[Serusers] Credentials with given realm not found
Alex Mack
amack at fhm.edu
Thu Apr 14 15:38:05 CEST 2005
Hi!
SER is sending a nonce in its 401 reply. This is the challenge from the
SER to the UA.
The UA now has to calculate a reply implying his password and the given
nonce. The answer has to be added in an Authorization-Header inside the
next REGISTER.
The message flow (without RADIUS messages) would look like:
UA SER
| |
| REGISTER w/o Auth |
|-------------------->|
| |
| 401 Unauthorized (with nonce)
|<--------------------|
| |
| ACK |
|-------------------->|
| |
| REGISTER with Auth (calculated from nonce)
|-------------------->|
| |
| 200 OK |
|<--------------------|
| |
The second register has to have an "Authorization" header, otherwise
your client is misconfigured or misbehaving. Test it with another
client, e.g. X-Lite (www.xten.com)
Alex Mack
Alex schrieb:
>So Daniel like i understand the problem is my radius configuration,
>another thing is that my ATA sending the same stuff, i mean if i will
>change the sip server to different one where i installed freeradius
>with ser it's working fine.
>
>Daniel where i can start to fix that problem.?
>
>Thank you very much for your time.
>
>On 4/14/05, Alex <alexandergav at gmail.com> wrote:
>
>
>>So Daniel like i understand the problem is my radius configuration,
>>another thing is that my ATA sending the same stuff, i mean if i will
>>change the sip server to different one where i installed freeradius
>>with ser it's working fine.
>>
>>Daniel where i can start to fix that problem.?
>>
>>Thank you very much for your time.
>>
>>
>>On 4/14/05, Daniel-Constantin Mierla <daniel at voice-system.ro> wrote:
>>
>>
>>>The second REGISTER (the block 3) must contains the response to the
>>>authentication challenge carried by 401 reply (block 2). That means that
>>>the block 3 must contain an Authorization header with authentication
>>>credentials computed according to HTTP-Digest authentication mechanism
>>>(RFC2617). Also, see the section 22.Usage of HTTP Authentication in SIP
>>>RFC3261 for more about user authentication in SIP.
>>>
>>>Daniel
>>>
>>>On 04/14/05 13:16, Alex wrote:
>>>
>>>
>>>
>>>>Sorry Daniel , i didn't get that, I send here 4 blocks, 1 one is the
>>>>register request the 2 is the reply from the server, 3 is the register
>>>>request, 4 is the reply from the server. If you can please point me to
>>>>the problem. Because like i see the 2 register requests (1,3 blocks)
>>>>are the same.
>>>>
>>>>
>>>>On 4/14/05, Daniel-Constantin Mierla <daniel at voice-system.ro> wrote:
>>>>
>>>>
>>>>
>>>>
>>>>>As you can see, the second REGISTER does not contain the authentication
>>>>>credentials (No Authorization header) in response to 401 reply. So,
>>>>>either you didn't configure the phone to authenticate or the Grandstream
>>>>>HT286 1.0.5.18 is faulty.
>>>>>
>>>>>Daniel
>>>>>
>>>>>
>>>>>On 04/14/05 12:35, Alex wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>Daniel thanks
>>>>>>btw it's clean installation of Red Hat Enterprise Linux AS release 3
>>>>>>ser-08.14 , freeradius-1.2 , radiusclient-4.8
>>>>>>
>>>>>>i am sending ngrep port 5060
>>>>>>i have here 2 requests of register and the replies to register.
