2 Aug
2005
2 Aug
'05
10:57 a.m.
I have been using various versions of SER from last year without any problem
but recently I made a new installation of OpenSER 0.9.5. Since then I am
having problems with digest authentication from some of the phones. I have a
bunch of 186 ATAs and Cisco 7940 phones but they cannot register to the
server, while all the soft phones can register successfully. The server says
Credentials with given realm not found. I tried to change the realm to
localhost and to the the IP address of the server, with no luck.
And below is the result of ngrep
I tried to grep the messages from the phones and here below is one message
from a Cisco 186 ATA which has failed to register
########### Beginning of the capture ##################
U PHONEIP:5060 -> SERVERIP:5060
REGISTER sip:SERVERIP SIP/2.0.
Via: SIP/2.0/UDP PHONEIP:5060.
From: <sip:06090003@SERVERIP;user=phone>;tag=500808430.
To: <sip:06090003@SERVERIP;user=phone>.
Call-ID: 704382462@PHONEIP.
CSeq: 1 REGISTER.
Contact: <sip:06090003@PHONEIP:5060;user=phone;transport=udp>;expires=3600.
User-Agent: Cisco ATA 186 v2.16.2 ata18x (030829a).
Content-Length: 0.
#
U SERVERIP:5060 -> PHONEIP:5060
SIP/2.0 100 Trying.
Via: SIP/2.0/UDP PHONEIP:5060.
From: <sip:06090003@SERVERIP;user=phone>;tag=500808430.
To: <sip:06090003@SERVERIP;user=phone>.
Call-ID: 704382462@PHONEIP.
CSeq: 1 REGISTER.
Server: OpenSer (0.9.5 (i386/linux)).
Content-Length: 0.
Warning: 392 SERVERIP:5060 "Noisy feedback tells: pid=4490
req_src_ip=PHONEIP req_src_port=5060 in_uri=sip:SERVERIP
out_uri=sip:SERVERIP via_cnt==1".
#
U SERVERIP:5060 -> PHONEIP:5060
SIP/2.0 401 Unauthorized.
Via: SIP/2.0/UDP PHONEIP:5060.
From: <sip:06090003@SERVERIP;user=phone>;tag=500808430.
To:
<sip:06090003@SERVERIP;user=phone>;tag=329cfeaa6ded039da25ff8cbb8668bd2.8af0
.
Call-ID: 704382462@PHONEIP.
CSeq: 1 REGISTER.
WWW-Authenticate: Digest realm="talk.artel.rw",
nonce="42edb29e1dbcc6fa814dd3396634ed7be68eea56".
Server: OpenSer (0.9.5 (i386/linux)).
Content-Length: 0.
Warning: 392 SERVERIP:5060 "Noisy feedback tells: pid=4490
req_src_ip=PHONEIP req_src_port=5060 in_uri=sip:SERVERIP
out_uri=sip:SERVERIP via_cnt==1".
Any idea?
Aimable
2 Aug
2 Aug
11:50 a.m.
Hello Aimable,
if you get the "pre_auth(): Credentials with given realm not found"
message means the realm to be used in auth is not found in the
[WWW-]Authenticate header. Now depends of how you have in script:
if you use www_authorize("my_realm",""), then the
"my_relam" will
be searched in WWW-Authenticate header;
if you use www_authorize("",""), then the realn will be extracted
as
the domain part of the TO uri.
so you may try:
www_authorize("talk.artel.rw",""); - it will match the credential
or
www_authorize("",""), but configure your UAs to use
"talk.artel.rw"
in as domain part in FROM/URI.
depends which case fits you better...my guess? go for option 1. :)
regards,
bogdan
aimable wrote:
I have been using various versions of SER from last
year without any
problem but recently I made a new installation of OpenSER 0.9.5. Since
then I am having problems with digest authentication from some of the
phones. I have a bunch of 186 ATAs and Cisco 7940 phones but they
cannot register to the server, while all the soft phones can register
successfully. The server says Credentials with given realm not found.
