[Serusers] Can't solve the problem. Need help.

Alex Vishnev avishnev at optonline.net
Sat Apr 16 19:40:48 CEST 2005 

Alex,

I found this interesting and don't know if this is what is causing your
problem. Normally, when register is issued the Via header indicates where
UAS/proxy should respond. In your first packet, here is what's happening:

U sourceip:26012 -> xxx.xxx.xxx.xxx:5060
  REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..
  Via: SIP/2.0/UDP sourceip:22115;

It looks like UA wants to receive the response back on port 22115. Now, SER
sends the response to that port, but it does not look like UA is listening
there, as UA just re-originates REGISTER. The question I have is why do you
have a strange port number, instead of 5060? So it looks to me the reason
why you never getting another REGISTER with credentials is because 401
Unauthorized never makes it to your Grandstream UA.


So I would do the following:

1. Check with Grandstream to see if your firmware is the latest/stable
version. I use Grandstream Bt100 and have not problems. I know grandstream
is pretty good in resolving problems.

2. If UA is behind NAT, please make sure that grandstream is configured for
NAT traversal.

Hope this helps

Alex Vishnev

-----Original Message-----
From: serusers-bounces at iptel.org [mailto:serusers-bounces at lists.iptel.org] On
Behalf Of Alex
Sent: Saturday, April 16, 2005 12:13 PM
To: aland at ox.org; freeradius-users at lists.freeradius.org; serusers at lists.iptel.org;
amack at fhm.edu; daniel at voice-system.ro
Subject: [Serusers] Can't solve the problem. Need help.

This is the answer i got on the list :
The second REGISTER (the block 3) must contains the response to the
authentication challenge carried by 401 reply (block 2). That means that
the block 3 must contain an Authorization header with authentication
credentials computed according to HTTP-Digest authentication mechanism
(RFC2617). 

U sourceip:26012 -> xxx.xxx.xxx.xxx:5060
  REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
sourceip:22115;branch=z9hG4bK4913f67fbbcfb571..From: "Alex "
  <sip:phonenumber at xxx.xxx.xxx.xxx>;tag=94a44507e03df901..To:
<sip:phonenumber at xxx.xxx.xxx.xxx>..Contact:
  <sip:phonenumber at sourceip:22115>..Call-ID:
c9f64c0c2ef27cd1 at 10.0.0.6..CSeq: 100 REGISTER..Expires:
3600..User-Agent: Grandstream HT286 1.0.5.11..Max-F
  orwards: 70..Allow:
INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Length:
0....
#
U xxx.xxx.xxx.xxx:5060 -> sourceip:22115
  SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
sourceip:22115;branch=z9hG4bK4913f67fbbcfb571..From: "Alex "
<sip:phonenumber at xxx.xxx.xxx.xxx>;
  tag=94a44507e03df901..To:
<sip:phonenumber at xxx.xxx.xxx.xxx>;tag=b27e1a1d33761e85846fc98f5f3a7e58.eb04.
.Call-I
  D: c9f64c0c2ef27cd1 at 10.0.0.6..CSeq: 100 REGISTER..WWW-Authenticate:
Digest realm="xxx.xxx.xxx.xxx", nonce="42612dd595b3558cfdd4
  46b83b081d1e2d3cc480"..Server: Sip EXpress router (0.8.14
(i386/linux))..Content-Length: 0..Warning: 392 xxx.xxx.xxx.xxx:5060 "
  Noisy feedback tells:  pid=21363 req_src_ip=sourceip
req_src_port=26012 in_uri=sip:xxx.xxx.xxx.xxx
out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....

#
U sourceip:26012 -> xxx.xxx.xxx.xxx:5060
  REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
sourceip:22115;branch=z9hG4bK4913f67fbbcfb571..From: "Alex "
  <sip:phonenumber at xxx.xxx.xxx.xxx>;tag=94a44507e03df901..To:
<sip:phonenumber at xxx.xxx.xxx.xxx>..Contact:
  <sip:phonenumber at sourceip:22115>..Call-ID:
c9f64c0c2ef27cd1 at 10.0.0.6..CSeq: 100 REGISTER..Expires:
3600..User-Agent: Grandstream HT286 1.0.5.11..Max-F
  orwards: 70..Allow:
INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Length:
0....
#
U xxx.xxx.xxx.xxx:5060 -> sourceip:22115
  SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
sourceip:22115;branch=z9hG4bK4913f67fbbcfb571..From: "Alex "
 <sip:phonenumber at xxx.xxx.xxx.xxx>;tag=94a44507e03df901..To:
<sip:phonenumber at xxx.xxx.xxx.xxx>;tag=b27e1a1d33761e85846fc98f5f3a7e58.eb04.
.Call-I
  D: c9f64c0c2ef27cd1 at 10.0.0.6..CSeq: 100 REGISTER..WWW-Authenticate:
Digest realm="xxx.xxx.xxx.xxx", nonce="42612dd63c17bd54baef
  0f620d6b9b066c23c8ce"..Server: Sip EXpress router (0.8.14
(i386/linux))..Content-Length: 0..Warning: 392 xxx.xxx.xxx.xxx:5060 "
  Noisy feedback tells:  pid=21360 req_src_ip=sourceip
req_src_port=26012 in_uri=sip:xxx.xxx.xxx.xxx
out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....


