I've been trying to work through openser successfully authenticating a user on an INVITE. I've tried using www_challenge and proxy_challenge. Each time, OpenSER will respond to the INVITE with the appropriate Authentication header depending on what I'm using, and asterisk will resend the INVITE with the Digest credentials. I've determined that OpenSER returns a -5 when processing either www_authorize or proxy_authorize and the INVITE has the Digest credentials.
The authentication seems to work just fine when asterisk Registers to openser. Are there any known issues with asterisk authenticating during an INVITE? I would prefer to do it this way in case the PBX loses its primary network connectivity and is failing to a secondary route, or some other reason that would cause the IP address to change.
I am currently using OpenSER 1.3.1
Thank You Stagg Shelton
Hi Stagg,
For INVITEs, use proxy_challenge() + proxy_authorize() functions and not the www_xxxxxxx() functions.
Regards, Bogdan
Stagg Shelton wrote:
I've been trying to work through openser successfully authenticating a user on an INVITE. I've tried using www_challenge and proxy_challenge. Each time, OpenSER will respond to the INVITE with the appropriate Authentication header depending on what I'm using, and asterisk will resend the INVITE with the Digest credentials. I've determined that OpenSER returns a -5 when processing either www_authorize or proxy_authorize and the INVITE has the Digest credentials.
The authentication seems to work just fine when asterisk Registers to openser. Are there any known issues with asterisk authenticating during an INVITE? I would prefer to do it this way in case the PBX loses its primary network connectivity and is failing to a secondary route, or some other reason that would cause the IP address to change.
I am currently using OpenSER 1.3.1
Thank You Stagg Shelton
Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
I am using proxy_authorize & proxy_challenge on the invite.
if (!(method=="REGISTER")) { if (!allow_trusted()) { if (!proxy_authorize("", "subscriber")) { $var(debug) = proxy_authorize("", "subscriber"); xlog("Not Proxy Authorize: $var(debug)"); proxy_challenge("", "0"); exit; } if (!check_from()) { sl_send_reply("403","Forbidden auth ID"); exit; }
consume_credentials(); # caller authenticated } }
Below is the output I see in the log file when this path is executed.
Jun 30 10:10:47 rolecall /sbin/openser[15625]: Not Proxy Authorize: -4 Jun 30 10:10:47 rolecall /sbin/openser[15629]: Not Proxy Authorize: -5 Jun 30 10:10:47 rolecall /sbin/openser[15625]: Not Proxy Authorize: -5 Jun 30 10:10:47 rolecall /sbin/openser[15627]: Not Proxy Authorize: -5
As you can see on the initial invite the credentials are not found which is to be expected. But on the subsequent invites OpenSER is returning the generic error which doesn't tell me a whole lot. Can you tell me how to obtain more verbose debugging.
Is it possible that OpenSER is using the From tag and not the credentials supplied in the Proxy-Authorization header?
Thank You Stagg Shelton
On Jun 30, 2008, at 4:21 AM, Bogdan-Andrei Iancu wrote:
Hi Stagg,
For INVITEs, use proxy_challenge() + proxy_authorize() functions and not the www_xxxxxxx() functions.
Regards, Bogdan
Stagg Shelton wrote:
I've been trying to work through openser successfully authenticating a user on an INVITE. I've tried using www_challenge and proxy_challenge. Each time, OpenSER will respond to the INVITE with the appropriate Authentication header depending on what I'm using, and asterisk will resend the INVITE with the Digest credentials. I've determined that OpenSER returns a -5 when processing either www_authorize or proxy_authorize and the INVITE has the Digest credentials.
The authentication seems to work just fine when asterisk Registers to openser. Are there any known issues with asterisk authenticating during an INVITE? I would prefer to do it this way in case the PBX loses its primary network connectivity and is failing to a secondary route, or some other reason that would cause the IP address to change.
I am currently using OpenSER 1.3.1
Thank You Stagg Shelton _______________________________________________ Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
Hi Stagg,
Check the UAC module, if you want to send credentials to Asterisk (I have tested OpenSER 1.3.2 and Asterisk 1.4, it works). Another way is to integrate Asterisk and OpenSER using realtime (there is a tutorial in the www.openser.org website), with this integration, the same user existing in OpenSER will be valid in the Asterisk Server. There is the ugly way too (autocreatepeer=yes or insecure =invite in the peer) in the Asterisk Server, but make sure that only OpenSER can send SIP requests to your Asterisk Server or you can get into big security problems.