I tried to change the realm to localhost and to the the IP address of
the server, with no luck.
And below is the result of ngrep
I tried to grep the messages from the phones and here below is one
message from a Cisco 186 ATA which has failed to register
########### Beginning of the capture ##################
U PHONEIP:5060 -> SERVERIP:5060
REGISTER sip:SERVERIP SIP/2.0.
Via: SIP/2.0/UDP PHONEIP:5060.
From: <sip:06090003@SERVERIP;user=phone>;tag=500808430.
To: <sip:06090003@SERVERIP;user=phone>.
Call-ID: 704382462@PHONEIP.
CSeq: 1 REGISTER.
Contact:
<sip:06090003@PHONEIP:5060;user=phone;transport=udp>;expires=3600.
User-Agent: Cisco ATA 186 v2.16.2 ata18x (030829a).
Content-Length: 0.
#
U SERVERIP:5060 -> PHONEIP:5060
SIP/2.0 100 Trying.
Via: SIP/2.0/UDP PHONEIP:5060.
From: <sip:06090003@SERVERIP;user=phone>;tag=500808430.
To: <sip:06090003@SERVERIP;user=phone>.
Call-ID: 704382462@PHONEIP.
CSeq: 1 REGISTER.
Server: OpenSer (0.9.5 (i386/linux)).
Content-Length: 0.
Warning: 392 SERVERIP:5060 "Noisy feedback tells: pid=4490
req_src_ip=PHONEIP req_src_port=5060 in_uri=sip:SERVERIP
out_uri=sip:SERVERIP via_cnt==1".
#
U SERVERIP:5060 -> PHONEIP:5060
SIP/2.0 401 Unauthorized.
Via: SIP/2.0/UDP PHONEIP:5060.
From: <sip:06090003@SERVERIP;user=phone>;tag=500808430.
To:
<sip:06090003@SERVERIP;user=phone>;tag=329cfeaa6ded039da25ff8cbb8668bd2.8af0.
Call-ID: 704382462@PHONEIP.
CSeq: 1 REGISTER.
WWW-Authenticate: Digest realm="talk.artel.rw",
nonce="42edb29e1dbcc6fa814dd3396634ed7be68eea56".
Server: OpenSer (0.9.5 (i386/linux)).
Content-Length: 0.
Warning: 392 SERVERIP:5060 "Noisy feedback tells: pid=4490
req_src_ip=PHONEIP req_src_port=5060 in_uri=sip:SERVERIP
out_uri=sip:SERVERIP via_cnt==1".
Any idea?
Aimable
------------------------------------------------------------------------
_______________________________________________
Users mailing list
Users(a)openser.org
http://openser.org/cgi-bin/mailman/listinfo/users
2:22 p.m.
I tried both of these configurations and none of them worked .
Here below is my configuration
debug=7
fork=yes
log_stderror=yes
listen=193.XXX.XX4.XXX
port=5060
children=4
alias=193.XXX.XX4.XXX
alias=sip.mydomain.tld
dns=yes
rev_dns=no
fifo="/tmp/openser_fifo"
fifo_db_url="mysql://USER:PASSWORD@localhost/openser"
loadmodule "/usr/local/lib/openser/modules/mysql.so"
loadmodule "/usr/local/lib/openser/modules/sl.so"
loadmodule "/usr/local/lib/openser/modules/tm.so"
loadmodule "/usr/local/lib/openser/modules/rr.so"
loadmodule "/usr/local/lib/openser/modules/maxfwd.so"
loadmodule "/usr/local/lib/openser/modules/usrloc.so"
loadmodule "/usr/local/lib/openser/modules/registrar.so"
loadmodule "/usr/local/lib/openser/modules/auth.so"
loadmodule "/usr/local/lib/openser/modules/auth_db.so"
loadmodule "/usr/local/lib/openser/modules/uri.so"
loadmodule "/usr/local/lib/openser/modules/uri_db.so"
loadmodule "/usr/local/lib/openser/modules/mediaproxy.so"
loadmodule "/usr/local/lib/openser/modules/nathelper.so"
loadmodule "/usr/local/lib/openser/modules/textops.so"
loadmodule "/usr/local/lib/openser/modules/domain.so"
loadmodule "/usr/local/lib/openser/modules/acc.so"
modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "password_column", "password")
modparam("auth_db", "use_domain", 1)
modparam("domain", "db_mode", 1)
modparam("nathelper", "rtpproxy_disable", 1)
modparam("nathelper", "natping_interval", 180)
modparam("mediaproxy","natping_interval", 30)
