9 Oct
2019
9 Oct
'19
11:48 p.m.
I have a Boghe (v2.0.153.836) working fine with Kamailio with MD5 algorithm however fails
to authenticate if I configure S-CSCF to use AKAv1-MD5. We have the same configuration on
private user identity in FHoSS on both the succ MD5 run and failed AKAv1-MD5 run.
I wonder if anyone has faced this issue before. Here are some details on message
exchanges:
* S-CSCF included the challenge in 401 Unauthorized – Challenging the UE:
WWW-Authenticate: Digest realm="example.example.org",
nonce="rzGnTBGPw3hE+mDPHrZ1PAAAAAAApAAAmfftHqYUuUA=", algorithm=AKAv1-MD5,
ck="629d6d9a6a6befa509b1a9bb17a9c2a3",
ik="32fcd14a102279de2e38200a2257efcb", qop="auth,auth-int"\r\n
* The same header was seen when 401 Unauth travelled through I-CSCF and P-CSCF
(shouldn’t P-CSCF strips out the ck and ik fields before sending to UE?)
* UE responded with another register with response:
Authorization: Digest
username="bob@example.example.org",realm="example.example.org",nonce="rzGnTBGPw3hE+mDPHrZ1PAAAAAAApAAAmfftHqYUuUA=",uri="sip:example.example.org",response="6445f9df2b785eab3fa461849880b48d",algorithm=AKAv1-MD5,cnonce="34baf441e99a23e0fcb2bc001355c4bf",qop=auth-int,nc=00000001\r\n
* S-CSCF failed the calculation and sent back 403 Authentication Failed
I tried AKAv2-MD5 setting as default algorithm on S-CSCF and the result is the same as
above. It seems that only MD5 works on my setup.
What are the different configs in HSS (or other places) AKAv1-MD5 need? I checked the
AMF/OP on both HSS and Boghe and they match. Boghe does not have SQN setting but I set HSS
to start with 0.
Any pointers are appreciated!
Yin
18 Oct
18 Oct
10:24 a.m.
Hello,
try to set debug=3 in kamailio config files, restart, reproduce and see
if you get any hints about why it fails via the syslog debug messages.
Cheers,
Daniel
On 09.10.19 22:48, Bao, Yin wrote:
I have a Boghe (v2.0.153.836) working fine with Kamailio with MD5
algorithm however fails to authenticate if I configure S-CSCF to use
AKAv1-MD5. We have the same configuration on private user identity in
FHoSS on both the succ MD5 run and failed AKAv1-MD5 run.
I wonder if anyone has faced this issue before. Here are some details
on message exchanges:
* S-CSCF included the challenge in 401 Unauthorized – Challenging
the UE:
/WWW-Authenticate: Digest realm="example.example.org",
nonce="rzGnTBGPw3hE+mDPHrZ1PAAAAAAApAAAmfftHqYUuUA=",
algorithm=AKAv1-MD5, ck="629d6d9a6a6befa509b1a9bb17a9c2a3",
ik="32fcd14a102279de2e38200a2257efcb", qop="auth,auth-int"\r\n/
* The same header was seen when 401 Unauth travelled through I-CSCF
and P-CSCF (shouldn’t P-CSCF strips out the ck and ik fields
before sending to UE?)
* UE responded with another register with response:
/Authorization: Digest
username="bob@example.example.org",realm="example.example.org",nonce="rzGnTBGPw3hE+mDPHrZ1PAAAAAAApAAAmfftHqYUuUA=",uri="sip:example.example.org",response="6445f9df2b785eab3fa461849880b48d",algorithm=AKAv1-MD5,cnonce="34baf441e99a23e0fcb2bc001355c4bf",qop=auth-int,nc=00000001\r\n/
/ /
* S-CSCF failed the calculation and sent back 403 Authentication Failed
I tried AKAv2-MD5 setting as default algorithm on S-CSCF and the
result is the same as above. It seems that only MD5 works on my setup.
What are the different configs in HSS (or other places) AKAv1-MD5
need? I checked the AMF/OP on both HSS and Boghe and they match. Boghe
does not have SQN setting but I set HSS to start with 0.
Any pointers are appreciated!
Yin
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training, Oct 21-23, 2019, Berlin, Germany -- https://asipto.com/u/kat
1868
days inactive
1877
days old
1 comments
2 participants
participants (2)
-
Bao, Yin -
Daniel-Constantin Mierla