29 Jun
2008
29 Jun
'08
11:07 p.m.
I've been trying to work through openser successfully authenticating a
user on an INVITE. I've tried using www_challenge and
proxy_challenge. Each time, OpenSER will respond to the INVITE with
the appropriate Authentication header depending on what I'm using, and
asterisk will resend the INVITE with the Digest credentials. I've
determined that OpenSER returns a -5 when processing either
www_authorize or proxy_authorize and the INVITE has the Digest
credentials.
The authentication seems to work just fine when asterisk Registers to
openser. Are there any known issues with asterisk authenticating
during an INVITE? I would prefer to do it this way in case the PBX
loses its primary network connectivity and is failing to a secondary
route, or some other reason that would cause the IP address to change.
I am currently using OpenSER 1.3.1
Thank You
Stagg Shelton
30 Jun
30 Jun
4:21 a.m.
Hi Stagg,
For INVITEs, use proxy_challenge() + proxy_authorize() functions and not
the www_xxxxxxx() functions.
Regards,
Bogdan
Stagg Shelton wrote:
I've been trying to work through openser
successfully authenticating a
user on an INVITE. I've tried using www_challenge and
proxy_challenge. Each time, OpenSER will respond to the INVITE with
the appropriate Authentication header depending on what I'm using, and
asterisk will resend the INVITE with the Digest credentials. I've
determined that OpenSER returns a -5 when processing either
www_authorize or proxy_authorize and the INVITE has the Digest
credentials.
The authentication seems to work just fine when asterisk Registers to
openser. Are there any known issues with asterisk authenticating
during an INVITE? I would prefer to do it this way in case the PBX
loses its primary network connectivity and is failing to a secondary
route, or some other reason that would cause the IP address to change.
I am currently using OpenSER 1.3.1
Thank You
Stagg Shelton
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
10:21 a.m.
I am using proxy_authorize & proxy_challenge on the invite.
if (!(method=="REGISTER"))
{
if (!allow_trusted())
{
if (!proxy_authorize("", "subscriber")) {
$var(debug) = proxy_authorize("", "subscriber");
xlog("Not Proxy Authorize: $var(debug)");
proxy_challenge("", "0");
exit;
}
if (!check_from()) {
sl_send_reply("403","Forbidden auth ID");
exit;
}
consume_credentials();
# caller authenticated
}
}
Below is the output I see in the log file when this path is executed.
Jun 30 10:10:47 rolecall /sbin/openser[15625]: Not Proxy Authorize: -4
Jun 30 10:10:47 rolecall /sbin/openser[15629]: Not Proxy Authorize: -5
Jun 30 10:10:47 rolecall /sbin/openser[15625]: Not Proxy Authorize: -5
Jun 30 10:10:47 rolecall /sbin/openser[15627]: Not Proxy Authorize: -5
As you can see on the initial invite the credentials are not found
which is to be expected. But on the subsequent invites OpenSER is
returning the generic error which doesn't tell me a whole lot. Can
you tell me how to obtain more verbose debugging.
Is it possible that OpenSER is using the From tag and not the
credentials supplied in the Proxy-Authorization header?
Thank You
Stagg Shelton
On Jun 30, 2008, at 4:21 AM, Bogdan-Andrei Iancu wrote:
Hi Stagg,
For INVITEs, use proxy_challenge() + proxy_authorize() functions and
not the www_xxxxxxx() functions.
Regards,
Bogdan
Stagg Shelton wrote:
I've been trying to work through openser
successfully
authenticating a user on an INVITE. I've tried using
www_challenge and proxy_challenge. Each time, OpenSER will
respond to the INVITE with the appropriate Authentication header
depending on what I'm using, and asterisk will resend the INVITE
with the Digest credentials. I've determined that OpenSER returns
a -5 when processing either www_authorize or proxy_authorize and
the INVITE has the Digest credentials.
The authentication seems to work just fine when asterisk Registers
to openser. Are there any known issues with asterisk
authenticating during an INVITE? I would prefer to do it this way
in case the PBX loses its primary network connectivity and is
failing to a secondary route, or some other reason that would
cause the IP address to change.
I am currently using OpenSER 1.3.1
Thank You
Stagg Shelton
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
12:07 p.m.
Hi Stagg,
Check the UAC module, if you want to send credentials to Asterisk (I have
tested OpenSER 1.3.2 and Asterisk 1.4, it works). Another way is to
integrate Asterisk and OpenSER using realtime (there is a tutorial in the
www.openser.org website), with this integration, the same user existing in
OpenSER will be valid in the Asterisk Server. There is the ugly way too
(autocreatepeer=yes or insecure =invite in the peer) in the Asterisk Server,
but make sure that only OpenSER can send SIP requests to your Asterisk
Server or you can get into big security problems.
