[Serusers] Credentials with given realm not found

Alex alexandergav at gmail.com
Thu Apr 14 16:33:25 CEST 2005 

Alex hi thanks for the fast reply.

I tried to use other client and it's seems to work, very strange, if i
am changing in my client to use other server i can see the
authentication process in the radius logs, but when i swap ip to my
server i can't see anything in the radius logs.

BTW the other ip phone working great.

thanks for help.


On 4/14/05, Alex <alexandergav at gmail.com> wrote:
> Alex hi thanks for the fast reply.
> 
> I tried to use other client and it's seems to work, very strange, if i
> am changing in my client to use other server i can see the
> authentication process in the radius logs, but when i swap ip to my
> server i can't see anything in the radius logs.
> 
> BTW the other ip phone working great.
> 
> thanks for help.
> 
> 
> On 4/14/05, Alex Mack <amack at fhm.edu> wrote:
> > Hi!
> >
> > SER is sending a nonce in its 401 reply. This is the challenge from the
> > SER to the UA.
> > The UA now has to calculate a reply implying his password and the given
> > nonce. The answer has to be added in an Authorization-Header inside the
> > next REGISTER.
> >
> > The message flow (without RADIUS messages) would look like:
> >
> >  UA                   SER
> >  |                     |
> >  | REGISTER w/o Auth   |
> >  |-------------------->|
> >  |                     |
> >  | 401 Unauthorized (with nonce)
> >  |<--------------------|
> >  |                     |
> >  | ACK                 |
> >  |-------------------->|
> >  |                     |
> >  | REGISTER with Auth (calculated from nonce)
> >  |-------------------->|
> >  |                     |
> >  | 200 OK              |
> >  |<--------------------|
> >  |                     |
> >
> > The second register has to have an "Authorization" header, otherwise
> > your client is misconfigured or misbehaving. Test it with another
> > client, e.g. X-Lite (www.xten.com)
> >
> > Alex Mack
> >
> > Alex schrieb:
> >
> > >So Daniel like i understand the problem is my radius configuration,
> > >another thing is that my ATA sending the same stuff, i mean if i will
> > >change the sip server to different one where i installed freeradius
> > >with ser it's working fine.
> > >
> > >Daniel where i can start to fix that problem.?
> > >
> > >Thank you very much for your time.
> > >
> > >On 4/14/05, Alex <alexandergav at gmail.com> wrote:
> > >
> > >
> > >>So Daniel like i understand the problem is my radius configuration,
> > >>another thing is that my ATA sending the same stuff, i mean if i will
> > >>change the sip server to different one where i installed freeradius
> > >>with ser it's working fine.
> > >>
> > >>Daniel where i can start to fix that problem.?
> > >>
> > >>Thank you very much for your time.
> > >>
> > >>
> > >>On 4/14/05, Daniel-Constantin Mierla <daniel at voice-system.ro> wrote:
> > >>
> > >>
> > >>>The second REGISTER (the block 3) must contains the response to the
> > >>>authentication challenge carried by 401 reply (block 2). That means that
> > >>>the block 3 must contain an Authorization header with authentication
> > >>>credentials computed according to HTTP-Digest authentication mechanism
> > >>>(RFC2617). Also, see the section 22.Usage of HTTP Authentication in SIP
> > >>>RFC3261 for more about user authentication in SIP.
> > >>>
> > >>>Daniel
> > >>>
> > >>>On 04/14/05 13:16, Alex wrote:
> > >>>
> > >>>
> > >>>
> > >>>>Sorry Daniel , i didn't get that, I send here 4 blocks, 1 one is the
> > >>>>register request the 2 is the reply from the server, 3 is the register
> > >>>>request, 4 is the reply from the server. If you can please point me to
> > >>>>the problem. Because like i see the 2 register requests (1,3 blocks)
> > >>>>are the same.
> > >>>>
> > >>>>
> > >>>>On 4/14/05, Daniel-Constantin Mierla <daniel at voice-system.ro> wrote:
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>>>As you can see, the second REGISTER does not contain the authentication