modparam("mediaproxy","mediaproxy_socket",
"/var/run/mediaproxy.sock")
modparam("mediaproxy","sip_asymmetrics","/usr/local/etc/openser/sip-asymmetr
ic-clients")
modparam("mediaproxy","rtp_asymmetrics","/usr/local/etc/openser/rtp-asymmetr
ic-clients")
modparam("usrloc", "db_mode", 2)
modparam("usrloc", "use_domain", 1)
modparam("registrar", "default_expires", 60)
modparam("registrar", "min_expires", 30)
modparam("registrar", "nat_flag", 6)
modparam("registrar", "use_domain", 1)
modparam("rr", "enable_full_lr", 1)
modparam("auth_db|uri_db|usrloc", "db_url",
"mysql://USER:PASSWORD@localhost/openser")
modparam("acc", "db_url",
"mysql://USER:PASSWORD@localhost/openser")
modparam("acc", "failed_transactions", 1)
modparam("acc", "log_level", 1)
modparam("acc", "log_flag", 1)
modparam("acc", "db_flag", 1)
route {
# -----------------------------------------------------------------
# Sanity Check Section
# -----------------------------------------------------------------
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483", "Too Many Hops");
break;
};
if (msg:len > max_len) {
sl_send_reply("513", "Message Overflow");
break;
};
# -----------------------------------------------------------------
# Record Route Section and Acc section
# -----------------------------------------------------------------
if (method=="INVITE" && client_nat_test("3")) {
record_route_preset("193.XXX.XX4.XXX:5060;nat=yes");
} else if (method!="REGISTER") {
if!(uri=~"^sip:833[0-9]*@") {
record_route();
setflag(1);
}
};
# -----------------------------------------------------------------
# Call Tear Down Section
# -----------------------------------------------------------------
if (method=="BYE" || method=="CANCEL") {
end_media_session();
};
# -----------------------------------------------------------------
# Loose Route Section
# -----------------------------------------------------------------
if (loose_route()) {
if (has_totag() && (method=="INVITE" ||
method=="ACK")) {
if (client_nat_test("3") ||
search("^Route:.*;nat=yes")) {
setflag(6);
use_media_proxy();
};
};
route(1);
break;
};
# -----------------------------------------------------------------
# Call Type Processing Section
# -----------------------------------------------------------------
if (uri!=myself) {
route(1);
break;
};
if (uri==myself) {
if (method=="CANCEL") {
route(3);
break;
} else if (method=="INVITE") {
route(3);
break;
} else if (method=="REGISTER") {
route(2);
break;
};
lookup("aliases");
if (uri!=myself) {
route(1);
break;
};
if (!lookup("location")) {
sl_send_reply("404", "User Not Found");
break;
};
};
route(1);
}
route[1] {
# -----------------------------------------------------------------
# Default Message Handler
# -----------------------------------------------------------------
t_on_reply("1");
if (!t_relay()) {
if (method=="INVITE" || method=="ACK") {
end_media_session();
};
sl_reply_error();
};
}
route[2] {
# -----------------------------------------------------------------
# REGISTER Message Handler
# ----------------------------------------------------------------
if (!search("^Contact:\ +\*") && client_nat_test("7"))
{
setflag(6);
fix_nated_register();
force_rport();
};
sl_send_reply("100", "Trying");
if (!www_authorize("","subscriber")) {
www_challenge("","0");
break;
};
if (!check_to()) {
sl_send_reply("401", "Unauthorized");
break;
};
consume_credentials();
if (!save("location")) {
sl_reply_error();
};