Cheers,
Flavio
----- Original Message -----
From: "Stagg Shelton" <stagg(a)sheltonjohns.com>
To: <users(a)lists.openser.org>
Sent: Monday, June 30, 2008 11:21 AM
Subject: Re: [OpenSER-Users] Problem with asterisk authenticating on invite
I am using proxy_authorize & proxy_challenge on the
invite.
if (!(method=="REGISTER"))
{
if (!allow_trusted())
{
if (!proxy_authorize("", "subscriber")) {
$var(debug) = proxy_authorize("", "subscriber");
xlog("Not Proxy Authorize: $var(debug)");
proxy_challenge("", "0");
exit;
}
if (!check_from()) {
sl_send_reply("403","Forbidden auth ID");
exit;
}
consume_credentials();
# caller authenticated
}
}
Below is the output I see in the log file when this path is executed.
Jun 30 10:10:47 rolecall /sbin/openser[15625]: Not Proxy Authorize: -4
Jun 30 10:10:47 rolecall /sbin/openser[15629]: Not Proxy Authorize: -5
Jun 30 10:10:47 rolecall /sbin/openser[15625]: Not Proxy Authorize: -5
Jun 30 10:10:47 rolecall /sbin/openser[15627]: Not Proxy Authorize: -5
As you can see on the initial invite the credentials are not found
which is to be expected. But on the subsequent invites OpenSER is
returning the generic error which doesn't tell me a whole lot. Can
you tell me how to obtain more verbose debugging.
Is it possible that OpenSER is using the From tag and not the
credentials supplied in the Proxy-Authorization header?
Thank You
Stagg Shelton
On Jun 30, 2008, at 4:21 AM, Bogdan-Andrei Iancu wrote:
Hi Stagg,
For INVITEs, use proxy_challenge() + proxy_authorize() functions and
not the www_xxxxxxx() functions.
Regards,
Bogdan
Stagg Shelton wrote:
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users I've been trying to work through openser
successfully
authenticating a user on an INVITE. I've tried using
www_challenge and proxy_challenge. Each time, OpenSER will
respond to the INVITE with the appropriate Authentication header
depending on what I'm using, and asterisk will resend the INVITE
with the Digest credentials. I've determined that OpenSER returns
a -5 when processing either www_authorize or proxy_authorize and
the INVITE has the Digest credentials.
The authentication seems to work just fine when asterisk Registers
to openser. Are there any known issues with asterisk
authenticating during an INVITE? I would prefer to do it this way
in case the PBX loses its primary network connectivity and is
failing to a secondary route, or some other reason that would
cause the IP address to change.
I am currently using OpenSER 1.3.1
Thank You
Stagg Shelton
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
3:04 p.m.
Thanks for the info. I downloaded 1.3.2-notls and was able to make it
work after it returned a -2 instead of the -5 I was receiving from the
1.3.1. I think that the 1.3.1 version that I was testing with was
probably a trunk version. Anyways now that both sides are configured
properly it is working the way I intended.
Stagg
On Jun 30, 2008, at 12:07 PM, flavio wrote:
Hi Stagg,
Check the UAC module, if you want to send credentials to Asterisk (I
have tested OpenSER 1.3.2 and Asterisk 1.4, it works). Another way
is to integrate Asterisk and OpenSER using realtime (there is a
tutorial in the www.openser.org website), with this integration, the
same user existing in OpenSER will be valid in the Asterisk Server.
There is the ugly way too (autocreatepeer=yes or insecure =invite in
the peer) in the Asterisk Server, but make sure that only OpenSER
can send SIP requests to your Asterisk Server or you can get into
big security problems.
Cheers,
Flavio
----- Original Message ----- From: "Stagg Shelton" <stagg(a)sheltonjohns.com
To: <users(a)lists.openser.org>
Sent: Monday, June 30, 2008 11:21 AM
Subject: Re: [OpenSER-Users] Problem with asterisk authenticating on
invite
I am using proxy_authorize & proxy_challenge
on the invite.
if (!(method=="REGISTER"))
{
if (!allow_trusted())
{
if (!proxy_authorize("", "subscriber")) {
$var(debug) = proxy_authorize("", "subscriber");
xlog("Not Proxy Authorize: $var(debug)");
proxy_challenge("", "0");
exit;
}
if (!check_from()) {
sl_send_reply("403","Forbidden auth ID");
exit;
}
consume_credentials();
# caller authenticated
}
}
Below is the output I see in the log file when this path is executed.
Jun 30 10:10:47 rolecall /sbin/openser[15625]: Not Proxy Authorize:
-4
Jun 30 10:10:47 rolecall /sbin/openser[15629]: Not Proxy Authorize:
-5
Jun 30 10:10:47 rolecall /sbin/openser[15625]: Not Proxy Authorize:
-5
Jun 30 10:10:47 rolecall /sbin/openser[15627]: Not Proxy Authorize:
-5
As you can see on the initial invite the credentials are not found
which is to be expected. But on the subsequent invites OpenSER is
returning the generic error which doesn't tell me a whole lot. Can
you tell me how to obtain more verbose debugging.
Is it possible that OpenSER is using the From tag and not the
credentials supplied in the Proxy-Authorization header?
Thank You
Stagg Shelton
On Jun 30, 2008, at 4:21 AM, Bogdan-Andrei Iancu wrote:
Hi Stagg,
For INVITEs, use proxy_challenge() + proxy_authorize() functions and
not the www_xxxxxxx() functions.
