Re: FW: Re: 401 Unauthorized after Authentication Digest

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: FW: Re: 401 Unauthorized after Authentication Digest

David Peláez
Thanks a lot for your replay. I already change the option "insecure=INVITE" as you suggested but I am still having the same problem. Find attached the peer configuration maybe I am missing something else.

About opensips authenticating calls from SIPphones how do I disabled that behavior? because my opensips sends an 407 Proxy Authentication to the Sip phone before sending the INVITE to asterisk server.

Best regards
David


On Wed, May 31, 2017, 10:50 John Quick <[hidden email]> wrote:
From: John Quick [mailto:[hidden email]]
Sent: 31 May 2017 09:49
To: '[hidden email]' <[hidden email]>
Subject: Re: [OpenSIPS-Users] 401 Unauthorized after Authentication Digest

Hi David,

In the scenario you describe, I would expect to see one of the following
solutions (but not both at the same time):
1. OpenSIPS acts as the registrar for the SIP phones. Calls (INVITE
requests) from SIP phones are routed on via a SIP trunk 2. OpenSIPS acts as
a transparent proxy in front of another SIP server such as Asterisk

Scenario 1 is the most common. OpenSIPS authenticates calls based on a list
of credentials that it holds, normally in the subscriber table. In this
case, you really want to avoid the situation where each outbound call
triggers an additional authentication request from the SIP trunk. Can you
re-configure your Asterisk endpoint so it trusts INVITE requests coming from
your OpenSIPS server? E.g. add the line insecure=INVITE to the sip peer
definition.

In scenario 2, which I would not consider to be the preferred solution,
OpenSIPS just passes the SIP messages between the phone and the Asterisk
server - in both directions. OpenSIPS does not authenticate calls because
that job is done by the Asterisk server and all the credentials are held by
Asterisk, not by OpenSIPS. In this case the 401 request would just be passed
upstream to the phone.

Try to avoid the situation where OpenSIPS is authenticating the INVITE from
the SIP phones using its own list of credentials, but then it also has to
authenticate each call sent over the SIP trunk. In theory you could use the
UAC_AUTH module of OpenSIPS to do this, but in practice I have never been
able to make this work because it breaks the CSeq numbering sequence of the
SIP request messages.

John Quick
Smartvox Limited


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: FW: Re: 401 Unauthorized after Authentication Digest

John Quick
Hi David,

In asterisk, "insecure=INVITE" should be sufficient to disable authentication, although I have only tried it using chan_sip, not pjsip.
Is it possible you have another sip peer defined where the address for "host=" is the same? It is very difficult to know which one Asterisk will use for incoming calls when there are two with the same address for host.
If you have parameters for username and secret in your sip peer, try commenting them out and see if that helps.

I would not advise disabling authentication of SIP phones. In fact you should make sure you always use strong passwords.
All makes of SIP phone will support username/password authentication and it is vital to keep it active if you don't want your phone system to be hacked.
However, you should add this line to opensips.cfg after the SIP phone authentication section (www_authorize) and before you send the call to Asterisk (t_relay):

consume_credentials();

This will remove the headers that OpenSIPS and the SIP phone exchanged for authentication. If you don't remove those headers, Asterisk is likely to get confused and may request authorisation.

The consume_credentials function is documented here:
http://www.opensips.org/html/docs/modules/2.2.x/auth.html#idp5543680

John Quick
Smartvox Limited


From: David Peláez [mailto:[hidden email]]
Sent: 02 June 2017 10:56
To: [hidden email]
Cc: [hidden email]
Subject: Re: FW: Re: [OpenSIPS-Users] 401 Unauthorized after Authentication Digest

Thanks a lot for your replay. I already change the option "insecure=INVITE" as you suggested but I am still having the same problem. Find attached the peer configuration maybe I am missing something else.
About opensips authenticating calls from SIPphones how do I disabled that behavior? because my opensips sends an 407 Proxy Authentication to the Sip phone before sending the INVITE to asterisk server.
Best regards
David



_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: FW: Re: 401 Unauthorized after Authentication Digest

David Peláez
Hi John.

I configured "secure=INVITE" but the same behaivor continue. Also the extensions on Asterisk server are pjsip and the trunk is chan_sip, could it be the problem why the calls aren't reching the SIPphone? Or some problem between the ports the servers are listen to?
I just have one peer defined which is the one I am sending the calls.

And now I have seen this error on Asterisk server:

[2017-06-06 10:58:20] NOTICE[3601] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"501" <[hidden email]>' failed for '192.168.1.12:5060' (callid: [hidden email]) - No matching endpoint found
[2017-06-06 10:58:20] NOTICE[3601] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"501" <[hidden email]>' failed for '192.168.1.12:5060' (callid: [hidden email]) - No matching endpoint found
[2017-06-06 10:58:20] NOTICE[3601] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"501" <[hidden email]>' failed for '192.168.1.12:5060' (callid: [hidden email]) - Failed to authenticate

What does it means?

Best regards
David 


2017-06-02 12:20 GMT+02:00 John Quick <[hidden email]>:
Hi David,

In asterisk, "insecure=INVITE" should be sufficient to disable authentication, although I have only tried it using chan_sip, not pjsip.
Is it possible you have another sip peer defined where the address for "host=" is the same? It is very difficult to know which one Asterisk will use for incoming calls when there are two with the same address for host.
If you have parameters for username and secret in your sip peer, try commenting them out and see if that helps.

