On 10-09 07:50, Jakob Schlyter wrote:
On Wed, 10 Sep 2003, Jan Janak wrote:
domain in username attribute must be same as the value of realm attribute.
because of the implementation in ser? I understand this is not the case
for digest authentication in general, no? According to RFC2617, the realm
doesn't even have to be a domain.
Yes, this is our policy. The realm is only a string, nothing more.
Since a message can contain several digest credentials headers, the realm is
used to distinguish among them. So, you configure your proxy to use
one particular realm and it then tries to find credentials with that
realm and ignores any other.
anyway, after changing the realm to "" I get the data below. it seems to
me that the internal calculate_ha1 (I use calculate_ha1=1) gets the wrong
hash?
If you use www_challenge("") and www_authorize("") then the server
extracts the realm from the message. If it is REGISTER then the From
domain will be used, otherwise the To domain will be used.
WWW-Authenticate: Digest
realm="schlyter.net",
nonce="3f5ebb4f2b39fb9cddbaf991430cebc22b0c3d30", qop="auth"
This is the challenge that will be sent to the user.
Authorization: Digest
username="jakob@schlyter.net",realm="schlyter.net",
uri="sip:schlyter.net",response="3d38e621a815df0c2589656c294b9129",
nonce="3f5ebb4f2b39fb9cddbaf991430cebc22b0c3d30",cnonce="77390415",
qop=auth,nc=00000001,algorithm=m
0(27788) HA1 string calculated: 5e860120544c1454fee11f18b334e4ed
0(27788) check_response(): Our result = '2544fd772b025e8ce54da191166ea319'
however,
itodenwa> ./gen_ha1 jakob schlyter.net ser2003
5e860120544c1454fee11f18b334e4ed
You must use ./gen_ha1 jakob@schlyter.net schlyter.net ser2003 to get
the same hash.
The reason is that you have realm in the username. A user agent that
sent the credentials above also calculates the response using
"jakob@schlyter.net" as username so you must do the same.
BTW you don't have to put @schlyter.net into the username, it is not
mandatory, you can use just "jakob".
The reason why we handle this special case (realm in username) is
that there are some user agents which put this into username
automatically and it can't be switched off. Also, realm parameter in
the credentials is not protected by the hash so from time to time
people prefer to include the realm into the username parameter which
is protected by the hash.
Jan.
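
Added example, not part of the original message and not SER's own code: a Python sketch of the RFC 2617 qop=auth calculation showing why an HA1 built for "jakob" cannot verify a response that the user agent computed with "jakob@schlyter.net". The function names are hypothetical, the REGISTER method is an assumption, and the response is computed by the simulated client here rather than copied from the capture above.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    # RFC 2617 A1 for MD5: username ":" realm ":" password, username exactly as sent.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, method, creds):
    # RFC 2617 request-digest for qop=auth.
    ha2 = md5_hex(f"{method}:{creds['uri']}")
    return md5_hex(":".join([ha1_hex, creds["nonce"], creds["nc"],
                             creds["cnonce"], creds["qop"], ha2]))

def client_credentials(username, password, method, challenge):
    # What a user agent does: hash with the username it puts on the wire.
    creds = dict(challenge, username=username, uri="sip:schlyter.net",
                 nc="00000001", cnonce="77390415", qop="auth")
    creds["response"] = digest_response(
        ha1(username, creds["realm"], password), method, creds)
    return creds

def server_check(creds, ha1_username, password, method):
    # Recompute the response from an HA1 built with ha1_username and compare.
    expected = digest_response(
        ha1(ha1_username, creds["realm"], password), method, creds)
    return hmac.compare_digest(expected, creds["response"])

# Challenge values and password are the ones shown in the thread; METHOD is assumed.
CHALLENGE = {"realm": "schlyter.net",
             "nonce": "3f5ebb4f2b39fb9cddbaf991430cebc22b0c3d30"}
PASSWORD = "ser2003"
METHOD = "REGISTER"
# Simulated user agent that sends the realm inside the username.
CREDS = client_credentials("jakob@schlyter.net", PASSWORD, METHOD, CHALLENGE)

if __name__ == "__main__":
    for user in ("jakob", CREDS["username"]):
        ok = server_check(CREDS, user, PASSWORD, METHOD)
        print(f"HA1 built for {user!r}: {'match' if ok else 'mismatch'}")
```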