[Users] Problems with digest authentication
aimable
aimahab at artel.rw
Tue Aug 2 13:22:57 CEST 2005
I tried both of these configurations and neither of them worked.
My configuration is below.
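# ---------------------------------------------------------------------
# Global parameters
# ---------------------------------------------------------------------
# Very verbose logging, written to stderr instead of syslog.
# NOTE(review): looks like a troubleshooting setting; debug-level output may
# include details of SIP messages, so lower it once the problem is solved.
debug=7
fork=yes
log_stderror=yes
listen=193.XXX.XX4.XXX
port=5060
children=4
# Names/addresses this server treats as local (used by the "myself" tests
# in the routing logic).
alias=193.XXX.XX4.XXX
alias=sip.mydomain.tld
dns=yes
rev_dns=no
# Management FIFO.
# NOTE(review): the FIFO lives in /tmp, which is world-writable; confirm its
# owner and permissions so that other local users cannot send commands to
# the server.
fifo="/tmp/openser_fifo"
# USER:PASSWORD are placeholders from the post. The real file holds database
# credentials, so it should not be world-readable.
fifo_db_url="mysql://USER:PASSWORD@localhost/openser"

# ---------------------------------------------------------------------
# Modules
# ---------------------------------------------------------------------
loadmodule "/usr/local/lib/openser/modules/mysql.so"
loadmodule "/usr/local/lib/openser/modules/sl.so"
loadmodule "/usr/local/lib/openser/modules/tm.so"
loadmodule "/usr/local/lib/openser/modules/rr.so"
loadmodule "/usr/local/lib/openser/modules/maxfwd.so"
loadmodule "/usr/local/lib/openser/modules/usrloc.so"
loadmodule "/usr/local/lib/openser/modules/registrar.so"
loadmodule "/usr/local/lib/openser/modules/auth.so"
loadmodule "/usr/local/lib/openser/modules/auth_db.so"
loadmodule "/usr/local/lib/openser/modules/uri.so"
loadmodule "/usr/local/lib/openser/modules/uri_db.so"
loadmodule "/usr/local/lib/openser/modules/mediaproxy.so"
loadmodule "/usr/local/lib/openser/modules/nathelper.so"
loadmodule "/usr/local/lib/openser/modules/textops.so"
loadmodule "/usr/local/lib/openser/modules/domain.so"
loadmodule "/usr/local/lib/openser/modules/acc.so"

# ---------------------------------------------------------------------
# Module parameters
# ---------------------------------------------------------------------
# With calculate_ha1=1 the server computes HA1 itself from the plaintext
# value in password_column, so the subscriber table stores cleartext
# passwords.
# NOTE(review): storing a pre-computed HA1 (calculate_ha1=0) limits what a
# database leak exposes; confirm whether plaintext storage is required here.
modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "password_column", "password")
# use_domain=1: the subscriber lookup uses the domain as well as the user
# name, so the realm a phone authenticates against has to match the domain
# stored for that subscriber.
modparam("auth_db", "use_domain", 1)
# NOTE(review): the domain module is not in the db_url list below, so it
# presumably falls back to its built-in default database URL; verify.
modparam("domain", "db_mode", 1)
# mediaproxy is used for media relaying in the routes, so rtpproxy support
# in nathelper is switched off.
modparam("nathelper", "rtpproxy_disable", 1)
# NOTE(review): both nathelper and mediaproxy set a NAT ping interval;
# confirm that pinging from both modules is intended.
modparam("nathelper", "natping_interval", 180)
modparam("mediaproxy","natping_interval", 30)
modparam("mediaproxy","mediaproxy_socket", "/var/run/mediaproxy.sock")
# These two path strings were split across lines by the mail client in the
# original post; each string has to be on a single line.
modparam("mediaproxy","sip_asymmetrics","/usr/local/etc/openser/sip-asymmetric-clients")
modparam("mediaproxy","rtp_asymmetrics","/usr/local/etc/openser/rtp-asymmetric-clients")
modparam("usrloc", "db_mode", 2)
modparam("usrloc", "use_domain", 1)
modparam("registrar", "default_expires", 60)
modparam("registrar", "min_expires", 30)
# Flag 6 is the flag the REGISTER handler (route[2]) sets for NATed clients.
modparam("registrar", "nat_flag", 6)
modparam("registrar", "use_domain", 1)
modparam("rr", "enable_full_lr", 1)
modparam("auth_db|uri_db|usrloc", "db_url", "mysql://USER:PASSWORD@localhost/openser")
modparam("acc", "db_url", "mysql://USER:PASSWORD@localhost/openser")
# Accounting: flag 1 (set in the main route) marks the transactions that are
# written to the log and to the database; failed transactions are included.
modparam("acc", "failed_transactions", 1)
modparam("acc", "log_level", 1)
modparam("acc", "log_flag", 1)
modparam("acc", "db_flag", 1)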
# Main request route: sanity checks, record-routing, in-dialog handling,
# then dispatch by destination and method to route[1]..route[3].
route {
    # -----------------------------------------------------------------
    # Sanity Check Section
    # -----------------------------------------------------------------
    # Stop requests whose Max-Forwards budget is used up (loop protection).
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483", "Too Many Hops");
        break;
    };
    # Refuse messages larger than the server's receive buffer.
    if (msg:len > max_len) {
        sl_send_reply("513", "Message Overflow");
        break;
    };
    # -----------------------------------------------------------------
    # Record Route Section and Acc section
    # -----------------------------------------------------------------
    # INVITEs from clients that look NATed get a preset Record-Route with a
    # ";nat=yes" marker, which the loose-route section below searches for.
    # NOTE(review): flag 1 (accounting) is only set in the else branch, so
    # INVITEs from NATed clients appear not to be accounted; confirm.
    if (method=="INVITE" && client_nat_test("3")) {
        record_route_preset("193.XXX.XX4.XXX:5060;nat=yes");
    } else if (method!="REGISTER") {
        # Request URIs whose user part starts with 833 are neither
        # record-routed nor flagged for accounting.
        if!(uri=~"^sip:833[0-9]*@") {
            record_route();
            setflag(1);
        }
    };
    # -----------------------------------------------------------------
    # Call Tear Down Section
    # -----------------------------------------------------------------
    if (method=="BYE" || method=="CANCEL") {
        end_media_session();
    };
    # -----------------------------------------------------------------
    # Loose Route Section
    # -----------------------------------------------------------------
    # Requests carrying a Route set are relayed here without authentication.
    if (loose_route()) {
        # re-INVITE / ACK inside a dialog: keep the media proxy engaged when
        # either side was marked as NATed.
        if (has_totag() && (method=="INVITE" || method=="ACK")) {
            if (client_nat_test("3") ||
                search("^Route:.*;nat=yes")) {
                setflag(6);
                use_media_proxy();
            };
        };
        route(1);
        break;
    };
    # -----------------------------------------------------------------
    # Call Type Processing Section
    # -----------------------------------------------------------------
    # NOTE(review): requests addressed to a foreign domain are relayed with
    # no authentication at all, so any sender can use this server as a
    # relay. Confirm this is intended; otherwise authenticate the sender
    # (or restrict by source) before relaying.
    if (uri!=myself) {
        route(1);
        break;
    };
    # Always true at this point, because the branch above has already left
    # the route for non-local URIs.
    if (uri==myself) {
        if (method=="CANCEL") {
            route(3);
            break;
        } else if (method=="INVITE") {
            route(3);
            break;
        } else if (method=="REGISTER") {
            route(2);
            break;
        };
        # All other methods: resolve aliases, then the registered location.
        # NOTE(review): these requests reach registered users without any
        # authentication; confirm that is acceptable.
        lookup("aliases");
        if (uri!=myself) {
            route(1);
            break;
        };
        if (!lookup("location")) {
            sl_send_reply("404", "User Not Found");
            break;
        };
    };
    route(1);
}
# route[1]: relay the request statefully and attach onreply_route[1] to the
# transaction.
route[1] {
    # -----------------------------------------------------------------
    # Default Message Handler
    # -----------------------------------------------------------------
    t_on_reply("1");
    if (!t_relay()) {
        # Relaying failed: release any media session started for this call
        # and report the error to the sender.
        if (method=="INVITE" || method=="ACK") {
            end_media_session();
        };
        sl_reply_error();
    };
}
# route[2]: REGISTER handling - NAT fix-ups, digest authentication against
# the "subscriber" table, then storing the contact in "location".
route[2] {
    # -----------------------------------------------------------------
    # REGISTER Message Handler
    # ----------------------------------------------------------------
    # Skip the NAT fix-ups for "Contact: *" (un-register all); otherwise
    # flag 6 marks the registration as NATed (it is registrar's nat_flag).
    if (!search("^Contact:\ +\*") && client_nat_test("7")) {
        setflag(6);
        fix_nated_register();
        force_rport();
    };
    sl_send_reply("100", "Trying");
    # An empty realm means the realm is not fixed in the script and is taken
    # from the request instead (presumably the domain part of the To URI -
    # confirm against the auth module documentation). With use_domain=1 in
    # auth_db that value also has to match the domain stored for the
    # subscriber.
    if (!www_authorize("","subscriber")) {
        # No valid credentials: challenge. The second argument "0"
        # presumably disables qop - verify.
        www_challenge("","0");
        break;
    };
    # The authenticated user may only register its own address of record.
    # NOTE(review): this 401 is sent without a challenge header; a 403
    # would describe the failure more accurately - confirm client impact
    # before changing it.
    if (!check_to()) {
        sl_send_reply("401", "Unauthorized");
        break;
    };
    consume_credentials();
    if (!save("location")) {
        sl_reply_error();
    };
}
# route[3]: CANCEL and INVITE handling for local destinations - NAT
# fix-ups, location lookup, proxy authentication of INVITEs, then relay.
route[3] {
    # -----------------------------------------------------------------
    # CANCEL and INVITE Message Handler
    # -----------------------------------------------------------------
    # Flag 7 marks the caller as NATed; it is tested further down and in
    # onreply_route[1].
    if (client_nat_test("3")) {
        setflag(7);
        force_rport();
        fix_nated_contact();
    };
    lookup("aliases");
    # NOTE(review): if the alias points to a foreign domain the request is
    # relayed before any authentication takes place; confirm intended.
    if (uri!=myself) {
        route(1);
        break;
    };
    # NOTE(review): the location lookup runs before authentication, so an
    # unauthenticated sender gets 404 for unknown users and a challenge for
    # known ones, which lets it tell valid accounts apart. Consider
    # authenticating INVITEs first.
    if (!lookup("location")) {
        sl_send_reply("404", "User Not Found");
        break;
    };
    # CANCEL is relayed without a challenge.
    if (method=="CANCEL") {
        route(1);
        break;
    };
    # INVITE: require digest credentials from the "subscriber" table, and
    # require the From user to match the authenticated user.
    if (!proxy_authorize("","subscriber")) {
        proxy_challenge("","0");
        break;
    } else if (!check_from()) {
        sl_send_reply("403", "Use From=ID");
        break;
    };
    # Remove the credentials so they are not forwarded to the next hop.
    consume_credentials();
    # Flag 6 = callee registered from behind NAT, flag 7 = caller NATed.
    if (isflagset(6) || isflagset(7)) {
        use_media_proxy();
    };
    route(1);
}
# onreply_route[1]: reply processing for transactions relayed by route[1].
onreply_route[1] {
    # For NAT-flagged calls, engage the media proxy on 180, 183 and 2xx
    # replies, unless the reply has an empty body (Content-Length: 0).
    if ((isflagset(6) || isflagset(7)) &&
        (status=~"(180)|(183)|2[0-9][0-9]")) {
        if (!search("^Content-Length:\ +0")) {
            use_media_proxy();
        };
    };
    # Rewrite the Contact of replies coming from NATed clients.
    if (client_nat_test("1")) {
        fix_nated_contact();
    };
}
-----Original Message-----
From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro]
Sent: Tuesday, August 02, 2005 10:50 AM
To: aimable
Cc: users at openser.org
Subject: Re: [Users] Problems with digest authentication
Hello Aimable,
if you get the "pre_auth(): Credentials with given realm not found"
message, it means the realm to be used in auth was not found in the
[WWW-]Authenticate header. Which realm is used depends on what you have in your script:
if you use www_authorize("my_realm",""), then "my_realm" will
be searched for in the WWW-Authenticate header;
if you use www_authorize("",""), then the realm will be extracted from
the domain part of the TO uri.
so you may try:
www_authorize("talk.artel.rw",""); - it will match the credential
or
www_authorize("",""), but configure your UAs to use "talk.artel.rw"
as the domain part in FROM/URI.
depends which case fits you better...my guess? go for option 1. :)
regards,
bogdan
aimable wrote:
> I have been using various versions of SER from last year without any
> problem but recently I made a new installation of OpenSER 0.9.5. Since
> then I am having problems with digest authentication from some of the
> phones. I have a bunch of 186 ATAs and Cisco 7940 phones but they
> cannot register to the server, while all the soft phones can register
> successfully. The server says Credentials with given realm not found.
> I tried to change the realm to localhost and to the IP address of
> the server, with no luck.
>
>
>
> And below is the result of ngrep
>
>
>
> I tried to grep the messages from the phones and here below is one
> message from a Cisco 186 ATA which has failed to register
>
>
>
> ########### Beginning of the capture ##################
>
>
>
> U PHONEIP:5060 -> SERVERIP:5060
>
> REGISTER sip:SERVERIP SIP/2.0.
>
> Via: SIP/2.0/UDP PHONEIP:5060.
>
> From: <sip:06090003 at SERVERIP;user=phone>;tag=500808430.
>
> To: <sip:06090003 at SERVERIP;user=phone>.
>
> Call-ID: 704382462 at PHONEIP.
>
> CSeq: 1 REGISTER.
>
> Contact:
> <sip:06090003 at PHONEIP:5060;user=phone;transport=udp>;expires=3600.
>
> User-Agent: Cisco ATA 186 v2.16.2 ata18x (030829a).
>
> Content-Length: 0.
>
>
>
> #
>
> U SERVERIP:5060 -> PHONEIP:5060
>
> SIP/2.0 100 Trying.
>
> Via: SIP/2.0/UDP PHONEIP:5060.
>
> From: <sip:06090003 at SERVERIP;user=phone>;tag=500808430.
>
> To: <sip:06090003 at SERVERIP;user=phone>.
>
> Call-ID: 704382462 at PHONEIP.
>
> CSeq: 1 REGISTER.
>
> Server: OpenSer (0.9.5 (i386/linux)).
>
> Content-Length: 0.
>
> Warning: 392 SERVERIP:5060 "Noisy feedback tells: pid=4490
> req_src_ip=PHONEIP req_src_port=5060 in_uri=sip:SERVERIP
> out_uri=sip:SERVERIP via_cnt==1".
>
>
>
> #
>
> U SERVERIP:5060 -> PHONEIP:5060
>
> SIP/2.0 401 Unauthorized.
>
> Via: SIP/2.0/UDP PHONEIP:5060.
>
> From: <sip:06090003 at SERVERIP;user=phone>;tag=500808430.
>
> To:
>
<sip:06090003 at SERVERIP;user=phone>;tag=329cfeaa6ded039da25ff8cbb8668bd2.8af0
.
>
> Call-ID: 704382462 at PHONEIP.
>
> CSeq: 1 REGISTER.
>
> WWW-Authenticate: Digest realm="talk.artel.rw",
> nonce="42edb29e1dbcc6fa814dd3396634ed7be68eea56".
>
> Server: OpenSer (0.9.5 (i386/linux)).
>
> Content-Length: 0.
>
> Warning: 392 SERVERIP:5060 "Noisy feedback tells: pid=4490
> req_src_ip=PHONEIP req_src_port=5060 in_uri=sip:SERVERIP
> out_uri=sip:SERVERIP via_cnt==1".
>
>
>
>
>
>
>
>
>
> Any idea?
>
>
>
> Aimable
>
>
>
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Users mailing list
>Users at openser.org
>http://openser.org/cgi-bin/mailman/listinfo/users
>
>