401 unauthorized

heitly · October 21, 2012, 1:06am

Switching from Trixbox to FreePBX because I need long term support. Issue has come up when calling an extension - no answer. Works in Trixbox but not FreePBX. Wireshark trace shows a “401 unauthorized” response to an INVITE whereas with Trixbox I receive the response “407 Proxy Identification Required”. Below is a trace with the invite message and the subsequent response. FreePBX is ver 2.10 running on Centos v5.8 Asterisk ver 1.8.16.0. TrixBox is ver 2.6.2.3 on Centos 5.3 using Asterisk v1.4.26.2.

I should also mention that the extension 1011 is a custom SIP device which doesn’t register with the server so when I run SIP SHOW PEERS on the CLI the status of the extensions are UNKNOWN. Any suggestions on what I could try?

FreePBX trace start

INVITE sip:[email protected]:5060;user=phone SIP/2.0
Via: SIP/2.0/UDP 10.0.0.212;branch=z9hG4bK56992aec14CDFCAB
From: “210” sip:[email protected];tag=C0EB91EE-CF399CAD
To: sip:[email protected];user=phone
CSeq: 1 INVITE
Call-ID: [email protected]
Contact: sip:[email protected]
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER
User-Agent: PolycomSpectraLink-SL_8440-UA/4.0.0.27539
Accept-Language: en
Supported: 100rel,replaces
Allow-Events: conference,talk,hold
Max-Forwards: 70
Content-Type: application/sdp
Content-Length: 342

v=0
o=- 54166695 54166695 IN IP4 10.0.0.212
s=Polycom IP Phone
c=IN IP4 10.0.0.212
t=0 0
a=sendrecv
m=audio 2262 RTP/AVP 9 102 0 8 18 127
a=rtpmap:9 G722/8000
a=rtpmap:102 G7221/16000
a=fmtp:102 bitrate=32000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:127 telephone-event/8000
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.0.0.212;branch=z9hG4bK56992aec14CDFCAB;received=10.0.0.212
From: “210” sip:[email protected];tag=C0EB91EE-CF399CAD
To: sip:[email protected];user=phone;tag=as12fe44d3
Call-ID: [email protected]
CSeq: 1 INVITE
Server: FPBX-2.10.1(1.8.16.0)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm=“asterisk”, nonce="7706eaa9"
Content-Length: 0

FreePBX Trace end

Trixbox Trace start

INVITE sip:[email protected]:5060;user=phone SIP/2.0
Via: SIP/2.0/UDP 10.0.0.212;branch=z9hG4bKf9eb6c8b3C75B1CA
From: “210” sip:[email protected];tag=F6062C8D-49522ACC
To: sip:[email protected];user=phone
CSeq: 1 INVITE
Call-ID: [email protected]
Contact: sip:[email protected]
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER
User-Agent: PolycomSpectraLink-SL_8440-UA/4.0.0.27539
Accept-Language: en
Supported: 100rel,replaces
Allow-Events: conference,talk,hold
Max-Forwards: 70
Content-Type: application/sdp
Content-Length: 342

v=0
o=- 54166997 54166997 IN IP4 10.0.0.212
s=Polycom IP Phone
c=IN IP4 10.0.0.212
t=0 0
a=sendrecv
m=audio 2264 RTP/AVP 9 102 0 8 18 127
a=rtpmap:9 G722/8000
a=rtpmap:102 G7221/16000
a=fmtp:102 bitrate=32000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:127 telephone-event/8000
SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 10.0.0.212;branch=z9hG4bKf9eb6c8b3C75B1CA;received=10.0.0.212
From: “210” sip:[email protected];tag=F6062C8D-49522ACC
To: sip:[email protected];user=phone;tag=as4fd12b06
Call-ID: [email protected]
CSeq: 1 INVITE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces
Proxy-Authenticate: Digest algorithm=MD5, realm=“asterisk”, nonce="7de61d1d"
Content-Length: 0

TrixBox trace ends

dicko · October 21, 2012, 1:26am

You are apparently using md5 hash on your endpoint not the plaintext

http://www.voip-info.org/wiki/view/Asterisk+sip+md5secret

heitly · October 21, 2012, 1:40am

How did you determine that, I presume from the trace I supplied? Ok I read the link you provided and am confused. I actually have disabled passwords since these custom devices don’t login and register with FreePBX. So how do I switch my endpoint to plaintext with FreePBX? Thanks

dicko · October 21, 2012, 1:54am

You will have to do that in your endpoint, I have no experience with Polycom Spectralinks.

heitly · October 21, 2012, 1:58am

Spectralink extension works fine, I can call other sip clients like Xlite or PortGo with it. The problem is with my ext 1011 which is a custom device. It doesn’t register with the PBX and I have set no password for it. Strange as my identical Trixbox configuration works

dicko · October 21, 2012, 2:10am

Trixbox does not use FreePBX so it can’t be identical, so get help from them perhaps. Oh, they died didn’t they ;-).

