Hello guys,
I'm having a strange problem with my Kamailio 1.5.3 when trying to register an Audiocodes Gateway. I'm using authentication for REGISTER messages.
The GW sends a REGISTER without credentials, so I do a proxy_challenge. Then the GW sends a REGISTER with credentials but the proxy_authorize is returning -4.
I did an NGREP to check the messages and they don't seem malformed. Can you tell me if there is something in the functions that might be losing the Proxy-Authorization header? This happens only with this GW, not if I register a softphone (XLITE).
Within route block:
...
if (is_method("REGISTER")) {
    route(11);
    save("location");
    exit();
}
...

Route(11):
route[11] {
    # ----- AUTHENTICATE A MESSAGE -----
    if (!proxy_authorize("", "subscriber")) {
        switch($retcode) {
            case -1:
                xlog("L_INFO", "AUTH: Invalid username\n");
                sl_send_reply("403", "Forbidden");
                exit;
            case -2:
                xlog("L_INFO", "AUTH: Invalid password\n");
                sl_send_reply("403", "Forbidden");
                exit;
            case -3:
                xlog("L_INFO", "AUTH: Nonce ambiguo\n");
                break;
            case -4:
                xlog("L_INFO", "AUTH: No credentials\n");
                break;
            #default:
            #xlog("L_INFO", "AUTH: Unknown error\n");
            #break;
        }

        #xlog("L_DBG", "AUTH: -Data- Auth Username = $au\n");
        #xlog("L_DBG", "AUTH: -Data- Domain = $fd\n");
        #xlog("L_DBG", "AUTH: -Data- From Username = $fU\n");

        proxy_challenge("192.168.200.130","0");
        exit;
    };

    xlog("L_INFO", "AUTH: Valid username and credentials\n");
    consume_credentials();
}
NGREP:

#
U 10.0.1.200:5060 -> 192.168.200.130:5060
REGISTER sip:192.168.200.130 SIP/2.0.
Via: SIP/2.0/UDP 10.0.1.200;branch=z9hG4bKac26395445.
Max-Forwards: 70.
From: <sip:testdevice@10.0.1.200>;tag=1c26389068.
To: <sip:testdevice@10.0.1.200>.
Call-ID: 154992670511200004613@10.0.1.200.
CSeq: 68 REGISTER.
Contact: sip:testdevice@10.0.1.200:5060;expires=180.
Allow: REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE.
Expires: 180.
User-Agent: Audiocodes-Sip-Gateway-/v.5.80A.023.006.
Content-Length: 0.
.

#
U 192.168.200.130:5060 -> 10.0.1.200:5060
SIP/2.0 407 Proxy Authentication Required.
Via: SIP/2.0/UDP 10.0.1.200;branch=z9hG4bKac26395445.
From: <sip:testdevice@10.0.1.200>;tag=1c26389068.
To: <sip:testdevice@10.0.1.200>;tag=f8f2ab2c1295e90ed7dbb499b30f44b2.ee1a.
Call-ID: 154992670511200004613@10.0.1.200.
CSeq: 68 REGISTER.
Proxy-Authenticate: Digest realm="192.168.200.130", nonce="4b142e8900000000188436d32ee472791b706f36952f4162".
Server: Kamailio (1.5.3-notls (i386/linux)).
Content-Length: 0.
.

#
U 10.0.1.200:5060 -> 192.168.200.130:5060
REGISTER sip:192.168.200.130 SIP/2.0.
Via: SIP/2.0/UDP 10.0.1.200;branch=z9hG4bKac26766380.
Max-Forwards: 70.
From: <sip:testdevice@10.0.1.200>;tag=1c26389068.
To: <sip:testdevice@10.0.1.200>.
Call-ID: 154992670511200004613@10.0.1.200.
CSeq: 69 REGISTER.
Proxy-Authorization: Digest username="testdevice",realm="192.168.200.130",nonce="4b142e8900000000188436d32ee472791b706f36952f4162",uri="sip:192.168.200.130",algorithm=MD5,response="9fa0904b94f94152619a16c46ffa6485".
Contact: sip:testdevice@10.0.1.200:5060;expires=180.
Allow: REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE.
Expires: 180.
User-Agent: Audiocodes-Sip-Gateway-/v.5.80A.023.006.
Content-Length: 0.
.

#
U 192.168.200.130:5060 -> 10.0.1.200:5060
SIP/2.0 407 Proxy Authentication Required.
Via: SIP/2.0/UDP 10.0.1.200;branch=z9hG4bKac26766380.
From: <sip:testdevice@10.0.1.200>;tag=1c26389068.
To: <sip:testdevice@10.0.1.200>;tag=f8f2ab2c1295e90ed7dbb499b30f44b2.b7c8.
Call-ID: 154992670511200004613@10.0.1.200.
CSeq: 69 REGISTER.
Proxy-Authenticate: Digest realm="192.168.200.130", nonce="4b142e8900000001515ab7891a3d534cc3f15e5627322da3".
Server: Kamailio (1.5.3-notls (i386/linux)).
Content-Length: 0.
.
Thanks in advance! Uriel
On Monday, 30 November 2009, Uriel Rozenbaum wrote:
Hello Uriel,
do you see any error related to the parser in the log files, perhaps the Proxy-Authorization header somehow does not use the correct syntax? I'm not aware of any error that loses auth headers. You also do not get a "stale nonce" result, which could be because of some bug in the nonce check code, which is the youngest part of the module.
Best regards,
Henning
Hi Henning,
It's very strange because the only ERROR I get is the one I print based on the return value, nothing else. I tried PROXY and WWW auth/challenge.
I tried registering the GW with an Asterisk server and it got registered OK, but Asterisk only uses WWW Auth. I don't think Asterisk is 100% fault free but at least I'm sure the parsing part should be OK. Maybe kamailio is not finding credentials after some given header?
Is there any higher debug level I can try?
Thanks! Uriel
On Mon, Dec 7, 2009 at 10:38 AM, Henning Westerholt <henning.westerholt@1und1.de> wrote:
On Monday, 7 December 2009, Uriel Rozenbaum wrote:
Hey Uriel,
ok, you use INFO level in the cfg for your information, so anything higher than this should be logged as well. You could try to set level 4 (DEBUG), but this is nothing which can be enabled on a production system with high traffic longer than a few seconds. There are some fifo cmds that can be used to switch the log level during runtime, this is probably helpful for you if you need to debug in production.
Regards,
Henning
Hello,
the problem seems to be in the challenge/authorize parameters. The challenge has a realm parameter while authorize realm parameter is empty -- that means the realm is taken from From header.
Therefore, to fix it, use the same realm parameter to proxy_challenge() and proxy_authorize() functions.
Cheers, Daniel
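The realm mismatch described in the reply above, modelled as an added example (not Kamailio's code and not part of the original thread). The REGISTER is rebuilt from the ngrep capture earlier in the thread; `authorize_realm_lookup` is a hypothetical helper that reproduces only the realm selection step, and its return value 1 for "matching credentials found" is an assumption, while -4 follows the "No credentials" label in the posted config.

```python
import re

# REGISTER with credentials, rebuilt from the ngrep capture in this thread
# (header subset, CRLF line endings as on the wire).
REGISTER = "\r\n".join([
    "REGISTER sip:192.168.200.130 SIP/2.0",
    "From: <sip:testdevice@10.0.1.200>;tag=1c26389068",
    "To: <sip:testdevice@10.0.1.200>",
    "CSeq: 69 REGISTER",
    'Proxy-Authorization: Digest username="testdevice",realm="192.168.200.130",'
    'nonce="4b142e8900000000188436d32ee472791b706f36952f4162",'
    'uri="sip:192.168.200.130",algorithm=MD5,'
    'response="9fa0904b94f94152619a16c46ffa6485"',
    "", ""])

def headers(msg):
    """Return (name, value) pairs for every header line of a SIP message."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]  # skip request line
    return [tuple(p.strip() for p in l.split(":", 1)) for l in lines if ":" in l]

def digest_params(value):
    """Parse 'Digest k="v",k2=v2' into a dict (quoted or token values)."""
    return {k.lower(): q or t for k, q, t in
            re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value)}

def from_domain(msg):
    """Host part of the From URI, used when the realm argument is empty."""
    value = dict(headers(msg))["From"]
    return re.search(r"sips?:(?:[^@>;]+@)?([^:;>\s]+)", value).group(1)

def authorize_realm_lookup(msg, realm, header="Proxy-Authorization"):
    """Model of the realm selection step only (hypothetical helper).
    Returns (effective_realm, retcode): -4 if no credentials carry that
    realm, 1 if a matching header exists (the response hash is not checked)."""
    effective = realm or from_domain(msg)  # empty realm -> From domain
    for name, value in headers(msg):
        if name.lower() == header.lower() and value.lower().startswith("digest"):
            if digest_params(value).get("realm") == effective:
                return effective, 1
    return effective, -4

if __name__ == "__main__":
    # Realm argument as posted ("") versus the realm used in the challenge.
    for arg in ("", "192.168.200.130"):
        print(repr(arg), "->", authorize_realm_lookup(REGISTER, arg))
```

With the empty realm argument the lookup searches for credentials in realm 10.0.1.200, which the gateway never sent, so the header is present on the wire but still reported as missing.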
On 12/7/09 5:21 PM, Henning Westerholt wrote:
Hey Daniel, Henning,
That made the trick, now it works OK.
Thanks for the help! Uriel
On Tue, Dec 8, 2009 at 5:23 AM, Daniel-Constantin Mierla <miconda@gmail.com> wrote: