Hello,
I am trying to make a design like below to work.
X-Lite ----- OpenSER ----- Asterisk ----->(PSTN Calls)
X-Lite registers with OpenSer and PSTN calls are routed through Asterisk from OpenSER. When a call is sent to Asterisk, Asterisk tries to authenticate the user on X-Lite. I maintain same username and password for both OpenSER and Asterisk.
Now when an INVITE from X-Lite hits OpenSER, it goes through the following script and is asked for Proxy Authorization:
if (!proxy_authorize("","subscriber")) {
    proxy_challenge("","0");
    exit;
}
When I dial a PSTN number from X-Lite, X-Lite at some point ends up sending two Digests (one for OpenSER and one for Asterisk) in the same INVITE but gets stuck with Proxy Authorization failure (from OpenSER). If I take off the above proxy_authorize section from the OpenSER script, everything works fine.
Can anyone suggest a solution to this?
Thanks in advance.
U 2008/04/23 13:28:42.314669 110.110.110.110:26986 -> 120.120.120.120:5060
INVITE sip:6048484848484@sip.dummydomain.com SIP/2.0.
Via: SIP/2.0/UDP 172.16.40.14:26986;branch=z9hG4bK-d87543-886860777744b40e-1--d87543-;rport.
Max-Forwards: 70.
Contact: sip:1274229212@110.110.110.110:26986.
To: "6048484848484"sip:6048484848484@sip.dummydomain.com.
From: "1274229212"sip:1274229212@sip.dummydomain.com;tag=7d74b26b.
Call-ID: ZjIyNDQzOWIxZTM2MWJjMTgzNmE1YWE3ZDY1M2RjZWE..
CSeq: 3 INVITE.
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO.
Content-Type: application/sdp.
Proxy-Authorization: Digest username="1274229212",realm="asterisk",nonce="01d3972c",uri="sip:6048484848484@sip.dummydomain.com",response="ff9058f8ea89c55d0b110d4eccf27e9c",algorithm=MD5.
Proxy-Authorization: Digest username="1274229212",realm="sip.dummydomain.com",nonce="480ee655da312e1c8f977cae40a747d26f7e9c5f",uri="sip:6048484848484@sip.dummydomain.com",response="361700cce632c00ff70ede5e5126c6ac",algorithm=MD5.
User-Agent: X-Lite release 1011s stamp 41150.
Content-Length: 333.
.
v=0.
o=- 9 2 IN IP4 172.16.40.14.
s=CounterPath X-Lite 3.0.
c=IN IP4 172.16.40.14.
t=0 0.
m=audio 45136 RTP/AVP 0 101.
a=alt:1 3 : gpvy8HMY JXNZYRF+ 172.16.40.14 45136.
a=alt:2 2 : 8S3XPC3M 6q9Z76Pq 192.168.38.1 45136.
a=alt:3 1 : rISpUdBc PRYZ7B/8 192.168.23.1 45136.
a=fmtp:101 0-15.
a=rtpmap:101 telephone-event/8000.
a=sendrecv.

U 2008/04/23 13:28:42.314910 120.120.120.120:5060 -> 110.110.110.110:26986
SIP/2.0 407 Proxy Authentication Required.
Via: SIP/2.0/UDP 172.16.40.14:26986;branch=z9hG4bK-d87543-886860777744b40e-1--d87543-;rport=26986;received=110.110.110.110.
To: "6048484848484"sip:6048484848484@sip.dummydomain.com;tag=058e81974577b8ca6a831d36c0f6fe25.d85d.
From: "1274229212"sip:1274229212@sip.dummydomain.com;tag=7d74b26b.
Call-ID: ZjIyNDQzOWIxZTM2MWJjMTgzNmE1YWE3ZDY1M2RjZWE..
CSeq: 3 INVITE.
Proxy-Authenticate: Digest realm="sip.dummydomain.com", nonce="480ee6560e7141c28e990448575d0918ce86a82d".
Server: OpenSER (1.3.1-notls (i386/linux)).
Content-Length: 0.
Hi Ash,
I guess you first need to decide where you want to have the authentication done - either on openser or on asterisk. But it should be a single place.
Regards, Bogdan
Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
Unfortunately I need to authenticate in both places. Any suggestion will be greatly appreciated.
Hi!
I think it will work for X-lite if you replace proxy_authorize with www_authorize in openser. But X-lite was the only client that works with this setup. Asterisk as a client did not work.
You get both a Proxy-Authorization and a WWW-Authorization in this setup.
/Morten
Hi Morten,
Changing proxy to www indeed works.
I have a separate www auth in the REGISTER section.
I have Asterisk added to trusted table and thus it is not asked for proxy/www auth. So, I guess I can use this as a solution.
Thanks.
On 24 Apr 2008 at 00:55, Ash Rah wrote:
> Unfortunately I need to authenticate in both places. Any suggestion will be greatly appreciated.
SIP authentication is realm based and also built as a challenge-response mechanism. We're not sending username and password in clear text. The server creates a challenge, called a nonce, that is the basis of the authentication scheme. If OpenSER authenticates, there's no way for Asterisk to handle the same authentication headers, since Asterisk did not create the challenge (or the 'nonce' as it is called in the header).
If you have different realms on the servers, then X-lite would have to handle that situation. This is perfectly valid but very few clients support realm based authentication, where you basically set up a list with several sets of credentials, one set per realm (username, secret). Asterisk does support this as a client.
Sorry that I could not come up with a solution, but I hope this explanation helps to understand why it's hard. The usual setup is that you use OpenSER as the authenticating host and set up Asterisk to only trust SIP from OpenSER - by ACL or other means.
/O
--- * Olle E Johansson - oej@edvina.net * Cell phone +46 70 593 68 51, Office +46 8 96 40 20, Sweden
Hi,
On initial INVITEs, both OpenSER and Asterisk send a separate nonce and X-Lite then sends back two different digests in a single following INVITE:
Proxy-Authorization: Digest username="1274229212",realm="asterisk",nonce="01d3972c",uri="sip:6048484848484@sip.dummydomain.com",response="ff9058f8ea89c55d0b110d4eccf27e9c",algorithm=MD5.
Proxy-Authorization: Digest username="1274229212",realm="sip.dummydomain.com",nonce="480ee655da312e1c8f977cae40a747d26f7e9c5f",uri="sip:6048484848484@sip.dummydomain.com",response="361700cce632c00ff70ede5e5126c6ac",algo
The first one is for asterisk, (realm="asterisk") and the second one is for OpenSER. But unfortunately OpenSER probably examines the first digest which causes failed Proxy Authorization.
Is it possible to instruct OpenSER to inspect both of the digests before it makes a decision?
Thanks.
On Friday, 25 April 2008, Ash Rah wrote:
> Hi,
> On initial INVITEs, both OpenSER and Asterisk send a separate nonce and X-Lite then sends back two different digests in a single following INVITE:
> Proxy-Authorization: Digest username="1274229212",realm="asterisk",nonce="01d3972c",uri="sip:6048484848484@sip.dummydomain.com",response="ff9058f8ea89c55d0b110d4eccf27e9c",algorithm=MD5.
> Proxy-Authorization: Digest username="1274229212",realm="sip.dummydomain.com",nonce="480ee655da312e1c8f977cae40a747d26f7e9c5f",uri="sip:6048484848484@sip.dummydomain.com",response="361700cce632c00ff70ede5e5126c6ac",algo
> The first one is for asterisk, (realm="asterisk") and the second one is for OpenSER. But unfortunately OpenSER probably examines the first digest which causes failed Proxy Authorization.
> Is it possible to instruct OpenSER to inspect both of the digests before it makes a decision?
Yes, but you must specify it, try this:
if (!proxy_authorize("sip.dummydomain.com","subscriber")) {
    proxy_challenge("","0");
    exit;
}
Do you understand? If "proxy_authorize" has an empty first parameter then OpenSer tries to authenticate against a realm parameter that the client sends in the first "Proxy-Authorization" header.
Anyway I've never tried it so I'm not sure but hope theoretically it should work XD
Regards.
I passed the domain string as first parameter in proxy_authorize (also in REGISTER's www_authorize in a separate test) - but I still get Proxy Auth Failed.
Getting the same result, two copies of digest response are being sent from X-Lite. OpenSER (most likely) denying Auth based on the Digest issued for Asterisk.
Proxy-Authorization: Digest username="1274229212",realm="asterisk",nonce="1780f1c0",uri="sip:6099999999999@sip.dummydomain",response="bb7a713ee1d85608390ec8adbcc6bda4",algorithm=MD5.
Proxy-Authorization: Digest username="1274229212",realm="sip.dummydomain",nonce="48114cd64a57df739fc9d6131eb3057c3afc3eac",uri="sip:6099999999999@sip.dummydomain",response="89a293207ff00c3bf2d3ec483aa0838d",algorithm=MD5.
On Friday 25 April 2008 03:18:08 Ash Rah wrote:
> I passed the domain string as first parameter in proxy_authorize (also in REGISTER's www_authorize in a separate test) - but I still get Proxy Auth Failed.
> Getting the same result, two copies of digest response are being sent from X-Lite. OpenSER (most likely) denying Auth based on the Digest issued for Asterisk.
> Proxy-Authorization: Digest username="1274229212",realm="asterisk",nonce="1780f1c0",uri="sip:6099999999999@sip.dummydomain",response="bb7a713ee1d85608390ec8adbcc6bda4",algorithm=MD5.
> Proxy-Authorization: Digest username="1274229212",realm="sip.dummydomain",nonce="48114cd64a57df739fc9d6131eb3057c3afc3eac",uri="sip:6099999999999@sip.dummydomain",response="89a293207ff00c3bf2d3ec483aa0838d",algorithm=MD5.
IMHO that should work. If I remember correctly, I set that scenario some time ago (double authentication OpenSer - Asterisk), but I can't confirm it now :(
Yes, it should work but it doesn't. I remember trying this a long time ago (using openser 1.0 and chaining several openser proxies) and I hit the same issue: openser is not able to deal properly with multiple Proxy-Authorization headers.
Regards, Ovidiu Sas
On Fri, Apr 25, 2008 at 5:52 AM, Iñaki Baz Castillo ibc@in.ilimit.es wrote:
On Friday 25 April 2008 03:18:08 Ash Rah wrote:
I passed the domain string as first parameter in proxy_authorize (also in REGISTER's www_authorize in a separate test) - but I still get Proxy Auth Failed.
Getting the same result, two copies of digest response are being sent from X-Lite. OpenSER (most likely) denying Auth based on the Digest issued for Asterisk.
Proxy-Authorization: Digest username="1274229212",realm="asterisk",nonce="1780f1c0",uri="sip:6099999999999@sip.dummydomain",response="bb7a713ee1d85608390ec8adbcc6bda4",algorithm=MD5.
Proxy-Authorization: Digest username="1274229212",realm="sip.dummydomain",nonce="48114cd64a57df739fc9d6131eb3057c3afc3eac",uri="sip:6099999999999@sip.dummydomain",response="89a293207ff00c3bf2d3ec483aa0838d",algorithm=MD5.
IMHO that should work. If I remember correctly, I set that scenario some time ago (double authentication OpenSer - Asterisk), but I can't confirm it now :(
-- Iñaki Baz Castillo ibc@in.ilimit.es
Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
On Friday 25 April 2008 09:57:09 Ovidiu Sas wrote:
Yes, it should work but it doesn't. I remember trying this a long time ago (using openser 1.0 and chaining several openser proxies) and I hit the same issue: openser is not able to deal properly with multiple Proxy-Authorization headers.
So this is a bug (IMHO an important bug), isn't it? Is it reported?
I don't think it is reported.
On Fri, Apr 25, 2008 at 6:36 AM, Iñaki Baz Castillo ibc@in.ilimit.es wrote:
On Friday 25 April 2008 09:57:09 Ovidiu Sas wrote:
Yes, it should work but it doesn't. I remember trying this a long time ago (using openser 1.0 and chaining several openser proxies) and I hit the same issue: openser is not able to deal properly with multiple Proxy-Authorization headers.
So this is a bug (IMHO an important bug), isn't it? Is it reported?
--
Iñaki Baz Castillo ibc@in.ilimit.es
We are having a separate issue now with our ATA - the ATA (a cheap generic brand) we use as our CPE won't issue two digest authentication responses, unlike X-Lite. Seems like we will be forced to use authentication at B2BUA level only after all.
Does anyone know of any ATA that positively supports sending two separate authentication digests for two separate nonces in the same INVITE?
Ovidiu Sas wrote:
I don't think it is reported.
On Fri, Apr 25, 2008 at 6:36 AM, Iñaki Baz Castillo ibc@in.ilimit.es wrote:
On Friday 25 April 2008 09:57:09 Ovidiu Sas wrote:
Yes, it should work but it doesn't.
I remember trying this a long time ago (using openser 1.0 and chaining several openser proxies) and I hit the same issue: openser is not able to deal properly with multiple Proxy-Authorization headers.
So this is a bug (IMHO an important bug), isn't it? Is it reported?
--
Iñaki Baz Castillo ibc@in.ilimit.es
Iñaki Baz Castillo wrote:
On Friday, 25 April 2008, Ash Rah wrote:
Hi,
On initial INVITEs, both OpenSER and Asterisk send separate nonce and X-Lite then sends back two different digests in a single following INVITE :
Proxy-Authorization: Digest username="1274229212",realm="asterisk",nonce="01d3972c",uri="sip:6048484848484@sip.dummydomain.com",response="ff9058f8ea89c55d0b110d4eccf27e9c",algorithm=MD5.
Proxy-Authorization: Digest username="1274229212",realm="sip.dummydomain.com",nonce="480ee655da312e1c8f977cae40a747d26f7e9c5f",uri="sip:6048484848484@sip.dummydomain.com",response="361700cce632c00ff70ede5e5126c6ac",algo
The first one is for asterisk, (realm="asterisk") and the second one is for OpenSER. But unfortunately OpenSER probably examines the first digest which causes failed Proxy Authorization.
Is it possible to instruct OpenSER to inspect both of the digests before it makes a decision?
Yes, but you must specify it, try this:
if (!proxy_authorize("sip.dummydomain.com","subscriber")) { proxy_challenge("","0"); exit; }
Do you understand? If "proxy_authorize" has an empty first parameter then OpenSer tries to authenticate against a realm parameter that the client sends in the first "Proxy-Authorization" header.
Shouldn't the realm be derived from the To/From header?
regards klaus
On Friday 25 April 2008 07:41:09 Klaus Darilion wrote:
Shouldn't the realm be derived from the To/From header?
Except if it's specified in the 401/407 response. Note that some sip providers force the clients to configure a "realm" different than the domain, for example:
REGISTER sip:carpo.net SIP/2.0
To: "ibc" sip:ibc@carpo.net
From: "ibc" sip:ibc@carpo.net;tag=kyhoq

SIP/2.0 401 Unauthorized
WWW-Authenticate: Digest realm="carpo", nonce="4811a871ab94af719b4fcc7e01b491f69aab22d3"

REGISTER sip:carpo.net SIP/2.0
To: "ibc" sip:ibc@carpo.net
From: "ibc" sip:ibc@carpo.net;tag=kyhoq
Authorization: Digest username="ibc", realm="carpo", nonce="4811a871ab94af719b4fcc7e01b491f69aab22d3", uri="sip:carpo.net", response="5cd9163c8ee5eb2aa7979725f45ed80e",algorithm=MD5
Regards.
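The realm matching discussed in this thread, as an added Python sketch (not OpenSER code and not from any poster): a proxy picks, from several Proxy-Authorization headers, the credentials for its own realm and checks the RFC 2617 MD5 response. The user `alice`, the password, the nonces and the `first_only` switch are constructed for illustration; `first_only` models the behaviour the posters suspect, not a verified description of OpenSER.

```python
import hashlib
import hmac
import re

PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    # RFC 2617 digest without qop: MD5(HA1 ":" nonce ":" HA2)
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_proxy_authorization(message):
    """One dict per 'Proxy-Authorization: Digest' header, in message order."""
    creds = []
    for line in message.split("\r\n\r\n", 1)[0].split("\r\n"):  # headers only
        name, _, value = line.partition(":")
        scheme, _, params = value.strip().partition(" ")
        if name.strip().lower() == "proxy-authorization" and scheme.lower() == "digest":
            creds.append({k.lower(): q or u for k, q, u in PARAM_RE.findall(params)})
    return creds

def authorize(message, my_realm, method, password_for, issued_nonces, first_only=False):
    """Return "ok", "reject" (bad response) or "challenge" (send a 407)."""
    creds = parse_proxy_authorization(message)
    if first_only:  # hypothetical: only the first header is examined
        creds = creds[:1]
    result = "challenge"  # nothing usable for our realm yet
    for c in (c for c in creds if c.get("realm") == my_realm):  # skip other realms
        user, nonce = c.get("username", ""), c.get("nonce", "")
        password = password_for(user)
        if password is None or nonce not in issued_nonces:
            continue  # unknown user, or a nonce this proxy never issued
        expected = digest_response(user, my_realm, password, method, c.get("uri", ""), nonce)
        if hmac.compare_digest(expected.encode(), c.get("response", "").lower().encode()):
            return "ok"
        result = "reject"
    return result

def sample_invite():
    """Constructed INVITE with credentials for two realms (all values made up)."""
    uri = "sip:1000@sip.dummydomain.com"
    lines = [f"INVITE {uri} SIP/2.0"]
    for realm, nonce in (("asterisk", "aaaa1111"), ("sip.dummydomain.com", "bbbb2222")):
        resp = digest_response("alice", realm, "s3cret", "INVITE", uri, nonce)
        lines.append(f'Proxy-Authorization: Digest username="alice",realm="{realm}",'
                     f'nonce="{nonce}",uri="{uri}",response="{resp}",algorithm=MD5')
    return "\r\n".join(lines) + "\r\n\r\n"
```

With the constructed INVITE, realm matching accepts the second header, while `first_only=True` sees only the `asterisk` credentials and keeps challenging.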