30 Nov
2009
30 Nov
'09
4:49 p.m.
Hello guys,
I'm having a strange problem with my Kamailio 1.5.3 when trying to register
an Audiocodes Gateway. I'm using authentication for REGISTER messages.
The GW sends a REGISTER without credentials, so I do a proxy_challenge. Then
the GW sends a REGISTER with credentials but the proxy_authorize is
returning -4.
I did an NGREP to check the messages and they don't seem malformed, can you
tell me if there is something on the functions that might be loosing the
Proxy-Authorization header?
This happens only with this GW, not if i register a softphone (XLITE).
Within route block:
...
if (is_method("REGISTER"))
{
route(11);
save("location");
exit();
}
...
Route(11):
route[11] {
# ----- AUTENTICACION DE UN MENSAJE -----
if (!proxy_authorize("", "subscriber"))
{
switch($retcode)
{
case -1:
xlog("L_INFO", "AUTH: Invalid username\n");
sl_send_reply("403", "Forbidden");
exit;
case -2:
xlog("L_INFO", "AUTH: Invalid password\n");
sl_send_reply("403", "Forbidden");
exit;
case -3:
xlog("L_INFO", "AUTH: Nonce ambiguo\n");
break;
case -4:
xlog("L_INFO", "AUTH: No credentials\n");
break;
#default:
#xlog("L_INFO", "AUTH: Unknown error\n");
#break;
}
#xlog("L_DBG", "AUTH: -Data- Auth Username = $au\n");
#xlog("L_DBG", "AUTH: -Data- Domain = $fd\n");
#xlog("L_DBG", "AUTH: -Data- From Username = $fU\n");
proxy_challenge("192.168.200.130","0");
exit;
};
xlog("L_INFO", "AUTH: Valid username and credentials\n");
consume_credentials();
}
NGREP:
#
U 10.0.1.200:5060 -> 192.168.200.130:5060
REGISTER sip:192.168.200.130 SIP/2.0.
Via: SIP/2.0/UDP 10.0.1.200;branch=z9hG4bKac26395445.
Max-Forwards: 70.
From: <sip:testdevice@10.0.1.200 <sip%3Atestdevice(a)10.0.1.200>
;tag=1c26389068.
To:
<sip:testdevice@10.0.1.200 <sip%3Atestdevice(a)10.0.1.200>>0>>.
Call-ID: 154992670511200004613(a)10.0.1.200.
CSeq: 68 REGISTER.
Contact: <sip:testdevice@10.0.1.200:5060>;expires=180.
Allow:
REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE.
Expires: 180.
User-Agent: Audiocodes-Sip-Gateway-/v.5.80A.023.006.
Content-Length: 0.
.
#
U 192.168.200.130:5060 -> 10.0.1.200:5060
SIP/2.0 407 Proxy Authentication Required.
Via: SIP/2.0/UDP 10.0.1.200;branch=z9hG4bKac26395445.
From: <sip:testdevice@10.0.1.200 <sip%3Atestdevice(a)10.0.1.200>
;tag=1c26389068.
To:
<sip:testdevice@10.0.1.200 <sip%3Atestdevice(a)10.0.1.200>
;tag=f8f2ab2c1295e90ed7dbb499b30f44b2.ee1a.
Call-ID: 154992670511200004613(a)10.0.1.200.
CSeq: 68 REGISTER.
Proxy-Authenticate: Digest realm="192.168.200.130",
nonce="4b142e8900000000188436d32ee472791b706f36952f4162".
Server: Kamailio (1.5.3-notls (i386/linux)).
Content-Length: 0.
.
#
U 10.0.1.200:5060 -> 192.168.200.130:5060
REGISTER sip:192.168.200.130 SIP/2.0.
Via: SIP/2.0/UDP 10.0.1.200;branch=z9hG4bKac26766380.
Max-Forwards: 70.
From: <sip:testdevice@10.0.1.200 <sip%3Atestdevice(a)10.0.1.200>
;tag=1c26389068.
To:
<sip:testdevice@10.0.1.200 <sip%3Atestdevice(a)10.0.1.200>>0>>.
Call-ID: 154992670511200004613(a)10.0.1.200.
