[Serusers] RV: problems with digest

Lucas Aimaretto lucas at cyneric.com
Tue May 10 01:08:42 CEST 2005 

> Hi all,
> 
> I'm having trouble at authentication using radius and digest. 
> Look at radius output. The rare thing is that some phones get 
> registered nicely, but others no. The ones who get registered 
> are X-Lite softphones and grandstream. The ones that not, are 
> the ATAs from voip solutions, MTA-V102. Any help would be 
> appreciated. The user is 1991106 and has NO PASSWORD assigned 
> ... ( but all of the users have NO PASSWORD ).
> 
> rad_recv: Access-Request packet from host IP_SER:33483, 
> id=196, length=269
>         User-Name = "1991106 at IP_SER"
>         Digest-Attributes = 0x0a0931393931313036
>         Digest-Attributes = 0x01103230382e3232312e3136392e3838
>         Digest-Attributes = 
> 0x022a34323766656365613663303066636665343337623439613936343664
> 303666373363396635353639
>         Digest-Attributes = 0x04147369703a3230382e3232312e3136392e3838
>         Digest-Attributes = 0x030a5245474953544552
>         Digest-Response = "9b256af89daa817caf568f682e1d15a6"
>         Service-Type = IAPP-Register
>         X-Ascend-PW-Lifetime = 0x31393931313036
>         Cisco-AVPair = 
> "call-id=efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5"
>         NAS-IP-Address = IP_SER
>         NAS-Port = 5060
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 213
>   modcall[authorize]: module "preprocess" returns ok for request 213
>   modcall[authorize]: module "attr_filter" returns noop for 
> request 213
>   modcall[authorize]: module "chap" returns noop for request 213
>     rlm_digest: Converting Digest-Attributes to something sane...
>         Digest-User-Name = "1991106"
>         Digest-Realm = "IP_SER"
>         Digest-Nonce = "427fecea6c00fcfe437b49a9646d06f73c9f5569"
>         Digest-URI = "sip:IP_SER"
>         Digest-Method = "REGISTER"
> rlm_digest: Adding Auth-Type = DIGEST
>   modcall[authorize]: module "digest" returns ok for request 213
>     rlm_realm: Looking up realm "IP_SER" for User-Name = 
> "1991106 at IP_SER"
>     rlm_realm: Found realm "IP_SER"
>     rlm_realm: Adding Stripped-User-Name = "1991106"
>     rlm_realm: Proxying request from user 1991106 to realm IP_SER
>     rlm_realm: Adding Realm = "IP_SER"
>     rlm_realm: Authentication realm is LOCAL.
>   modcall[authorize]: module "suffix" returns noop for request 213
> radius_xlat:  '1991106'
> rlm_sql (sql): sql_set_user escaped user --> '1991106'
> radius_xlat:  'rad_authorize_check_query '1991106''
> rlm_sql (sql): Reserving sql socket id: 1
> radius_xlat:  ''
> radius_xlat:  'rad_authorize_reply_query '1991106','''
> radius_xlat:  ''
> rlm_sql (sql): Released sql socket id: 1
>   modcall[authorize]: module "sql" returns ok for request 213
> modcall: group authorize returns ok for request 213
>   rad_check_password:  Found Auth-Type DIGEST
> auth: type "digest"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 213
> A1 = 1991106:IP_SER:
> A2 = REGISTER:sip:IP_SER
> KD = 
> b3b6936f2a09f4749902ff9f6e0f1b71:427fecea6c00fcfe437b49a9646d0
> 6f73c9f5569:1111962db7ab8b0547fc8fbaa6408dd6
> rlm_digest: FAILED authentication
>   modcall[authenticate]: module "digest" returns reject for 
> request 213
> modcall: group authenticate returns reject for request 213