>>>>>>
>>>>>>
>>>>>>xxx.xxx.xxx.xxx - sipserverip
>>>>>>telephoneip - ip where the call coming from
>>>>>>Phonenumber - phone number
>>>>>>
>>>>>>--------------------------------------------------------------------------------------------------
>>>>>>
>>>>>>U telephoneip:10739 -> xxx.xxx.xxx.xxx:5060
>>>>>>REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
>>>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex" <
>>>>>>sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
>>>>>><sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>..Contact: <sip
>>>>>>:Phonenumber at telephoneip:10000;user=phone>..Call-ID:
>>>>>>1cff1b8955b8fa5c at 10.0.0.4..CSeq: 106 REGISTER..Expires:
>>>>>>3600..User-Agent
>>>>>>: Grandstream HT286 1.0.5.18..Max-Forwards: 70..Allow:
>>>>>>INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Lengt
>>>>>>h: 0....
>>>>>>#
>>>>>>U xxx.xxx.xxx.xxx:5060 -> telephoneip:10000
>>>>>>SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>>>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex"
>>>>>><sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
>>>>>><sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>;tag=b27e1a1d33761e85846fc9
>>>>>>8f5f3a7e58.f894..Call-ID: 1cff1b8955b8fa5c at 10.0.0.4..CSeq: 106
>>>>>>REGISTER..WWW-Authenticate: Digest realm="xxx.xxx.xxx.xxx", nonc
>>>>>>e="425e3ac34dc9509392435c11fb260f41420049c7"..Server: Sip EXpress
>>>>>>router (0.8.14 (i386/linux))..Content-Length: 0..Warning: 392
>>>>>> xxx.xxx.xxx.xxx:5060 "Noisy feedback tells: pid=1912
>>>>>>req_src_ip=telephoneip req_src_port=10739 in_uri=sip:xxx.xxx.xxx.xxx
>>>>>>out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....
>>>>>>#
>>>>>>
>>>>>>U telephoneip:10740 -> xxx.xxx.xxx.xxx:5060
>>>>>>REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
>>>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex" <
>>>>>>sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
>>>>>><sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>..Contact: <sip
>>>>>>:Phonenumber at telephoneip:10000;user=phone>..Call-ID:
>>>>>>1cff1b8955b8fa5c at 10.0.0.4..CSeq: 106 REGISTER..Expires:
>>>>>>3600..User-Agent
>>>>>>: Grandstream HT286 1.0.5.18..Max-Forwards: 70..Allow:
>>>>>>INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Lengt
>>>>>>h: 0....
>>>>>>#
>>>>>>U xxx.xxx.xxx.xxx:5060 -> telephoneip:10000
>>>>>>SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>>>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex"
>>>>>><sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
>>>>>><sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>;tag=b27e1a1d33761e85846fc9
>>>>>>8f5f3a7e58.f894..Call-ID: 1cff1b8955b8fa5c at 10.0.0.4..CSeq: 106
>>>>>>REGISTER..WWW-Authenticate: Digest realm="xxx.xxx.xxx.xxx", nonc
>>>>>>e="425e3acb812b5b2e8aa023e3fcffc618dc4cf661"..Server: Sip EXpress
>>>>>>router (0.8.14 (i386/linux))..Content-Length: 0..Warning: 392
>>>>>> xxx.xxx.xxx.xxx:5060 "Noisy feedback tells: pid=1885
>>>>>>req_src_ip=telephoneip req_src_port=10740 in_uri=sip:xxx.xxx.xxx.xxx
>>>>>>out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....
>>>>>>#
>>>>>>
>>>>>>
>>>>>>tell me if you need something else.
>>>>>>
>>>>>>
>>>>>>On 4/14/05, Daniel-Constantin Mierla <daniel at voice-system.ro> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>Could you post the network dump with REGISTER/401/REGISTER messages? I
>>>>>>>will take a look to see if something is wrong.
>>>>>>>
>>>>>>>
>>>>>>>On 04/14/05 12:16, Alex wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>Digest realm is the same for the register requests.
>>>>>>>>furthermore the realm in To tag is correct.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>Did you mean To URI instead of To tag?
>>>>>>>
>>>>>>>Daniel
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>what else it can be.
>>>>>>>>Thanks for any help.
