[asterisk-users] chan_sip doesn't authenticate on INVITE from a Dial() command

Sun Oct 25 12:43:01 CDT 2020

On Sunday 25 October 2020 at 16:27:00, Antony Stone wrote:

> Hi.
> 
> I'm trying to get Asterisk 13 to authenticate when it sends an INVITE, and
> for some reason it's simply not doing it.

I've made a bit of progress - I can now get it to authenticate, although it's 
still not dialling on to the correct number.

> I've even resorted to reading the source code to try and work out what I'm
> doing wrong...
> 
> In channels/chan_sip.c I find:
> 
>  * SIP Dial string syntax:
>  *     SIP/devicename
>  * or SIP/username at domain (SIP uri)
>  * or
> SIP/username[:password[:md5secret[:authname[:transport]]]]@host[:port] *
> or SIP/devicename/extension
>  * or SIP/devicename/extension/IPorHost
>  * or SIP/username at domain//IPorHost
>  * and there is an optional [!dnid] argument you can append to alter the
>  * To: header.
> 
> (Note: I don't think I have ever seen that optional "!dnid" argument
> documented anywhere...?)
> 
> So, the version with the username and password looks to me like what I
> want...
> 
> Dial(SIP/${SIPuser}:${SIPpass}@${SIPhost})  or else
> Dial(SIP/${SIPuser}:${SIPpass}@${SIPhost}!${SIPdial})
> 
> would seem to be what I need (I need to authenticate to SIPhost with the
> credentials SIPuser and SIPpass and I want to dial on to SIPdial).

It turns out that the username needs to be included twice (!?), as in:

Dial(SIP/${SIPuser}:${SIPpass}::${SIPuser}@${SIPhost}/${SIPdial})

It seems that both 'username' and 'authname' need to be supplied...

> If I do a packet capture on this machine to show what it's actually sending
> out to SIPhost, I see three packets:
> 
> 1 0.000000000  192.0.2.29 → 203.0.113.56 SIP/SDP 960 Request: INVITE
> sip:9411 at the.remote.ser.ver
> 
> 2 0.007364024 203.0.113.56 → 192.0.2.29  SIP 558 Status: 401 Unauthorized
> 
> 3 0.007552844  192.0.2.29 → 203.0.113.56 SIP 485 Request: ACK
> sip:9411 at the.remote.ser.ver
> 
> and that's it.

Now, at least, this is followed up by an attempt to authenticate, however it 
fails.

chan_sip.c:23875 handle_response_invite: Received response: "Forbidden" from 
'"Antony Stone" <sip:Polycom650 at 198.51.100.29>;tag=as6c2ed50a'

> So, what am I doing wrong - how can I get Asterisk to actually use the
> credentials which I've supplied in the Dial() command?

I think my question has now changed to "how can I get Asterisk to use the 
credentials and successfully authenticate, then dial on to the number I need?"

> Thanks for any help :)
> 
> 
> Antony.

-- 
"It wouldn't be a good idea to talk about him behind his back in front of 
him."

 - murble

                                                   Please reply to the list;
                                                         please *don't* CC me.