Sorry for intruding, but this is puzzling me a lot.

I followed the guide to make Kamailio work with asterisk and realtime, Kamailio version 4 and asterisk 11.

(http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb)

up until now its working, and now want to get the phones (CISCO SPA504G, former linksys) to get the SIP notify command and reload to get their new config, from the asterisk cli

the cli command is "sip notify spa-reboot <username>"

The problem is that, using the setup in the guide, the phones registers with kamailio, kamalio then strip the password and register with no password to the asterisk, as supposed to be.

by that, when asterisk sends the SIP Notify with the reboot commands, it arrives to the kamailio, and is forwarded to phone, and the phone answers with a '401' and a digest.

In the flow, the kamailio (in the middle) receives the 401 and sends again  the sip message to asterisk, and asterisk uses the digest to cipher the password and reply, but as asterisk is configured with no password, the reply contains as 'wrong' password (the empty/blank one)

is there any way to make kamailio intercepts again that '401' and reply with a crafted message, with the right digest, password, (the one in the ul table) and user, so the phone can accept the order and reboots?

The other (ugly) option, is to remove the auth from the phone, for the Sip Provisioning, but that would leave and open door to a reboot attack without auth needed from any IP. And I dont like that option.

As we talk, I managed to create a routing logic, but is that the right approach? :

===================

request_route {

        if (is_method("NOTIFY"))
        {
                #xlog("NOTIFY received: $rs");

                t_on_failure("MANAGE_FAILURE_401"); #try to intercep a 401

        }

.....
}


failure_route[MANAGE_FAILURE_401] {
      

        if (t_check_status("401")) {
                #401 detectado dentro de un Notify,
                #probablemente ha sido por una orden de reboot.
                #hay que construir un paquete e intentar enviar, con el digest adecuado....

                $uac_req(method)="NOTIFY";
                $uac_req(ruri)="sip:";
                $uac_req(furi)="sip:";
                $uac_req(turi)="sip:";
                $uac_req(hdrs)="Contact: <sip:"+ ">\r\n";
                #Paquete construido, debe ser enviado
                uac_req_send();
               xlog("401 detectado");
               # exit;
        }

===================


Thanks in advance.....