Seriously though, you will need to have the device correctly registered with Asterisk to be able to call it, that’s just how it works.

If you know the md5 hash of the phone you can put it in the password for that extension, if you don’t then you can’t.

heitly · October 21, 2012, 12:23pm

Actualy Trixbox does use FreePBX so it is identical and the reason I am switching to FreePBX is for future support. And devices do not have to be registered with Asterisk to call them so I don’t agree with your comment that it is how things work. The devices I am connecting to don’t have passwords, either MD5 or plaintext.

dicko · October 21, 2012, 4:05pm

We will have to disagree on Trickybox using FreePBX, the stole and rebranded FreePBX some years and versions ago and modified it in many ways. If you are using no authority between your phones and your server you are just waiting for a disaster.

Tone Lewis has written a script for the orphaned in the thread on this forum:-

http://www.freepbx.org/forum/freepbx/general-help/the-official-end-of-trixbox-ce

SkykingOH · October 21, 2012, 4:08pm

Couple of things, trixbox forked FreePBX long ago.

It’s really no matter because you are talking about Asterisk functionality, has nothing to do with FreePBX. This is all related to the newer Asterisk.

The SIP trace you sent was for a Polycom device. At least that’s what the UA says in your trace. Am I missing something.

If this device is on another network did you perhaps forget to update the localnet field, or not fill it in at all? Check SIP settings, that would cause this issue.

If the device is across NAT then the router(s) could be at fault.

Lastly, you don’t need to register if the device has a fixed IP. With a fixed IP no security issues as no other host can authenticate.

heitly · October 21, 2012, 7:31pm

dicko -
This is again why I switched to FreePBX in the first place to get support. So far you haven’t answered my question which was why FreePBX didn’t work whereas Trixbox did. See the trace above and tell me what is different between to two invite sessions and why the FreePBX trace returns “401 Unauthorized” and Trixbox returns “407 Proxy Identification Required”. I do believe SkykingOH may be on to something though and will investigate further

heitly · October 21, 2012, 7:42pm

SkykingOH thanks for your reply.
All of the devices are on the same subnet however I am using VMware if that makes a difference. The Polycom device is the only initiating device I have for testing purposes and is identical for both installs of FreePBX and TrixBox.

I have not set any parameters for localnet but can try to update it and see if that helps.

As you suggest I also suspect there are some default SIP settings on FreePBX which are different than default on Trixbox.

The endpoint I am trying to connect is always at a fixed IP address. I would best describe it as a door phone with no keypad on it.

dicko · October 21, 2012, 8:39pm

As SkyKingOH said, this has nothing really to do with FreePBX except how the GUI wrires out Asterisk’s sip.conf and it’s inclusions, it is to do with the SIP protocol and how, in this casem Asterisk follows it.

Perhaps
http://www.voip-info.org/wiki/view/SIP+Authentication ?

heitly · October 21, 2012, 11:29pm

That link is interesting, appears RFC3261 changed the SIP authentication from RFC2543. Is Asterisk 1.8.16.0 using RFC3261? If so then that could explain the differences I am experiencing.

SkykingOH · October 22, 2012, 5:13am

I can’t stop focusing on networking issues or peer config, Can you please explain exactly what you are doing? Polycom does not make a door phone that I am aware of. Also if you have the peer setup wrong and are not registering it could be a simple peer mismatch. Asterisk insecure behavior has changed significantly in 1.8.

Your SIP trace is inconclusive, it simply shows that Asterisk peer settings don’t match what the device is sending.

heitly · October 22, 2012, 2:35pm

The Polycom device is a wireless handset, the door phone device is from another manufacturer.
I think the problem is caused by a SIP setting “alwaysauthreject=yes”. I have tried to find a way to disable this setting but can’t figure out how to disable this
http://www.freepbx.org/v2/ticket/3600
Does anyone know how I can set alwaysauthreject=no for testing purposes?

SkykingOH · October 22, 2012, 7:02pm

“Another vendor” on the door phone? CCan you please be precise along with the configs as II requested?

Any sip.conf setting can be overiden in sip_general_ccustom.coiI

heitly · October 22, 2012, 10:57pm

Sorry wasn’t trying to be vague but for sake of simplicity I described it as a door phone but it is actually a nurse call patient station which is connected through a nurse call patient station gateway.

My theory didn’t work, I added the line alwaysauthreject=no to sip_general_custom.conf and the same results. Also received the same 401 Unauthorized message between 2 working SIP softphone extensions so I have to admit I did not identify my problem well.