}
route[3] {
# -----------------------------------------------------------------
# CANCEL and INVITE Message Handler
# -----------------------------------------------------------------
if (client_nat_test("3")) {
setflag(7);
force_rport();
fix_nated_contact();
};
lookup("aliases");
if (uri!=myself) {
route(1);
break;
};
if (!lookup("location")) {
sl_send_reply("404", "User Not Found");
break;
};
if (method=="CANCEL") {
route(1);
break;
};
if (!proxy_authorize("","subscriber")) {
proxy_challenge("","0");
break;
} else if (!check_from()) {
sl_send_reply("403", "Use From=ID");
break;
};
consume_credentials();
if (isflagset(6) || isflagset(7)) {
use_media_proxy();
};
route(1);
}
onreply_route[1] {
if ((isflagset(6) || isflagset(7)) &&
(status=~"(180)|(183)|2[0-9][0-9]")) {
if (!search("^Content-Length:\ +0")) {
use_media_proxy();
};
};
if (client_nat_test("1")) {
fix_nated_contact();
};
}
-----Original Message-----
From: Bogdan-Andrei Iancu [mailto:bogdan@voice-system.ro]
Sent: Tuesday, August 02, 2005 10:50 AM
To: aimable
Cc: users(a)openser.org
Subject: Re: [Users] Problems with digest authentication
Hello Aimable,
if you get the "pre_auth(): Credentials with given realm not found"
message means the realm to be used in auth is not found in the
[WWW-]Authenticate header. Now depends of how you have in script:
if you use www_authorize("my_realm",""), then the
"my_relam" will
be searched in WWW-Authenticate header;
if you use www_authorize("",""), then the realn will be extracted
as
the domain part of the TO uri.
so you may try:
www_authorize("talk.artel.rw",""); - it will match the credential
or
www_authorize("",""), but configure your UAs to use
"talk.artel.rw"
in as domain part in FROM/URI.
depends which case fits you better...my guess? go for option 1. :)
regards,
bogdan
aimable wrote:
I have been using various versions of SER from last
year without any
problem but recently I made a new installation of OpenSER 0.9.5. Since
then I am having problems with digest authentication from some of the
phones. I have a bunch of 186 ATAs and Cisco 7940 phones but they
cannot register to the server, while all the soft phones can register
successfully. The server says Credentials with given realm not found.
I tried to change the realm to localhost and to the the IP address of
the server, with no luck.
And below is the result of ngrep
I tried to grep the messages from the phones and here below is one
message from a Cisco 186 ATA which has failed to register
########### Beginning of the capture ##################
U PHONEIP:5060 -> SERVERIP:5060
REGISTER sip:SERVERIP SIP/2.0.
Via: SIP/2.0/UDP PHONEIP:5060.
From: <sip:06090003@SERVERIP;user=phone>;tag=500808430.
To: <sip:06090003@SERVERIP;user=phone>.
Call-ID: 704382462@PHONEIP.
CSeq: 1 REGISTER.
Contact:
<sip:06090003@PHONEIP:5060;user=phone;transport=udp>;expires=3600.
User-Agent: Cisco ATA 186 v2.16.2 ata18x (030829a).
Content-Length: 0.
#
U SERVERIP:5060 -> PHONEIP:5060
SIP/2.0 100 Trying.
Via: SIP/2.0/UDP PHONEIP:5060.
From: <sip:06090003@SERVERIP;user=phone>;tag=500808430.
To: <sip:06090003@SERVERIP;user=phone>.
Call-ID: 704382462@PHONEIP.
CSeq: 1 REGISTER.
Server: OpenSer (0.9.5 (i386/linux)).
Content-Length: 0.
Warning: 392 SERVERIP:5060 "Noisy feedback tells: pid=4490
req_src_ip=PHONEIP req_src_port=5060 in_uri=sip:SERVERIP
out_uri=sip:SERVERIP via_cnt==1".
#
U SERVERIP:5060 -> PHONEIP:5060
SIP/2.0 401 Unauthorized.