>>>>>>>>
>>>>>>>>On 4/14/05, Daniel-Constantin Mierla <daniel at voice-system.ro> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>Watch the network traffic (ngrep or ethereal on port 5060) and check the
>>>>>>>>>realm from 401 is the same as the one from next REGISTER. Also, when
>>>>>>>>>you use the empty realm parameter to radius_ww_authorize() and
>>>>>>>>>www_challenge(), the realm is taken from To URI.
>>>>>>>>>
>>>>>>>>>Daniel
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>On 04/14/05 08:08, Alex wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>Hi guys maybe someone can find the problem, i still can't see anything
>>>>>>>>>>going to radius authentication. (the radius logs are empty)
>>>>>>>>>>
>>>>>>>>>>the register request is coming but it's not going to authenticate
>>>>>>>>>>through the radius.
>>>>>>>>>>Any help will be appreciated.
>>>>>>>>>>
>>>>>>>>>>here is the debug from ser :
>>>>>>>>>>---------------------------------------------------------------------------------------------
>>>>>>>>>>14(1036) parse_headers: flags=-1
>>>>>>>>>>14(1036) check_via_address(62.219.158.191, 62.219.158.191, 1)
>>>>>>>>>>14(1036) DEBUG:destroy_avp_list: destroing list (nil)
>>>>>>>>>>14(1036) receive_msg: cleaning up
>>>>>>>>>>9(1012) SIP Request:
>>>>>>>>>>9(1012) method: <REGISTER>
>>>>>>>>>>9(1012) uri: <sip:xxx.xxx.xxx.xxx>
>>>>>>>>>>9(1012) version: <SIP/2.0>
>>>>>>>>>>9(1012) parse_headers: flags=1
>>>>>>>>>>9(1012) Found param type 232, <branch> = <z9hG4bKfc5751413c832e6d>; state=16
>>>>>>>>>>9(1012) end of header reached, state=5
>>>>>>>>>>9(1012) parse_headers: Via found, flags=1
>>>>>>>>>>9(1012) parse_headers: this is the first via
>>>>>>>>>>9(1012) After parse_msg...
>>>>>>>>>>9(1012) preparing to run routing scripts...
>>>>>>>>>>9(1012) REGISTER: Authenticating user
>>>>>>>>>>9(1012) parse_headers: flags=4
>>>>>>>>>>9(1012) end of header reached, state=9
>>>>>>>>>>9(1012) DEBUG: get_hdr_field: <To> [45];
>>>>>>>>>>uri=[sip:phonenumber at xxx.xxx.xxx.xxx;user=phone]
>>>>>>>>>>9(1012) DEBUG: to body [<sip:phonenumber at xxx.xxx.xxx.xxx;user=phone>
>>>>>>>>>>]
>>>>>>>>>>
>>>>>>>>>>9(1012) parse_headers: flags=4096
>>>>>>>>>>9(1012) get_hdr_field: cseq <CSeq>: <103> <REGISTER>
>>>>>>>>>>9(1012) DEBUG: get_hdr_body : content_length=0
>>>>>>>>>>9(1012) found end of header
>>>>>>>>>>9(1012) pre_auth(): Credentials with given realm not found
>>>>>>>>>>9(1012) REGISTER: challenging user
>>>>>>>>>>9(1012) build_auth_hf(): 'WWW-Authenticate: Digest
>>>>>>>>>>realm="xxx.xxx.xxx.xxx",
>>>>>>>>>>nonce="425e063022afc1142ed6730d46da41692ff3ed57"
>>>>>>>>>>
>>>>>>>>>>_______________________________________________
>>>>>>>>>>Serusers mailing list
>>>>>>>>>>serusers at lists.iptel.org
>>>>>>>>>>http://lists.iptel.org/mailman/listinfo/serusers
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>>>
>
>_______________________________________________
>Serusers mailing list
>serusers at lists.iptel.org
>http://lists.iptel.org/mailman/listinfo/serusers
>
>
>
>
More information about the sr-users
mailing list