Alex hi thanks for the fast reply.
I tried to use other client and it's seems to work, very strange, if i am changing in my client to use other server i can see the authentication process in the radius logs, but when i swap ip to my server i can't see anything in the radius logs.
BTW the other ip phone working great.
thanks for help.
On 4/14/05, Alex alexandergav@gmail.com wrote:
Alex hi thanks for the fast reply.
I tried to use other client and it's seems to work, very strange, if i am changing in my client to use other server i can see the authentication process in the radius logs, but when i swap ip to my server i can't see anything in the radius logs.
BTW the other ip phone working great.
thanks for help.
On 4/14/05, Alex Mack amack@fhm.edu wrote:
Hi!
SER is sending a nonce in its 401 reply. This is the challenge from the SER to the UA. The UA now has to calculate a reply implying his password and the given nonce. The answer has to be added in an Authorization-Header inside the next REGISTER.
The message flow (without RADIUS messages) would look like:
UA SER | | | REGISTER w/o Auth | |-------------------->| | | | 401 Unauthorized (with nonce) |<--------------------| | | | ACK | |-------------------->| | | | REGISTER with Auth (calculated from nonce) |-------------------->| | | | 200 OK | |<--------------------| | |
The second register has to have an "Authorization" header, otherwise your client is misconfigured or misbehaving. Test it with another client, e.g. X-Lite (www.xten.com)
Alex Mack
Alex schrieb:
So Daniel like i understand the problem is my radius configuration, another thing is that my ATA sending the same stuff, i mean if i will change the sip server to different one where i installed freeradius with ser it's working fine.
Daniel where i can start to fix that problem.?
Thank you very much for your time.
On 4/14/05, Alex alexandergav@gmail.com wrote:
So Daniel like i understand the problem is my radius configuration, another thing is that my ATA sending the same stuff, i mean if i will change the sip server to different one where i installed freeradius with ser it's working fine.
Daniel where i can start to fix that problem.?
Thank you very much for your time.
On 4/14/05, Daniel-Constantin Mierla daniel@voice-system.ro wrote:
The second REGISTER (the block 3) must contains the response to the authentication challenge carried by 401 reply (block 2). That means that the block 3 must contain an Authorization header with authentication credentials computed according to HTTP-Digest authentication mechanism (RFC2617). Also, see the section 22.Usage of HTTP Authentication in SIP RFC3261 for more about user authentication in SIP.
Daniel
On 04/14/05 13:16, Alex wrote:
Sorry Daniel , i didn't get that, I send here 4 blocks, 1 one is the register request the 2 is the reply from the server, 3 is the register request, 4 is the reply from the server. If you can please point me to the problem. Because like i see the 2 register requests (1,3 blocks) are the same.
On 4/14/05, Daniel-Constantin Mierla daniel@voice-system.ro wrote:
>As you can see, the second REGISTER does not contain the authentication >credentials (No Authorization header) in response to 401 reply. So, >either you didn't configure the phone to authenticate or the Grandstream >HT286 1.0.5.18 is faulty. > >Daniel > > >On 04/14/05 12:35, Alex wrote: > > > > > >>Daniel thanks >>btw it's clean installation of Red Hat Enterprise Linux AS release 3 >>ser-08.14 , freeradius-1.2 , radiusclient-4.8 >> >>i am sending ngrep port 5060 >>i have here 2 requests of register and the replies to register. >> >> >>xxx.xxx.xxx.xxx - sipserverip >>telephoneip - ip where the call coming from >>Phonenumber - phone number >> >>-------------------------------------------------------------------------------------------------- >> >>U telephoneip:10739 -> xxx.xxx.xxx.xxx:5060 >>REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP >>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex" < >>sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To: >>sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone..Contact: <sip >>:Phonenumber@telephoneip:10000;user=phone>..Call-ID: >>1cff1b8955b8fa5c@10.0.0.4..CSeq: 106 REGISTER..Expires: >>3600..User-Agent >>: Grandstream HT286 1.0.5.18..Max-Forwards: 70..Allow: >>INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Lengt >>h: 0.... >># >>U xxx.xxx.xxx.xxx:5060 -> telephoneip:10000 >>SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP >>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex" >>sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone;tag=50673f1baca1958c..To: >>sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone;tag=b27e1a1d33761e85846fc9 >>8f5f3a7e58.f894..Call-ID: 1cff1b8955b8fa5c@10.0.0.4..CSeq: 106 >>REGISTER..WWW-Authenticate: Digest realm="xxx.xxx.xxx.xxx", nonc >>e="425e3ac34dc9509392435c11fb260f41420049c7"..Server: Sip EXpress >>router (0.8.14 (i386/linux))..Content-Length: 0..Warning: 392 >> xxx.xxx.xxx.xxx:5060 "Noisy feedback tells: pid=1912 >>req_src_ip=telephoneip req_src_port=10739 in_uri=sip:xxx.xxx.xxx.xxx >>out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1".... >># >> >>U telephoneip:10740 -> xxx.xxx.xxx.xxx:5060 >>REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP >>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex" < >>sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To: >>sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone..Contact: <sip >>:Phonenumber@telephoneip:10000;user=phone>..Call-ID: >>1cff1b8955b8fa5c@10.0.0.4..CSeq: 106 REGISTER..Expires: >>3600..User-Agent >>: Grandstream HT286 1.0.5.18..Max-Forwards: 70..Allow: >>INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Lengt >>h: 0.... >># >>U xxx.xxx.xxx.xxx:5060 -> telephoneip:10000 >>SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP >>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test Alex" >>sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone;tag=50673f1baca1958c..To: >>sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone;tag=b27e1a1d33761e85846fc9 >>8f5f3a7e58.f894..Call-ID: 1cff1b8955b8fa5c@10.0.0.4..CSeq: 106 >>REGISTER..WWW-Authenticate: Digest realm="xxx.xxx.xxx.xxx", nonc >>e="425e3acb812b5b2e8aa023e3fcffc618dc4cf661"..Server: Sip EXpress >>router (0.8.14 (i386/linux))..Content-Length: 0..Warning: 392 >> xxx.xxx.xxx.xxx:5060 "Noisy feedback tells: pid=1885 >>req_src_ip=telephoneip req_src_port=10740 in_uri=sip:xxx.xxx.xxx.xxx >>out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1".... >># >> >> >>tell me if you need something else. >> >> >>On 4/14/05, Daniel-Constantin Mierla daniel@voice-system.ro wrote: >> >> >> >> >> >> >>>Could you post the network dump with REGISTER/401/REGISTER messages? I >>>will take a look to see if something is wrong. >>> >>> >>>On 04/14/05 12:16, Alex wrote: >>> >>> >>> >>> >>> >>> >>> >>>>Digest realm is the same for the register requests. >>>>furthermore the realm in To tag is correct. >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>Did you mean To URI instead of To tag? >>> >>>Daniel >>> >>> >>> >>> >>> >>> >>> >>>>what else it can be. >>>>Thanks for any help. >>>> >>>>On 4/14/05, Daniel-Constantin Mierla daniel@voice-system.ro wrote: >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>>>Watch the network traffic (ngrep or ethereal on port 5060) and check the >>>>>realm from 401 is the same as the one from next REGISTER. Also, when >>>>>you use the empty realm parameter to radius_ww_authorize() and >>>>>www_challenge(), the realm is taken from To URI. >>>>> >>>>>Daniel >>>>> >>>>> >>>>>On 04/14/05 08:08, Alex wrote: >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>>Hi guys maybe someone can find the problem, i still can't see anything >>>>>>going to radius authentication. (the radius logs are empty) >>>>>> >>>>>>the register request is coming but it's not going to authenticate >>>>>>through the radius. >>>>>>Any help will be appreciated. >>>>>> >>>>>>here is the debug from ser : >>>>>>--------------------------------------------------------------------------------------------- >>>>>>14(1036) parse_headers: flags=-1 >>>>>>14(1036) check_via_address(62.219.158.191, 62.219.158.191, 1) >>>>>>14(1036) DEBUG:destroy_avp_list: destroing list (nil) >>>>>>14(1036) receive_msg: cleaning up >>>>>>9(1012) SIP Request: >>>>>>9(1012) method: <REGISTER> >>>>>>9(1012) uri: sip:xxx.xxx.xxx.xxx >>>>>>9(1012) version: <SIP/2.0> >>>>>>9(1012) parse_headers: flags=1 >>>>>>9(1012) Found param type 232, <branch> = <z9hG4bKfc5751413c832e6d>; state=16 >>>>>>9(1012) end of header reached, state=5 >>>>>>9(1012) parse_headers: Via found, flags=1 >>>>>>9(1012) parse_headers: this is the first via >>>>>>9(1012) After parse_msg... >>>>>>9(1012) preparing to run routing scripts... >>>>>>9(1012) REGISTER: Authenticating user >>>>>>9(1012) parse_headers: flags=4 >>>>>>9(1012) end of header reached, state=9 >>>>>>9(1012) DEBUG: get_hdr_field: <To> [45]; >>>>>>uri=[sip:phonenumber@xxx.xxx.xxx.xxx;user=phone] >>>>>>9(1012) DEBUG: to body [sip:phonenumber@xxx.xxx.xxx.xxx;user=phone >>>>>>] >>>>>> >>>>>>9(1012) parse_headers: flags=4096 >>>>>>9(1012) get_hdr_field: cseq <CSeq>: <103> <REGISTER> >>>>>>9(1012) DEBUG: get_hdr_body : content_length=0 >>>>>>9(1012) found end of header >>>>>>9(1012) pre_auth(): Credentials with given realm not found >>>>>>9(1012) REGISTER: challenging user >>>>>>9(1012) build_auth_hf(): 'WWW-Authenticate: Digest >>>>>>realm="xxx.xxx.xxx.xxx", >>>>>>nonce="425e063022afc1142ed6730d46da41692ff3ed57" >>>>>> >>>>>>_______________________________________________ >>>>>>Serusers mailing list >>>>>>serusers@lists.iptel.org >>>>>>http://lists.iptel.org/mailman/listinfo/serusers >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>> >>>> >>>> >> >> >>
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
-
Alex