[Serusers] Credentials with given realm not found

Alex alexandergav at gmail.com
Sat Apr 16 09:23:22 CEST 2005 

so if the 2-nd register has to have Authorization header , how i can
fix it so it will have it, because if i change the client to use
different server it's working fine.
If there any thing i can do on the server side to fix it ??

Thanks for any help.

On 4/14/05, Alex Mack <amack at fhm.edu> wrote:
> Hi!
> 
> SER is sending a nonce in its 401 reply. This is the challenge from the
> SER to the UA.
> The UA now has to calculate a reply implying his password and the given
> nonce. The answer has to be added in an Authorization-Header inside the
> next REGISTER.
> 
> The message flow (without RADIUS messages) would look like:
> 
>  UA                   SER
>  |                     |
>  | REGISTER w/o Auth   |
>  |-------------------->|
>  |                     |
>  | 401 Unauthorized (with nonce)
>  |<--------------------|
>  |                     |
>  | ACK                 |
>  |-------------------->|
>  |                     |
>  | REGISTER with Auth (calculated from nonce)
>  |-------------------->|
>  |                     |
>  | 200 OK              |
>  |<--------------------|
>  |                     |
> 
> The second register has to have an "Authorization" header, otherwise
> your client is misconfigured or misbehaving. Test it with another
> client, e.g. X-Lite (www.xten.com)
> 
> Alex Mack
> 
> Alex schrieb:
> 
> >So Daniel like i understand the problem is my radius configuration,
> >another thing is that my ATA sending the same stuff, i mean if i will
> >change the sip server to different one where i installed freeradius
> >with ser it's working fine.
> >
> >Daniel where i can start to fix that problem.?
> >
> >Thank you very much for your time.
> >
> >On 4/14/05, Alex <alexandergav at gmail.com> wrote:
> >
> >
> >>So Daniel like i understand the problem is my radius configuration,
> >>another thing is that my ATA sending the same stuff, i mean if i will
> >>change the sip server to different one where i installed freeradius
> >>with ser it's working fine.
> >>
> >>Daniel where i can start to fix that problem.?
> >>
> >>Thank you very much for your time.
> >>
> >>
> >>On 4/14/05, Daniel-Constantin Mierla <daniel at voice-system.ro> wrote:
> >>
> >>
> >>>The second REGISTER (the block 3) must contains the response to the
> >>>authentication challenge carried by 401 reply (block 2). That means that
> >>>the block 3 must contain an Authorization header with authentication
> >>>credentials computed according to HTTP-Digest authentication mechanism
> >>>(RFC2617). Also, see the section 22.Usage of HTTP Authentication in SIP
> >>>RFC3261 for more about user authentication in SIP.
> >>>
> >>>Daniel
> >>>
> >>>On 04/14/05 13:16, Alex wrote:
> >>>
> >>>
> >>>
> >>>>Sorry Daniel , i didn't get that, I send here 4 blocks, 1 one is the
> >>>>register request the 2 is the reply from the server, 3 is the register
> >>>>request, 4 is the reply from the server. If you can please point me to
> >>>>the problem. Because like i see the 2 register requests (1,3 blocks)
> >>>>are the same.
> >>>>
> >>>>
> >>>>On 4/14/05, Daniel-Constantin Mierla <daniel at voice-system.ro> wrote:
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>As you can see, the second REGISTER does not contain the authentication
> >>>>>credentials (No Authorization header) in response to 401 reply. So,
> >>>>>either you didn't configure the phone to authenticate or the Grandstream
> >>>>>HT286 1.0.5.18 is faulty.
> >>>>>
> >>>>>Daniel
> >>>>>
> >>>>>
> >>>>>On 04/14/05 12:35, Alex wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>>Daniel thanks
> >>>>>>btw it's clean installation of Red Hat Enterprise Linux AS release 3
> >>>>>>ser-08.14 , freeradius-1.2  , radiusclient-4.8
> >>>>>>
> >>>>>>i am sending ngrep port 5060
> >>>>>>i have here 2 requests of register and the replies to register.
> >>>>>>
> >>>>>>
> >>>>>>xxx.xxx.xxx.xxx  - sipserverip
> >>>>>>telephoneip - ip where the call coming from
> >>>>>>Phonenumber - phone number
> >>>>>>
> >>>>>>--------------------------------------------------------------------------------------------------
> >>>>>>
> >>>>>>U telephoneip:10739 -> xxx.xxx.xxx.xxx:5060
> >>>>>>REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
> >>>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex" <
> >>>>>>sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
> >>>>>><sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>..Contact: <sip
> >>>>>>:Phonenumber at telephoneip:10000;user=phone>..Call-ID:
> >>>>>>1cff1b8955b8fa5c at 10.0.0.4..CSeq: 106 REGISTER..Expires:
> >>>>>>3600..User-Agent
> >>>>>>: Grandstream HT286 1.0.5.18..Max-Forwards: 70..Allow:
> >>>>>>INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Lengt
> >>>>>>h: 0....
> >>>>>>#
> >>>>>>U xxx.xxx.xxx.xxx:5060 -> telephoneip:10000
> >>>>>>SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
> >>>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex"
> >>>>>><sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
> >>>>>><sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>;tag=b27e1a1d33761e85846fc9
> >>>>>>8f5f3a7e58.f894..Call-ID: 1cff1b8955b8fa5c at 10.0.0.4..CSeq: 106
> >>>>>>REGISTER..WWW-Authenticate: Digest realm="xxx.xxx.xxx.xxx", nonc
> >>>>>>e="425e3ac34dc9509392435c11fb260f41420049c7"..Server: Sip EXpress
> >>>>>>router (0.8.14 (i386/linux))..Content-Length: 0..Warning: 392
> >>>>>> xxx.xxx.xxx.xxx:5060 "Noisy feedback tells:  pid=1912
> >>>>>>req_src_ip=telephoneip req_src_port=10739 in_uri=sip:xxx.xxx.xxx.xxx
> >>>>>>out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....
> >>>>>>#
> >>>>>>
> >>>>>>U telephoneip:10740 -> xxx.xxx.xxx.xxx:5060
> >>>>>>REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
> >>>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex" <
> >>>>>>sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
> >>>>>><sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>..Contact: <sip
> >>>>>>:Phonenumber at telephoneip:10000;user=phone>..Call-ID:
> >>>>>>1cff1b8955b8fa5c at 10.0.0.4..CSeq: 106 REGISTER..Expires:
> >>>>>>3600..User-Agent
> >>>>>>: Grandstream HT286 1.0.5.18..Max-Forwards: 70..Allow:
> >>>>>>INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Lengt
> >>>>>>h: 0....
> >>>>>>#
> >>>>>>U xxx.xxx.xxx.xxx:5060 -> telephoneip:10000
> >>>>>>SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
> >>>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex"
> >>>>>><sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
> >>>>>><sip:Phonenumber at xxx.xxx.xxx.xxx;user=phone>;tag=b27e1a1d33761e85846fc9
> >>>>>>8f5f3a7e58.f894..Call-ID: 1cff1b8955b8fa5c at 10.0.0.4..CSeq: 106
> >>>>>>REGISTER..WWW-Authenticate: Digest realm="xxx.xxx.xxx.xxx", nonc
> >>>>>>e="425e3acb812b5b2e8aa023e3fcffc618dc4cf661"..Server: Sip EXpress
> >>>>>>router (0.8.14 (i386/linux))..Content-Length: 0..Warning: 392
> >>>>>> xxx.xxx.xxx.xxx:5060 "Noisy feedback tells:  pid=1885
> >>>>>>req_src_ip=telephoneip req_src_port=10740 in_uri=sip:xxx.xxx.xxx.xxx
> >>>>>>out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....
> >>>>>>#
> >>>>>>
> >>>>>>
> >>>>>>tell me if you need something else.
> >>>>>>
> >>>>>>
> >>>>>>On 4/14/05, Daniel-Constantin Mierla <daniel at voice-system.ro> wrote:
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>>Could you post the network dump with REGISTER/401/REGISTER messages? I
