[Serusers] RV: problems with digest
Lucas Aimaretto
lucas at cyneric.com
Tue May 10 01:08:42 CEST 2005
> Hi all,
>
> I'm having trouble at authentication using radius and digest.
> Look at radius output. The rare thing is that some phones get
> registered nicely, but others no. The ones who get registered
> are X-Lite softphones and grandstream. The ones that not, are
> the ATAs from voip solutions, MTA-V102. Any help would be
> appreciated. The user is 1991106 and has NO PASSWORD assigned
> ... ( but all of the users have NO PASSWORD ).
>
> rad_recv: Access-Request packet from host IP_SER:33483,
> id=196, length=269
> User-Name = "1991106 at IP_SER"
> Digest-Attributes = 0x0a0931393931313036
> Digest-Attributes = 0x01103230382e3232312e3136392e3838
> Digest-Attributes =
> 0x022a34323766656365613663303066636665343337623439613936343664
> 303666373363396635353639
> Digest-Attributes = 0x04147369703a3230382e3232312e3136392e3838
> Digest-Attributes = 0x030a5245474953544552
> Digest-Response = "9b256af89daa817caf568f682e1d15a6"
> Service-Type = IAPP-Register
> X-Ascend-PW-Lifetime = 0x31393931313036
> Cisco-AVPair =
> "call-id=efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5"
> NAS-IP-Address = IP_SER
> NAS-Port = 5060
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 213
> modcall[authorize]: module "preprocess" returns ok for request 213
> modcall[authorize]: module "attr_filter" returns noop for
> request 213
> modcall[authorize]: module "chap" returns noop for request 213
> rlm_digest: Converting Digest-Attributes to something sane...
> Digest-User-Name = "1991106"
> Digest-Realm = "IP_SER"
> Digest-Nonce = "427fecea6c00fcfe437b49a9646d06f73c9f5569"
> Digest-URI = "sip:IP_SER"
> Digest-Method = "REGISTER"
> rlm_digest: Adding Auth-Type = DIGEST
> modcall[authorize]: module "digest" returns ok for request 213
> rlm_realm: Looking up realm "IP_SER" for User-Name =
> "1991106 at IP_SER"
> rlm_realm: Found realm "IP_SER"
> rlm_realm: Adding Stripped-User-Name = "1991106"
> rlm_realm: Proxying request from user 1991106 to realm IP_SER
> rlm_realm: Adding Realm = "IP_SER"
> rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module "suffix" returns noop for request 213
> radius_xlat: '1991106'
> rlm_sql (sql): sql_set_user escaped user --> '1991106'
> radius_xlat: 'rad_authorize_check_query '1991106''
> rlm_sql (sql): Reserving sql socket id: 1
> radius_xlat: ''
> radius_xlat: 'rad_authorize_reply_query '1991106','''
> radius_xlat: ''
> rlm_sql (sql): Released sql socket id: 1
> modcall[authorize]: module "sql" returns ok for request 213
> modcall: group authorize returns ok for request 213
> rad_check_password: Found Auth-Type DIGEST
> auth: type "digest"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 213
> A1 = 1991106:IP_SER:
> A2 = REGISTER:sip:IP_SER
> KD =
> b3b6936f2a09f4749902ff9f6e0f1b71:427fecea6c00fcfe437b49a9646d0
> 6f73c9f5569:1111962db7ab8b0547fc8fbaa6408dd6
> rlm_digest: FAILED authentication
> modcall[authenticate]: module "digest" returns reject for
> request 213
> modcall: group authenticate returns reject for request 213
> auth: Failed to validate the user.
> Sending Access-Reject of id 196 to IP_SER:33483
>
> ... any ideas ??
>
> Look at this NGREP's ...
>
> U IP_UA:60975 -> IP_SER:5060
> REGISTER sip:IP_SER SIP/2.0.
> Via: SIP/2.0/UDP 10.0.0.5:5070;branch=z9hG4bK2952116395.
