[Asterisk-Users] Problem with SIP 407

Olle E. Johansson oej at edvina.net
Wed Feb 25 07:12:02 MST 2004


Vic Cross wrote:

> G'day Marc,
> 
> On Wed, 25 Feb 2004, Marc Fargas wrote:
> 
> 
>>I’m in trouble with SIP. I’ve got a SIP FXS gateway from www.micronet.info
>>(SP5002/S) and tried to register to asterisk, it seems to authenticate but
>>sniffing the net it shows a 407 proxy authen required error message and I
>>cannot make any outgoing calls from that gateway.
> 
> 
> I captured a flow between * and an ATA-186 the other day, because I had 
> the same problem (well, the symptom was the same).
> 
> The 407 message from * is part of the registration flow.  It tells the
> client that it needs to resend its REGISTER, this time including a
> "Proxy-Authentication" (sp?) header in the request.  That header contains
> the authentication data (authuser, password).

Let's clear this up:

A SIP ua sends a REGISTER to a location server to tell the server where
it can be reached. At registration, the server challenges the UA with a
www-authentication. When authenticated, the server stores the IP address
and contact header for some time (expiry=) to be able to place calls to
the UA. This is a SIP peer in asterisk.
The standard sip channel has a bug here and issues a Proxy-authentication.
The chan_sip2 channel issues a www-auth.

When a SIP UA wants to call through asterisk, asterisk wants to know
for certain who it is before admitting any services (except default context).
To let the SIP ua through, we issue a Proxy-auth. If it succeeds, the asterisk
sip user is allowed to reach whatever is reachable in the user's SIP context.

A type=friend SIP client is both a user and a peer.

Neither form of authentication sends the password in clear. This is nowadays
forbidden in SIP. We use digest authentication, a challenge-response mechanism.

I'm a bit afraid that Asterisk's authentication in the SIP channels is a bit
out of date and that may be your problem. Please forward SIP debug output
so we can go through the various stages that lead to the 407.

>>I’ve tried putting ‘Domain’ = Asterisk on the FXS and other things, also
>>played with codecs but everything seems to come from the 407 message, how
>>can I avoid that message?
> 
> 
> Well, you could try removing the password (secret=XXXXXXX) from the entry
> in sip.conf, allowing the client to register without authentication.  
> Might be something to try, but I don't think I'd run live that way... ;-)

If so, add an ACL so you limit the IP addresses that may use this account.

/O
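
The challenge-response exchange described in the message above, as an added example that is not part of the original post and is not Asterisk code: it computes the RFC 2617 MD5 digest (without qop, a simplification) for both a 401 and a 407 challenge and checks it on the server side. The user name, realm, nonce, URIs and password are constructed sample values.

```python
import hashlib
import hmac

# Status code -> header the UA answers with (RFC 3261 names).
REPLY_HEADER = {401: "Authorization", 407: "Proxy-Authorization"}

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # secret side, never sent
    ha2 = md5_hex(f"{method}:{uri}")              # binds the request
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def answer_challenge(status, realm, nonce, user, password, method, uri):
    """UA side: build the credentials for the retried request."""
    params = {"username": user, "realm": realm, "nonce": nonce, "uri": uri,
              "response": digest_response(user, realm, password, method, uri, nonce)}
    return REPLY_HEADER[status], params

def format_header(name, params):
    return f"{name}: Digest " + ", ".join(f'{k}="{v}"' for k, v in params.items())

def server_verify(stored_password, method, params):
    """Server side: recompute from the stored secret and compare."""
    expected = digest_response(params["username"], params["realm"], stored_password,
                               method, params["uri"], params["nonce"])
    return hmac.compare_digest(expected, params["response"])

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    secret = "constructed-secret"
    for status, method, uri in [(401, "REGISTER", "sip:pbx.example.invalid"),
                                (407, "INVITE", "sip:100@pbx.example.invalid")]:
        name, params = answer_challenge(status, "asterisk", "4f2a91c7", "gw1",
                                        secret, method, uri)
        print(format_header(name, params))
        print("  verified:", server_verify(secret, method, params))
```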


