[OpenSER-Users] Doesn't "proxy_authorize()" allow credentials if "From" == "Anonymous" <sip:anonymous@anonymous.invalid> ?
5 Jun
2008
5 Jun
'08
6:13 p.m.
Hi, when I do a call with hiddn callerid from my Twinkle it sends an INVITE
with:
-----------
INVITE sip:1414@my_domain.net SIP/2.0
From: "Anonymous" <sip:anonymous@anonymous.invalid>;tag=emirn
Privacy: id
P-Preferred-Identity: "IBC" <sip:ibc@my_domain.net>
-----------
and of course my Openser asks Twinkle for authentication:
-----------
SIP/2.0 407 Proxy Authentication Required
Proxy-Authenticate: Digest realm="my_domain.net",
nonce="4838005d57e5ee0a1f96430d63696fe1407ef93e", qop="auth"
-----------
and I see the $rc code of "proxy-authentication()" is -4 (no credentials).
So my Twinkle sends a correct INVITE (CSeq + 1 and "Proxy-Authorization"
header):
-----------
INVITE sip:1414@my_domain.net SIP/2.0
From: "Anonymous" <sip:anonymous@anonymous.invalid>;tag=emirn
Privacy: id
P-Preferred-Identity: "IBC" <sip:ibc@my_domain.net>
Proxy-Authorization: Digest username="ibc", realm="mt_domain.net",
nonce="4838005d57e5ee0a1f96430d63696fe1407ef93e",
uri="sip:1414@my_domain.net",
response="061d82967778669a01e53d168f2da93b",
algorithm=MD5, cnonce="9n7ln49l46", qop=auth, nc=00000001
-----------
But "proxy-authentication()" replies again with -4 (no credentials).
-----------
SIP/2.0 407 Proxy Authentication Required
Proxy-Authenticate: Digest realm="my_domain.net",
nonce="4838005d57e5ee0a1f96430d63696fe1407ef93e", qop="auth"
-----------
Why? Obviously the INVITE **does include** Proxy-Authorization.
Maybe RC3261 says that a server must not challenge for authentication a user
with From "Anonymous" <sip:anonymous@anonymous.invalid> ?
Of course authentication works properly when not hidding callerid.
Thanks for any explanation.
--
Iñaki Baz Castillo
ibc(a)in.ilimit.es
5 Jun
5 Jun
6:34 p.m.
New subject: [OpenSER-Users] Doesn't "proxy_authorize()" allow credentials if "From" == "Anonymous" <sip:anonymous@anonymous.invalid> ?
Iñaki Baz Castillo writes:
Why? Obviously the INVITE **does include**
Proxy-Authorization.
Maybe RC3261 says that a server must not challenge for authentication a user
with From "Anonymous" <sip:anonymous@anonymous.invalid> ?
inaki,
you can configure twinkle to include p-p-i header that includes real
from uri and then use information in that to authenticate the caller.
-- juha
6:53 p.m.
New subject: [OpenSER-Users] Doesn't "proxy_authorize()" allow credentials if "From" == "Anonymous" <sip:anonymous@anonymous.invalid> ?
El Thursday 05 June 2008 17:34:11 Juha Heinanen escribió:
Iñaki Baz Castillo writes:
Hi Juha, I already do it (option enabled). Please, note that the second INVITE
Twinkle sends after 407 includes PPI:
P-Preferred-Identity: "IBC" <sip:ibc@my_domain.net>
So all is correct. The second INVITE includes:
- CSeq + 1
- Proxy-Authorization with credentials and realm asked in the 407.
But OpenSer "proxy_authorize()" replies again -4 (no credentials).
All seems correct, this is why I think taht maybe RFC3261 disallows chanllenge
for request with "From" == "Anonymous"
<sip:anonymous@anonymous.invalid>.
Thanks.
--
Iñaki Baz Castillo
ibc(a)in.ilimit.es
Why? Obviously the INVITE **does include**
Proxy-Authorization.
Maybe RC3261 says that a server must not challenge for authentication a
user with From "Anonymous" <sip:anonymous@anonymous.invalid> ?
inaki,
you can configure twinkle to include p-p-i header that includes real
from uri and then use information in that to authenticate the caller.
7:01 p.m.
New subject: [OpenSER-Users] Doesn't "proxy_authorize()" allow credentials if "From" == "Anonymous" <sip:anonymous@anonymous.invalid> ?
Iñaki Baz Castillo writes:
Twinkle sends after 407 includes PPI:
P-Preferred-Identity: "IBC" <sip:ibc@my_domain.net>
So all is correct. The second INVITE includes:
- CSeq + 1
- Proxy-Authorization with credentials and realm asked in the 407.