Via: SIP/2.0/UDP PHONEIP:5060.
From: <sip:06090003@SERVERIP;user=phone>;tag=500808430.
To:
<sip:06090003@SERVERIP;user=phone>;tag=329cfeaa6ded039da25ff8cbb8668bd2.8af0
.
Call-ID: 704382462@PHONEIP.
CSeq: 1 REGISTER.
WWW-Authenticate: Digest realm="talk.artel.rw",
nonce="42edb29e1dbcc6fa814dd3396634ed7be68eea56".
Server: OpenSer (0.9.5 (i386/linux)).
Content-Length: 0.
Warning: 392 SERVERIP:5060 "Noisy feedback tells: pid=4490
req_src_ip=PHONEIP req_src_port=5060 in_uri=sip:SERVERIP
out_uri=sip:SERVERIP via_cnt==1".
Any idea?
Aimable
------------------------------------------------------------------------
_______________________________________________
Users mailing list
Users(a)openser.org
http://openser.org/cgi-bin/mailman/listinfo/users
3:15 p.m.
Hi Aimable,
have you tried with
www_authorize("talk.artel.rw","subscriber")
in the REGISTER block? just asking because I don't see this in your cfg.
if your did, but still doesn't work, please send the net traffic capture
and the OpenSER log (in full debug mode) for the failed REGISTER. For
sure, there is a config problem somewhere....
regards,
bogdan
aimable wrote:
I tried both of these configurations and none of them
worked .
Here below is my configuration
debug=7
fork=yes
log_stderror=yes
listen=193.XXX.XX4.XXX
port=5060
children=4
alias=193.XXX.XX4.XXX
alias=sip.mydomain.tld
dns=yes
rev_dns=no
fifo="/tmp/openser_fifo"
fifo_db_url="mysql://USER:PASSWORD@localhost/openser"
loadmodule "/usr/local/lib/openser/modules/mysql.so"
loadmodule "/usr/local/lib/openser/modules/sl.so"
loadmodule "/usr/local/lib/openser/modules/tm.so"
loadmodule "/usr/local/lib/openser/modules/rr.so"
loadmodule "/usr/local/lib/openser/modules/maxfwd.so"
loadmodule "/usr/local/lib/openser/modules/usrloc.so"
loadmodule "/usr/local/lib/openser/modules/registrar.so"
loadmodule "/usr/local/lib/openser/modules/auth.so"
loadmodule "/usr/local/lib/openser/modules/auth_db.so"
loadmodule "/usr/local/lib/openser/modules/uri.so"
loadmodule "/usr/local/lib/openser/modules/uri_db.so"
loadmodule "/usr/local/lib/openser/modules/mediaproxy.so"
loadmodule "/usr/local/lib/openser/modules/nathelper.so"
loadmodule "/usr/local/lib/openser/modules/textops.so"
loadmodule "/usr/local/lib/openser/modules/domain.so"
loadmodule "/usr/local/lib/openser/modules/acc.so"
modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "password_column", "password")
modparam("auth_db", "use_domain", 1)
modparam("domain", "db_mode", 1)
modparam("nathelper", "rtpproxy_disable", 1)
modparam("nathelper", "natping_interval", 180)
modparam("mediaproxy","natping_interval", 30)
modparam("mediaproxy","mediaproxy_socket",
"/var/run/mediaproxy.sock")
modparam("mediaproxy","sip_asymmetrics","/usr/local/etc/openser/sip-asymmetr
ic-clients")
modparam("mediaproxy","rtp_asymmetrics","/usr/local/etc/openser/rtp-asymmetr
ic-clients")
modparam("usrloc", "db_mode", 2)
modparam("usrloc", "use_domain", 1)
modparam("registrar", "default_expires", 60)
modparam("registrar", "min_expires", 30)
modparam("registrar", "nat_flag", 6)
modparam("registrar", "use_domain", 1)
modparam("rr", "enable_full_lr", 1)
modparam("auth_db|uri_db|usrloc", "db_url",
"mysql://USER:PASSWORD@localhost/openser")
modparam("acc", "db_url",
"mysql://USER:PASSWORD@localhost/openser")
modparam("acc", "failed_transactions", 1)
modparam("acc", "log_level", 1)
modparam("acc", "log_flag", 1)
modparam("acc", "db_flag", 1)
route {
