14 Apr
2005
14 Apr
'05
4:33 p.m.
Alex hi thanks for the fast reply.
I tried to use other client and it's seems to work, very strange, if i
am changing in my client to use other server i can see the
authentication process in the radius logs, but when i swap ip to my
server i can't see anything in the radius logs.
BTW the other ip phone working great.
thanks for help.
On 4/14/05, Alex <alexandergav(a)gmail.com> wrote:
Alex hi thanks for the fast reply.
I tried to use other client and it's seems to work, very strange, if i
am changing in my client to use other server i can see the
authentication process in the radius logs, but when i swap ip to my
server i can't see anything in the radius logs.
BTW the other ip phone working great.
thanks for help.
On 4/14/05, Alex Mack <amack(a)fhm.edu> wrote:
Hi!
SER is sending a nonce in its 401 reply. This is the challenge from the
SER to the UA.
The UA now has to calculate a reply implying his password and the given
nonce. The answer has to be added in an Authorization-Header inside the
next REGISTER.
The message flow (without RADIUS messages) would look like:
UA SER
| |
| REGISTER w/o Auth |
|-------------------->|
| |
| 401 Unauthorized (with nonce)
|<--------------------|
| |
| ACK |
|-------------------->|
| |
| REGISTER with Auth (calculated from nonce)
|-------------------->|
| |
| 200 OK |
|<--------------------|
| |
The second register has to have an "Authorization" header, otherwise
your client is misconfigured or misbehaving. Test it with another
client, e.g. X-Lite (www.xten.com)
Alex Mack
Alex schrieb:
So Daniel like i understand the problem is my
radius configuration,
another thing is that my ATA sending the same stuff, i mean if i will
change the sip server to different one where i installed freeradius
with ser it's working fine.
Daniel where i can start to fix that problem.?
Thank you very much for your time.
On 4/14/05, Alex <alexandergav(a)gmail.com> wrote:
So Daniel like i understand the problem is my
radius configuration,
another thing is that my ATA sending the same stuff, i mean if i will
change the sip server to different one where i installed freeradius
with ser it's working fine.
Daniel where i can start to fix that problem.?
Thank you very much for your time.
On 4/14/05, Daniel-Constantin Mierla <daniel(a)voice-system.ro> wrote:
>The second REGISTER (the block 3) must contains the response to the
>authentication challenge carried by 401 reply (block 2). That means that
>the block 3 must contain an Authorization header with authentication
>credentials computed according to HTTP-Digest authentication mechanism
>(RFC2617). Also, see the section 22.Usage of HTTP Authentication in SIP
>RFC3261 for more about user authentication in SIP.
>
>Daniel
>
>On 04/14/05 13:16, Alex wrote:
>
>
>
>>Sorry Daniel , i didn't get that, I send here 4 blocks, 1 one is the
>>register request the 2 is the reply from the server, 3 is the register
>>request, 4 is the reply from the server. If you can please point me to
>>the problem. Because like i see the 2 register requests (1,3 blocks)
>>are the same.
>>
>>
>>On 4/14/05, Daniel-Constantin Mierla <daniel(a)voice-system.ro> wrote:
>>
>>
>>
>>
>>>As you can see, the second REGISTER does not contain the authentication
>>>credentials (No Authorization header) in response to 401 reply. So,
>>>either you didn't configure the phone to authenticate or the Grandstream
>>>HT286 1.0.5.18 is faulty.
>>>
>>>Daniel
>>>
>>>
>>>On 04/14/05 12:35, Alex wrote:
>>>
>>>
>>>
>>>
>>>
>>>>Daniel thanks
>>>>btw it's clean installation of Red Hat Enterprise Linux AS release 3
>>>>ser-08.14 , freeradius-1.2 , radiusclient-4.8
>>>>
>>>>i am sending ngrep port 5060
>>>>i have here 2 requests of register and the replies to register.