CSeq: 69 REGISTER.
Proxy-Authorization: Digest
username="testdevice",realm="192.168.200.130",nonce="4b142e8900000000188436d32ee472791b706f36952f4162",uri="sip:192.168.200.130",algorithm=MD5,response="9fa0904b94f94152619a16c46ffa6485".
Contact: <sip:testdevice@10.0.1.200:5060>;expires=180.
Allow:
REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE.
Expires: 180.
User-Agent: Audiocodes-Sip-Gateway-/v.5.80A.023.006.
Content-Length: 0.
.
#
U 192.168.200.130:5060 -> 10.0.1.200:5060
SIP/2.0 407 Proxy Authentication Required.
Via: SIP/2.0/UDP 10.0.1.200;branch=z9hG4bKac26766380.
From: <sip:testdevice@10.0.1.200 <sip%3Atestdevice(a)10.0.1.200>
;tag=1c26389068.
To:
<sip:testdevice@10.0.1.200 <sip%3Atestdevice(a)10.0.1.200>
;tag=f8f2ab2c1295e90ed7dbb499b30f44b2.b7c8.
Call-ID: 154992670511200004613(a)10.0.1.200.
CSeq: 69 REGISTER.
Proxy-Authenticate: Digest realm="192.168.200.130",
nonce="4b142e8900000001515ab7891a3d534cc3f15e5627322da3".
Server: Kamailio (1.5.3-notls (i386/linux)).
Content-Length: 0.
.
Thanks in advance!
Uriel
7 Dec
7 Dec
9:38 a.m.
On Montag, 30. November 2009, Uriel Rozenbaum wrote:
I'm having a strange problem with my Kamailio
1.5.3 when trying to register
an Audiocodes Gateway. I'm using authentication for REGISTER messages.
The GW sends a REGISTER without credentials, so I do a proxy_challenge.
Then the GW sends a REGISTER with credentials but the proxy_authorize is
returning -4.
I did an NGREP to check the messages and they don't seem malformed, can you
tell me if there is something on the functions that might be loosing the
Proxy-Authorization header?
This happens only with this GW, not if i register a softphone (XLITE).
Hello Uriel,
do you see any error related to the parser in the log files, perhaps the
Proxy-Authorization header somehow uses not the correct syntax? I'm not aware
of any error that looses auth headers. You also not get a "stale nonce"
result, which could be because of some bug in the nonce check code, which is
the youngest part of the module.
Best regards,
Henning
10:57 a.m.
Hi Henning,
It's very strange because the only ERROR I get is the one I print based on
the return value, nothing else. I tried PROXY and WWW auth/challenge.
I tried registering the GW with an Asterisk server and it got registered OK,
but Asterisk only uses WWW Auth. I don't think Asterisk is 100% fault free
but at least I'm sure the parsing part should be OK. Maybe kamailio is not
finding credentials after some given header?
Is there any higher debug level I can try?
Thanks!
Uriel
On Mon, Dec 7, 2009 at 10:38 AM, Henning Westerholt <
henning.westerholt(a)1und1.de> wrote:
On Montag, 30. November 2009, Uriel Rozenbaum wrote:
I'm having a strange problem with my Kamailio
1.5.3 when trying to
register
an Audiocodes Gateway. I'm using
authentication for REGISTER messages.
The GW sends a REGISTER without credentials, so I do a proxy_challenge.
Then the GW sends a REGISTER with credentials but the proxy_authorize is
returning -4.
I did an NGREP to check the messages and they don't seem malformed, can
you
tell me if there is something on the functions
that might be loosing the
Proxy-Authorization header?
This happens only with this GW, not if i register a softphone (XLITE).
Hello Uriel,
do you see any error related to the parser in the log files, perhaps the
Proxy-Authorization header somehow uses not the correct syntax? I'm not
aware of any error that looses auth headers. You also not get a "stale
nonce" result, which could be because of some bug in the nonce check code,
which is the youngest part of the module.
Best regards,
Henning
12:21 p.m.
On Montag, 7. Dezember 2009, Uriel Rozenbaum wrote:
It's very strange because the only ERROR I get is
the one I print based on
the return value, nothing else. I tried PROXY and WWW auth/challenge.
