[asterisk-users] polycom with http/https basic authentication

Robert McNaught asteriskator at gmail.com
Fri Jun 27 12:20:13 CDT 2008


Hi,

I apologize that this is not directly associated with Asterisk; I have
been trying to solve this, but not having any luck.

Does anyone have a setup with http or https with basic authentication
for provisioning Polycom Phones?  We use edgemarc 4500 routers and use
Option 66 to auto-provision phones using DHCP.  I am trying to set up
an apache server with subdirectories for different customers protected
by a username and password so that their phones can only access their
own directory.

The string I am putting in Option 66 is:

"http://username:password@http.server.com/dir1/"

These are packet dumps of the polycom phone trying to grab files from
the server - using basic authentication - I have set up .htaccess
files which work correctly when pulling down files using firefox.

GET FILE WITH POLYCOM
[root@server3 ~]# ngrep -q 'HTTP/1.[01]'
interface: eth0 (XXX.XXX.XXX.XXX/255.255.254.0)
match: HTTP/1.[01]

T XXX.XXX.XXX.XXX:1024 -> XXX.XXX.XXX.XXX [AP]
  GET /dir1/2345-12200-002.bootrom.ld HTTP/1.1..Host:
http.server.com..Accept: */*..U
  ser-Agent: FileTransport PolycomSoundPointIP-SPIP_320-UA/4.0.0.0423....

T XXX.XXX.XXX.XXX:80 -> XXX.XXX.XXX.XXX:1024 [AP]
  HTTP/1.1 401 Authorization Required..Date: Fri, 27 Jun 2008 16:46:59
GMT..Server: A
  pache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b
mod_auth_passthrough/2.1 mod_bwli
  mited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5..WWW-Authenticate: Basic
realm="Restricted
   Area"..Content-Length: 703..Content-Type: text/html;
charset=iso-8859-1....<!DOCTY
  PE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401
Authorization R
  equired</title>.</head><body>.<h1>Authorization
Required</h1>.<p>This server could
  not verify that you.are authorized to access the document.requested.
 Either you su
  pplied the wrong.credentials (e.g., bad password), or your.browser
doesn't understa
  nd how to supply.the credentials required.</p>.<p>Additionally, a
404 Not Found.err
  or was encountered while trying to use an ErrorDocument to handle
the request.</p>.
  <hr>.<address>Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b
mod_auth_passthrou
  gh/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5 Server at
prov.xiptel.net P
  ort 80</address>.</body></html>.

T XXX.XXX.XXX.XXX:1025 -> XXX.XXX.XXX.XXX:80 [AP]
  GET /dir1/bootrom.ld HTTP/1.1..Host: http.server.com..Accept:
*/*..User-Agent: File
  Transport PolycomSoundPointIP-SPIP_320-UA/4.0.0.0423....



USING FIREFOX
[root@server3 ~]# ngrep -q 'HTTP/1.[01]'
interface: eth0 (69.73.146.0/255.255.254.0)
match: HTTP/1.[01]

T XXX.XXX.XXX.XXX:57773 -> XXX.XXX.XXX.XXX:80 [AP]
  GET /dir1/2345-11300-010.bootrom.ld HTTP/1.1..Host:
http.server.com..User-Agent: Mo
  zilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061015
Firefox/3.0..Accept:
   text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8..Accept-Language:
  en-us,en;q=0.5..Accept-Encoding: gzip,deflate..Accept-Charset:
ISO-8859-1,utf-8;q=0
  .7,*;q=0.7..Keep-Alive: 300..Connection: keep-alive..Referer:
http://prov.xiptel.ne
  t/dir1/..Cookie: logintheme=cpanel; cprelogin=no; cpsession=closed....

T XXX.XXX.XXX.XXX:80 -> XXX.XXX.XXX.XXX:57773 [AP]
  HTTP/1.1 401 Authorization Required..Date: Fri, 27 Jun 2008 16:36:20
GMT..Server: A
  pache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b
mod_auth_passthrough/2.1 mod_bwli
  mited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5..WWW-Authenticate: Basic
realm="Restricted
   Area"..Content-Length: 703..Keep-Alive: timeout=15,
max=100..Connection: Keep-Aliv
  e..Content-Type: text/html; charset=iso-8859-1....<!DOCTYPE HTML
PUBLIC "-//IETF//D
  TD HTML 2.0//EN">.<html><head>.<title>401 Authorization
Required</title>.</head><bo
  dy>.<h1>Authorization Required</h1>.<p>This server could not verify
that you.are au
  thorized to access the document.requested.  Either you supplied the
wrong.credentia
  ls (e.g., bad password), or your.browser doesn't understand how to
supply.the crede
  ntials required.</p>.<p>Additionally, a 404 Not Found.error was
encountered while t
  rying to use an ErrorDocument to handle the
request.</p>.<hr>.<address>Apache/2.0.6
  1 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_auth_passthrough/2.1
mod_bwlimited/1.4 F
  rontPage/5.0.2.2635 PHP/5.2.5 Server at prov.xiptel.net Port
80</address>.</body></
  html>.

T XXX.XXX.XXX.XXX:57773 -> XXX.XXX.XXX.XXX:80 [AP]
  GET /dir1/2345-11300-010.bootrom.ld HTTP/1.1..Host:
http.server.com..User-Agent: Mo
  zilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061015
Firefox/3.0..Accept:
   text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8..Accept-Language:
  en-us,en;q=0.5..Accept-Encoding: gzip,deflate..Accept-Charset:
ISO-8859-1,utf-8;q=0
  .7,*;q=0.7..Keep-Alive: 300..Connection: keep-alive..Referer:
http://prov.xiptel.ne
  t/dir1/..Cookie: logintheme=cpanel; cprelogin=no;
cpsession=closed..Authorization:
  Basic ZGlyMTppcGd2MTMxNA==....


As you can see, the server responds asking for authorization
credentials, which are not responded to by the Polycom in its next
HTTP message, whereas with a browser, when I type in my username and
password in the dialog box, a response is made.

I have been assured by Polycom that basic authentication works with
their new models of phones - I am using an ip320.  Further, their admin
guide states:

"The protocol that will be used to transfer files from the boot server
depends on several factors including the phone model and whether the
bootROM or SIP application stage of provisioning is in progress. By
default, the phones are shipped with FTP enabled as the provisioning
protocol. If an unsupported protocol is specified, this may result in a
defined behavior (see the table below for details of which protocol the
phone will use). The Specified Protocol listed in the table can be
selected in the Server Type field or the Server Address can include a
transfer protocol, for example http://usr:pwd@server (refer to Server
Menu on page 3-9). The boot server address can be an IP address, domain
string name, or URL. The boot server address can also be obtained
through DHCP. Configuration file names in the <Ethernet address>.cfg
file can include a transfer protocol, for example
https://usr:pwd@server/dir/file.cfg. If a user name and password are
specified as part of the server address or file name, they will be used
only if the server supports them."


Is anyone familiar with this situation, or does anyone have a different
Option 66 string or any troubleshooting tips?

Thanks

Robert
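
An added example, not part of the original post: a Python sketch that reads ngrep -q style output like the dumps above and reports, per client, whether a Basic challenge was answered or ignored and whether the credentials crossed the wire unencrypted. The capture, addresses, host name and credential are constructed, and the parser assumes each payload line is intact (not re-wrapped by a mail client).

```python
import re
# Constructed ngrep -q style capture (CRLF is shown as ".."); the addresses,
# host name and credential are made up for this example.
CAPTURE = """\
T 10.0.0.5:1024 -> 10.0.0.1:80 [AP]
  GET /dir1/bootrom.ld HTTP/1.1..Host: prov.example.test..User-Agent: Phone/1.0....
T 10.0.0.1:80 -> 10.0.0.5:1024 [AP]
  HTTP/1.1 401 Authorization Required..WWW-Authenticate: Basic realm="Restricted Area"....
T 10.0.0.5:1025 -> 10.0.0.1:80 [AP]
  GET /dir1/bootrom.ld HTTP/1.1..Host: prov.example.test..User-Agent: Phone/1.0....
T 10.0.0.9:57773 -> 10.0.0.1:80 [AP]
  GET /dir1/bootrom.ld HTTP/1.1..Host: prov.example.test..User-Agent: Browser/3.0....
T 10.0.0.1:80 -> 10.0.0.9:57773 [AP]
  HTTP/1.1 401 Authorization Required..WWW-Authenticate: Basic realm="Restricted Area"....
T 10.0.0.9:57773 -> 10.0.0.1:80 [AP]
  GET /dir1/bootrom.ld HTTP/1.1..Host: prov.example.test..User-Agent: Browser/3.0..Authorization: Basic dXNlcjE6ZXhhbXBsZQ==....
"""
SEGMENT = re.compile(r"^T (\S+):\d+ -> (\S+):\d+ \[\w+\]$")

def parse(capture):
    """Yield (src_ip, dst_ip, start_line, headers) for each captured segment."""
    msgs = []
    for line in capture.splitlines():
        m = SEGMENT.match(line)
        if m:
            msgs.append([m.group(1), m.group(2), ""])
        elif msgs and line.startswith("  "):
            msgs[-1][2] += line[2:]          # rejoin ngrep's wrapped payload lines
    for src, dst, payload in msgs:
        start, *rest = payload.split("....", 1)[0].split("..")   # header section only
        yield src, dst, start, {k.lower(): v for k, _, v in (h.partition(": ") for h in rest)}

def audit(capture):
    """Per client IP: was Basic demanded, was it answered, was it sent in the clear?"""
    seen = {}
    for src, dst, start, hdrs in parse(capture):
        if start.startswith("HTTP/"):                      # response, so dst is the client
            if start.split()[1] == "401" and hdrs.get("www-authenticate", "").lower().startswith("basic"):
                seen.setdefault(dst, {"answered": False, "ignored": 0, "cleartext": False})
        elif src in seen:                                  # request after a challenge
            auth = hdrs.get("authorization", "")
            if auth.lower().startswith("basic "):
                seen[src].update(answered=True, cleartext=True)  # readable by ngrep = unencrypted
            else:
                seen[src]["ignored"] += 1                  # retried without credentials
    return seen

if __name__ == "__main__":
    print(audit(CAPTURE))
```

A client with `ignored` above zero and `answered` false matches the phone's behaviour in the first dump; `cleartext` true means anyone on the path can read the Basic credentials, which is the case for any `http://` provisioning URL.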