# -----------------------------------------------------------------
# Sanity Check Section
# -----------------------------------------------------------------
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483", "Too Many Hops");
break;
};
if (msg:len > max_len) {
sl_send_reply("513", "Message Overflow");
break;
};
# -----------------------------------------------------------------
# Record Route Section and Acc section
# -----------------------------------------------------------------
if (method=="INVITE" && client_nat_test("3")) {
record_route_preset("193.XXX.XX4.XXX:5060;nat=yes");
} else if (method!="REGISTER") {
if!(uri=~"^sip:833[0-9]*@") {
record_route();
setflag(1);
}
};
# -----------------------------------------------------------------
# Call Tear Down Section
# -----------------------------------------------------------------
if (method=="BYE" || method=="CANCEL") {
end_media_session();
};
# -----------------------------------------------------------------
# Loose Route Section
# -----------------------------------------------------------------
if (loose_route()) {
if (has_totag() && (method=="INVITE" ||
method=="ACK")) {
if (client_nat_test("3") ||
search("^Route:.*;nat=yes")) {
setflag(6);
use_media_proxy();
};
};
route(1);
break;
};
# -----------------------------------------------------------------
# Call Type Processing Section
# -----------------------------------------------------------------
if (uri!=myself) {
route(1);
break;
};
if (uri==myself) {
if (method=="CANCEL") {
route(3);
break;
} else if (method=="INVITE") {
route(3);
break;
} else if (method=="REGISTER") {
route(2);
break;
};
lookup("aliases");
if (uri!=myself) {
route(1);
break;
};
if (!lookup("location")) {
sl_send_reply("404", "User Not Found");
break;
};
};
route(1);
}
route[1] {
# -----------------------------------------------------------------
# Default Message Handler
# -----------------------------------------------------------------
t_on_reply("1");
if (!t_relay()) {
if (method=="INVITE" || method=="ACK") {
end_media_session();
};
sl_reply_error();
};
}
route[2] {
# -----------------------------------------------------------------
# REGISTER Message Handler
# ----------------------------------------------------------------
if (!search("^Contact:\ +\*") && client_nat_test("7"))
{
setflag(6);
fix_nated_register();
force_rport();
};
sl_send_reply("100", "Trying");
if (!www_authorize("","subscriber")) {
www_challenge("","0");
break;
};
if (!check_to()) {
sl_send_reply("401", "Unauthorized");
break;
};
consume_credentials();
if (!save("location")) {
sl_reply_error();
};
}
route[3] {
# -----------------------------------------------------------------
# CANCEL and INVITE Message Handler
# -----------------------------------------------------------------
if (client_nat_test("3")) {
setflag(7);
force_rport();
fix_nated_contact();
};
lookup("aliases");
if (uri!=myself) {
route(1);
break;
};
if (!lookup("location")) {
sl_send_reply("404", "User Not Found");
break;
};
if (method=="CANCEL") {
route(1);
break;
};
if (!proxy_authorize("","subscriber")) {
proxy_challenge("","0");
break;
} else if (!check_from()) {
sl_send_reply("403", "Use From=ID");
break;
};
consume_credentials();
if (isflagset(6) || isflagset(7)) {
use_media_proxy();
};
route(1);
}
onreply_route[1] {
if ((isflagset(6) || isflagset(7)) &&
(status=~"(180)|(183)|2[0-9][0-9]")) {
if (!search("^Content-Length:\ +0")) {
use_media_proxy();
};
};
if (client_nat_test("1")) {
fix_nated_contact();
};
}
7058
days inactive
7058
days old
3 comments
2 participants
participants (2)
-
aimable -
Bogdan-Andrei Iancu