[asterisk-users] polycom with http/https basic authentication

Robert McNaught asteriskator at gmail.com
Fri Jun 27 14:37:54 CDT 2008


We use FTP just now, and it works ok.  Ultimately I want to use HTTPS
as we are sending config files over the internet, which have access
credentials on how to register a phone, which is potentially damaging
- most people deploy on a LAN, but we have a central provisioning
server.  Polycom are fairly flaky when it comes to mention of FTPS -
they say it isn't officially supported, and it does not seem to be
something many people are doing.

Plus it seems industry standard just now is to use HTTP/s - snom and
linksys both use HTTP, and not FTP (which seems fairly unique to
polycom), so it would be better to use the same protocol for all makes
of telephone - especially as you can only put one string in Option 66
in a customer's router.

I have a ticket open with Polycom regarding this just now - it seems to
work now when you provision by hand by typing in values in the bootrom
using HTTP with basic authentication.

R



On Fri, Jun 27, 2008 at 11:07 AM, Alexander Lopez <Alex.Lopez at opsys.com> wrote:
> I could never get the http stuff to work, I tried Ftp like what you have
>
>
> ftp://user:password@server/customomer
>
> It worked fine for me the first time, and I just ran with it. Has worked
> without an issue since day one.  Is FTP not an option for you????
>
> Alex
>
>> -----Original Message-----
>> From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-
>> bounces at lists.digium.com] On Behalf Of Robert McNaught
>> Sent: Friday, June 27, 2008 1:20 PM
>> To: Asterisk Users Mailing List - Non-Commercial Discussion
>> Subject: [asterisk-users] polycom with http/https basic authentication
>>
>> Hi,
>>
>> I apologize that this is not directly associated with Asterisk, I have
>> been trying to solve this, but not having any luck.
>>
>> Does anyone have a setup with http or https with basic authentication
>> for provisioning Polycom Phones.  We use edgemarc 4500 routers and use
>> Option 66 to auto-provision phones using DHCP.  I am trying to set up
>> an apache server with subdirectories for different customers protected
>> by a username and password so that their phones can only access their
>> own directory.
>>
>> The string I am putting in Option 66 is:
>>
>> "http://username:password@http.server.com/dir1/"
>>
>> This is packet dumps of the polycom phone trying to grab files from
>> the server - using basic authentication - I have set up .htaccess
>> files which work correctly when pulling down files using firefox.
>>
>> GET FILE WITH POLYCOM
>> [root at server3 ~]# ngrep -q 'HTTP/1.[01]'
>> interface: eth0 (XXX.XXX.XXX.XXX/255.255.254.0)
>> match: HTTP/1.[01]
>>
>> T XXX.XXX.XXX.XXX:1024 -> XXX.XXX.XXX.XXX [AP]
>>   GET /dir1/2345-12200-002.bootrom.ld HTTP/1.1..Host:
>> http.server.com..Accept: */*..U
>>   ser-Agent: FileTransport
> PolycomSoundPointIP-SPIP_320-UA/4.0.0.0423....
>>
>> T XXX.XXX.XXX.XXX:80 -> XXX.XXX.XXX.XXX:1024 [AP]
>>   HTTP/1.1 401 Authorization Required..Date: Fri, 27 Jun 2008 16:46:59
>> GMT..Server: A
>>   pache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b
>> mod_auth_passthrough/2.1 mod_bwli
>>   mited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5..WWW-Authenticate: Basic
>> realm="Restricted
>>    Area"..Content-Length: 703..Content-Type: text/html;
>> charset=iso-8859-1....<!DOCTY
>>   PE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401
>> Authorization R
>>   equired</title>.</head><body>.<h1>Authorization
>> Required</h1>.<p>This server could
>>   not verify that you.are authorized to access the document.requested.
>>  Either you su
>>   pplied the wrong.credentials (e.g., bad password), or your.browser
>> doesn't understa
>>   nd how to supply.the credentials required.</p>.<p>Additionally, a
>> 404 Not Found.err
>>   or was encountered while trying to use an ErrorDocument to handle
>> the request.</p>.
>>   <hr>.<address>Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b
>> mod_auth_passthrou
>>   gh/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5 Server at
>> prov.xiptel.net P
>>   ort 80</address>.</body></html>.
>>
>> T XXX.XXX.XXX.XXX:1025 -> XXX.XXX.XXX.XXX:80 [AP]
>>   GET /dir1/bootrom.ld HTTP/1.1..Host: http.server.com..Accept:
>> */*..User-Agent: File
>>   Transport PolycomSoundPointIP-SPIP_320-UA/4.0.0.0423....
>>
>>
>>
>> USING FIREFOX
>> [root at server3 ~]# ngrep -q 'HTTP/1.[01]'
>> interface: eth0 (69.73.146.0/255.255.254.0)
>> match: HTTP/1.[01]
>>
>> T XXX.XXX.XXX.XXX:57773 -> XXX.XXX.XXX.XXX:80 [AP]
>>   GET /dir1/2345-11300-010.bootrom.ld HTTP/1.1..Host:
>> http.server.com..User-Agent: Mo
>>   zilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061015
>> Firefox/3.0..Accept:
>>
>>
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8..Accept-
>> Language:
>>   en-us,en;q=0.5..Accept-Encoding: gzip,deflate..Accept-Charset:
>> ISO-8859-1,utf-8;q=0
>>   .7,*;q=0.7..Keep-Alive: 300..Connection: keep-alive..Referer:
>> http://prov.xiptel.ne
>>   t/dir1/..Cookie: logintheme=cpanel; cprelogin=no;
> cpsession=closed....
>>
>> T XXX.XXX.XXX.XXX:80 -> XXX.XXX.XXX.XXX:57773 [AP]
>>   HTTP/1.1 401 Authorization Required..Date: Fri, 27 Jun 2008 16:36:20
>> GMT..Server: A
>>   pache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b
>> mod_auth_passthrough/2.1 mod_bwli
>>   mited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5..WWW-Authenticate: Basic
>> realm="Restricted
>>    Area"..Content-Length: 703..Keep-Alive: timeout=15,
>> max=100..Connection: Keep-Aliv
>>   e..Content-Type: text/html; charset=iso-8859-1....<!DOCTYPE HTML
>> PUBLIC "-//IETF//D
>>   TD HTML 2.0//EN">.<html><head>.<title>401 Authorization
>> Required</title>.</head><bo
>>   dy>.<h1>Authorization Required</h1>.<p>This server could not verify
>> that you.are au
>>   thorized to access the document.requested.  Either you supplied the
>> wrong.credentia
>>   ls (e.g., bad password), or your.browser doesn't understand how to
>> supply.the crede
>>   ntials required.</p>.<p>Additionally, a 404 Not Found.error was
>> encountered while t
>>   rying to use an ErrorDocument to handle the
>> request.</p>.<hr>.<address>Apache/2.0.6
>>   1 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_auth_passthrough/2.1
>> mod_bwlimited/1.4 F
>>   rontPage/5.0.2.2635 PHP/5.2.5 Server at prov.xiptel.net Port
>> 80</address>.</body></
>>   html>.
>>
>> T XXX.XXX.XXX.XXX:57773 -> XXX.XXX.XXX.XXX:80 [AP]
>>   GET /dir1/2345-11300-010.bootrom.ld HTTP/1.1..Host:
>> http.server.com..User-Agent: Mo
>>   zilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061015
>> Firefox/3.0..Accept:
>>
>>
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8..Accept-
>> Language:
>>   en-us,en;q=0.5..Accept-Encoding: gzip,deflate..Accept-Charset:
>> ISO-8859-1,utf-8;q=0
>>   .7,*;q=0.7..Keep-Alive: 300..Connection: keep-alive..Referer:
>> http://prov.xiptel.ne
>>   t/dir1/..Cookie: logintheme=cpanel; cprelogin=no;
>> cpsession=closed..Authorization:
>>   Basic ZGlyMTppcGd2MTMxNA==....
>>
>>
>> As you can see, the server responds asking for authorization
>> credentials, which are not responded to by the Polycom in its next
>> HTTP message, whereas with a browser, when I type in my username and
>> password in the dialog box, a response is made.
>>
>> I have been assured by Polycom that basic authentication works with
>> their new models of phones - I am using a ip320.  Further their admin
>> guide states:
>>
>> "The protocol that will be used to transfer files from the boot server
>> depends on
>> several factors including the phone model and whether the bootROM or
> SIP
>> application stage of provisioning is in progress. By default, the
> phones
>> are
>> shipped with FTP enabled as the provisioning protocol. If an
> unsupported
>> protocol is specified, this may result in a defined behavior (see the
>> table below
>> for details of which protocol the phone will use). The Specified
> Protocol
>> listed
>> in the table can be selected in the Server Type field or the Server
>> Address can
>> include a transfer protocol, for example http://usr:pwd@server (refer
> to
>> Server Menu on page 3-9). The boot server address can be an IP
> address,
>> domain string name, or URL. The boot server address can also be
> obtained
>> through DHCP. Configuration file names in the <Ethernet address>.cfg
> file
>> can include a transfer protocol, for example
>> https://usr:pwd@server/dir/file.cfg. If a user name and password are
>> specified as part of the server address or file name, they will be
>> used only if the
>> server supports them."
>>
>>
>> Anyone familiar with this situation, or have a different Option 66
>> string?  or any troubleshooting tips
>>
>> Thanks
>>
>> Robert
>>
>> _______________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>
>> AstriCon 2008 - September 22 - 25 Phoenix, Arizona
>> Register Now: http://www.astricon.net
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>>    http://lists.digium.com/mailman/listinfo/asterisk-users
>
>
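
An added example, not part of the original thread: a small Python check that reads an `ngrep -q` style capture like the ones quoted above and reports, per client, whether the request following a `401` Basic challenge carried an `Authorization` header, and whether that header crossed port 80 unencrypted. The capture, addresses, host name and credential are constructed; `packets` and `audit` are hypothetical names.

```python
import re

# Constructed capture: ngrep prints CR/LF as "." and wraps payload with a two-space indent.
SAMPLE = """\
T 198.51.100.7:1024 -> 192.0.2.10:80 [AP]
  GET /dir1/bootrom.ld HTTP/1.1..Host: prov.example..Accept: */*..User-Agent: Fi
  leTransport PolycomSoundPointIP....

T 192.0.2.10:80 -> 198.51.100.7:1024 [AP]
  HTTP/1.1 401 Authorization Required..WWW-Authenticate: Basic realm="Restricted"....

T 198.51.100.7:1025 -> 192.0.2.10:80 [AP]
  GET /dir1/bootrom.ld HTTP/1.1..Host: prov.example..Accept: */*....

T 198.51.100.9:57773 -> 192.0.2.10:80 [AP]
  GET /dir1/bootrom.ld HTTP/1.1..Host: prov.example....

T 192.0.2.10:80 -> 198.51.100.9:57773 [AP]
  HTTP/1.1 401 Authorization Required..WWW-Authenticate: Basic realm="Restricted"....

T 198.51.100.9:57773 -> 192.0.2.10:80 [AP]
  GET /dir1/bootrom.ld HTTP/1.1..Host: prov.example..Authorization: Basic ZXhhbXBsZTpleGFtcGxl....
"""

HDR = re.compile(r"^T (\S+?):(\d+) -> (\S+?):(\d+) \[")

def packets(capture):
    """Yield (src_ip, dst_ip, dst_port, payload), re-joining wrapped payload lines."""
    cur = None
    for line in capture.splitlines():
        m = HDR.match(line)
        if m:
            if cur:
                yield tuple(cur)
            cur = [m.group(1), m.group(3), int(m.group(4)), ""]
        elif cur and line.startswith("  "):
            cur[3] += line[2:]          # drop only ngrep's indent, keep payload spaces
    if cur:
        yield tuple(cur)

def audit(capture):
    """Map client IP -> how its next request handled the server's 401 Basic challenge."""
    challenged, verdict = set(), {}
    for src, dst, dport, payload in packets(capture):
        low = payload.lower()           # header names are case-insensitive
        if low.startswith("http/1.") and " 401 " in low[:16] and "www-authenticate: basic" in low:
            challenged.add(dst)         # the destination of a response is the client
            verdict[dst] = "challenged, no follow-up seen"
        elif src in challenged and re.match(r"[A-Z]+ \S+ HTTP/1\.", payload):
            answered = "..authorization: basic " in low
            clear = " (cleartext, port 80)" if answered and dport == 80 else ""
            verdict[src] = ("answered challenge" if answered else "ignored challenge") + clear
            challenged.discard(src)
    return verdict
```
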