I would not advise disabling authentication of SIP phones. In fact you should make sure you always use strong passwords.
All makes of SIP phone will support username/password authentication and it is vital to keep it active if you don't want your phone system to be hacked.
However, you should add this line to opensips.cfg after the SIP phone authentication section (www_authorize) and before you send the call to Asterisk (t_relay):

consume_credentials();

This will remove the headers that OpenSIPS and the SIP phone exchanged for authentication. If you don't remove those headers, Asterisk is likely to get confused and may request authorisation.

The consume_credentials function is documented here:
http://www.opensips.org/html/docs/modules/2.2.x/auth.html#idp5543680

John Quick
Smartvox Limited


From: David Peláez [mailto:[hidden email]]
Sent: 02 June 2017 10:56
To: [hidden email]
Cc: [hidden email]
Subject: Re: FW: Re: [OpenSIPS-Users] 401 Unauthorized after Authentication Digest

Thanks a lot for your replay. I already change the option "insecure=INVITE" as you suggested but I am still having the same problem. Find attached the peer configuration maybe I am missing something else.
About opensips authenticating calls from SIPphones how do I disabled that behavior? because my opensips sends an 407 Proxy Authentication to the Sip phone before sending the INVITE to asterisk server.
Best regards
David




_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: FW: Re: 401 Unauthorized after Authentication Digest

John Quick
David,

Have you read this:
https://wiki.asterisk.org/wiki/display/AST/Migrating+from+chan_sip+to+res_pjsip#Migratingfromchan_siptores_pjsip-Disablingres_pjsipandchan_pjsip

It looks like you can only have both active together if they are listening on different ports. Do you know which port each one is using and are you 100% sure that OpenSIPS is sending its INVITE request to the port assigned to chan_sip?

John Quick
Smartvox Limited


From: David Peláez [mailto:[hidden email]]
Sent: 06 June 2017 13:39
To: John Q <[hidden email]>
Cc: [hidden email]
Subject: Re: FW: Re: [OpenSIPS-Users] 401 Unauthorized after Authentication Digest

Hi John.

I configured "secure=INVITE" but the same behaivor continue. Also the extensions on Asterisk server are pjsip and the trunk is chan_sip, could it be the problem why the calls aren't reching the SIPphone? Or some problem between the ports the servers are listen to?
I just have one peer defined which is the one I am sending the calls.

And now I have seen this error on Asterisk server:

[2017-06-06 10:58:20] NOTICE[3601] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"501" <mailto:sip%3A2000@192.168.1.12>' failed for '<a href="http://192.168.1.12:5060'">http://192.168.1.12:5060' (callid: mailto:[hidden email]) - No matching endpoint found
[2017-06-06 10:58:20] NOTICE[3601] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"501" <mailto:sip%3A2000@192.168.1.12>' failed for '<a href="http://192.168.1.12:5060'">http://192.168.1.12:5060' (callid: mailto:[hidden email]) - No matching endpoint found
[2017-06-06 10:58:20] NOTICE[3601] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"501" <mailto:sip%3A2000@192.168.1.12>' failed for '<a href="http://192.168.1.12:5060'">http://192.168.1.12:5060' (callid: mailto:[hidden email]) - Failed to authenticate

What does it means?

Best regards
David


2017-06-02 12:20 GMT+02:00 John Quick <mailto:[hidden email]>:
Hi David,

In asterisk, "insecure=INVITE" should be sufficient to disable authentication, although I have only tried it using chan_sip, not pjsip.
Is it possible you have another sip peer defined where the address for "host=" is the same? It is very difficult to know which one Asterisk will use for incoming calls when there are two with the same address for host.
If you have parameters for username and secret in your sip peer, try commenting them out and see if that helps.

I would not advise disabling authentication of SIP phones. In fact you should make sure you always use strong passwords.
All makes of SIP phone will support username/password authentication and it is vital to keep it active if you don't want your phone system to be hacked.
However, you should add this line to opensips.cfg after the SIP phone authentication section (www_authorize) and before you send the call to Asterisk (t_relay):

consume_credentials();

This will remove the headers that OpenSIPS and the SIP phone exchanged for authentication. If you don't remove those headers, Asterisk is likely to get confused and may request authorisation.

The consume_credentials function is documented here:
http://www.opensips.org/html/docs/modules/2.2.x/auth.html#idp5543680

John Quick
Smartvox Limited


From: David Peláez [mailto:mailto:[hidden email]]
Sent: 02 June 2017 10:56
To: mailto:[hidden email]
Cc: mailto:[hidden email]
Subject: Re: FW: Re: [OpenSIPS-Users] 401 Unauthorized after Authentication Digest

Thanks a lot for your replay. I already change the option "insecure=INVITE" as you suggested but I am still having the same problem. Find attached the peer configuration maybe I am missing something else.
About opensips authenticating calls from SIPphones how do I disabled that behavior? because my opensips sends an 407 Proxy Authentication to the Sip phone before sending the INVITE to asterisk server.
Best regards
David




_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users