[OpenSER-Users] Proxy Authorization - Two Digests
Johansson Olle E
oej at edvina.net
Thu Apr 24 13:08:38 CEST 2008
24 apr 2008 kl. 00.55 skrev Ash Rah:
> Unfortunately I need to authenticate in both places. Any suggestion
> will
> be greatly appreciated.
SIP authentication is realm based and also built as a challenge-
response mechanism. We're not sending username and password in clear
text. The server creates a challenge, called a nonce that is the basis
of the authentication scheme. If OpenSER authenticates, there's no way
for Asterisk to handle the same authentication headers, since Asterisk
did not create the challenge (or the 'nonce' as it is called in the
header).
If you have different realms on the servers, then X-lite would have to
handle that situation. THis is perfectly valid but very few clients
support realm based authentication, where you basically set up a list
with several sets of credentials, one set per realm (username,
secret). Asterisk does support this as a client.
Sorry that I could not come up with a solution, but I hope this
explanation helps to understand why it's hard. The usual setup is that
you use OpenSER as the authenticating host and set up Asterisk to only
trust SIP from OpenSER - by ACL or other means.
/O
>
>
> Bogdan-Andrei Iancu wrote:
>> Hi Ash,
>>
>> I guess you first need to decide where you want to have the
>> authentication done - either on openser, either on asterisk. But it
>> should be a single place.
>>
>> Regards,
>> Bogdan
>>
>> Ash Rah wrote:
>>> Hello,
>>>
>>> I am trying to make a design like below to work.
>>>
>>> X-Lite ----- OpenSER ----- Asterisk ----->(PSTN Calls)
>>>
>>> X-Lite registers with OpenSer and PSTN calls are routed through
>>> Asterisk from OpenSER. When a call is sent to Asterisk, Asterisk
>>> tries to authenticate the user on X-Lite. I maintain same username
>>> and password for both OpenSER and Asterisk.
>>>
>>> Now when an INVITE from X-Lite hits OpenSER, it goes through the
>>> following script and is asked for Proxy Authorization:
>>>
>>> if (!proxy_authorize("","subscriber")) {
>>> proxy_challenge("","0");
>>> exit;
>>> }
>>>
>>> When I dial a PSTN number from X-Lite, X-Lite at some point, ends up
>>> sending two Digests (one for OpenSER and one for Atserisk) in same
>>> INVITE but gets stuck with Proxy Authorization failure (from
>>> OpenSER). If I take off the above proxy_authorize section from
>>> OpenSER script, everything works fine.
>>>
>>> Can anyone suggest a solution to this.
>>>
>>> Thanks in advance.
>>>
>>>
>>>
>>> U 2008/04/23 13:28:42.314669 110.110.110.110:26986 ->
>>> 120.120.120.120:5060
>>> INVITE sip:6048484848484 at sip.dummydomain.com SIP/2.0.
>>> Via: SIP/2.0/UDP
>>> 172.16.40.14:26986;branch=z9hG4bK-d87543-886860777744b40e-1--
>>> d87543-;rport.
>>>
>>> Max-Forwards: 70.
>>> Contact: <sip:1274229212 at 110.110.110.110:26986>.
>>> To: "6048484848484"<sip:6048484848484 at sip.dummydomain.com>.
>>> From: "1274229212"<sip:1274229212 at sip.dummydomain.com>;tag=7d74b26b.
>>> Call-ID: ZjIyNDQzOWIxZTM2MWJjMTgzNmE1YWE3ZDY1M2RjZWE..
>>> CSeq: 3 INVITE.
>>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>>> SUBSCRIBE, INFO.
>>> Content-Type: application/sdp.
>>> Proxy-Authorization: Digest
>>> username="1274229212",realm="asterisk",nonce="01d3972c",uri="sip:6048484848484 at sip.dummydomain.com
>>> ",response="ff9058f8ea89c55d0b110d4eccf27e9c",algorithm=MD5.
>>>
>>> Proxy-Authorization: Digest
>>> username
>>> =
>>> "1274229212
>>> ",realm
>>> =
>>> "sip
>>> .dummydomain
>>> .com",nonce="480ee655da312e1c8f977cae40a747d26f7e9c5f",uri="sip:6048484848484 at sip.dummydomain.com
>>> ",response="361700cce632c00ff70ede5e5126c6ac",algo
>>>
>>> rithm=MD5.
>>> User-Agent: X-Lite release 1011s stamp 41150.
>>> Content-Length: 333.
>>> .
>>> v=0.
>>> o=- 9 2 IN IP4 172.16.40.14.
>>> s=CounterPath X-Lite 3.0.
>>> c=IN IP4 172.16.40.14.
>>> t=0 0.
>>> m=audio 45136 RTP/AVP 0 101.
>>> a=alt:1 3 : gpvy8HMY JXNZYRF+ 172.16.40.14 45136.
>>> a=alt:2 2 : 8S3XPC3M 6q9Z76Pq 192.168.38.1 45136.
>>> a=alt:3 1 : rISpUdBc PRYZ7B/8 192.168.23.1 45136.
>>> a=fmtp:101 0-15.
>>> a=rtpmap:101 telephone-event/8000.
>>> a=sendrecv.
>>>
>>>
>>> U 2008/04/23 13:28:42.314910 120.120.120.120:5060 ->
>>> 110.110.110.110:26986
>>> SIP/2.0 407 Proxy Authentication Required.
>>> Via: SIP/2.0/UDP
>>> 172.16.40.14:26986;branch=z9hG4bK-d87543-886860777744b40e-1--
>>> d87543-;rport=26986;received=110.110.110.110.
>>>
>>> To:
>>> "6048484848484"<sip:
>>> 6048484848484
>>> @sip.dummydomain.com>;tag=058e81974577b8ca6a831d36c0f6fe25.d85d.
>>>
>>> From: "1274229212"<sip:1274229212 at sip.dummydomain.com>;tag=7d74b26b.
>>> Call-ID: ZjIyNDQzOWIxZTM2MWJjMTgzNmE1YWE3ZDY1M2RjZWE..
>>> CSeq: 3 INVITE.
>>> Proxy-Authenticate: Digest realm="sip.dummydomain.com",
>>> nonce="480ee6560e7141c28e990448575d0918ce86a82d".
>>> Server: OpenSER (1.3.1-notls (i386/linux)).
>>> Content-Length: 0.
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.openser.org
>>> http://lists.openser.org/cgi-bin/mailman/listinfo/users
>>>
>>>
>>
>>
>>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.openser.org
> http://lists.openser.org/cgi-bin/mailman/listinfo/users
---
* Olle E Johansson - oej at edvina.net
* Cell phone +46 70 593 68 51, Office +46 8 96 40 20, Sweden
More information about the sr-users
mailing list