here is my ser debug:
-------------------------------------

12(21360) SIP Request:
12(21360)  method:  <REGISTER>
12(21360)  uri:     <sip:xxx.xxx.xxx.xxx>
12(21360)  version: <SIP/2.0>
12(21360) parse_headers: flags=1
12(21360) Found param type 232, <branch> = <z9hG4bKf776a5d04027adc6>;
state=16
12(21360) end of header reached, state=5
12(21360) parse_headers: Via found, flags=1
12(21360) parse_headers: this is the first via
12(21360) After parse_msg...
12(21360) preparing to run routing scripts...
12(21360) REGISTER message received
12(21360) REGISTER: Authenticating user
12(21360) parse_headers: flags=4
12(21360) end of header reached, state=9
12(21360) DEBUG: get_hdr_field: <To> [34];
uri=[sip:phonenumber at xxx.xxx.xxx.xxx]
12(21360) DEBUG: to body [<sip:phonenumber at xxx.xxx.xxx.xxx>
]
12(21360) parse_headers: flags=4096
12(21360) get_hdr_field: cseq <CSeq>: <100> <REGISTER>
12(21360) DEBUG: get_hdr_body : content_length=0
12(21360) found end of header
12(21360) pre_auth(): Credentials with given realm not found
12(21360) REGISTER: challenging user
12(21360) build_auth_hf(): 'WWW-Authenticate: Digest
realm="xxx.xxx.xxx.xxx",
nonce="42613540bb4462c045f7f3fe7714c3a1d6c0bca9"
'
12(21360) parse_headers: flags=-1
12(21360) check_via_address(62.219.160.40, 62.219.160.40, 1)
12(21360) DEBUG:destroy_avp_list: destroing list (nil)
12(21360) receive_msg: cleaning up

For some reason that i can not figure out i don't receive anything on
the radius logs.
it's looks like my granstream ATA286 not going through authectication
process.
when i change the ip of the sip server to different one (2-server)
it's working perfect.
The grandstream ATA286 sending same packets, on the 2 server it's
working, on 1- one nothing happens.
on the problematic server i have clean installation of freeradius-1.02
radiusclient-4.8 ser-8.14

I tested the installation of the freeradius with the :
radclient -f digest localhost auth testing123     
Received response ID 134, code 2, length = 45
        Reply-Message = "Hello, test with digest"

radius logs:
----------------------------------------------
rad_recv: Access-Request packet from host 127.0.0.1:32844, id=134,
length=140
        User-Name = "test"
        Digest-Response = "631d6d73147add2f9e437f59bbc3aeb7"
        Digest-Attributes = "\001\013testrealm"
        Digest-Attributes = "\002\n1234abcd"
        Digest-Attributes = "\003\010INVITE"
        Digest-Attributes = "\004\034sip:5555551212 at example.com"
        Digest-Attributes = "\006\005MD5"
        Digest-Attributes = "\n\006test"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_digest: Converting Digest-Attributes to something sane...
        Digest-Realm = "testrealm"
        Digest-Nonce = "1234abcd"
        Digest-Method = "INVITE"
        Digest-URI = "sip:5555551212 at example.com"
        Digest-Algorithm = "MD5"
        Digest-User-Name = "test"
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok for request 0
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 152
    users: Matched entry test at line 215
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Digest
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
A1 = test:testrealm:test
A2 = INVITE:sip:5555551212 at example.com
KD =
1e00d6dbd30441265df6064b9d9b7da9:1234abcd:675b8c827b388805aa252ea38bfb6804 
  modcall[authenticate]: module "digest" returns ok for request 0
modcall: group authenticate returns ok for request 0
radius_xlat:  'Hello, test with digest'
Sending Access-Accept of id 134 to 127.0.0.1:32844
        Reply-Message = "Hello, test with digest"
Finished request 0

I need some help to figure out that's the problem with this server.
And what can be a reason what i don't see any authentication process
in the radius , when the packets coming from ATA286
to authenticate the the user. 


Thanks for any help.

_______________________________________________
Serusers mailing list
serusers at lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers

More information about the sr-users mailing list