>here is the debug from ser :
>>>>>---------------------------------------------------------------------------------------------
>>>>>14(1036) parse_headers: flags=-1
>>>>>14(1036) check_via_address(62.219.158.191, 62.219.158.191, 1)
>>>>>14(1036) DEBUG:destroy_avp_list: destroing list (nil)
>>>>>14(1036) receive_msg: cleaning up
>>>>>9(1012) SIP Request:
>>>>>9(1012) method: <REGISTER>
>>>>>9(1012) uri: <sip:xxx.xxx.xxx.xxx>
>>>>>9(1012) version: <SIP/2.0>
>>>>>9(1012) parse_headers: flags=1
>>>>>9(1012) Found param type 232, <branch> =
<z9hG4bKfc5751413c832e6d>; state=16
>>>>>9(1012) end of header reached, state=5
>>>>>9(1012) parse_headers: Via found, flags=1
>>>>>9(1012) parse_headers: this is the first via
>>>>>9(1012) After parse_msg...
>>>>>9(1012) preparing to run routing scripts...
>>>>>9(1012) REGISTER: Authenticating user
>>>>>9(1012) parse_headers: flags=4
>>>>>9(1012) end of header reached, state=9
>>>>>9(1012) DEBUG: get_hdr_field: <To> [45];
>>>>>uri=[sip:phonenumber@xxx.xxx.xxx.xxx;user=phone]
>>>>>9(1012) DEBUG: to body
[<sip:phonenumber@xxx.xxx.xxx.xxx;user=phone>
>>>>>]
>>>>>
>>>>>9(1012) parse_headers: flags=4096
>>>>>9(1012) get_hdr_field: cseq <CSeq>: <103>
<REGISTER>
>>>>>9(1012) DEBUG: get_hdr_body : content_length=0
>>>>>9(1012) found end of header
>>>>>9(1012) pre_auth(): Credentials with given realm not found
>>>>>9(1012) REGISTER: challenging user
>>>>>9(1012) build_auth_hf(): 'WWW-Authenticate: Digest
>>>>>realm="xxx.xxx.xxx.xxx",
>>>>>nonce="425e063022afc1142ed6730d46da41692ff3ed57"
>>>>>
>>>>>_______________________________________________
>>>>>Serusers mailing list
>>>>>serusers(a)lists.iptel.org
>>>>>http://lists.iptel.org/mailman/listinfo/serusers
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>
>>>
>>>
>
>
>
14 Apr
14 Apr
9:38 a.m.
New subject: [Serusers] Credentials with given realm not found
Hi!
SER is sending a nonce in its 401 reply. This is the challenge from the
SER to the UA.
The UA now has to calculate a reply implying his password and the given
nonce. The answer has to be added in an Authorization-Header inside the
next REGISTER.
The message flow (without RADIUS messages) would look like:
UA SER
| |
| REGISTER w/o Auth |
|-------------------->|
| |
| 401 Unauthorized (with nonce)
|<--------------------|
| |
| ACK |
|-------------------->|
| |
| REGISTER with Auth (calculated from nonce)
|-------------------->|
| |
| 200 OK |
|<--------------------|
| |
The second register has to have an "Authorization" header, otherwise
your client is misconfigured or misbehaving. Test it with another
client, e.g. X-Lite (www.xten.com)
Alex Mack
Alex schrieb:
So Daniel like i understand the problem is my radius
configuration,
another thing is that my ATA sending the same stuff, i mean if i will
change the sip server to different one where i installed freeradius
with ser it's working fine.
Daniel where i can start to fix that problem.?
Thank you very much for your time.
On 4/14/05, Alex <alexandergav(a)gmail.com> wrote:
So Daniel like i understand the problem is my
radius configuration,
another thing is that my ATA sending the same stuff, i mean if i will
change the sip server to different one where i installed freeradius
with ser it's working fine.
Daniel where i can start to fix that problem.?
Thank you very much for your time.
