[Serusers] Aastra Intelligate Registration Problem

Marian Dumitru marian.dumitru at voice-sistem.ro
Tue Feb 15 12:59:02 CET 2005


Hi Martin,

Indeed, accordingly to the RFC, the cnonce and nc are required when qop 
is used. It looks like a bug in PBX.
You can try to get over it by disabling "qop" in SER authentication.

Best regards,
Marian

Martin Koenig wrote:
> Hello,
> 
> we have a problem with the SIP trunk of an Aastra Intelligate PBX.
> 
> Registration fails with the SER error message "pre_auth(): Credentials 
> received are not filled properly". SER is 0.8.14.
> 
> See ngrep:
> 
> #
> U 2005/02/15 11:40:46.093312 aastra_intelligate:5060 -> toplink_proxy:5060
> REGISTER sip:toplink-voice.de SIP/2.0.
> Via: SIP/2.0/UDP 
> aastra_intelligate:5060;branch=fc15d6ace7866108222849a9dd6303d8.
> To: username<sip:username at toplink-voice.de:5060>.
> From: username<sip:username at toplink-voice.de:5060>;tag=f52ad23f5a30a9cd.
> Call-ID: 182a55ff8fb00e0d31a6f7cb9b8c22b9 at aastra_intelligate.
> CSeq: 2289 REGISTER.
> Max-Forwards: 70.
> Expires: 3000.
> Contact: <sip:username at aastra_intelligate>.
> Allow: ACK,BYE,CANCEL,INVITE.
> User-Agent: Aastra Intelligate.
> Content-Length: 0.
> .
> 
> #
> U 2005/02/15 11:40:46.093883 toplink_proxy:5060 -> aastra_intelligate:5060
> SIP/2.0 401 Unauthorized.
> Via: SIP/2.0/UDP 
> aastra_intelligate:5060;branch=fc15d6ace7866108222849a9dd6303d8.
> To: 
> username<sip:username at toplink-voice.de:5060>;tag=16ac3fc2258766c821c391b58b08db64.9f29. 
> 
> From: username<sip:username at toplink-voice.de:5060>;tag=f52ad23f5a30a9cd.
> Call-ID: 182a55ff8fb00e0d31a6f7cb9b8c22b9 at aastra_intelligate.
> CSeq: 2289 REGISTER.
> WWW-Authenticate: Digest realm="toplink-voice.de", 
> nonce="4211d2da1728b0bd58773cf042217a138e8508ca", qop="auth".
> Content-Length: 0.
> .
> 
> #
> U 2005/02/15 11:40:46.321069 aastra_intelligate:5060 -> toplink_proxy:5060
> REGISTER sip:toplink-voice.de SIP/2.0.
> Via: SIP/2.0/UDP 
> aastra_intelligate:5060;branch=c46c24632f85f6b001dca195835600a4.
> To: username<sip:username at toplink-voice.de:5060>.
> From: username<sip:username at toplink-voice.de:5060>;tag=f52ad23f5a30a9cd.
> Call-ID: 182a55ff8fb00e0d31a6f7cb9b8c22b9 at aastra_intelligate.
> CSeq: 2290 REGISTER.
> Max-Forwards: 70.
> Expires: 3000.
> Contact: <sip:username at aastra_intelligate>.
> Allow: ACK,BYE,CANCEL,INVITE.
> Authorization: Digest 
> nc=00000001,nonce="4211d2da1728b0bd58773cf042217a138e8508ca",qop=auth,realm="toplink-voice.de",response="62989172348871cf1fd92b4bc9bc3be2",uri="sip:toplink-voice.de",username="username". 
> 
> User-Agent: Aastra Intelligate.
> Content-Length: 0.
> .
> 
> #
> U 2005/02/15 11:40:46.321559 toplink_proxy:5060 -> aastra_intelligate:5060
> SIP/2.0 400 Bad Request.
> Via: SIP/2.0/UDP 
> aastra_intelligate:5060;branch=c46c24632f85f6b001dca195835600a4.
> To: 
> username<sip:username at toplink-voice.de:5060>;tag=16ac3fc2258766c821c391b58b08db64.f64f. 
> 
> From: username<sip:username at toplink-voice.de:5060>;tag=f52ad23f5a30a9cd.
> Call-ID: 182a55ff8fb00e0d31a6f7cb9b8c22b9 at aastra_intelligate.
> CSeq: 2290 REGISTER.
> Content-Length: 0.
> 
> 
> When I take a look at the Authorization Header of the PBX:
> 
> Authorization: Digest nc=00000001,
> nonce="4211d2da1728b0bd58773cf042217a138e8508ca",
> qop=auth,
> realm="toplink-voice.de",
> response="62989172348871cf1fd92b4bc9bc3be2",
> uri="sip:toplink-voice.de",
> username="username"
> 
> It is obvious that the cnonce is missing.
> 
> According to RFC2617 it should be present, right?
> 
> Quote RFC2617:
> "cnonce
> This MUST be specified if a qop directive is sent (see above), and
> MUST NOT be specified if the server did not send a qop directive in
> the WWW-Authenticate header field. The cnonce-value is an opaque
> quoted string value provided by the client and used by both client
> and server to avoid chosen plaintext attacks, to provide mutual
> authentication, and to provide some message integrity protection.
> See the descriptions below of the calculation of the response-
> digest and request-digest values."
> 
> Could anyone please verify this? Testing with the SIPgate.de SER proxy, 
> registration works. How is this possible if PBX is not sending RFC2617 
> compilant Authorization headers?
> 
> With best regards,
> Martin Koenig
> 
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
> 

-- 
Voice System
http://www.voice-system.ro




More information about the sr-users mailing list