[SR-Users] [Kamailio]: INVITE Authorization
Spinov Evgeniy
spinov_evgeniy at intalisan.com
Fri Dec 3 12:08:15 CET 2010
Thank you for your reply.
I will insert part of configuration file, to show where is problem occurs.
Block is pretty simple:
if (method=="INVITE") {
if (!proxy_authorize("", "sipusers")) {
xlog("L_NOTICE", "[$Tf] Detected INVITE before
authorization $fU -> $tU\n");
proxy_challenge("", "0");
break;
} else if (!check_from()) {
sl_send_reply("403", "Use From=ID");
break;
}
consume_credentials();
}
ds_select_dst("1", "4");
xlog("L_NOTICE", "Balancing call to asterisk => $du, from $fU \n");
route(RELAY);
exit;
This is Kamailio 3.0.3. I've tried on recently released 3.1.1 - problem is
the same.
Also, I've started running debug, to find out how exactly auth requests are
processed. And I've figured out that failing requests differs on following:
After all authorization staff ends:
6(1678) DEBUG: auth [api.c:246]: authorization is OK
6(1678) DEBUG: auth [api.c:194]: nonce index= 9
6(1678) DEBUG: auth [index.c:187]: nonce already used
6(1678) DEBUG: auth [api.c:198]: nonce index not valid
After that, core is freeing resources and I receive "Detected INVITE before
authorization" message, which means that proxy_authorize returned false. So
this is not ACK routing problem. Why this error occur and how I can deal
with it?
Also I've made investigation with packet dumps and they are correct. If you
like, I can put them here, but it senseless, cause UA is replying in same
way every time:
1. -> INVITE
2. <- 407 from K
3. -> ACK
4. -> DIGEST
Hope this will help.
On Fri, 03 Dec 2010 11:20:38 +0100, Daniel-Constantin Mierla
<miconda at gmail.com> wrote:
> Hello,
>
> On 12/2/10 1:42 PM, Spinov Evgeniy wrote:
>> Hello.
>>
>> I have Kamailio ( K in further ) and 2x Asterisk boxes ( A1 and A2 in
>> further ) configured, so UAC registers at K and when it sends a call,
>> it's routed to A1 or A2, balanced.
>>
>> The problem is, that I cannot find how to authorize INVITE requests, so
>> unregistered UAC could not send INVITE requests. Simply cannot find
>> anything.
>>
>> I'm making registration, using www_authorize() and checking all INVITES
>> with proxy_authorize(). Just after kamailio is started - everything
>> works fine and as planned: registered UAC can call and not registered -
>> cannot. But after aproximately 40 seconds everything is stopped. Not
>> calls passed and everybody receives 407 Proxy Authorization is required.
>>
>> So, the question: how it is correctly to verify that incoming INVITE on
>> K is authorized? It seems to me that I'm doing that in wrong way.
> you have to do proxy_authorize() for each invite you want to authorize
> (if you look at default config file for v3.1.x and search for WITH_AUTH,
> you will see the config actions for authentication). The asterisks must
> accept SIP traffic based on source ip filtering, allowing only calls
> coming from kamailio.
>
> If you mean that the calls are interrupted after 40 seconds, then it is
> very likely ACK is not routed properly. If you mean something else,
> capture the SIP traffic via ngrep/wireshark, run kamailio in higher
> debug lever (debug=3 in config) and send the SIP trace and the syslog
> messages. Also, try to describe in more details what actually seems to
> go wrong. All these will help people here on mailing list to give you
> proper hints how to solve.
>
> Cheers,
> Daniel
>
> --
> Daniel-Constantin Mierla
> Kamailio (OpenSER) Advanced Training
> Jan 24-26, 2011, Irvine, CA, USA
> http://www.asipto.com
More information about the sr-users
mailing list