On 4/14/05, Daniel-Constantin Mierla <daniel(a)voice-system.ro> wrote:
>The second REGISTER (the block 3) must contains the response to the
>authentication challenge carried by 401 reply (block 2). That means that
>the block 3 must contain an Authorization header with authentication
>credentials computed according to HTTP-Digest authentication mechanism
>(RFC2617). Also, see the section 22.Usage of HTTP Authentication in SIP
>RFC3261 for more about user authentication in SIP.
>
>Daniel
>
>On 04/14/05 13:16, Alex wrote:
>
>
>
>>Sorry Daniel , i didn't get that, I send here 4 blocks, 1 one is the
>>register request the 2 is the reply from the server, 3 is the register
>>request, 4 is the reply from the server. If you can please point me to
>>the problem. Because like i see the 2 register requests (1,3 blocks)
>>are the same.
>>
>>
>>On 4/14/05, Daniel-Constantin Mierla <daniel(a)voice-system.ro> wrote:
>>
>>
>>
>>
>>>As you can see, the second REGISTER does not contain the authentication
>>>credentials (No Authorization header) in response to 401 reply. So,
>>>either you didn't configure the phone to authenticate or the Grandstream
>>>HT286 1.0.5.18 is faulty.
>>>
>>>Daniel
>>>
>>>
>>>On 04/14/05 12:35, Alex wrote:
>>>
>>>
>>>
>>>
>>>
>>>>Daniel thanks
>>>>btw it's clean installation of Red Hat Enterprise Linux AS release 3
>>>>ser-08.14 , freeradius-1.2 , radiusclient-4.8
>>>>
>>>>i am sending ngrep port 5060
>>>>i have here 2 requests of register and the replies to register.
>>>>
>>>>
>>>>xxx.xxx.xxx.xxx - sipserverip
>>>>telephoneip - ip where the call coming from
>>>>Phonenumber - phone number
>>>>
>>>>--------------------------------------------------------------------------------------------------
>>>>
>>>>U telephoneip:10739 -> xxx.xxx.xxx.xxx:5060
>>>>REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test
Alex" <
>>>>sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
>>>><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>..Contact: <sip
>>>>:Phonenumber@telephoneip:10000;user=phone>..Call-ID:
>>>>1cff1b8955b8fa5c@10.0.0.4..CSeq: 106 REGISTER..Expires:
>>>>3600..User-Agent
>>>>: Grandstream HT286 1.0.5.18..Max-Forwards: 70..Allow:
>>>>INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Lengt
>>>>h: 0....
>>>>#
>>>>U xxx.xxx.xxx.xxx:5060 -> telephoneip:10000
>>>>SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test
Alex"
>>>><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
>>>><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=b27e1a1d33761e85846fc9
>>>>8f5f3a7e58.f894..Call-ID: 1cff1b8955b8fa5c@10.0.0.4..CSeq: 106
>>>>REGISTER..WWW-Authenticate: Digest realm="xxx.xxx.xxx.xxx",
nonc
>>>>e="425e3ac34dc9509392435c11fb260f41420049c7"..Server: Sip
EXpress
>>>>router (0.8.14 (i386/linux))..Content-Length: 0..Warning: 392
>>>> xxx.xxx.xxx.xxx:5060 "Noisy feedback tells: pid=1912
>>>>req_src_ip=telephoneip req_src_port=10739 in_uri=sip:xxx.xxx.xxx.xxx
>>>>out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....
>>>>#
>>>>
>>>>U telephoneip:10740 -> xxx.xxx.xxx.xxx:5060
>>>>REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test
Alex" <
>>>>sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
>>>><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>..Contact: <sip
>>>>:Phonenumber@telephoneip:10000;user=phone>..Call-ID:
>>>>1cff1b8955b8fa5c@10.0.0.4..CSeq: 106 REGISTER..Expires:
>>>>3600..User-Agent
>>>>: Grandstream HT286 1.0.5.18..Max-Forwards: 70..Allow:
>>>>INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Lengt
>>>>h: 0....