> > >>>>>credentials (No Authorization header) in response to 401 reply. So,
> > >>>>>either you didn't configure the phone to authenticate or the Grandstream
> > >>>>>HT286 1.0.5.18 is faulty.
> > >>>>>
> > >>>>>Daniel
> > >>>>>
> > >>>>>
> > >>>>>On 04/14/05 12:35, Alex wrote:
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>>Daniel thanks
> > >>>>>>btw it's clean installation of Red Hat Enterprise Linux AS release 3
> > >>>>>>ser-08.14 , freeradius-1.2  , radiusclient-4.8
> > >>>>>>
> > >>>>>>i am sending ngrep port 5060
> > >>>>>>i have here 2 requests of register and the replies to register.
> > >>>>>>
> > >>>>>>
> > >>>>>>xxx.xxx.xxx.xxx  - sipserverip
> > >>>>>>telephoneip - ip where the call coming from
> > >>>>>>Phonenumber - phone number
> > >>>>>>
> > >>>>>>--------------------------------------------------------------------------------------------------
> > >>>>>>
> > >>>>>>U telephoneip:10739 -> xxx.xxx.xxx.xxx:5060
> > >>>>>>REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
> > >>>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex" <
> > >>>>>>sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
> > >>>>>><sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>..Contact: <sip
> > >>>>>>:Phonenumber at telephoneip:10000;user=phone>..Call-ID:
> > >>>>>>1cff1b8955b8fa5c at 10.0.0.4..CSeq: 106 REGISTER..Expires:
> > >>>>>>3600..User-Agent
> > >>>>>>: Grandstream HT286 1.0.5.18..Max-Forwards: 70..Allow:
> > >>>>>>INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Lengt
> > >>>>>>h: 0....
> > >>>>>>#
> > >>>>>>U xxx.xxx.xxx.xxx:5060 -> telephoneip:10000
> > >>>>>>SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
> > >>>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex"
> > >>>>>><sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
> > >>>>>><sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>;tag=b27e1a1d33761e85846fc9
> > >>>>>>8f5f3a7e58.f894..Call-ID: 1cff1b8955b8fa5c at 10.0.0.4..CSeq: 106
> > >>>>>>REGISTER..WWW-Authenticate: Digest realm="xxx.xxx.xxx.xxx", nonc
> > >>>>>>e="425e3ac34dc9509392435c11fb260f41420049c7"..Server: Sip EXpress
> > >>>>>>router (0.8.14 (i386/linux))..Content-Length: 0..Warning: 392
> > >>>>>> xxx.xxx.xxx.xxx:5060 "Noisy feedback tells:  pid=1912
> > >>>>>>req_src_ip=telephoneip req_src_port=10739 in_uri=sip:xxx.xxx.xxx.xxx
> > >>>>>>out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....
> > >>>>>>#
> > >>>>>>
> > >>>>>>U telephoneip:10740 -> xxx.xxx.xxx.xxx:5060
> > >>>>>>REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
> > >>>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex" <
> > >>>>>>sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
> > >>>>>><sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>..Contact: <sip
> > >>>>>>:Phonenumber at telephoneip:10000;user=phone>..Call-ID:
> > >>>>>>1cff1b8955b8fa5c at 10.0.0.4..CSeq: 106 REGISTER..Expires:
> > >>>>>>3600..User-Agent
> > >>>>>>: Grandstream HT286 1.0.5.18..Max-Forwards: 70..Allow:
> > >>>>>>INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Lengt
> > >>>>>>h: 0....
> > >>>>>>#
> > >>>>>>U xxx.xxx.xxx.xxx:5060 -> telephoneip:10000
> > >>>>>>SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
> > >>>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex"
> > >>>>>><sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
> > >>>>>><sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>;tag=b27e1a1d33761e85846fc9
> > >>>>>>8f5f3a7e58.f894..Call-ID: 1cff1b8955b8fa5c at 10.0.0.4..CSeq: 106
> > >>>>>>REGISTER..WWW-Authenticate: Digest realm="xxx.xxx.xxx.xxx", nonc
> > >>>>>>e="425e3acb812b5b2e8aa023e3fcffc618dc4cf661"..Server: Sip EXpress
> > >>>>>>router (0.8.14 (i386/linux))..Content-Length: 0..Warning: 392
> > >>>>>> xxx.xxx.xxx.xxx:5060 "Noisy feedback tells:  pid=1885
> > >>>>>>req_src_ip=telephoneip req_src_port=10740 in_uri=sip:xxx.xxx.xxx.xxx
> > >>>>>>out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....
> > >>>>>>#
> > >>>>>>
> > >>>>>>
> > >>>>>>tell me if you need something else.
> > >>>>>>
> > >>>>>>
> > >>>>>>On 4/14/05, Daniel-Constantin Mierla <daniel at voice-system.ro> wrote:
