[Serusers] problems with digest
Lucas Aimaretto
lucas at cyneric.com
Tue May 10 00:18:07 CEST 2005
Hi all,
I'm having trouble at authentication using radius and digest. Look at
radius output. The rare thing is that some phones get registered nicely,
but others no. The ones who get registered are X-Lite softphones and
grandstream. The ones that not, are the ATAs from voip solutions,
MTA-V102. Any help would be appreciated. The user is 1991106 and has NO
PASSWORD assigned ... ( but all of the users have NO PASSWORD ).
rad_recv: Access-Request packet from host IP_SER:33483, id=196,
length=269
User-Name = "1991106 at IP_SER"
Digest-Attributes = 0x0a0931393931313036
Digest-Attributes = 0x01103230382e3232312e3136392e3838
Digest-Attributes =
0x022a343237666563656136633030666366653433376234396139363436643036663733
63396635353639
Digest-Attributes = 0x04147369703a3230382e3232312e3136392e3838
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "9b256af89daa817caf568f682e1d15a6"
Service-Type = IAPP-Register
X-Ascend-PW-Lifetime = 0x31393931313036
Cisco-AVPair =
"call-id=efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5"
NAS-IP-Address = IP_SER
NAS-Port = 5060
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 213
modcall[authorize]: module "preprocess" returns ok for request 213
modcall[authorize]: module "attr_filter" returns noop for request 213
modcall[authorize]: module "chap" returns noop for request 213
rlm_digest: Converting Digest-Attributes to something sane...
Digest-User-Name = "1991106"
Digest-Realm = "IP_SER"
Digest-Nonce = "427fecea6c00fcfe437b49a9646d06f73c9f5569"
Digest-URI = "sip:IP_SER"
Digest-Method = "REGISTER"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 213
rlm_realm: Looking up realm "IP_SER" for User-Name =
"1991106 at IP_SER"
rlm_realm: Found realm "IP_SER"
rlm_realm: Adding Stripped-User-Name = "1991106"
rlm_realm: Proxying request from user 1991106 to realm IP_SER
rlm_realm: Adding Realm = "IP_SER"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 213
radius_xlat: '1991106'
rlm_sql (sql): sql_set_user escaped user --> '1991106'
radius_xlat: 'rad_authorize_check_query '1991106''
rlm_sql (sql): Reserving sql socket id: 1
radius_xlat: ''
radius_xlat: 'rad_authorize_reply_query '1991106','''
radius_xlat: ''
rlm_sql (sql): Released sql socket id: 1
modcall[authorize]: module "sql" returns ok for request 213
modcall: group authorize returns ok for request 213
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 213
A1 = 1991106:IP_SER:
A2 = REGISTER:sip:IP_SER
KD =
b3b6936f2a09f4749902ff9f6e0f1b71:427fecea6c00fcfe437b49a9646d06f73c9f556
9:1111962db7ab8b0547fc8fbaa6408dd6
rlm_digest: FAILED authentication
modcall[authenticate]: module "digest" returns reject for request 213
modcall: group authenticate returns reject for request 213
auth: Failed to validate the user.
Sending Access-Reject of id 196 to IP_SER:33483
... any ideas ??
Look at this NGREP's ...
U IP_UA:60975 -> IP_SER:5060
REGISTER sip:IP_SER SIP/2.0.
Via: SIP/2.0/UDP 10.0.0.5:5070;branch=z9hG4bK2952116395.
From: <sip:1991106 at IP_SER>;tag=2375800474.
To: <sip:1991106 at IP_SER>.
Call-ID: efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5.
CSeq: 15158 REGISTER.
Contact: sip:1991106 at 10.0.0.5:5070.
Expires: 120.
Max-Forwards: 70.
User-Agent: SIP-ICSG102-1.372-icablesystem/v2.0_enabled.
Content-Length: 0.
U IP_SER:5060 -> IP_UA:60975
SIP/2.0 401 Unauthorized.
Via: SIP/2.0/UDP
10.0.0.5:5070;branch=z9hG4bK2952116395;rport=60975;received=64.32.92.159
.
From: <sip:1991106 at IP_SER>;tag=2375800474.
To: <sip:1991106 at IP_SER>;tag=6f0d146d94c4cb042663ff3cf87e2e72.527a.
Call-ID: efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5.
CSeq: 15158 REGISTER.
WWW-Authenticate: Digest realm="IP_SER",
nonce="427feab914e565fceccccccf1852a2b0ae3b69cb".
Content-Length: 0.
Warning: 392 IP_SER:5060 "Noisy feedback tells: pid=5366
req_src_ip=IP_UA req_src_port=60975 in_uri=sip:IP_SER out_uri=sip:IP_SER
via_cnt==1".
U IP_UA:60975 -> IP_SER:5060
REGISTER sip:IP_SER SIP/2.0.
Via: SIP/2.0/UDP 10.0.0.5:5070;branch=z9hG4bK2608934381.
From: <sip:1991106 at IP_SER>;tag=1079893788.
To: <sip:1991106 at IP_SER>.
Call-ID: efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5.
CSeq: 15159 REGISTER.
Contact: sip:1991106 at 10.0.0.5:5070.
Expires: 120.
Authorization: Digest username="1991106", realm="IP_SER",
nonce="427feab914e565fceccccccf1852a2b0ae3b69cb", uri="sip:IP_SER",
response="c7dc44af5d16f48c410813a7f4dc98f2".
Max-Forwards: 70.
User-Agent: SIP-ICSG102-1.372-icablesystem/v2.0_enabled.
Content-Length: 0.
U IP_SER:5060 -> IP_UA:60975
SIP/2.0 401 Unauthorized.
Via: SIP/2.0/UDP
10.0.0.5:5070;branch=z9hG4bK2608934381;rport=60975;received=64.32.92.159
.
From: <sip:1991106 at IP_SER>;tag=1079893788.
To: <sip:1991106 at IP_SER>;tag=6f0d146d94c4cb042663ff3cf87e2e72.16e1.
Call-ID: efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5.
CSeq: 15159 REGISTER.
WWW-Authenticate: Digest realm="IP_SER",
nonce="427feab914e565fceccccccf1852a2b0ae3b69cb".
Content-Length: 0.
Warning: 392 IP_SER:5060 "Noisy feedback tells: pid=5366
req_src_ip=IP_UA req_src_port=60975 in_uri=sip:IP_SER out_uri=sip:IP_SER
via_cnt==1".
So, you can see that the UA wants to register. Ser tells him to send
nonce and digest data, but, once the UA resends the info, it gets an 401
Unauthorized message. I do not know why .... :( because it works with
other phones ( xlite, grandstream ) ...
Best Regards
Lucas
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.11.5 - Release Date: 04/05/2005
More information about the sr-users
mailing list