>>>>#
>>>>U xxx.xxx.xxx.xxx:5060 -> telephoneip:10000
>>>>SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test
Alex"
>>>><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
>>>><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=b27e1a1d33761e85846fc9
>>>>8f5f3a7e58.f894..Call-ID: 1cff1b8955b8fa5c@10.0.0.4..CSeq: 106
>>>>REGISTER..WWW-Authenticate: Digest realm="xxx.xxx.xxx.xxx",
nonc
>>>>e="425e3acb812b5b2e8aa023e3fcffc618dc4cf661"..Server: Sip
EXpress
>>>>router (0.8.14 (i386/linux))..Content-Length: 0..Warning: 392
>>>> xxx.xxx.xxx.xxx:5060 "Noisy feedback tells: pid=1885
>>>>req_src_ip=telephoneip req_src_port=10740 in_uri=sip:xxx.xxx.xxx.xxx
>>>>out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....
>>>>#
>>>>
>>>>
>>>>tell me if you need something else.
>>>>
>>>>
>>>>On 4/14/05, Daniel-Constantin Mierla <daniel(a)voice-system.ro>
wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>Could you post the network dump with REGISTER/401/REGISTER messages?
I
>>>>>will take a look to see if something is wrong.
>>>>>
>>>>>
>>>>>On 04/14/05 12:16, Alex wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>Digest realm is the same for the register requests.
>>>>>>furthermore the realm in To tag is correct.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>Did you mean To URI instead of To tag?
>>>>>
>>>>>Daniel
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>what else it can be.
>>>>>>Thanks for any help.
>>>>>>
>>>>>>On 4/14/05, Daniel-Constantin Mierla
<daniel(a)voice-system.ro> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>Watch the network traffic (ngrep or ethereal on port 5060) and
check the
>>>>>>>realm from 401 is the same as the one from next REGISTER.
Also, when
>>>>>>>you use the empty realm parameter to radius_ww_authorize()
and
>>>>>>>www_challenge(), the realm is taken from To URI.
>>>>>>>
>>>>>>>Daniel
>>>>>>>
>>>>>>>
>>>>>>>On 04/14/05 08:08, Alex wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>Hi guys maybe someone can find the problem, i still
can't see anything
>>>>>>>>going to radius authentication. (the radius logs are
empty)
>>>>>>>>
>>>>>>>>the register request is coming but it's not going to
authenticate
>>>>>>>>through the radius.
>>>>>>>>Any help will be appreciated.
>>>>>>>>
>>>>>>>>here is the debug from ser :
>>>>>>>>---------------------------------------------------------------------------------------------
>>>>>>>>14(1036) parse_headers: flags=-1
>>>>>>>>14(1036) check_via_address(62.219.158.191, 62.219.158.191,
1)
>>>>>>>>14(1036) DEBUG:destroy_avp_list: destroing list (nil)
>>>>>>>>14(1036) receive_msg: cleaning up
>>>>>>>>9(1012) SIP Request:
>>>>>>>>9(1012) method: <REGISTER>
>>>>>>>>9(1012) uri: <sip:xxx.xxx.xxx.xxx>
>>>>>>>>9(1012) version: <SIP/2.0>
>>>>>>>>9(1012) parse_headers: flags=1
>>>>>>>>9(1012) Found param type 232, <branch> =
<z9hG4bKfc5751413c832e6d>; state=16
>>>>>>>>9(1012) end of header reached, state=5
>>>>>>>>9(1012) parse_headers: Via found, flags=1
>>>>>>>>9(1012) parse_headers: this is the first via
>>>>>>>>9(1012) After parse_msg...
>>>>>>>>9(1012) preparing to run routing scripts...
>>>>>>>>9(1012) REGISTER: Authenticating user
>>>>>>>>9(1012) parse_headers: flags=4
>>>>>>>>9(1012) end of header reached, state=9
>>>>>>>>9(1012) DEBUG: get_hdr_field: <To> [45];
>>>>>>>>uri=[sip:phonenumber@xxx.xxx.xxx.xxx;user=phone]
>>>>>>>>9(1012) DEBUG: to body
[<sip:phonenumber@xxx.xxx.xxx.xxx;user=phone>
>>>>>>>>]
>>>>>>>>
>>>>>>>>9(1012) parse_headers: flags=4096
>>>>>>>>9(1012) get_hdr_field: cseq <CSeq>: <103>
<REGISTER>
>>>>>>>>9(1012) DEBUG: get_hdr_body : content_length=0
>>>>>>>>9(1012) found end of header
>>>>>>>>9(1012) pre_auth(): Credentials with given realm not
found
>>>>>>>>9(1012) REGISTER: challenging user
>>>>>>>>9(1012) build_auth_hf(): 'WWW-Authenticate: Digest
>>>>>>>>realm="xxx.xxx.xxx.xxx",
>>>>>>>>nonce="425e063022afc1142ed6730d46da41692ff3ed57"
>>>>>>>>
>>>>>>>>_______________________________________________
>>>>>>>>Serusers mailing list
>>>>>>>>serusers(a)lists.iptel.org
>>>>>>>>http://lists.iptel.org/mailman/listinfo/serusers
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>>>
>>
>>
>>
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
16 Apr
16 Apr
3:23 a.m.