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>>Could you post the network dump with REGISTER/401/REGISTER messages? I
> > >>>>>>>will take a look to see if something is wrong.
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>On 04/14/05 12:16, Alex wrote:
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>>Digest realm is the same for the register requests.
> > >>>>>>>>furthermore the realm in To tag is correct.
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>Did you mean To URI instead of To tag?
> > >>>>>>>
> > >>>>>>>Daniel
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>>what else it can be.
> > >>>>>>>>Thanks for any help.
> > >>>>>>>>
> > >>>>>>>>On 4/14/05, Daniel-Constantin Mierla <daniel at voice-system.ro> wrote:
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>>Watch the network traffic (ngrep or ethereal on port 5060) and check the
> > >>>>>>>>>realm from 401 is the same as the one from next REGISTER.  Also, when
> > >>>>>>>>>you use the empty realm parameter to radius_ww_authorize() and
> > >>>>>>>>>www_challenge(), the realm is taken from To URI.
> > >>>>>>>>>
> > >>>>>>>>>Daniel
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>>On 04/14/05 08:08, Alex wrote:
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>>>Hi guys maybe someone can find the problem, i still can't see anything
> > >>>>>>>>>>going to radius authentication. (the radius logs are empty)
> > >>>>>>>>>>
> > >>>>>>>>>>the register request is coming but it's not going to authenticate
> > >>>>>>>>>>through the radius.
> > >>>>>>>>>>Any help will be appreciated.
> > >>>>>>>>>>
> > >>>>>>>>>>here is the debug from ser :
> > >>>>>>>>>>---------------------------------------------------------------------------------------------
> > >>>>>>>>>>14(1036) parse_headers: flags=-1
> > >>>>>>>>>>14(1036) check_via_address(62.219.158.191, 62.219.158.191, 1)
> > >>>>>>>>>>14(1036) DEBUG:destroy_avp_list: destroing list (nil)
> > >>>>>>>>>>14(1036) receive_msg: cleaning up
> > >>>>>>>>>>9(1012) SIP Request:
> > >>>>>>>>>>9(1012)  method:  <REGISTER>
> > >>>>>>>>>>9(1012)  uri:     <sip:xxx.xxx.xxx.xxx>
> > >>>>>>>>>>9(1012)  version: <SIP/2.0>
> > >>>>>>>>>>9(1012) parse_headers: flags=1
> > >>>>>>>>>>9(1012) Found param type 232, <branch> = <z9hG4bKfc5751413c832e6d>; state=16
> > >>>>>>>>>>9(1012) end of header reached, state=5
> > >>>>>>>>>>9(1012) parse_headers: Via found, flags=1
> > >>>>>>>>>>9(1012) parse_headers: this is the first via
> > >>>>>>>>>>9(1012) After parse_msg...
> > >>>>>>>>>>9(1012) preparing to run routing scripts...
> > >>>>>>>>>>9(1012) REGISTER: Authenticating user
> > >>>>>>>>>>9(1012) parse_headers: flags=4
> > >>>>>>>>>>9(1012) end of header reached, state=9
> > >>>>>>>>>>9(1012) DEBUG: get_hdr_field: <To> [45];
> > >>>>>>>>>>uri=[sip:phonenumber at xxx.xxx.xxx.xxx;user=phone]
> > >>>>>>>>>>9(1012) DEBUG: to body [<sip:phonenumber at xxx.xxx.xxx.xxx;user=phone>
> > >>>>>>>>>>]
> > >>>>>>>>>>
> > >>>>>>>>>>9(1012) parse_headers: flags=4096
> > >>>>>>>>>>9(1012) get_hdr_field: cseq <CSeq>: <103> <REGISTER>
> > >>>>>>>>>>9(1012) DEBUG: get_hdr_body : content_length=0
> > >>>>>>>>>>9(1012) found end of header
> > >>>>>>>>>>9(1012) pre_auth(): Credentials with given realm not found
> > >>>>>>>>>>9(1012) REGISTER: challenging user
> > >>>>>>>>>>9(1012) build_auth_hf(): 'WWW-Authenticate: Digest
> > >>>>>>>>>>realm="xxx.xxx.xxx.xxx",
> > >>>>>>>>>>nonce="425e063022afc1142ed6730d46da41692ff3ed57"
> > >>>>>>>>>>
> > >>>>>>>>>>_______________________________________________
> > >>>>>>>>>>Serusers mailing list
> > >>>>>>>>>>serusers at lists.iptel.org
> > >>>>>>>>>>http://lists.iptel.org/mailman/listinfo/serusers
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>
> > >>>>
> > >>>>
> > >
> > >_______________________________________________
> > >Serusers mailing list
> > >serusers at lists.iptel.org
> > >http://lists.iptel.org/mailman/listinfo/serusers
> > >
> > >
> > >
> > >
> >
> >
>

More information about the sr-users mailing list