Hi,
I've done some tests with the UAC module to authenticate to a remote proxy. I've based my config on this example: http://docs.huihoo.com/opensips/tutorials/uac/ar01s06.html (example 9)
I have found that if I send a call from a asterisk via kamailio to my remote proxy the realm the remote proxy uses is the ip-address of the asterisk-server (aaa.bbb.ccc.ddd). Like this:
WWW-Authenticate: Digest nonce="1353399363:8d2317487ee1521328d0e2237e444e2d",algorithm=MD5,realm="aaa.bbb.ccc.ddd",qop="auth",stale=false.
If I have a param like this, the auth works: modparam("uac","credential","username:aaa.bbb.ccc.ddd:password")
But as I would like to use more than one remote proxy (=more than one provider) per asterisk server this needs some more work.
Is there a way to get UAC to ignore the realm from the remote proxy and send the auth anyway?
Alternate paths I've examined: 1. Rewrite from-domain to get the provider to use another realm: modparam("uac","credential","username:example.com:password") uac_replace_from("sip:$fU@example.com");
Works, but I don't think this is a very good solution.
2. Use auth_username_avp / auth_password_avp / auth_realm_avp to feed the uac_auth()-function the right credentials.
modparam("uac","auth_username_avp","$avp(s:uac_user)") modparam("uac","auth_password_avp","$avp(s:uac_pass)") modparam("uac","auth_realm_avp","$avp(s:uac_realm)")
in the failure route: $avp(s:uac_user) = "username"; $avp(s:uac_pass) = "password"; $avp(s:uac_realm) = "aaa.bbb.ccc.ddd";
This works as well, but I would like to either get the realm the remote proxy sends and use it or make uac ignore the realm. The realm is unimportant as we already know what proxy we are talking to.
I've tried $hdr(WWW-Authenticate) but it evaluates to null.
Any ideas how to do this?
Thanks!
20 nov 2012 kl. 10:25 skrev Johan Wilfer lists@jttech.se:
Hi,
I've done some tests with the UAC module to authenticate to a remote proxy. I've based my config on this example: http://docs.huihoo.com/opensips/tutorials/uac/ar01s06.html (example 9)
I have found that if I send a call from a asterisk via kamailio to my remote proxy the realm the remote proxy uses is the ip-address of the asterisk-server (aaa.bbb.ccc.ddd). Like this:
WWW-Authenticate: Digest nonce="1353399363:8d2317487ee1521328d0e2237e444e2d",algorithm=MD5,realm="aaa.bbb.ccc.ddd",qop="auth",stale=false.
If I have a param like this, the auth works: modparam("uac","credential","username:aaa.bbb.ccc.ddd:password")
But as I would like to use more than one remote proxy (=more than one provider) per asterisk server this needs some more work.
Use the realm based authentication in Asterisk. Trying to insert authentication into a dialog will propably cause issues (as documented in the UAC module).
The other side seems to use the From: user domain as a realm. In Asterisk, you can set it with the fromdomain= variable.
/O
Is there a way to get UAC to ignore the realm from the remote proxy and send the auth anyway?
Alternate paths I've examined:
Rewrite from-domain to get the provider to use another realm: modparam("uac","credential","username:example.com:password") uac_replace_from("sip:$fU@example.com");
Works, but I don't think this is a very good solution.
Use auth_username_avp / auth_password_avp / auth_realm_avp to
feed the uac_auth()-function the right credentials.
modparam("uac","auth_username_avp","$avp(s:uac_user)") modparam("uac","auth_password_avp","$avp(s:uac_pass)") modparam("uac","auth_realm_avp","$avp(s:uac_realm)") in the failure route: $avp(s:uac_user) = "username"; $avp(s:uac_pass) = "password"; $avp(s:uac_realm) = "aaa.bbb.ccc.ddd"; This works as well, but I would like to either get the realm the remote proxy sends and use it or make uac ignore the realm. The realm is unimportant as we already know what proxy we are talking to. I've tried $hdr(WWW-Authenticate) but it evaluates to null.Any ideas how to do this?
Thanks!
-- Johan Wilfer
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
2012-11-20 10:43, Olle E. Johansson skrev:
20 nov 2012 kl. 10:25 skrev Johan Wilfer lists@jttech.se:
I've done some tests with the UAC module to authenticate to a remote proxy. I've based my config on this example: http://docs.huihoo.com/opensips/tutorials/uac/ar01s06.html (example 9) But as I would like to use more than one remote proxy (=more than one provider) per asterisk server this needs some more work.
Use the realm based authentication in Asterisk. Trying to insert authentication into a dialog will propably cause issues (as documented in the UAC module).
The other side seems to use the From: user domain as a realm. In Asterisk, you can set it with the fromdomain= variable.
Thanks Olle, I do appreciate the warning..
If I rewrite the from-domain with uac_replace_from this works, but the sip-standard forbids a proxy to do that if I recall correct?
We try to build a central point where our asterisk servers can get incoming and send outgoing calls to without having to care about number format, authentication and what gateway should we use.
The main reason of choosing kamailio was the factor of scalability as we would like to be able to add more asterisk's behind this server over time. Right now we have about 3 asterisk server communicating directly with our teleco's. Any suggestion how we should build this are very appreciated.
-- Johan Wilfer
-
Johan Wilfer -
Olle E. Johansson