New subject: [Serusers] Credentials with given realm not found
so if the 2-nd register has to have Authorization header , how i can
fix it so it will have it, because if i change the client to use
different server it's working fine.
If there any thing i can do on the server side to fix it ??
Thanks for any help.
On 4/14/05, Alex Mack <amack(a)fhm.edu> wrote:
Hi!
SER is sending a nonce in its 401 reply. This is the challenge from the
SER to the UA.
The UA now has to calculate a reply implying his password and the given
nonce. The answer has to be added in an Authorization-Header inside the
next REGISTER.
The message flow (without RADIUS messages) would look like:
UA SER
| |
| REGISTER w/o Auth |
|-------------------->|
| |
| 401 Unauthorized (with nonce)
|<--------------------|
| |
| ACK |
|-------------------->|
| |
| REGISTER with Auth (calculated from nonce)
|-------------------->|
| |
| 200 OK |
|<--------------------|
| |
The second register has to have an "Authorization" header, otherwise
your client is misconfigured or misbehaving. Test it with another
client, e.g. X-Lite (www.xten.com)
Alex Mack
Alex schrieb:
So Daniel like i understand the problem is my
radius configuration,
another thing is that my ATA sending the same stuff, i mean if i will
change the sip server to different one where i installed freeradius
with ser it's working fine.
Daniel where i can start to fix that problem.?
Thank you very much for your time.
On 4/14/05, Alex <alexandergav(a)gmail.com> wrote:
So Daniel like i understand the problem is my
radius configuration,
another thing is that my ATA sending the same stuff, i mean if i will
change the sip server to different one where i installed freeradius
with ser it's working fine.
Daniel where i can start to fix that problem.?
Thank you very much for your time.
On 4/14/05, Daniel-Constantin Mierla <daniel(a)voice-system.ro> wrote:
>The second REGISTER (the block 3) must contains the response to the
>authentication challenge carried by 401 reply (block 2). That means that
>the block 3 must contain an Authorization header with authentication
>credentials computed according to HTTP-Digest authentication mechanism
>(RFC2617). Also, see the section 22.Usage of HTTP Authentication in SIP
>RFC3261 for more about user authentication in SIP.
>
>Daniel
>
>On 04/14/05 13:16, Alex wrote:
>
>
>
>>Sorry Daniel , i didn't get that, I send here 4 blocks, 1 one is the
>>register request the 2 is the reply from the server, 3 is the register
>>request, 4 is the reply from the server. If you can please point me to
>>the problem. Because like i see the 2 register requests (1,3 blocks)
>>are the same.
>>
>>
>>On 4/14/05, Daniel-Constantin Mierla <daniel(a)voice-system.ro> wrote:
>>
>>
>>
>>
>>>As you can see, the second REGISTER does not contain the authentication
>>>credentials (No Authorization header) in response to 401 reply. So,
>>>either you didn't configure the phone to authenticate or the Grandstream
>>>HT286 1.0.5.18 is faulty.
>>>
>>>Daniel
>>>
>>>
>>>On 04/14/05 12:35, Alex wrote:
>>>
>>>
>>>
>>>
>>>
>>>>Daniel thanks
>>>>btw it's clean installation of Red Hat Enterprise Linux AS release 3
>>>>ser-08.14 , freeradius-1.2 , radiusclient-4.8
>>>>
>>>>i am sending ngrep port 5060
>>>>i have here 2 requests of register and the replies to register.