Regards,
Bogdan
Stagg Shelton wrote:
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users I've been trying to work through openser
successfully
authenticating a user on an INVITE. I've tried using
www_challenge and proxy_challenge. Each time, OpenSER will
respond to the INVITE with the appropriate Authentication header
depending on what I'm using, and asterisk will resend the INVITE
with the Digest credentials. I've determined that OpenSER returns
a -5 when processing either www_authorize or proxy_authorize and
the INVITE has the Digest credentials.
The authentication seems to work just fine when asterisk Registers
to openser. Are there any known issues with asterisk
authenticating during an INVITE? I would prefer to do it this way
in case the PBX loses its primary network connectivity and is
failing to a secondary route, or some other reason that would
cause the IP address to change.
I am currently using OpenSER 1.3.1
Thank You
Stagg Shelton
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
12:25 p.m.
Hi Stagg,
set the debug level to 6 and you will get the logs from openser - this
will help you identify why the auth is rejected.
Regards,
Bogdan
PS: you can send the logs to me if you do not manage to read them (also
attach the SIP trace)
Stagg Shelton wrote:
I am using proxy_authorize & proxy_challenge on
the invite.
if (!(method=="REGISTER"))
{
if (!allow_trusted())
{
if (!proxy_authorize("", "subscriber")) {
$var(debug) = proxy_authorize("", "subscriber");
xlog("Not Proxy Authorize: $var(debug)");
proxy_challenge("", "0");
exit;
}
if (!check_from()) {
sl_send_reply("403","Forbidden auth ID");
exit;
}
consume_credentials();
# caller authenticated
}
}
Below is the output I see in the log file when this path is executed.
Jun 30 10:10:47 rolecall /sbin/openser[15625]: Not Proxy Authorize: -4
Jun 30 10:10:47 rolecall /sbin/openser[15629]: Not Proxy Authorize: -5
Jun 30 10:10:47 rolecall /sbin/openser[15625]: Not Proxy Authorize: -5
Jun 30 10:10:47 rolecall /sbin/openser[15627]: Not Proxy Authorize: -5
As you can see on the initial invite the credentials are not found
which is to be expected. But on the subsequent invites OpenSER is
returning the generic error which doesn't tell me a whole lot. Can
you tell me how to obtain more verbose debugging.
Is it possible that OpenSER is using the From tag and not the
credentials supplied in the Proxy-Authorization header?
Thank You
Stagg Shelton
On Jun 30, 2008, at 4:21 AM, Bogdan-Andrei Iancu wrote:
Hi Stagg,
For INVITEs, use proxy_challenge() + proxy_authorize() functions and
not the www_xxxxxxx() functions.
Regards,
Bogdan
Stagg Shelton wrote:
> I've been trying to work through openser successfully
> authenticating a user on an INVITE. I've tried using
> www_challenge and proxy_challenge. Each time, OpenSER will
> respond to the INVITE with the appropriate Authentication header
> depending on what I'm using, and asterisk will resend the INVITE
> with the Digest credentials. I've determined that OpenSER returns
> a -5 when processing either www_authorize or proxy_authorize and
> the INVITE has the Digest credentials.
>
> The authentication seems to work just fine when asterisk Registers
> to openser. Are there any known issues with asterisk
> authenticating during an INVITE? I would prefer to do it this way
> in case the PBX loses its primary network connectivity and is
> failing to a secondary route, or some other reason that would
> cause the IP address to change.
>
> I am currently using OpenSER 1.3.1
>
> Thank You
> Stagg Shelton
> _______________________________________________
> Users mailing list
> Users(a)lists.openser.org
> http://lists.openser.org/cgi-bin/mailman/listinfo/users
>
>
>
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
1 Jul
1 Jul
7:50 a.m.
how about add asterisk ip into trusted table and then
if ( is_trusted() ) {
....
}
Bogdan-Andrei Iancu wrote:
Hi Stagg,
For INVITEs, use proxy_challenge() + proxy_authorize() functions and not
the www_xxxxxxx() functions.
Regards,
Bogdan
Stagg Shelton wrote:
--
View this message in context:
http://www.nabble.com/Problem-with-asterisk-authenticating-on-invite-tp1818…
Sent from the OpenSER Users Mailing List mailing list archive at Nabble.com.
I've been trying to work through openser
successfully authenticating a
user on an INVITE. I've tried using www_challenge and
proxy_challenge. Each time, OpenSER will respond to the INVITE with
the appropriate Authentication header depending on what I'm using, and
asterisk will resend the INVITE with the Digest credentials. I've
determined that OpenSER returns a -5 when processing either
www_authorize or proxy_authorize and the INVITE has the Digest
credentials.
The authentication seems to work just fine when asterisk Registers to
openser. Are there any known issues with asterisk authenticating
during an INVITE? I would prefer to do it this way in case the PBX
loses its primary network connectivity and is failing to a secondary
route, or some other reason that would cause the IP address to change.
I am currently using OpenSER 1.3.1
Thank You
Stagg Shelton
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
6075
days inactive
6076
days old
6 comments
4 participants
participants (4)
-
Bogdan-Andrei Iancu -
flavio -
Stagg Shelton -
toly