I have been using various versions of SER from last year without any problem but recently I made a new installation of OpenSER 0.9.5. Since then I am having problems with digest authentication from some of the phones. I have a bunch of 186 ATAs and Cisco 7940 phones but they cannot register to the server, while all the soft phones can register successfully. The server says Credentials with given realm not found. I tried to change the realm to localhost and to the IP address of the server, with no luck.
And below is the result of ngrep
I tried to grep the messages from the phones and here below is one message from a Cisco 186 ATA which has failed to register
########### Beginning of the capture ##################
U PHONEIP:5060 -> SERVERIP:5060
REGISTER sip:SERVERIP SIP/2.0.
Via: SIP/2.0/UDP PHONEIP:5060.
From: sip:06090003@SERVERIP;user=phone;tag=500808430.
To: sip:06090003@SERVERIP;user=phone.
Call-ID: 704382462@PHONEIP.
CSeq: 1 REGISTER.
Contact: sip:06090003@PHONEIP:5060;user=phone;transport=udp;expires=3600.
User-Agent: Cisco ATA 186 v2.16.2 ata18x (030829a).
Content-Length: 0.
#
U SERVERIP:5060 -> PHONEIP:5060
SIP/2.0 100 Trying.
Via: SIP/2.0/UDP PHONEIP:5060.
From: sip:06090003@SERVERIP;user=phone;tag=500808430.
To: sip:06090003@SERVERIP;user=phone.
Call-ID: 704382462@PHONEIP.
CSeq: 1 REGISTER.
Server: OpenSer (0.9.5 (i386/linux)).
Content-Length: 0.
Warning: 392 SERVERIP:5060 "Noisy feedback tells: pid=4490 req_src_ip=PHONEIP req_src_port=5060 in_uri=sip:SERVERIP out_uri=sip:SERVERIP via_cnt==1".
#
U SERVERIP:5060 -> PHONEIP:5060
SIP/2.0 401 Unauthorized.
Via: SIP/2.0/UDP PHONEIP:5060.
From: sip:06090003@SERVERIP;user=phone;tag=500808430.
To: sip:06090003@SERVERIP;user=phone;tag=329cfeaa6ded039da25ff8cbb8668bd2.8af0.
Call-ID: 704382462@PHONEIP.
CSeq: 1 REGISTER.
WWW-Authenticate: Digest realm="talk.artel.rw", nonce="42edb29e1dbcc6fa814dd3396634ed7be68eea56".
Server: OpenSer (0.9.5 (i386/linux)).
Content-Length: 0.
Warning: 392 SERVERIP:5060 "Noisy feedback tells: pid=4490 req_src_ip=PHONEIP req_src_port=5060 in_uri=sip:SERVERIP out_uri=sip:SERVERIP via_cnt==1".
Any idea?
Aimable
Hello Aimable,
If you get the "pre_auth(): Credentials with given realm not found" message, it means the realm to be used in auth is not found in the [WWW-]Authenticate header. Now it depends on how you have it in the script: if you use www_authorize("my_realm",""), then "my_realm" will be searched for in the WWW-Authenticate header; if you use www_authorize("",""), then the realm will be extracted as the domain part of the TO uri.
So you may try: www_authorize("talk.artel.rw",""); - it will match the credential, or www_authorize("",""), but configure your UAs to use "talk.artel.rw" as the domain part in FROM/URI.
It depends which case fits you better... my guess? Go for option 1. :)
regards, bogdan
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
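Added example, not part of the original thread and not OpenSER source code: a Python model of the realm lookup as the reply above describes it, run against a constructed retry of the REGISTER (192.0.2.10 stands in for SERVERIP; the function names and the password are hypothetical). It also shows that the realm is hashed into HA1 under RFC 2617, so phone and server must agree on it.

```python
import hashlib
import re

# Constructed retry of the REGISTER in the capture: 192.0.2.10 stands in for
# SERVERIP and the response value is a placeholder.
SAMPLE_REGISTER = (
    "REGISTER sip:192.0.2.10 SIP/2.0\r\n"
    "To: sip:06090003@192.0.2.10;user=phone\r\n"
    'Authorization: Digest username="06090003", realm="talk.artel.rw", '
    'nonce="42edb29e1dbcc6fa814dd3396634ed7be68eea56", '
    'uri="sip:192.0.2.10", response="0"\r\n'
    "Content-Length: 0\r\n\r\n"
)

def headers(msg, name):
    """Values of every header called `name` (case-insensitive)."""
    out = []
    for line in msg.split("\r\n")[1:]:
        if not line:          # blank line ends the header section
            break
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            out.append(value.strip())
    return out

def digest_params(value):
    """Parse 'Digest k="v", k2=v2' into a dict; None for other schemes."""
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "digest":
        return None
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', rest)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def to_domain(msg):
    """Host part of the To URI, without user, port or parameters."""
    return re.search(r"sips?:(?:[^@;>\s]*@)?([^;>:\s]+)",
                     headers(msg, "To")[0]).group(1)

def select_credentials(msg, configured_realm):
    """Return (realm searched for, matching credentials or None)."""
    realm = configured_realm or to_domain(msg)   # "" means: take it from To
    for value in headers(msg, "Authorization"):
        params = digest_params(value)
        if params and params.get("realm", "").lower() == realm.lower():
            return realm, params
    return realm, None

def digest_response(user, realm, password, nonce, method, uri):
    """RFC 2617 response without qop (the challenge in the capture has none)."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{user}:{realm}:{password}")      # realm is hashed into HA1
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")

if __name__ == "__main__":
    for cfg in ("", "talk.artel.rw"):
        realm, creds = select_credentials(SAMPLE_REGISTER, cfg)
        print(repr(cfg), "->", realm, "found" if creds else
              "Credentials with given realm not found")
```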
I tried both of these configurations and none of them worked. Here below is my configuration
debug=7
fork=yes
log_stderror=yes
listen=193.XXX.XX4.XXX
port=5060
children=4

alias=193.XXX.XX4.XXX
alias=sip.mydomain.tld

dns=yes
rev_dns=no

fifo="/tmp/openser_fifo"
fifo_db_url="mysql://USER:PASSWORD@localhost/openser"

loadmodule "/usr/local/lib/openser/modules/mysql.so"
loadmodule "/usr/local/lib/openser/modules/sl.so"
loadmodule "/usr/local/lib/openser/modules/tm.so"
loadmodule "/usr/local/lib/openser/modules/rr.so"
loadmodule "/usr/local/lib/openser/modules/maxfwd.so"
loadmodule "/usr/local/lib/openser/modules/usrloc.so"
loadmodule "/usr/local/lib/openser/modules/registrar.so"
loadmodule "/usr/local/lib/openser/modules/auth.so"
loadmodule "/usr/local/lib/openser/modules/auth_db.so"
loadmodule "/usr/local/lib/openser/modules/uri.so"
loadmodule "/usr/local/lib/openser/modules/uri_db.so"
loadmodule "/usr/local/lib/openser/modules/mediaproxy.so"
loadmodule "/usr/local/lib/openser/modules/nathelper.so"
loadmodule "/usr/local/lib/openser/modules/textops.so"
loadmodule "/usr/local/lib/openser/modules/domain.so"
loadmodule "/usr/local/lib/openser/modules/acc.so"

modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "password_column", "password")
modparam("auth_db", "use_domain", 1)

modparam("domain", "db_mode", 1)

modparam("nathelper", "rtpproxy_disable", 1)
modparam("nathelper", "natping_interval", 180)

modparam("mediaproxy","natping_interval", 30)
modparam("mediaproxy","mediaproxy_socket", "/var/run/mediaproxy.sock")
modparam("mediaproxy","sip_asymmetrics","/usr/local/etc/openser/sip-asymmetric-clients")
modparam("mediaproxy","rtp_asymmetrics","/usr/local/etc/openser/rtp-asymmetric-clients")

modparam("usrloc", "db_mode", 2)
modparam("usrloc", "use_domain", 1)

modparam("registrar", "default_expires", 60)
modparam("registrar", "min_expires", 30)
modparam("registrar", "nat_flag", 6)
modparam("registrar", "use_domain", 1)

modparam("rr", "enable_full_lr", 1)

modparam("auth_db|uri_db|usrloc", "db_url", "mysql://USER:PASSWORD@localhost/openser")
modparam("acc", "db_url", "mysql://USER:PASSWORD@localhost/openser")
modparam("acc", "failed_transactions", 1)
modparam("acc", "log_level", 1)
modparam("acc", "log_flag", 1)
modparam("acc", "db_flag", 1)
route {

    # -----------------------------------------------------------------
    # Sanity Check Section
    # -----------------------------------------------------------------
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483", "Too Many Hops");
        break;
    };

    if (msg:len > max_len) {
        sl_send_reply("513", "Message Overflow");
        break;
    };

    # -----------------------------------------------------------------
    # Record Route Section and Acc section
    # -----------------------------------------------------------------
    if (method=="INVITE" && client_nat_test("3")) {
        record_route_preset("193.XXX.XX4.XXX:5060;nat=yes");
    } else if (method!="REGISTER") {
        if!(uri=~"^sip:833[0-9]*@") {
            record_route();
            setflag(1);
        }
    };

    # -----------------------------------------------------------------
    # Call Tear Down Section
    # -----------------------------------------------------------------
    if (method=="BYE" || method=="CANCEL") {
        end_media_session();
    };

    # -----------------------------------------------------------------
    # Loose Route Section
    # -----------------------------------------------------------------
    if (loose_route()) {

        if (has_totag() && (method=="INVITE" || method=="ACK")) {

            if (client_nat_test("3") || search("^Route:.*;nat=yes")) {
                setflag(6);
                use_media_proxy();
            };
        };

        route(1);
        break;
    };

    # -----------------------------------------------------------------
    # Call Type Processing Section
    # -----------------------------------------------------------------

    if (uri!=myself) {
        route(1);
        break;
    };

    if (uri==myself) {

        if (method=="CANCEL") {
            route(3);
            break;
        } else if (method=="INVITE") {
            route(3);
            break;
        } else if (method=="REGISTER") {
            route(2);
            break;
        };

        lookup("aliases");
        if (uri!=myself) {
            route(1);
            break;
        };

        if (!lookup("location")) {
            sl_send_reply("404", "User Not Found");
            break;
        };
    };

    route(1);
}

route[1] {

    # -----------------------------------------------------------------
    # Default Message Handler
    # -----------------------------------------------------------------

    t_on_reply("1");

    if (!t_relay()) {

        if (method=="INVITE" || method=="ACK") {
            end_media_session();
        };

        sl_reply_error();
    };
}

route[2] {

    # -----------------------------------------------------------------
    # REGISTER Message Handler
    # ----------------------------------------------------------------

    if (!search("^Contact:\ +\*") && client_nat_test("7")) {
        setflag(6);
        fix_nated_register();
        force_rport();
    };

    sl_send_reply("100", "Trying");

    if (!www_authorize("","subscriber")) {
        www_challenge("","0");
        break;
    };

    if (!check_to()) {
        sl_send_reply("401", "Unauthorized");
        break;
    };

    consume_credentials();

    if (!save("location")) {
        sl_reply_error();
    };
}

route[3] {

    # -----------------------------------------------------------------
    # CANCEL and INVITE Message Handler
    # -----------------------------------------------------------------

    if (client_nat_test("3")) {
        setflag(7);
        force_rport();
        fix_nated_contact();
    };

    lookup("aliases");
    if (uri!=myself) {
        route(1);
        break;
    };

    if (!lookup("location")) {
        sl_send_reply("404", "User Not Found");
        break;
    };

    if (method=="CANCEL") {
        route(1);
        break;
    };

    if (!proxy_authorize("","subscriber")) {
        proxy_challenge("","0");
        break;
    } else if (!check_from()) {
        sl_send_reply("403", "Use From=ID");
        break;
    };

    consume_credentials();

    if (isflagset(6) || isflagset(7)) {
        use_media_proxy();
    };

    route(1);
}

onreply_route[1] {

    if ((isflagset(6) || isflagset(7)) && (status=~"(180)|(183)|2[0-9][0-9]")) {

        if (!search("^Content-Length:\ +0")) {
            use_media_proxy();
        };
    };

    if (client_nat_test("1")) {
        fix_nated_contact();
    };
}
-----Original Message-----
From: Bogdan-Andrei Iancu [mailto:bogdan@voice-system.ro]
Sent: Tuesday, August 02, 2005 10:50 AM
To: aimable
Cc: users@openser.org
Subject: Re: [Users] Problems with digest authentication

Hello Aimable,
If you get the "pre_auth(): Credentials with given realm not found" message, it means the realm to be used in auth is not found in the [WWW-]Authenticate header. Now it depends on how you have it in the script: if you use www_authorize("my_realm",""), then "my_realm" will be searched for in the WWW-Authenticate header; if you use www_authorize("",""), then the realm will be extracted as the domain part of the TO uri.
So you may try: www_authorize("talk.artel.rw",""); - it will match the credential, or www_authorize("",""), but configure your UAs to use "talk.artel.rw" as the domain part in FROM/URI.
It depends which case fits you better... my guess? Go for option 1. :)
regards, bogdan
Hi Aimable,
have you tried with www_authorize("talk.artel.rw","subscriber") in the REGISTER block? just asking because I don't see this in your cfg.
If you did, but it still doesn't work, please send the net traffic capture and the OpenSER log (in full debug mode) for the failed REGISTER. For sure, there is a config problem somewhere....
regards, bogdan