>>>>
>>>>
>>>>xxx.xxx.xxx.xxx - sipserverip
>>>>telephoneip - ip where the call coming from
>>>>Phonenumber - phone number
>>>>
>>>>--------------------------------------------------------------------------------------------------
>>>>
>>>>U telephoneip:10739 -> xxx.xxx.xxx.xxx:5060
>>>>REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test
Alex" <
>>>>sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
>>>><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>..Contact: <sip
>>>>:Phonenumber@telephoneip:10000;user=phone>..Call-ID:
>>>>1cff1b8955b8fa5c@10.0.0.4..CSeq: 106 REGISTER..Expires:
>>>>3600..User-Agent
>>>>: Grandstream HT286 1.0.5.18..Max-Forwards: 70..Allow:
>>>>INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Lengt
>>>>h: 0....
>>>>#
>>>>U xxx.xxx.xxx.xxx:5060 -> telephoneip:10000
>>>>SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test
Alex"
>>>><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
>>>><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=b27e1a1d33761e85846fc9
>>>>8f5f3a7e58.f894..Call-ID: 1cff1b8955b8fa5c@10.0.0.4..CSeq: 106
>>>>REGISTER..WWW-Authenticate: Digest realm="xxx.xxx.xxx.xxx",
nonc
>>>>e="425e3ac34dc9509392435c11fb260f41420049c7"..Server: Sip
EXpress
>>>>router (0.8.14 (i386/linux))..Content-Length: 0..Warning: 392
>>>> xxx.xxx.xxx.xxx:5060 "Noisy feedback tells: pid=1912
>>>>req_src_ip=telephoneip req_src_port=10739 in_uri=sip:xxx.xxx.xxx.xxx
>>>>out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....
>>>>#
>>>>
>>>>U telephoneip:10740 -> xxx.xxx.xxx.xxx:5060
>>>>REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test
Alex" <
>>>>sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
>>>><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>..Contact: <sip
>>>>:Phonenumber@telephoneip:10000;user=phone>..Call-ID:
>>>>1cff1b8955b8fa5c@10.0.0.4..CSeq: 106 REGISTER..Expires:
>>>>3600..User-Agent
>>>>: Grandstream HT286 1.0.5.18..Max-Forwards: 70..Allow:
>>>>INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Lengt
>>>>h: 0....
>>>>#
>>>>U xxx.xxx.xxx.xxx:5060 -> telephoneip:10000
>>>>SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test
Alex"
>>>><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
>>>><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=b27e1a1d33761e85846fc9
>>>>8f5f3a7e58.f894..Call-ID: 1cff1b8955b8fa5c@10.0.0.4..CSeq: 106
>>>>REGISTER..WWW-Authenticate: Digest realm="xxx.xxx.xxx.xxx",
nonc
>>>>e="425e3acb812b5b2e8aa023e3fcffc618dc4cf661"..Server: Sip
EXpress
>>>>router (0.8.14 (i386/linux))..Content-Length: 0..Warning: 392
>>>> xxx.xxx.xxx.xxx:5060 "Noisy feedback tells: pid=1885
>>>>req_src_ip=telephoneip req_src_port=10740 in_uri=sip:xxx.xxx.xxx.xxx
>>>>out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....
>>>>#
>>>>
>>>>
>>>>tell me if you need something else.
>>>>
>>>>
>>>>On 4/14/05, Daniel-Constantin Mierla <daniel(a)voice-system.ro>
wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>Could you post the network dump with REGISTER/401/REGISTER messages?
I
>>>>>will take a look to see if something is wrong.
>>>>>
>>>>>
>>>>>On 04/14/05 12:16, Alex wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>Digest realm is the same for the register requests.
>>>>>>furthermore the realm in To tag is correct.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>Did you mean To URI instead of To tag?
>>>>>
>>>>>Daniel
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>what else it can be.
>>>>>>Thanks for any help.
>>>>>>
>>>>>>On 4/14/05, Daniel-Constantin Mierla
<daniel(a)voice-system.ro> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>Watch the network traffic (ngrep or ethereal on port 5060) and
check the
>>>>>>>realm from 401 is the same as the one from next REGISTER.