> >>>>>>>will take a look to see if something is wrong.
> >>>>>>>
> >>>>>>>
> >>>>>>>On 04/14/05 12:16, Alex wrote:
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>>Digest realm is the same for the register requests.
> >>>>>>>>furthermore the realm in To tag is correct.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>Did you mean To URI instead of To tag?
> >>>>>>>
> >>>>>>>Daniel
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>>what else it can be.
> >>>>>>>>Thanks for any help.
> >>>>>>>>
> >>>>>>>>On 4/14/05, Daniel-Constantin Mierla <daniel at voice-system.ro> wrote:
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>>Watch the network traffic (ngrep or ethereal on port 5060) and check the
> >>>>>>>>>realm from 401 is the same as the one from next REGISTER.  Also, when
> >>>>>>>>>you use the empty realm parameter to radius_ww_authorize() and
> >>>>>>>>>www_challenge(), the realm is taken from To URI.
> >>>>>>>>>
> >>>>>>>>>Daniel
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>On 04/14/05 08:08, Alex wrote:
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>>Hi guys maybe someone can find the problem, i still can't see anything
> >>>>>>>>>>going to radius authentication. (the radius logs are empty)
> >>>>>>>>>>
> >>>>>>>>>>the register request is coming but it's not going to authenticate
> >>>>>>>>>>through the radius.
> >>>>>>>>>>Any help will be appreciated.
> >>>>>>>>>>
> >>>>>>>>>>here is the debug from ser :
> >>>>>>>>>>---------------------------------------------------------------------------------------------
> >>>>>>>>>>14(1036) parse_headers: flags=-1
> >>>>>>>>>>14(1036) check_via_address(62.219.158.191, 62.219.158.191, 1)
> >>>>>>>>>>14(1036) DEBUG:destroy_avp_list: destroing list (nil)
> >>>>>>>>>>14(1036) receive_msg: cleaning up
> >>>>>>>>>>9(1012) SIP Request:
> >>>>>>>>>>9(1012)  method:  <REGISTER>
> >>>>>>>>>>9(1012)  uri:     <sip:xxx.xxx.xxx.xxx>
> >>>>>>>>>>9(1012)  version: <SIP/2.0>
> >>>>>>>>>>9(1012) parse_headers: flags=1
> >>>>>>>>>>9(1012) Found param type 232, <branch> = <z9hG4bKfc5751413c832e6d>; state=16
> >>>>>>>>>>9(1012) end of header reached, state=5
> >>>>>>>>>>9(1012) parse_headers: Via found, flags=1
> >>>>>>>>>>9(1012) parse_headers: this is the first via
> >>>>>>>>>>9(1012) After parse_msg...
> >>>>>>>>>>9(1012) preparing to run routing scripts...
> >>>>>>>>>>9(1012) REGISTER: Authenticating user
> >>>>>>>>>>9(1012) parse_headers: flags=4
> >>>>>>>>>>9(1012) end of header reached, state=9
> >>>>>>>>>>9(1012) DEBUG: get_hdr_field: <To> [45];
> >>>>>>>>>>uri=[sip:phonenumber at xxx.xxx.xxx.xxx;user=phone]
> >>>>>>>>>>9(1012) DEBUG: to body [<sip:phonenumber at xxx.xxx.xxx.xxx;user=phone>
> >>>>>>>>>>]
> >>>>>>>>>>
> >>>>>>>>>>9(1012) parse_headers: flags=4096
> >>>>>>>>>>9(1012) get_hdr_field: cseq <CSeq>: <103> <REGISTER>
> >>>>>>>>>>9(1012) DEBUG: get_hdr_body : content_length=0
> >>>>>>>>>>9(1012) found end of header
> >>>>>>>>>>9(1012) pre_auth(): Credentials with given realm not found
> >>>>>>>>>>9(1012) REGISTER: challenging user
> >>>>>>>>>>9(1012) build_auth_hf(): 'WWW-Authenticate: Digest
> >>>>>>>>>>realm="xxx.xxx.xxx.xxx",
> >>>>>>>>>>nonce="425e063022afc1142ed6730d46da41692ff3ed57"
> >>>>>>>>>>
> >>>>>>>>>>_______________________________________________
> >>>>>>>>>>Serusers mailing list
> >>>>>>>>>>serusers at lists.iptel.org
> >>>>>>>>>>http://lists.iptel.org/mailman/listinfo/serusers
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>
> >>>>
> >>>>
> >
> >_______________________________________________
> >Serusers mailing list
> >serusers at lists.iptel.org
> >http://lists.iptel.org/mailman/listinfo/serusers
> >
> >
> >
> >
> 
>

More information about the sr-users mailing list