Hello
I'm using Kamailio 5.0.1
With the UACREG module, I am registering to a remote provider. Register goes out, 401 back, Register goes out with nonce & co, OK
Later, when I send an invite, the provider issues a 401 Unauthorized. I guess it expects me to resubmit an INVITE with the authentication data, but I don't see how to do that.
Any help would be appreciated!
J.
On Tue, Sep 26, 2017 at 09:08:26AM -0400, Jean Cérien wrote:
> With the UACREG module, I am registering to a remote provider. Register goes out, 401 back, Register goes out with nonce & co, OK
> Later, when I send an invite, the provider issues a 401 Unauthorized. I guess it expects me to resubmit an INVITE with the authentication data, but I don't see how to do that.

Are you saying the 401 doesn't contain a challenge? Otherwise you should just use uac_auth() (just like you probably already do for the REGISTER); the following URL contains an example for an INVITE: https://www.kamailio.org/docs/modules/stable/modules/uac.html#uac.f.uac_auth
Thanks Daniel for your usual help, it is really appreciated !
I've inserted the following block on the failure route:

    if (t_check_status("401|407")) {
        xlog("L_INFO","failure_route(ROUTEFAIL) @@ call to uac_auth()\n");
        uac_auth();
        t_relay();
        exit;
    }

Logs show:

    Sep 26 15:29:08 kamailio /usr/sbin/kamailio[108044]: INFO: <script>: failure_route(ROUTEFAIL) @@ call to uac_auth()
    Sep 26 15:29:08 kamailio /usr/sbin/kamailio[108044]: ERROR: tm [t_fwd.c:1723]: t_forward_nonack(): no branches for forwarding
    Sep 26 15:29:08 kamailio /usr/sbin/kamailio[108044]: ERROR: tm [tm.c:1433]: _w_t_relay_to(): t_forward_noack failed

Here is the 401 received - to me, there is the challenge:

    2017/09/26 15:32:16.410800 pro.vid.er.ip:5060 -> my.kam.ailio.ip:5060
    SIP/2.0 401 Unauthorized
    Via: SIP/2.0/UDP my.kam.ailio.ip;branch=z9hG4bK2edf.049073b8bcb252b5f7b5e6fffcd8b498.0;received= my.kam.ailio.ip;rport=5060
    Via: SIP/2.0/UDP 46.105.145.36:5060;branch=z9hG4bK53167350
    From: sip:0600000000@46.105.145.36;tag=as6fb1c402
    To: <sip:100622222222@ my.kam.ailio.ip>;tag=as61ddd570
    Call-ID: 242842785528c07b7fd56dc660b8c377@my.asterisk.ip:5060
    CSeq: 102 INVITE
    Server: OpenVoice-8
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
    Supported: replaces
    WWW-Authenticate: Digest algorithm=MD5, realm="sip8.voip-centrex.net", nonce="6b04a972"
    Content-Length: 0

On Tue, Sep 26, 2017 at 9:27 AM, Daniel Tryba d.tryba@pocos.nl wrote:
> On Tue, Sep 26, 2017 at 09:08:26AM -0400, Jean Cérien wrote:
> > With the UACREG module, I am registering to a remote provider. Register goes out, 401 back, Register goes out with nonce & co, OK
> > Later, when I send an invite, the provider issues an 401 Unauthorized. I guess it expects me to resubmit an INVITE with the authentication data, but I dont see how to do that.
>
> Are you saying the 401 doesn't contain a challenge? Otherwise you should just use uac_auth() (just like you probably already do for the REGISTER), following URL contains an example for an INVITE: https://www.kamailio.org/docs/modules/stable/modules/uac.html#uac.f.uac_auth

Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
On Tue, Sep 26, 2017 at 09:36:19AM -0400, Jean Cérien wrote:
> I've inserted the following block on the failure route:
>
>     if (t_check_status("401|407")) {
>         xlog("L_INFO","failure_route(ROUTEFAIL) @@ call to uac_auth()\n");
>         uac_auth();
>         t_relay();
>         exit;
>     }

Unlike when calling uac_reg_request_to, you'll have to fill the auth_*_avp pvs yourself. So in the example you have to fill $avp(auser) and $avp(apass).

    modparam("uac","auth_username_avp","$avp(auser)")
    modparam("uac","auth_password_avp","$avp(apass)")
    modparam("uac","auth_realm_avp","$avp(arealm)")
    ...
    if(t_check_status("401|407")) {
        $avp(auser) = "test";
        $avp(apass) = "test";
        uac_auth();
        t_relay();
        exit;
    }

So next problem is how to get those credentials. You already know the user making the call. So either have a custom query to a custom table (sqlops/avpops) to retrieve the external user/pass for current user, or try to store that information with the subscriber data (saw some suggestions for this a while back on the list).
Thanks - I've made some progress - I've temporarily hard-coded the user, pass & realm, and authentication goes out now.
However, the provider is answering with a 401 & a new nonce.
Here is what I have:

    INVITE --->
    <---- 401 (with nonce)
    ACK --->
    INVITE ---> with correct nonce & response, I've recalculated the response, it is ok
    <--- 401 (with new nonce)
    ACK -->

When I configure another box with a plain asterisk and same credentials, the call goes through fine - so it is not because my ip is wrong or not whitelisted.
Why would the remote send me a 401? I've tried to contact them but no answer.
J.
Hi
Still searching on that one. My guess now is that I am receiving another 401 because the CSEQ does not get incremented.

    INVITE cseq 102 --->
    <---- 401 (with nonce) cseq 102
    ACK cseq 102 --->

    INVITE ---> with correct nonce & response, I've recalculated the response, it is ok -- cseq 102
    <--- 401 (with new nonce) cseq 102
    ACK --> cseq 102

I think the 2nd exchange should have a cseq of 103 or higher.
How can I increase it?
J.

    // Here is the section generating the reply with the wrong cseq
    if(t_check_status("401|407")) {
        $avp(auser) = "test";
        $avp(apass) = "test";
        uac_auth();
        t_relay();
        exit;
    }

Ok - found it !!
I've managed to get the cseq incremented following the info in this post: https://github.com/kamailio/kamailio/issues/679
Many thanks for your help,
J.
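
The thread does not say which change from the linked issue was applied. One documented way to get the CSeq incremented on an INVITE re-sent after uac_auth() is the dialog module's track_cseq_updates parameter; the fragment below is an added example, not the poster's final configuration. The route name ROUTEFAIL and the "test" credentials come from the thread; the request_route layout and the list of loaded modules are assumptions.

```kamailio
# Added example (not from the thread): fragment to merge into an existing
# kamailio.cfg. Assumes tm, rr, dialog, uac, textops and siputils are loaded.

# Let the dialog module track CSeq changes, so the INVITE re-sent after
# uac_auth() carries a higher CSeq than the one that was challenged.
modparam("dialog", "track_cseq_updates", 1)

# AVPs from which uac_auth() reads the credentials.
modparam("uac", "auth_username_avp", "$avp(auser)")
modparam("uac", "auth_password_avp", "$avp(apass)")
modparam("uac", "auth_realm_avp", "$avp(arealm)")

request_route {
    # ... existing request handling (sanity checks, routing) assumed here ...
    if (is_method("INVITE") && !has_totag()) {
        # CSeq tracking only applies to dialogs the module is managing.
        dlg_manage();
        t_on_failure("ROUTEFAIL");
    }
    t_relay();
    exit;
}

failure_route[ROUTEFAIL] {
    # Do not retry a call the caller has already cancelled.
    if (t_is_canceled()) {
        exit;
    }
    if (t_check_status("401|407")) {
        # Placeholder credentials taken from the thread. In production,
        # load them per user from a protected store (for example a database
        # lookup) instead of hard-coding them in the config.
        $avp(auser) = "test";
        $avp(apass) = "test";
        # Relay only if uac_auth() managed to build the credentials.
        if (uac_auth()) {
            t_relay();
        }
        exit;
    }
}
```

A capture of the second INVITE should then show the Authorization header together with a CSeq above 102.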