401 Unauthorized after Authentication Digest

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

401 Unauthorized after Authentication Digest

David Peláez
Hello everyone.

My name is David, I am new on openisips and I am having some troubles to place calls from a Sip Phone in Opensips to an Asterisk Server.

The opsnsips server and the asterisk are connected throughout a SIP Trunk. When I make a call from phone A in Opensips to Phone B in Asterisk authorization digest is required from Asterisk Server, I can responce with the credentials but a new 401 Unauthorized message is send back to Opensips, and then the message is forwarded to phone A. 

Please find attached the pcap file from wireshark and the opensips.cfg file.

Any advice about this?

Best regards 
David

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

jfdj.txt (12K) Download Attachment
test.pcapng (2M) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: 401 Unauthorized after Authentication Digest

Tito Cumpen
David,


Can you please share your opensips.cfg file? Check if opensips is removing the credentials via consume_credentials. I presume this trace is taken from the sip phone itself? I don't see the hop towards asterisk here. you should just have opensips forward if you wan't to avoid double registration. From the look of the auth challenge it looks like opensips is generating a challenge with its own ip derived realm. I'd use the load balance module or simply forward the requests back and forth.


Here you can replace yate for asterisk.

or you can follow 

which requires a bit more of database work to allow the auth to be taken place at opensips.

On Tue, May 30, 2017 at 8:43 AM, David Peláez <[hidden email]> wrote:
Hello everyone.

My name is David, I am new on openisips and I am having some troubles to place calls from a Sip Phone in Opensips to an Asterisk Server.

The opsnsips server and the asterisk are connected throughout a SIP Trunk. When I make a call from phone A in Opensips to Phone B in Asterisk authorization digest is required from Asterisk Server, I can responce with the credentials but a new 401 Unauthorized message is send back to Opensips, and then the message is forwarded to phone A. 

Please find attached the pcap file from wireshark and the opensips.cfg file.

Any advice about this?

Best regards 
David

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users



_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: 401 Unauthorized after Authentication Digest

John Quick
In reply to this post by David Peláez
Hi David,

In the scenario you describe, I would expect to see one of the following
solutions (but not both at the same time):
1. OpenSIPS acts as the registrar for the SIP phones. Calls (INVITE
requests) from SIP phones are routed on via a SIP trunk
2. OpenSIPS acts as a transparent proxy in front of another SIP server such
as Asterisk

Scenario 1 is the most common. OpenSIPS authenticates calls based on a list
of credentials that it holds, normally in the subscriber table. In this
case, you really want to avoid the situation where each outbound call
triggers an additional authentication request from the SIP trunk. Can you
re-configure your Asterisk endpoint so it trusts INVITE requests coming from
your OpenSIPS server? E.g. add the line insecure=INVITE to the sip peer
definition.

In scenario 2, which I would not consider to be the preferred solution,
OpenSIPS just passes the SIP messages between the phone and the Asterisk
server - in both directions. OpenSIPS does not authenticate calls because
that job is done by the Asterisk server and all the credentials are held by
Asterisk, not by OpenSIPS. In this case the 401 request would just be passed
upstream to the phone.

Try to avoid the situation where OpenSIPS is authenticating the INVITE from
the SIP phones using its own list of credentials, but then it also has to
authenticate each call sent over the SIP trunk. In theory you could use the
UAC_AUTH module of OpenSIPS to do this, but in practice I have never been
able to make this work because it breaks the CSeq numbering sequence of the
SIP request messages.

John Quick
Smartvox Limited


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: 401 Unauthorized after Authentication Digest

John Quick
In reply to this post by David Peláez
Hello David,

I'm not familiar with the pjsip implementation on Asterisk so cannot really help. Are you sure you can mix chan_sip with pjsip? How does Asterisk know which one to use when it receives a SIP request?
If you are getting "no matching endpoint" warnings it suggests to me that you need to define the sip peer somewhere else or that you are not giving the correct IP address in your sip peer definition, but this is only a guess.
Perhaps there is an Asterisk forum where you could get help. The underlying problem seems to be that Asterisk is demanding authentication when you don't want it to - in which case your problem is with Asterisk, not with OpenSIPS.

John Quick
Smartvox Limited


From: David Peláez [mailto:[hidden email]]
Sent: 06 June 2017 13:39
To: John Q <[hidden email]>
Cc: [hidden email]
Subject: Re: FW: Re: [OpenSIPS-Users] 401 Unauthorized after Authentication Digest

Hi John.

I configured "secure=INVITE" but the same behaivor continue. Also the extensions on Asterisk server are pjsip and the trunk is chan_sip, could it be the problem why the calls aren't reching the SIPphone? Or some problem between the ports the servers are listen to?
I just have one peer defined which is the one I am sending the calls.

And now I have seen this error on Asterisk server:

[2017-06-06 10:58:20] NOTICE[3601] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"501" <mailto:sip%3A2000@192.168.1.12>' failed for '<a href="http://192.168.1.12:5060'">http://192.168.1.12:5060' (callid: mailto:[hidden email]) - No matching endpoint found
[2017-06-06 10:58:20] NOTICE[3601] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"501" <mailto:sip%3A2000@192.168.1.12>' failed for '<a href="http://192.168.1.12:5060'">http://192.168.1.12:5060' (callid: mailto:[hidden email]) - No matching endpoint found
[2017-06-06 10:58:20] NOTICE[3601] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"501" <mailto:sip%3A2000@192.168.1.12>' failed for '<a href="http://192.168.1.12:5060'">http://192.168.1.12:5060' (callid: mailto:[hidden email]) - Failed to authenticate

What does it means?

Best regards
David


2017-06-02 12:20 GMT+02:00 John Quick <mailto:[hidden email]>:
Hi David,

In asterisk, "insecure=INVITE" should be sufficient to disable authentication, although I have only tried it using chan_sip, not pjsip.
Is it possible you have another sip peer defined where the address for "host=" is the same? It is very difficult to know which one Asterisk will use for incoming calls when there are two with the same address for host.
If you have parameters for username and secret in your sip peer, try commenting them out and see if that helps.

I would not advise disabling authentication of SIP phones. In fact you should make sure you always use strong passwords.
All makes of SIP phone will support username/password authentication and it is vital to keep it active if you don't want your phone system to be hacked.
However, you should add this line to opensips.cfg after the SIP phone authentication section (www_authorize) and before you send the call to Asterisk (t_relay):

consume_credentials();

This will remove the headers that OpenSIPS and the SIP phone exchanged for authentication. If you don't remove those headers, Asterisk is likely to get confused and may request authorisation.

The consume_credentials function is documented here:
http://www.opensips.org/html/docs/modules/2.2.x/auth.html#idp5543680

John Quick
Smartvox Limited


From: David Peláez [mailto:mailto:[hidden email]]
Sent: 02 June 2017 10:56
To: mailto:[hidden email]
Cc: mailto:[hidden email]
Subject: Re: FW: Re: [OpenSIPS-Users] 401 Unauthorized after Authentication Digest

Thanks a lot for your replay. I already change the option "insecure=INVITE" as you suggested but I am still having the same problem. Find attached the peer configuration maybe I am missing something else.
About opensips authenticating calls from SIPphones how do I disabled that behavior? because my opensips sends an 407 Proxy Authentication to the Sip phone before sending the INVITE to asterisk server.
Best regards
David




_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Loading...