[Serusers] RV: problems with digest
Greger V. Teigre
greger at teigre.com
Tue May 10 07:27:48 CEST 2005
Hi Lucas!
Good to see that you made RADIUS auth work :-) Empty passwords are a border
case in the digest algorithm, which may have been differently implemented in
your MTA-V102. This should not be so, and it should qualify as a bug in the
client.
g-)
Lucas Aimaretto wrote:
>> Hi all,
>>
>> I'm having trouble with authentication using RADIUS and digest.
>> Look at the radius output. The rare thing is that some phones get
>> registered nicely, but others do not. The ones that get registered
>> are X-Lite softphones and Grandstream. The ones that do not are
>> the ATAs from VoIP Solutions, MTA-V102. Any help would be
>> appreciated. The user is 1991106 and has NO PASSWORD assigned
>> ... ( but all of the users have NO PASSWORD ).
>>
>> rad_recv: Access-Request packet from host IP_SER:33483, id=196, length=269
>> User-Name = "1991106 at IP_SER"
>> Digest-Attributes = 0x0a0931393931313036
>> Digest-Attributes = 0x01103230382e3232312e3136392e3838
>> Digest-Attributes = 0x022a34323766656365613663303066636665343337623439613936343664303666373363396635353639
>> Digest-Attributes = 0x04147369703a3230382e3232312e3136392e3838
>> Digest-Attributes = 0x030a5245474953544552
>> Digest-Response = "9b256af89daa817caf568f682e1d15a6"
>> Service-Type = IAPP-Register
>> X-Ascend-PW-Lifetime = 0x31393931313036
>> Cisco-AVPair = "call-id=efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5"
>> NAS-IP-Address = IP_SER
>> NAS-Port = 5060
>> Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 213
>> modcall[authorize]: module "preprocess" returns ok for request 213
>> modcall[authorize]: module "attr_filter" returns noop for
>> request 213
>> modcall[authorize]: module "chap" returns noop for request 213
>> rlm_digest: Converting Digest-Attributes to something sane...
>> Digest-User-Name = "1991106"
>> Digest-Realm = "IP_SER"
>> Digest-Nonce = "427fecea6c00fcfe437b49a9646d06f73c9f5569"
>> Digest-URI = "sip:IP_SER"
>> Digest-Method = "REGISTER"
>> rlm_digest: Adding Auth-Type = DIGEST
>> modcall[authorize]: module "digest" returns ok for request 213
>> rlm_realm: Looking up realm "IP_SER" for User-Name =
>> "1991106 at IP_SER"
>> rlm_realm: Found realm "IP_SER"
>> rlm_realm: Adding Stripped-User-Name = "1991106"
>> rlm_realm: Proxying request from user 1991106 to realm IP_SER
>> rlm_realm: Adding Realm = "IP_SER"
>> rlm_realm: Authentication realm is LOCAL.
>> modcall[authorize]: module "suffix" returns noop for request 213
>> radius_xlat: '1991106'
>> rlm_sql (sql): sql_set_user escaped user --> '1991106'
>> radius_xlat: 'rad_authorize_check_query '1991106''
>> rlm_sql (sql): Reserving sql socket id: 1
>> radius_xlat: ''
>> radius_xlat: 'rad_authorize_reply_query '1991106','''
>> radius_xlat: ''
>> rlm_sql (sql): Released sql socket id: 1
>> modcall[authorize]: module "sql" returns ok for request 213
>> modcall: group authorize returns ok for request 213
>> rad_check_password: Found Auth-Type DIGEST
>> auth: type "digest"
>> Processing the authenticate section of radiusd.conf
>> modcall: entering group authenticate for request 213
>> A1 = 1991106:IP_SER:
>> A2 = REGISTER:sip:IP_SER
>> KD = b3b6936f2a09f4749902ff9f6e0f1b71:427fecea6c00fcfe437b49a9646d06f73c9f5569:1111962db7ab8b0547fc8fbaa6408dd6
>> rlm_digest: FAILED authentication
>> modcall[authenticate]: module "digest" returns reject for
>> request 213
>> modcall: group authenticate returns reject for request 213
>> auth: Failed to validate the user.
>> Sending Access-Reject of id 196 to IP_SER:33483
>>
>> ... any ideas ??
>>
>> Look at this NGREP's ...
>>
>> U IP_UA:60975 -> IP_SER:5060
>> REGISTER sip:IP_SER SIP/2.0.
>> Via: SIP/2.0/UDP 10.0.0.5:5070;branch=z9hG4bK2952116395.
>> From: <sip:1991106 at IP_SER>;tag=2375800474.
>> To: <sip:1991106 at IP_SER>.
>> Call-ID: efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5.
>> CSeq: 15158 REGISTER.
>> Contact: sip:1991106 at 10.0.0.5:5070.
>> Expires: 120.
>> Max-Forwards: 70.
>> User-Agent: SIP-ICSG102-1.372-icablesystem/v2.0_enabled.
>> Content-Length: 0.
>>
>> U IP_SER:5060 -> IP_UA:60975
>> SIP/2.0 401 Unauthorized.
>> Via: SIP/2.0/UDP 10.0.0.5:5070;branch=z9hG4bK2952116395;rport=60975;received=64.32.92.159.
>> From: <sip:1991106 at IP_SER>;tag=2375800474.
>> To: <sip:1991106 at IP_SER>;tag=6f0d146d94c4cb042663ff3cf87e2e72.527a.
>> Call-ID: efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5.
>> CSeq: 15158 REGISTER.
>> WWW-Authenticate: Digest realm="IP_SER",
>> nonce="427feab914e565fceccccccf1852a2b0ae3b69cb".
>> Content-Length: 0.
>> Warning: 392 IP_SER:5060 "Noisy feedback tells: pid=5366
>> req_src_ip=IP_UA req_src_port=60975 in_uri=sip:IP_SER
>> out_uri=sip:IP_SER via_cnt==1".
>>
>> U IP_UA:60975 -> IP_SER:5060
>> REGISTER sip:IP_SER SIP/2.0.
>> Via: SIP/2.0/UDP 10.0.0.5:5070;branch=z9hG4bK2608934381.
>> From: <sip:1991106 at IP_SER>;tag=1079893788.
>> To: <sip:1991106 at IP_SER>.
>> Call-ID: efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5.
>> CSeq: 15159 REGISTER.
>> Contact: sip:1991106 at 10.0.0.5:5070.
>> Expires: 120.
>> Authorization: Digest username="1991106", realm="IP_SER",
>> nonce="427feab914e565fceccccccf1852a2b0ae3b69cb",
>> uri="sip:IP_SER", response="c7dc44af5d16f48c410813a7f4dc98f2".
>> Max-Forwards: 70.
>> User-Agent: SIP-ICSG102-1.372-icablesystem/v2.0_enabled.
>> Content-Length: 0.
>>
>> U IP_SER:5060 -> IP_UA:60975
>> SIP/2.0 401 Unauthorized.
>> Via: SIP/2.0/UDP 10.0.0.5:5070;branch=z9hG4bK2608934381;rport=60975;received=64.32.92.159.
>> From: <sip:1991106 at IP_SER>;tag=1079893788.
>> To: <sip:1991106 at IP_SER>;tag=6f0d146d94c4cb042663ff3cf87e2e72.16e1.
>> Call-ID: efbfcb25db042b56d47ddbe74e640d8f at 10.0.0.5.
>> CSeq: 15159 REGISTER.
>> WWW-Authenticate: Digest realm="IP_SER",
>> nonce="427feab914e565fceccccccf1852a2b0ae3b69cb".
>> Content-Length: 0.
>> Warning: 392 IP_SER:5060 "Noisy feedback tells: pid=5366
>> req_src_ip=IP_UA req_src_port=60975 in_uri=sip:IP_SER
>> out_uri=sip:IP_SER via_cnt==1".
>>
>> So, you can see that the UA wants to register. Ser tells him
>> to send nonce and digest data, but, once the UA resends the
>> info, it gets a 401 Unauthorized message. I do not know why
>> .... :( because it works with other phones ( xlite, grandstream ) ...
>
> Hi there again ...
> I've made another test and found out that if I assign a password to
> the UserAgent, it works perfectly well ... :(
> But only with this UserAgent ( VoipSolutions' MTA-V102 ) ... With
> Xlite or Grandstream it does not matter if the UserAgent has a
> password or not.
> Any ideas why the password is bothering ... ???
>
> Best Regards,
>
> Lucas
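
The check rlm_digest performs in the log above (A1, A2, KD, no qop), as an added example that is not part of the original thread: it recomputes the RFC 2617 response for an empty password and tests a captured response against a few ways a client might build A1 in that case. The variant list is hypothetical (the thread does not say what the MTA-V102 actually does), and the realm, nonce and URI values are constructed samples because the thread's `IP_SER` is a redacted placeholder.

```python
import hashlib


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(a1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(H(A1) ":" nonce ":" H(A2))."""
    a2 = f"{method}:{uri}"                      # A2 = REGISTER:sip:...
    kd = f"{md5_hex(a1)}:{nonce}:{md5_hex(a2)}"  # the "KD" line in the log
    return md5_hex(kd)


# Hypothetical A1 constructions for a user with no password. Only the first
# follows RFC 2617 (A1 = user ":" realm ":" passwd, with passwd empty); the
# others are assumptions to test against a capture, not known client behaviour.
A1_VARIANTS = {
    "rfc2617 (user:realm:)": lambda u, r: f"{u}:{r}:",
    "trailing colon dropped (user:realm)": lambda u, r: f"{u}:{r}",
    "single space as password (user:realm: )": lambda u, r: f"{u}:{r}: ",
}


def diagnose(username, realm, nonce, method, uri, observed):
    """Return the labels of the A1 variants that reproduce the observed response."""
    observed = observed.strip().lower()
    return [
        label
        for label, build in A1_VARIANTS.items()
        if digest_response(build(username, realm), method, uri, nonce) == observed
    ]


# Constructed sample values standing in for the redacted capture.
USER = "1991106"
REALM = "sip.example.test"
NONCE = "00112233445566778899aabbccddeeff00112233"
URI = "sip:sip.example.test"

if __name__ == "__main__":
    # Simulate a client that drops the trailing colon, then diagnose it.
    captured = digest_response(f"{USER}:{REALM}", "REGISTER", URI, NONCE)
    print("server expects:", digest_response(f"{USER}:{REALM}:", "REGISTER", URI, NONCE))
    print("client sent:   ", captured)
    print("matches:       ", diagnose(USER, REALM, NONCE, "REGISTER", URI, captured))
```

An empty result from `diagnose` means none of the listed constructions explains the capture, so the difference lies elsewhere (for example in the realm, URI or nonce the client hashed).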