>>>>
>>>>
>>>>xxx.xxx.xxx.xxx - sipserverip
>>>>telephoneip - ip where the call coming from
>>>>Phonenumber - phone number
>>>>
>>>>--------------------------------------------------------------------------------------------------
>>>>
>>>>U telephoneip:10739 -> xxx.xxx.xxx.xxx:5060
>>>>REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test
Alex" <
>>>>sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
>>>><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>..Contact: <sip
>>>>:Phonenumber@telephoneip:10000;user=phone>..Call-ID:
>>>>1cff1b8955b8fa5c@10.0.0.4..CSeq: 106 REGISTER..Expires:
>>>>3600..User-Agent
>>>>: Grandstream HT286 1.0.5.18..Max-Forwards: 70..Allow:
>>>>INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Lengt
>>>>h: 0....
>>>>#
>>>>U xxx.xxx.xxx.xxx:5060 -> telephoneip:10000
>>>>SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test
Alex"
>>>><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
>>>><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=b27e1a1d33761e85846fc9
>>>>8f5f3a7e58.f894..Call-ID: 1cff1b8955b8fa5c@10.0.0.4..CSeq: 106
>>>>REGISTER..WWW-Authenticate: Digest realm="xxx.xxx.xxx.xxx",
nonc
>>>>e="425e3ac34dc9509392435c11fb260f41420049c7"..Server: Sip
EXpress
>>>>router (0.8.14 (i386/linux))..Content-Length: 0..Warning: 392
>>>> xxx.xxx.xxx.xxx:5060 "Noisy feedback tells: pid=1912
>>>>req_src_ip=telephoneip req_src_port=10739 in_uri=sip:xxx.xxx.xxx.xxx
>>>>out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....
>>>>#
>>>>
>>>>U telephoneip:10740 -> xxx.xxx.xxx.xxx:5060
>>>>REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test
Alex" <
>>>>sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
>>>><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>..Contact: <sip
>>>>:Phonenumber@telephoneip:10000;user=phone>..Call-ID:
>>>>1cff1b8955b8fa5c@10.0.0.4..CSeq: 106 REGISTER..Expires:
>>>>3600..User-Agent
>>>>: Grandstream HT286 1.0.5.18..Max-Forwards: 70..Allow:
>>>>INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Lengt
>>>>h: 0....
>>>>#
>>>>U xxx.xxx.xxx.xxx:5060 -> telephoneip:10000
>>>>SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>>>>telephoneip:10000;branch=z9hG4bK98514c3b052d7df6..From: "Test
Alex"
>>>><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=50673f1baca1958c..To:
>>>><sip:Phonenumber@xxx.xxx.xxx.xxx;user=phone>;tag=b27e1a1d33761e85846fc9
>>>>8f5f3a7e58.f894..Call-ID: 1cff1b8955b8fa5c@10.0.0.4..CSeq: 106
>>>>REGISTER..WWW-Authenticate: Digest realm="xxx.xxx.xxx.xxx",
nonc
>>>>e="425e3acb812b5b2e8aa023e3fcffc618dc4cf661"..Server: Sip
EXpress
>>>>router (0.8.14 (i386/linux))..Content-Length: 0..Warning: 392
>>>> xxx.xxx.xxx.xxx:5060 "Noisy feedback tells: pid=1885
>>>>req_src_ip=telephoneip req_src_port=10740 in_uri=sip:xxx.xxx.xxx.xxx
>>>>out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....
>>>>#
>>>>
>>>>
>>>>tell me if you need something else.
>>>>
>>>>
>>>>On 4/14/05, Daniel-Constantin Mierla <daniel(a)voice-system.ro>
wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>Could you post the network dump with REGISTER/401/REGISTER messages?
I
>>>>>will take a look to see if something is wrong.
>>>>>
>>>>>
>>>>>On 04/14/05 12:16, Alex wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>Digest realm is the same for the register requests.