But OpenSer "proxy_authorize()" replies again -4 (no credentials).
did you call [radius-]proxy_authorize with domain and uri user params
taken from p-p-i header?
-- juha
6:45 p.m.
Hi!
Do you have the domain hardcoded in the authenticate function? If not
openser tries to detect it from the from header (anonymous.invalid) and
thus may not find the authorization header.
regards
klaus
Iñaki Baz Castillo schrieb:
Hi, when I do a call with hiddn callerid from my
Twinkle it sends an INVITE
with:
-----------
INVITE sip:1414@my_domain.net SIP/2.0
From: "Anonymous" <sip:anonymous@anonymous.invalid>;tag=emirn
Privacy: id
P-Preferred-Identity: "IBC" <sip:ibc@my_domain.net>
-----------
and of course my Openser asks Twinkle for authentication:
-----------
SIP/2.0 407 Proxy Authentication Required
Proxy-Authenticate: Digest realm="my_domain.net",
nonce="4838005d57e5ee0a1f96430d63696fe1407ef93e", qop="auth"
-----------
and I see the $rc code of "proxy-authentication()" is -4 (no credentials).
So my Twinkle sends a correct INVITE (CSeq + 1 and "Proxy-Authorization"
header):
-----------
INVITE sip:1414@my_domain.net SIP/2.0
From: "Anonymous" <sip:anonymous@anonymous.invalid>;tag=emirn
Privacy: id
P-Preferred-Identity: "IBC" <sip:ibc@my_domain.net>
Proxy-Authorization: Digest username="ibc", realm="mt_domain.net",
nonce="4838005d57e5ee0a1f96430d63696fe1407ef93e",
uri="sip:1414@my_domain.net",
response="061d82967778669a01e53d168f2da93b",
algorithm=MD5, cnonce="9n7ln49l46", qop=auth, nc=00000001
-----------
But "proxy-authentication()" replies again with -4 (no credentials).
-----------
SIP/2.0 407 Proxy Authentication Required
Proxy-Authenticate: Digest realm="my_domain.net",
nonce="4838005d57e5ee0a1f96430d63696fe1407ef93e", qop="auth"
-----------
Why? Obviously the INVITE **does include** Proxy-Authorization.
Maybe RC3261 says that a server must not challenge for authentication a user
with From "Anonymous" <sip:anonymous@anonymous.invalid> ?
Of course authentication works properly when not hidding callerid.
Thanks for any explanation.
7:01 p.m.
New subject: [OpenSER-Users] Doesn't "proxy_authorize()" allow credentials if "From" == "Anonymous" <sip:anonymous@anonymous.invalid> ?
El Thursday 05 June 2008 17:45:56 Klaus Darilion escribió:
Hi!
Do you have the domain hardcoded in the authenticate function? If not
openser tries to detect it from the from header (anonymous.invalid) and
thus may not find the authorization header.
No, I've it fixed. Note the 407 nad next INVITE in my first message ;)
-----------
SIP/2.0 407 Proxy Authentication Required
Proxy-Authenticate: Digest realm="my_domain.net",
nonce="4838005d57e5ee0a1f96430d63696fe1407ef93e", qop="auth"
-----------
-----------
INVITE sip:1414@my_domain.net SIP/2.0
From: "Anonymous" <sip:anonymous@anonymous.invalid>;tag=emirn
Privacy: id
P-Preferred-Identity: "IBC" <sip:ibc@my_domain.net>
Proxy-Authorization: Digest username="ibc", realm="mt_domain.net",
nonce="4838005d57e5ee0a1f96430d63696fe1407ef93e",
uri="sip:1414@my_domain.net",
response="061d82967778669a01e53d168f2da93b",
algorithm=MD5, cnonce="9n7ln49l46", qop=auth, nc=00000001
-----------
Thanks.
--
Iñaki Baz Castillo
ibc(a)in.ilimit.es
7:22 p.m.
New subject: [OpenSER-Users] Doesn't "proxy_authorize()" allow credentials if "From" == "Anonymous" <sip:anonymous@anonymous.invalid> ? [SOLVED]
El Thursday 05 June 2008 17:45:56 Klaus Darilion escribió:
Hi!
Do you have the domain hardcoded in the authenticate function? If not
openser tries to detect it from the from header (anonymous.invalid) and
thus may not find the authorization header.
Opsss, right!
I set the Realm fixed just in the proxy_challenge() but not in
proxy_authorize(), that's the reason.
Thanks a lot Juha and Klaus for your help :)
--
Iñaki Baz Castillo
ibc(a)in.ilimit.es
6014
days inactive
6014
days old
6 comments
3 participants
participants (3)
-
Iñaki Baz Castillo -
jh@tutpro.com -
Klaus Darilion