Hello,
Is there any way to authenticate requests when using Kamailio as an outbound proxy?
For example, if all the phones are configured to use Kamailio as an outbound proxy for NAT traversal, the credentials on the phone authenticate against the destination SIP proxy and not the outbound SIP proxy (Kamailio). Is there a way to have the credentials on the phone authenticate to BOTH the outbound proxy and the destination SIP proxy?
Thanks,
Isaac
On 17 Sep 2013, at 21:37, Isaac McDonald imcdona@suscall.com wrote:
> Hello,
> Is there any way to authenticate requests when using Kamailio as an outbound proxy?
> For example, if all the phones are configured to use Kamailio as an outbound proxy for NAT traversal, the credentials on the phone authenticate against the destination SIP proxy and not the outbound SIP proxy (Kamailio). Is there a way to have the credentials on the phone authenticate to BOTH the outbound proxy and the destination SIP proxy?
In theory a SIP request can have multiple proxy authentications and one www authentication. In practice very few phones support it.
This means that you will have to have the same realm and same credentials (username/password) on both servers.
/O
It sounds like I should take a different approach. I'd like to avoid any compatibility issues. I'm thinking I could filter the traffic in Kamailio based on destination SIP proxy. This would at least lock down Kamailio to only proxy "whitelisted" destinations.
Are there any best practices for a setup like this?
On 9/17/2013 12:59 PM, Olle E. Johansson wrote:
> On 17 Sep 2013, at 21:37, Isaac McDonald imcdona@suscall.com wrote:
>> Hello,
>> Is there any way to authenticate requests when using Kamailio as an outbound proxy?
>> For example, if all the phones are configured to use Kamailio as an outbound proxy for NAT traversal, the credentials on the phone authenticate against the destination SIP proxy and not the outbound SIP proxy (Kamailio). Is there a way to have the credentials on the phone authenticate to BOTH the outbound proxy and the destination SIP proxy?
> In theory a SIP request can have multiple proxy authentications and one www authentication. In practice very few phones support it.
> This means that you will have to have the same realm and same credentials (username/password) on both servers.
> /O
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users@lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
On 17 September 2013 21:59, Olle E. Johansson oej@edvina.net wrote:
> In theory a SIP request can have multiple proxy authentications and one www authentication. In practice very few phones support it.
Interesting that in my testing / experiments I saw Bria do this correctly. I had both Kamailio and my final destination authenticate Bria's invite. I used different realms and Bria dutifully answered both and offered the final invite with both authentications included.
I did wonder whether other clients were likely to do it right. (And I did "fix" the double authentication in the meantime)
Steve
On 17 Sep 2013, at 23:04, Steve Davies steve-lists-srusers@connection-telecom.com wrote:
> On 17 September 2013 21:59, Olle E. Johansson oej@edvina.net wrote:
>> In theory a SIP request can have multiple proxy authentications and one www authentication. In practice very few phones support it.
> Interesting that in my testing / experiments I saw Bria do this correctly. I had both Kamailio and my final destination authenticate Bria's invite. I used different realms and Bria dutifully answered both and offered the final invite with both authentications included.
In Asterisk I have implemented realm-based authentication so that we can pick a set of credentials based on the realm in the challenge. Can Bria have one set of credentials for the outbound proxy and one for the end service in different realms?
> I did wonder whether other clients were likely to do it right. (And I did "fix" the double authentication in the meantime)
Early SNOM firmware did this right, but they have removed it since.
/O
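
The double authentication discussed in this thread, as an added example that is not part of any poster's message: a client answers a 407 challenge from the outbound proxy and a 401 challenge from the destination by picking credentials per realm and sending both headers on the retried request. The realms, usernames, passwords, nonces and function names are constructed for illustration, and only Digest challenges without qop are handled.

```python
import hashlib
import re

# Constructed sample data: one credential set per realm (all values made up).
CREDENTIALS = {
    "outbound.example.net": ("phone1", "proxy-secret"),  # outbound proxy realm
    "pbx.example.com": ("1001", "pbx-secret"),           # destination realm
}

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_challenge(value):
    """Parse 'Digest realm="x", nonce="y"' into a dict of quoted parameters."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("only Digest challenges are handled")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def digest_response(user, realm, password, method, uri, nonce):
    """Digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def answer_challenges(method, uri, challenges, credentials=CREDENTIALS):
    """challenges: list of (status code, challenge header value) pairs.
    Returns the credential headers to add to the retried request."""
    headers = []
    for status, value in challenges:
        params = parse_challenge(value)
        realm, nonce = params["realm"], params["nonce"]
        if realm not in credentials:
            # Never fall back to another realm's password for an unknown realm.
            raise KeyError(f"no credentials configured for realm {realm!r}")
        user, password = credentials[realm]
        resp = digest_response(user, realm, password, method, uri, nonce)
        # 407 (proxy) is answered with Proxy-Authorization, 401 with Authorization.
        name = "Proxy-Authorization" if status == 407 else "Authorization"
        headers.append(f'{name}: Digest username="{user}", realm="{realm}", '
                       f'nonce="{nonce}", uri="{uri}", response="{resp}"')
    return headers

if __name__ == "__main__":
    constructed = [(407, 'Digest realm="outbound.example.net", nonce="abc123"'),
                   (401, 'Digest realm="pbx.example.com", nonce="def456"')]
    for line in answer_challenges("INVITE", "sip:2000@pbx.example.com", constructed):
        print(line)
```
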