>>>>>>furthermore the realm in To tag is correct.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>Did you mean To URI instead of To tag?
>>>>>
>>>>>Daniel
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>what else it can be.
>>>>>>Thanks for any help.
>>>>>>
>>>>>>On 4/14/05, Daniel-Constantin Mierla
<daniel(a)voice-system.ro> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>Watch the network traffic (ngrep or ethereal on port 5060) and
check the
>>>>>>>realm from 401 is the same as the one from next REGISTER.
Also, when
>>>>>>>you use the empty realm parameter to radius_ww_authorize()
and
>>>>>>>www_challenge(), the realm is taken from To URI.
>>>>>>>
>>>>>>>Daniel
>>>>>>>
>>>>>>>
>>>>>>>On 04/14/05 08:08, Alex wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>Hi guys maybe someone can find the problem, i still
can't see anything
>>>>>>>>going to radius authentication. (the radius logs are
empty)
>>>>>>>>
>>>>>>>>the register request is coming but it's not going to
authenticate
>>>>>>>>through the radius.
>>>>>>>>Any help will be appreciated.
>>>>>>>>
>>>>>>>>here is the debug from ser :
>>>>>>>>---------------------------------------------------------------------------------------------
>>>>>>>>14(1036) parse_headers: flags=-1
>>>>>>>>14(1036) check_via_address(62.219.158.191, 62.219.158.191,
1)
>>>>>>>>14(1036) DEBUG:destroy_avp_list: destroing list (nil)
>>>>>>>>14(1036) receive_msg: cleaning up
>>>>>>>>9(1012) SIP Request:
>>>>>>>>9(1012) method: <REGISTER>
>>>>>>>>9(1012) uri: <sip:xxx.xxx.xxx.xxx>
>>>>>>>>9(1012) version: <SIP/2.0>
>>>>>>>>9(1012) parse_headers: flags=1
>>>>>>>>9(1012) Found param type 232, <branch> =
<z9hG4bKfc5751413c832e6d>; state=16
>>>>>>>>9(1012) end of header reached, state=5
>>>>>>>>9(1012) parse_headers: Via found, flags=1
>>>>>>>>9(1012) parse_headers: this is the first via
>>>>>>>>9(1012) After parse_msg...
>>>>>>>>9(1012) preparing to run routing scripts...
>>>>>>>>9(1012) REGISTER: Authenticating user
>>>>>>>>9(1012) parse_headers: flags=4
>>>>>>>>9(1012) end of header reached, state=9
>>>>>>>>9(1012) DEBUG: get_hdr_field: <To> [45];
>>>>>>>>uri=[sip:phonenumber@xxx.xxx.xxx.xxx;user=phone]
>>>>>>>>9(1012) DEBUG: to body
[<sip:phonenumber@xxx.xxx.xxx.xxx;user=phone>
>>>>>>>>]
>>>>>>>>
>>>>>>>>9(1012) parse_headers: flags=4096
>>>>>>>>9(1012) get_hdr_field: cseq <CSeq>: <103>
<REGISTER>
>>>>>>>>9(1012) DEBUG: get_hdr_body : content_length=0
>>>>>>>>9(1012) found end of header
>>>>>>>>9(1012) pre_auth(): Credentials with given realm not
found
>>>>>>>>9(1012) REGISTER: challenging user
>>>>>>>>9(1012) build_auth_hf(): 'WWW-Authenticate: Digest
>>>>>>>>realm="xxx.xxx.xxx.xxx",
>>>>>>>>nonce="425e063022afc1142ed6730d46da41692ff3ed57"
>>>>>>>>
>>>>>>>>_______________________________________________
>>>>>>>>Serusers mailing list
>>>>>>>>serusers(a)lists.iptel.org
>>>>>>>>http://lists.iptel.org/mailman/listinfo/serusers
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>>>
>>
>>
>>
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
7172
days inactive
7172
days old
0 comments
1 participants
participants (1)
-
Alex