Hey everyone,
My partner and I here in the lab have set up a very simple SER implementation. Up to now we have been using digest authentication with MySQL, and created users with serctl etc. It was nice to get it working and place some calls; we have a couple of Cisco 7960 phones as well as X-Lite clients. But in our tests we found that we could put *any* user name & password in the X-Lite config--and the calls would still succeed! The message console in X-Lite shows the 401 Unauthorized response to REGISTER [which is to be expected], but then if we go ahead and dial...the other phone will ring.
There must be an explanation. I see some people are using RADIUS for authentication; would a RADIUS implementation solve this problem? I cannot attach my ser.cfg just now...but it is almost completely stock anyway; the changes made were uncommenting the digest auth bits and setting the domain name. Ideas?
scott t, DSi
Yes, there is an explanation. The default configuration file authenticates REGISTERs only. If you want to authenticate calls (INVITEs) as well, then you have to modify the configuration file and insert additional authentication when INVITE is being processed.
But be careful -- you cannot authenticate all INVITE messages, because foreign users will not be able to call your subscribers (foreign users have no username and password on your server). You should check whether the INVITE is coming from one of your subscribers and then authenticate.
Jan.
On 18-03 10:32, Ticknor.Scott@ic.gc.ca wrote:
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
On Thursday 18 March 2004 16:32, Ticknor.Scott@ic.gc.ca wrote:
You have to activate authentication for all message types by hand, like you already did for REGISTER by uncommenting the lines in the config. Without seeing your config, and looking into my crystal ball, I guess your configuration only authenticates REGISTER messages. RADIUS will help you in no way, because you also have to place the authentication parts at the right places in your config.
Nils
Hi!
I use this setup:
    if (is_from_local()) {
        if (!proxy_authorize("", "subscriber")) {
            xlog("L_ERR", "%is [%Tf]: %rm %fu -> %ru: bad credentials\n");
            proxy_challenge("", "0");
            break;
        } else {
            if (!check_from()) {
                sl_send_reply("403", "cheating: user!=from");
                xlog("L_ERR", "%is [%Tf]: %rm %fu -> %ru: authuser!=from ->break\n");
                break;
            };
        };
        xlog("L_INFO", "%is [%Tf]: %rm %fu -> %ru: successful authenticated\n");
        setflag(2);  # local user
    } else {
        if ((!is_uri_host_local())) {
            if (is_present_hf("Route")) {
                xlog("L_INFO", "%is [%Tf]: %rm %fu -> %ru: relaying allowed because route header is present\n");
            } else {
                sl_send_reply("403", "we don't support relaying");
                xlog("L_ERR", "%is [%Tf]: %rm %fu -> %ru: 403 relaying not allowed\n");
                break;
            };
        };
    };
As you see, you also have to verify that the username in the credentials is the same as the one in the From: header. This is done using the check_from() method.
For REGISTER requests, you have to compare the auth username with the To: header instead. --> check_to()
regards, Klaus
Ticknor.Scott@ic.gc.ca wrote:
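The two checks discussed in this thread, as an added example that is not part of the serusers thread and not SER's own code: a small Python model of what the proxy does with a request from a local subscriber. It verifies Digest credentials (RFC 2617 MD5, no qop), then checks that the authenticated username matches the identity header (To: for REGISTER, as check_to() does; From: for everything else, as check_from() does). It also models the stock configuration the original poster had, where only REGISTER is challenged. The realm example.com, the users alice and bob, the passwords, the nonce handling (a fixed expected nonce passed in instead of SER's nonce generation) and the SIP messages are all constructed for the example.

```python
# Added example (not from the serusers thread or from SER): a model of the
# proxy-side authorization decisions discussed above.
import hashlib
import re

REALM = "example.com"  # constructed realm; in ser.cfg this is the configured domain


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# Constructed subscriber table: username -> HA1 = MD5(user:realm:password),
# the same value serctl stores in the subscriber table.
SUBSCRIBERS = {
    "alice": _md5("alice:%s:alice-secret" % REALM),
    "bob": _md5("bob:%s:bob-secret" % REALM),
}


def parse_request(raw: str) -> dict:
    """Minimal SIP request parser: request line plus headers, no body."""
    lines = raw.strip().splitlines()
    method, uri, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers}


def parse_digest(auth_header: str) -> dict:
    """Turn 'Digest username="alice", realm="...", ...' into a dict of parameters."""
    if not auth_header.lower().startswith("digest "):
        return {}
    params = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|([^,\s]+))', auth_header[7:]):
        params[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return params


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1 : nonce : MD5(method:uri))."""
    return _md5("%s:%s:%s" % (ha1, nonce, _md5("%s:%s" % (method, uri))))


def uri_user(header_value: str) -> str:
    """User part of a From:/To: URI, e.g. '<sip:alice@example.com>;tag=1' -> 'alice'."""
    m = re.search(r"sips?:([^@>;]+)@", header_value)
    return m.group(1) if m else ""


def authorize(raw: str, expected_nonce: str) -> str:
    """Decision for a request from a local user: '401'/'407' (challenge),
    '403' (valid credentials but the identity header names another user), or 'relay'."""
    req = parse_request(raw)
    h = req["headers"]
    is_register = req["method"] == "REGISTER"
    # REGISTER is challenged with 401 and answered with Authorization: (www_authorize);
    # other requests with 407 and Proxy-Authorization: (proxy_authorize).
    challenge = "401" if is_register else "407"
    creds = parse_digest(h.get("authorization" if is_register else "proxy-authorization", ""))
    user = creds.get("username", "")
    ha1 = SUBSCRIBERS.get(user)
    if ha1 is None or creds.get("realm") != REALM or creds.get("nonce") != expected_nonce:
        return challenge
    if creds.get("uri") != req["uri"]:
        return challenge
    if creds.get("response") != digest_response(ha1, req["method"], req["uri"], expected_nonce):
        return challenge
    # check_to() for REGISTER, check_from() for everything else: the credentials
    # may be valid for alice, but the request must not claim to be from bob.
    if user != uri_user(h.get("to" if is_register else "from", "")):
        return "403"
    return "relay"


def stock_route(raw: str, expected_nonce: str) -> str:
    """Models the default ser.cfg from the thread: only REGISTER is authenticated,
    so an INVITE without any credentials is simply relayed."""
    if parse_request(raw)["method"] == "REGISTER":
        return authorize(raw, expected_nonce)
    return "relay"


def build_invite(auth_user: str, password: str, from_user: str, nonce: str) -> str:
    """Constructed INVITE with Digest credentials for auth_user but a From: of from_user."""
    uri = "sip:bob@%s" % REALM
    resp = digest_response(_md5("%s:%s:%s" % (auth_user, REALM, password)), "INVITE", uri, nonce)
    return (
        "INVITE %s SIP/2.0\r\n"
        "From: <sip:%s@%s>;tag=1\r\n"
        "To: <sip:bob@%s>\r\n"
        'Proxy-Authorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"\r\n'
        "Call-ID: constructed-1\r\n"
    ) % (uri, from_user, REALM, REALM, auth_user, REALM, nonce, uri, resp)


if __name__ == "__main__":
    n = "constructed-nonce"
    bare = "INVITE sip:bob@example.com SIP/2.0\r\nFrom: <sip:alice@example.com>\r\n"
    print(authorize(build_invite("alice", "alice-secret", "alice", n), n))  # relay
    print(authorize(build_invite("alice", "wrong", "alice", n), n))         # 407
    print(authorize(build_invite("alice", "alice-secret", "bob", n), n))    # 403
    print(authorize(bare, n), stock_route(bare, n))                         # 407 relay
```

The last line of the usage run is the thread's symptom in miniature: with the stock routing an INVITE carrying no credentials at all is relayed, while the same message under the local-user check is challenged. The 403 case is what check_from() adds on top of proxy_authorize(): alice's password does not entitle a request to carry bob's identity in From:.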