Also, when
>>>>>>>you use the empty realm parameter to radius_ww_authorize()
and
>>>>>>>www_challenge(), the realm is taken from To URI.
>>>>>>>
>>>>>>>Daniel
>>>>>>>
>>>>>>>
>>>>>>>On 04/14/05 08:08, Alex wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>Hi guys maybe someone can find the problem, i still
can't see anything
>>>>>>>>going to radius authentication. (the radius logs are
empty)
>>>>>>>>
>>>>>>>>the register request is coming but it's not going to
authenticate
>>>>>>>>through the radius.
>>>>>>>>Any help will be appreciated.
>>>>>>>>
>>>>>>>>here is the debug from ser :
>>>>>>>>---------------------------------------------------------------------------------------------
>>>>>>>>14(1036) parse_headers: flags=-1
>>>>>>>>14(1036) check_via_address(62.219.158.191, 62.219.158.191,
1)
>>>>>>>>14(1036) DEBUG:destroy_avp_list: destroing list (nil)
>>>>>>>>14(1036) receive_msg: cleaning up
>>>>>>>>9(1012) SIP Request:
>>>>>>>>9(1012) method: <REGISTER>
>>>>>>>>9(1012) uri: <sip:xxx.xxx.xxx.xxx>
>>>>>>>>9(1012) version: <SIP/2.0>
>>>>>>>>9(1012) parse_headers: flags=1
>>>>>>>>9(1012) Found param type 232, <branch> =
<z9hG4bKfc5751413c832e6d>; state=16
>>>>>>>>9(1012) end of header reached, state=5
>>>>>>>>9(1012) parse_headers: Via found, flags=1
>>>>>>>>9(1012) parse_headers: this is the first via
>>>>>>>>9(1012) After parse_msg...
>>>>>>>>9(1012) preparing to run routing scripts...
>>>>>>>>9(1012) REGISTER: Authenticating user
>>>>>>>>9(1012) parse_headers: flags=4
>>>>>>>>9(1012) end of header reached, state=9
>>>>>>>>9(1012) DEBUG: get_hdr_field: <To> [45];
>>>>>>>>uri=[sip:phonenumber@xxx.xxx.xxx.xxx;user=phone]
>>>>>>>>9(1012) DEBUG: to body
[<sip:phonenumber@xxx.xxx.xxx.xxx;user=phone>
>>>>>>>>]
>>>>>>>>
>>>>>>>>9(1012) parse_headers: flags=4096
>>>>>>>>9(1012) get_hdr_field: cseq <CSeq>: <103>
<REGISTER>
>>>>>>>>9(1012) DEBUG: get_hdr_body : content_length=0
>>>>>>>>9(1012) found end of header
>>>>>>>>9(1012) pre_auth(): Credentials with given realm not
found
>>>>>>>>9(1012) REGISTER: challenging user
>>>>>>>>9(1012) build_auth_hf(): 'WWW-Authenticate: Digest
>>>>>>>>realm="xxx.xxx.xxx.xxx",
>>>>>>>>nonce="425e063022afc1142ed6730d46da41692ff3ed57"
>>>>>>>>
>>>>>>>>_______________________________________________
>>>>>>>>Serusers mailing list
>>>>>>>>serusers(a)lists.iptel.org
>>>>>>>>http://lists.iptel.org/mailman/listinfo/serusers
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>>>
>>
>>
>>
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
19 Apr
19 Apr
3:58 a.m.
New subject: [Serusers] Credentials with given realm not found
one reason for the UAC to fail to add the Authorization in the second
REGISTER is because it's not able to respond to the authentication
challenge (for example, the realm in challenge doesn't match the one set
on the phone).
bogdan
Alex wrote:
so if the 2-nd register has to have Authorization
header , how i can
fix it so it will have it, because if i change the client to use
different server it's working fine.
If there any thing i can do on the server side to fix it ??
Thanks for any help.
7094
days inactive
7099
days old
3 comments
3 participants
participants (3)
-
Alex -
Alex Mack -
Bogdan-Andrei Iancu