Cheers,
Flavio
----- Original Message ----- From: "Stagg Shelton" stagg@sheltonjohns.com To: users@lists.openser.org Sent: Monday, June 30, 2008 11:21 AM Subject: Re: [OpenSER-Users] Problem with asterisk authenticating on invite
I am using proxy_authorize & proxy_challenge on the invite.
if (!(method=="REGISTER")) { if (!allow_trusted()) { if (!proxy_authorize("", "subscriber")) { $var(debug) = proxy_authorize("", "subscriber"); xlog("Not Proxy Authorize: $var(debug)"); proxy_challenge("", "0"); exit; } if (!check_from()) { sl_send_reply("403","Forbidden auth ID"); exit; } consume_credentials(); # caller authenticated } }Below is the output I see in the log file when this path is executed.
Jun 30 10:10:47 rolecall /sbin/openser[15625]: Not Proxy Authorize: -4 Jun 30 10:10:47 rolecall /sbin/openser[15629]: Not Proxy Authorize: -5 Jun 30 10:10:47 rolecall /sbin/openser[15625]: Not Proxy Authorize: -5 Jun 30 10:10:47 rolecall /sbin/openser[15627]: Not Proxy Authorize: -5
As you can see on the initial invite the credentials are not found which is to be expected. But on the subsequent invites OpenSER is returning the generic error which doesn't tell me a whole lot. Can you tell me how to obtain more verbose debugging.
Is it possible that OpenSER is using the From tag and not the credentials supplied in the Proxy-Authorization header?
Thank You Stagg Shelton
On Jun 30, 2008, at 4:21 AM, Bogdan-Andrei Iancu wrote:
Hi Stagg,
For INVITEs, use proxy_challenge() + proxy_authorize() functions and not the www_xxxxxxx() functions.
Regards, Bogdan
Stagg Shelton wrote:
I've been trying to work through openser successfully authenticating a user on an INVITE. I've tried using www_challenge and proxy_challenge. Each time, OpenSER will respond to the INVITE with the appropriate Authentication header depending on what I'm using, and asterisk will resend the INVITE with the Digest credentials. I've determined that OpenSER returns a -5 when processing either www_authorize or proxy_authorize and the INVITE has the Digest credentials.
The authentication seems to work just fine when asterisk Registers to openser. Are there any known issues with asterisk authenticating during an INVITE? I would prefer to do it this way in case the PBX loses its primary network connectivity and is failing to a secondary route, or some other reason that would cause the IP address to change.
I am currently using OpenSER 1.3.1
Thank You Stagg Shelton _______________________________________________ Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
Thanks for the info. I downloaded 1.3.2-notls and was able to make it work after it returned a -2 instead of the -5 I was receiving from the 1.3.1. I think that the 1.3.1 version that I was testing with was probably a trunk version. Anyways now that both sides are configured properly it is working the way I intended.
Stagg
On Jun 30, 2008, at 12:07 PM, flavio wrote:
Hi Stagg,
Check the UAC module, if you want to send credentials to Asterisk (I have tested OpenSER 1.3.2 and Asterisk 1.4, it works). Another way is to integrate Asterisk and OpenSER using realtime (there is a tutorial in the www.openser.org website), with this integration, the same user existing in OpenSER will be valid in the Asterisk Server. There is the ugly way too (autocreatepeer=yes or insecure =invite in the peer) in the Asterisk Server, but make sure that only OpenSER can send SIP requests to your Asterisk Server or you can get into big security problems.
Cheers,
Flavio
----- Original Message ----- From: "Stagg Shelton" <stagg@sheltonjohns.com
To: users@lists.openser.org Sent: Monday, June 30, 2008 11:21 AM Subject: Re: [OpenSER-Users] Problem with asterisk authenticating on invite
I am using proxy_authorize & proxy_challenge on the invite.
if (!(method=="REGISTER")) { if (!allow_trusted()) { if (!proxy_authorize("", "subscriber")) { $var(debug) = proxy_authorize("", "subscriber"); xlog("Not Proxy Authorize: $var(debug)"); proxy_challenge("", "0"); exit; } if (!check_from()) { sl_send_reply("403","Forbidden auth ID"); exit; } consume_credentials(); # caller authenticated } }Below is the output I see in the log file when this path is executed.
Jun 30 10:10:47 rolecall /sbin/openser[15625]: Not Proxy Authorize: -4 Jun 30 10:10:47 rolecall /sbin/openser[15629]: Not Proxy Authorize: -5 Jun 30 10:10:47 rolecall /sbin/openser[15625]: Not Proxy Authorize: -5 Jun 30 10:10:47 rolecall /sbin/openser[15627]: Not Proxy Authorize: -5
As you can see on the initial invite the credentials are not found which is to be expected. But on the subsequent invites OpenSER is returning the generic error which doesn't tell me a whole lot. Can you tell me how to obtain more verbose debugging.
Is it possible that OpenSER is using the From tag and not the credentials supplied in the Proxy-Authorization header?
