[Serusers] problems with digest

Lucas Aimaretto lucas at cyneric.com
Tue May 10 00:18:07 CEST 2005


Hi all,

I'm having trouble with authentication using radius and digest. Look at
the radius output. The strange thing is that some phones get registered
nicely, but others do not. The ones that get registered are X-Lite
softphones and Grandstream. The ones that do not are the ATAs from voip
solutions, MTA-V102. Any help would be appreciated. The user is 1991106
and has NO PASSWORD assigned ... ( but all of the users have NO PASSWORD ).

rad_recv: Access-Request packet from host IP_SER:33483, id=196, length=269
        User-Name = "1991106 at IP_SER"
        Digest-Attributes = 0x0a0931393931313036
        Digest-Attributes = 0x01103230382e3232312e3136392e3838
        Digest-Attributes = 0x022a34323766656365613663303066636665343337623439613936343664303666373363396635353639
        Digest-Attributes = 0x04147369703a3230382e3232312e3136392e3838
        Digest-Attributes = 0x030a5245474953544552
        Digest-Response = "9b256af89daa817caf568f682e1d15a6"
        Service-Type = IAPP-Register
        X-Ascend-PW-Lifetime = 0x31393931313036
        Cisco-AVPair = "call-id=efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5"
        NAS-IP-Address = IP_SER
        NAS-Port = 5060
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 213
  modcall[authorize]: module "preprocess" returns ok for request 213
  modcall[authorize]: module "attr_filter" returns noop for request 213
  modcall[authorize]: module "chap" returns noop for request 213
    rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = "1991106"
        Digest-Realm = "IP_SER"
        Digest-Nonce = "427fecea6c00fcfe437b49a9646d06f73c9f5569"
        Digest-URI = "sip:IP_SER"
        Digest-Method = "REGISTER"
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok for request 213
    rlm_realm: Looking up realm "IP_SER" for User-Name = "1991106 at IP_SER"
    rlm_realm: Found realm "IP_SER"
    rlm_realm: Adding Stripped-User-Name = "1991106"
    rlm_realm: Proxying request from user 1991106 to realm IP_SER
    rlm_realm: Adding Realm = "IP_SER"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 213
radius_xlat:  '1991106'
rlm_sql (sql): sql_set_user escaped user --> '1991106'
radius_xlat:  'rad_authorize_check_query '1991106''
rlm_sql (sql): Reserving sql socket id: 1
radius_xlat:  ''
radius_xlat:  'rad_authorize_reply_query '1991106','''
radius_xlat:  ''
rlm_sql (sql): Released sql socket id: 1
  modcall[authorize]: module "sql" returns ok for request 213
modcall: group authorize returns ok for request 213
  rad_check_password:  Found Auth-Type DIGEST
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 213
A1 = 1991106:IP_SER:
A2 = REGISTER:sip:IP_SER
KD = b3b6936f2a09f4749902ff9f6e0f1b71:427fecea6c00fcfe437b49a9646d06f73c9f5569:1111962db7ab8b0547fc8fbaa6408dd6
rlm_digest: FAILED authentication
  modcall[authenticate]: module "digest" returns reject for request 213
modcall: group authenticate returns reject for request 213
auth: Failed to validate the user.
Sending Access-Reject of id 196 to IP_SER:33483

... any ideas ??

Look at these NGREP captures ...

U IP_UA:60975 -> IP_SER:5060
REGISTER sip:IP_SER SIP/2.0.
Via: SIP/2.0/UDP 10.0.0.5:5070;branch=z9hG4bK2952116395.
From: <sip:1991106 at IP_SER>;tag=2375800474.
To: <sip:1991106 at IP_SER>.
Call-ID: efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5.
CSeq: 15158 REGISTER.
Contact: sip:1991106 at 10.0.0.5:5070.
Expires: 120.
Max-Forwards: 70.
User-Agent: SIP-ICSG102-1.372-icablesystem/v2.0_enabled.
Content-Length: 0.

U IP_SER:5060 -> IP_UA:60975
SIP/2.0 401 Unauthorized.
Via: SIP/2.0/UDP 10.0.0.5:5070;branch=z9hG4bK2952116395;rport=60975;received=64.32.92.159.
From: <sip:1991106 at IP_SER>;tag=2375800474.
To: <sip:1991106 at IP_SER>;tag=6f0d146d94c4cb042663ff3cf87e2e72.527a.
Call-ID: efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5.
CSeq: 15158 REGISTER.
WWW-Authenticate: Digest realm="IP_SER", nonce="427feab914e565fceccccccf1852a2b0ae3b69cb".
Content-Length: 0.
Warning: 392 IP_SER:5060 "Noisy feedback tells:  pid=5366 req_src_ip=IP_UA req_src_port=60975 in_uri=sip:IP_SER out_uri=sip:IP_SER via_cnt==1".

U IP_UA:60975 -> IP_SER:5060
REGISTER sip:IP_SER SIP/2.0.
Via: SIP/2.0/UDP 10.0.0.5:5070;branch=z9hG4bK2608934381.
From: <sip:1991106 at IP_SER>;tag=1079893788.
To: <sip:1991106 at IP_SER>.
Call-ID: efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5.
CSeq: 15159 REGISTER.
Contact: sip:1991106 at 10.0.0.5:5070.
Expires: 120.
Authorization: Digest username="1991106", realm="IP_SER", nonce="427feab914e565fceccccccf1852a2b0ae3b69cb", uri="sip:IP_SER", response="c7dc44af5d16f48c410813a7f4dc98f2".
Max-Forwards: 70.
User-Agent: SIP-ICSG102-1.372-icablesystem/v2.0_enabled.
Content-Length: 0.

U IP_SER:5060 -> IP_UA:60975
SIP/2.0 401 Unauthorized.
Via: SIP/2.0/UDP 10.0.0.5:5070;branch=z9hG4bK2608934381;rport=60975;received=64.32.92.159.
From: <sip:1991106 at IP_SER>;tag=1079893788.
To: <sip:1991106 at IP_SER>;tag=6f0d146d94c4cb042663ff3cf87e2e72.16e1.
Call-ID: efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5.
CSeq: 15159 REGISTER.
WWW-Authenticate: Digest realm="IP_SER", nonce="427feab914e565fceccccccf1852a2b0ae3b69cb".
Content-Length: 0.
Warning: 392 IP_SER:5060 "Noisy feedback tells:  pid=5366 req_src_ip=IP_UA req_src_port=60975 in_uri=sip:IP_SER out_uri=sip:IP_SER via_cnt==1".

So, you can see that the UA wants to register. Ser tells it to send
nonce and digest data, but once the UA resends the info, it gets a 401
Unauthorized message. I do not know why .... :( because it works with
other phones ( xlite, grandstream ) ...

Best Regards

Lucas
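
Added example, not part of the original post and not FreeRADIUS code: a Python sketch that decodes Digest-Attributes sub-attributes the way the rlm_digest debug lines show them (type, length, value) and recomputes the response from A1, A2 and KD, so a logged Digest-Response can be compared with the password stored for the user. The realm, nonce and URI in the sample are constructed stand-ins; the function names are hypothetical, and the optional qop branch goes beyond the log, which shows no qop.

```python
import hashlib
import hmac

# Sub-attribute types as they appear in the debug output above. Each one is
# type, length, value; the length byte counts the two header bytes too.
SUBATTR = {1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method",
           4: "Digest-URI", 10: "Digest-User-Name"}

def decode_digest_attributes(blobs):
    """Turn raw Digest-Attributes values (bytes) into a name -> text dict."""
    out = {}
    for blob in blobs:
        pos = 0
        while pos < len(blob):
            if len(blob) - pos < 2:
                raise ValueError("truncated sub-attribute header")
            typ, length = blob[pos], blob[pos + 1]
            if length < 2 or pos + length > len(blob):
                raise ValueError("sub-attribute length out of range")
            name = SUBATTR.get(typ, f"Unknown-{typ}")
            out[name] = blob[pos + 2:pos + length].decode("ascii")
            pos += length
    return out

def md5_hex(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()

def expected_response(a, password, qop=None, nc=None, cnonce=None):
    """Recompute the response from A1, A2 and KD as printed in the log."""
    ha1 = md5_hex(f'{a["Digest-User-Name"]}:{a["Digest-Realm"]}:{password}')
    ha2 = md5_hex(f'{a["Digest-Method"]}:{a["Digest-URI"]}')
    middle = f'{a["Digest-Nonce"]}:{nc}:{cnonce}:{qop}' if qop else a["Digest-Nonce"]
    return md5_hex(f"{ha1}:{middle}:{ha2}")

def verify(a, password, response, **kw):
    """Constant-time comparison of the recomputed and received responses."""
    return hmac.compare_digest(expected_response(a, password, **kw), response.lower())

def tlv(typ, text):
    """Helper for the constructed sample: build one sub-attribute."""
    return bytes([typ, len(text) + 2]) + text.encode("ascii")

# Constructed sample: the user-name and method blobs are the two from the log
# above; realm, nonce and URI are made-up stand-ins.
SAMPLE = decode_digest_attributes([
    bytes.fromhex("0a0931393931313036"), tlv(1, "sip.example.test"),
    tlv(2, "0123456789abcdef"), tlv(4, "sip:sip.example.test"),
    bytes.fromhex("030a5245474953544552")])

if __name__ == "__main__":
    sent = expected_response(SAMPLE, "")  # a UA configured with an empty password
    print(SAMPLE, verify(SAMPLE, "", sent), verify(SAMPLE, "secret", sent))
```

A response computed with any password other than the stored one fails the comparison, which is the same outcome the log reports as "rlm_digest: FAILED authentication".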