> auth: Failed to validate the user.
> Sending Access-Reject of id 196 to IP_SER:33483
> 
> ... any ideas ??
> 
> Look at this NGREP's ...
> 
> U IP_UA:60975 -> IP_SER:5060
> REGISTER sip:IP_SER SIP/2.0.
> Via: SIP/2.0/UDP 10.0.0.5:5070;branch=z9hG4bK2952116395.
> From: <sip:1991106 at IP_SER>;tag=2375800474.
> To: <sip:1991106 at IP_SER>.
> Call-ID: efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5.
> CSeq: 15158 REGISTER.
> Contact: sip:1991106 at 10.0.0.5:5070.
> Expires: 120.
> Max-Forwards: 70.
> User-Agent: SIP-ICSG102-1.372-icablesystem/v2.0_enabled.
> Content-Length: 0.
> 
> U IP_SER:5060 -> IP_UA:60975
> SIP/2.0 401 Unauthorized.
> Via: SIP/2.0/UDP 
> 10.0.0.5:5070;branch=z9hG4bK2952116395;rport=60975;received=64
> .32.92.159.
> From: <sip:1991106 at IP_SER>;tag=2375800474.
> To: <sip:1991106 at IP_SER>;tag=6f0d146d94c4cb042663ff3cf87e2e72.527a.
> Call-ID: efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5.
> CSeq: 15158 REGISTER.
> WWW-Authenticate: Digest realm="IP_SER", 
> nonce="427feab914e565fceccccccf1852a2b0ae3b69cb".
> Content-Length: 0.
> Warning: 392 IP_SER:5060 "Noisy feedback tells:  pid=5366 
> req_src_ip=IP_UA req_src_port=60975 in_uri=sip:IP_SER 
> out_uri=sip:IP_SER via_cnt==1".
> 
> U IP_UA:60975 -> IP_SER:5060
> REGISTER sip:IP_SER SIP/2.0.
> Via: SIP/2.0/UDP 10.0.0.5:5070;branch=z9hG4bK2608934381.
> From: <sip:1991106 at IP_SER>;tag=1079893788.
> To: <sip:1991106 at IP_SER>.
> Call-ID: efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5.
> CSeq: 15159 REGISTER.
> Contact: sip:1991106 at 10.0.0.5:5070.
> Expires: 120.
> Authorization: Digest username="1991106", realm="IP_SER", 
> nonce="427feab914e565fceccccccf1852a2b0ae3b69cb", 
> uri="sip:IP_SER", response="c7dc44af5d16f48c410813a7f4dc98f2".
> Max-Forwards: 70.
> User-Agent: SIP-ICSG102-1.372-icablesystem/v2.0_enabled.
> Content-Length: 0.
> 
> U IP_SER:5060 -> IP_UA:60975
> SIP/2.0 401 Unauthorized.
> Via: SIP/2.0/UDP 
> 10.0.0.5:5070;branch=z9hG4bK2608934381;rport=60975;received=64
> .32.92.159.
> From: <sip:1991106 at IP_SER>;tag=1079893788.
> To: <sip:1991106 at IP_SER>;tag=6f0d146d94c4cb042663ff3cf87e2e72.16e1.
> Call-ID: efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5.
> CSeq: 15159 REGISTER.
> WWW-Authenticate: Digest realm="IP_SER", 
> nonce="427feab914e565fceccccccf1852a2b0ae3b69cb".
> Content-Length: 0.
> Warning: 392 IP_SER:5060 "Noisy feedback tells:  pid=5366 
> req_src_ip=IP_UA req_src_port=60975 in_uri=sip:IP_SER 
> out_uri=sip:IP_SER via_cnt==1".
> 
> So, you can see that the UA wants to register. Ser tells him 
> to send nonce and digest data, but, once the UA resends the 
> info, it gets an 401 Unauthorized message. I do not know why 
> .... :( because it works with other phones ( xlite, grandstream ) ... 

Hi there again ...
I've made another test and found out that if I assign a password to the
UserAgent, it works perfectly well ... :(
But only with this UserAgent only ( VoipSolutions' MTA-V102 ) ... With
Xlite or Grandstream it does not matter if the UserAgent has a password
or not.
Any ideas why is the password bothering ... ???

Best Regards,

Lucas

-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.11.5 - Release Date: 04/05/2005

More information about the sr-users mailing list