Thank You Stagg Shelton
On Jun 30, 2008, at 4:21 AM, Bogdan-Andrei Iancu wrote:
Hi Stagg,
For INVITEs, use proxy_challenge() + proxy_authorize() functions and not the www_xxxxxxx() functions.
Regards, Bogdan
Stagg Shelton wrote:
I've been trying to work through openser successfully authenticating a user on an INVITE. I've tried using www_challenge and proxy_challenge. Each time, OpenSER will respond to the INVITE with the appropriate Authentication header depending on what I'm using, and asterisk will resend the INVITE with the Digest credentials. I've determined that OpenSER returns a -5 when processing either www_authorize or proxy_authorize and the INVITE has the Digest credentials.
The authentication seems to work just fine when asterisk Registers to openser. Are there any known issues with asterisk authenticating during an INVITE? I would prefer to do it this way in case the PBX loses its primary network connectivity and is failing to a secondary route, or some other reason that would cause the IP address to change.
I am currently using OpenSER 1.3.1
Thank You Stagg Shelton _______________________________________________ Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
Hi Stagg,
set the debug level to 6 and you will get the logs from openser - this will help you identify why the auth is rejected.
Regards, Bogdan
PS: you can send the logs to me if you do not manage to read them (also attach the SIP trace)
Stagg Shelton wrote:
I am using proxy_authorize & proxy_challenge on the invite.
if (!(method=="REGISTER")) { if (!allow_trusted()) { if (!proxy_authorize("", "subscriber")) { $var(debug) = proxy_authorize("", "subscriber"); xlog("Not Proxy Authorize: $var(debug)"); proxy_challenge("", "0"); exit; } if (!check_from()) { sl_send_reply("403","Forbidden auth ID"); exit; } consume_credentials(); # caller authenticated } }Below is the output I see in the log file when this path is executed.
Jun 30 10:10:47 rolecall /sbin/openser[15625]: Not Proxy Authorize: -4 Jun 30 10:10:47 rolecall /sbin/openser[15629]: Not Proxy Authorize: -5 Jun 30 10:10:47 rolecall /sbin/openser[15625]: Not Proxy Authorize: -5 Jun 30 10:10:47 rolecall /sbin/openser[15627]: Not Proxy Authorize: -5
As you can see on the initial invite the credentials are not found which is to be expected. But on the subsequent invites OpenSER is returning the generic error which doesn't tell me a whole lot. Can you tell me how to obtain more verbose debugging.
Is it possible that OpenSER is using the From tag and not the credentials supplied in the Proxy-Authorization header?
Thank You Stagg Shelton
On Jun 30, 2008, at 4:21 AM, Bogdan-Andrei Iancu wrote:
Hi Stagg,
For INVITEs, use proxy_challenge() + proxy_authorize() functions and not the www_xxxxxxx() functions.
Regards, Bogdan
Stagg Shelton wrote:
I've been trying to work through openser successfully authenticating a user on an INVITE. I've tried using www_challenge and proxy_challenge. Each time, OpenSER will respond to the INVITE with the appropriate Authentication header depending on what I'm using, and asterisk will resend the INVITE with the Digest credentials. I've determined that OpenSER returns a -5 when processing either www_authorize or proxy_authorize and the INVITE has the Digest credentials.
The authentication seems to work just fine when asterisk Registers to openser. Are there any known issues with asterisk authenticating during an INVITE? I would prefer to do it this way in case the PBX loses its primary network connectivity and is failing to a secondary route, or some other reason that would cause the IP address to change.
I am currently using OpenSER 1.3.1
Thank You Stagg Shelton _______________________________________________ Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
how about add asterisk ip into trusted table and then
if ( is_trusted() ) { .... }
Bogdan-Andrei Iancu wrote:
Hi Stagg,
For INVITEs, use proxy_challenge() + proxy_authorize() functions and not the www_xxxxxxx() functions.
Regards, Bogdan
Stagg Shelton wrote:
I've been trying to work through openser successfully authenticating a user on an INVITE. I've tried using www_challenge and proxy_challenge. Each time, OpenSER will respond to the INVITE with the appropriate Authentication header depending on what I'm using, and asterisk will resend the INVITE with the Digest credentials. I've determined that OpenSER returns a -5 when processing either www_authorize or proxy_authorize and the INVITE has the Digest credentials.
The authentication seems to work just fine when asterisk Registers to openser. Are there any known issues with asterisk authenticating during an INVITE? I would prefer to do it this way in case the PBX loses its primary network connectivity and is failing to a secondary route, or some other reason that would cause the IP address to change.
I am currently using OpenSER 1.3.1
Thank You Stagg Shelton
Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
-
Bogdan-Andrei Iancu -
flavio -
Stagg Shelton -
toly