I tried registering the GW with an Asterisk server and it got registered
OK, but Asterisk only uses WWW Auth. I don't think Asterisk is 100% fault
free but at least I'm sure the parsing part should be OK. Maybe kamailio is
not finding credentials after some given header?
Is there any higher debug level I can try?
Hey Uriel,
ok, you use INFO level in the cfg for your informations, so anything higher
then this should be logged as well. You could try to set level 4 (DEBUG), but
this is nothing which can be enabled on a production system with high traffic
longer than e few seconds. There are some fifo cmds that can be used to switch
the log level during runtime, this is probably helpful for you if you need to
debug in production.
Regards,
Henning
8 Dec
8 Dec
4:23 a.m.
Hello,
the problem seems to be in the challenge/authorize parameters. The
challenge has a realm parameter while authorize realm parameter is empty
-- that means the realm is taken from From header.
Therefore, to fix it, use the same realm parameter to proxy_challenge()
and proxy_authorize() functions.
Cheers,
Daniel
On 12/7/09 5:21 PM, Henning Westerholt wrote:
On Montag, 7. Dezember 2009, Uriel Rozenbaum wrote:
--
Daniel-Constantin Mierla
* http://www.asipto.com/
It's very strange because the only ERROR I
get is the one I print
based on
the return value, nothing else. I tried PROXY and
WWW auth/challenge.
I tried registering the GW with an Asterisk server and it got registered
OK, but Asterisk only uses WWW Auth. I don't think Asterisk is 100%
fault
free but at least I'm sure the parsing part
should be OK. Maybe
kamailio is
not finding credentials after some given header?
Is there any higher debug level I can try?
Hey Uriel,
ok, you use INFO level in the cfg for your informations, so anything
higher then this should be logged as well. You could try to set level
4 (DEBUG), but this is nothing which can be enabled on a production
system with high traffic longer than e few seconds. There are some
fifo cmds that can be used to switch the log level during runtime,
this is probably helpful for you if you need to debug in production.
Regards,
Henning
_______________________________________________
Kamailio (OpenSER) - Users mailing list
Users(a)lists.kamailio.org
http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
9 Dec
9 Dec
12:37 p.m.
Hey Daniel, Henning,
That made the trick, now it works OK.
Thanks for the help!
Uriel
On Tue, Dec 8, 2009 at 5:23 AM, Daniel-Constantin Mierla
<miconda(a)gmail.com>wrote;wrote:
Hello,
the problem seems to be in the challenge/authorize parameters. The
challenge has a realm parameter while authorize realm parameter is empty --
that means the realm is taken from From header.
Therefore, to fix it, use the same realm parameter to proxy_challenge() and
proxy_authorize() functions.
Cheers,
Daniel
On 12/7/09 5:21 PM, Henning Westerholt wrote:
On Montag, 7. Dezember 2009, Uriel Rozenbaum wrote:
It's very strange because the only ERROR I
get is the one I print based
on
the return value, nothing else. I tried PROXY and
WWW auth/challenge.
I tried registering the GW with an Asterisk server and it got registered
OK, but Asterisk only uses WWW Auth. I don't think Asterisk is 100% fault
free but at least I'm sure the parsing part should be OK. Maybe kamailio
is
not finding credentials after some given header?
Is there any higher debug level I can try?
Hey Uriel,
ok, you use INFO level in the cfg for your informations, so anything
higher then this should be logged as well. You could try to set level 4
(DEBUG), but this is nothing which can be enabled on a production system
with high traffic longer than e few seconds. There are some fifo cmds that
can be used to switch the log level during runtime, this is probably helpful
for you if you need to debug in production.
Regards,
Henning
_______________________________________________
Kamailio (OpenSER) - Users mailing
listUsers@lists.kamailio.orghttp://lists.kamailio.org/cgi-bin/mailman/listinfo/usershttp://lists.openser-project.org/cgi-bin/mailman/listinfo/users
--
Daniel-Constantin Mierla
* http://www.asipto.com/
5362
days inactive
5371
days old
5 comments
3 participants
participants (3)
-
Daniel-Constantin Mierla -
Henning Westerholt -
Uriel Rozenbaum