> From: <sip:1991106 at IP_SER>;tag=2375800474.
> To: <sip:1991106 at IP_SER>.
> Call-ID: efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5.
> CSeq: 15158 REGISTER.
> Contact: sip:1991106 at 10.0.0.5:5070.
> Expires: 120.
> Max-Forwards: 70.
> User-Agent: SIP-ICSG102-1.372-icablesystem/v2.0_enabled.
> Content-Length: 0.
>
> U IP_SER:5060 -> IP_UA:60975
> SIP/2.0 401 Unauthorized.
> Via: SIP/2.0/UDP
> 10.0.0.5:5070;branch=z9hG4bK2952116395;rport=60975;received=64
> .32.92.159.
> From: <sip:1991106 at IP_SER>;tag=2375800474.
> To: <sip:1991106 at IP_SER>;tag=6f0d146d94c4cb042663ff3cf87e2e72.527a.
> Call-ID: efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5.
> CSeq: 15158 REGISTER.
> WWW-Authenticate: Digest realm="IP_SER",
> nonce="427feab914e565fceccccccf1852a2b0ae3b69cb".
> Content-Length: 0.
> Warning: 392 IP_SER:5060 "Noisy feedback tells: pid=5366
> req_src_ip=IP_UA req_src_port=60975 in_uri=sip:IP_SER
> out_uri=sip:IP_SER via_cnt==1".
>
> U IP_UA:60975 -> IP_SER:5060
> REGISTER sip:IP_SER SIP/2.0.
> Via: SIP/2.0/UDP 10.0.0.5:5070;branch=z9hG4bK2608934381.
> From: <sip:1991106 at IP_SER>;tag=1079893788.
> To: <sip:1991106 at IP_SER>.
> Call-ID: efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5.
> CSeq: 15159 REGISTER.
> Contact: sip:1991106 at 10.0.0.5:5070.
> Expires: 120.
> Authorization: Digest username="1991106", realm="IP_SER",
> nonce="427feab914e565fceccccccf1852a2b0ae3b69cb",
> uri="sip:IP_SER", response="c7dc44af5d16f48c410813a7f4dc98f2".
> Max-Forwards: 70.
> User-Agent: SIP-ICSG102-1.372-icablesystem/v2.0_enabled.
> Content-Length: 0.
>
> U IP_SER:5060 -> IP_UA:60975
> SIP/2.0 401 Unauthorized.
> Via: SIP/2.0/UDP
> 10.0.0.5:5070;branch=z9hG4bK2608934381;rport=60975;received=64
> .32.92.159.
> From: <sip:1991106 at IP_SER>;tag=1079893788.
> To: <sip:1991106 at IP_SER>;tag=6f0d146d94c4cb042663ff3cf87e2e72.16e1.
> Call-ID: efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5.
> CSeq: 15159 REGISTER.
> WWW-Authenticate: Digest realm="IP_SER",
> nonce="427feab914e565fceccccccf1852a2b0ae3b69cb".
> Content-Length: 0.
> Warning: 392 IP_SER:5060 "Noisy feedback tells: pid=5366
> req_src_ip=IP_UA req_src_port=60975 in_uri=sip:IP_SER
> out_uri=sip:IP_SER via_cnt==1".
>
> So, you can see that the UA wants to register. Ser tells him
> to send nonce and digest data, but, once the UA resends the
> info, it gets an 401 Unauthorized message. I do not know why
> .... :( because it works with other phones ( xlite, grandstream ) ...
Hi there again ...
I've made another test and found out that if I assign a password to the
UserAgent, it works perfectly well ... :(
But only with this UserAgent only ( VoipSolutions' MTA-V102 ) ... With
Xlite or Grandstream it does not matter if the UserAgent has a password
or not.
Any ideas why is the password bothering ... ???
Best Regards,
Lucas
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.11.5 - Release Date: 04/05/2005
More information about the sr-users
mailing list