Hi
In the past my trunk used the same user/password for SIP and for 401 and 407 auth, but some days ago the provider changed this, and now they are different, so my trunk doesn't connect.
I can't find any post trying to modify.
thanks for any indication
I don’t understand what this means exactly. You’re going to need to explain/clarify more.
My provider changed its config and now uses a different user (same password) for SIP credentials and for the 401 and 407 auth response.
For example:
sip user: user1 pass: pass1
auth 401 and 407 user: user11 pass: pass1 (maybe in the future it will use a different password too)
I'm using a pjsip trunk and don't understand/know how to get the correct config now.
The service uses a proxy too.
Thanks in advance
I still don’t really grasp what this means. What is a “sip credential” within this?
Do you mean that there is one username+password for outbound registration to their server, and another username+password for outbound calls to them?
SIP credentials and 401/407 auth (I think WWW-Authenticate) with other credentials
SIP 401 authentication
SIP 407 authentication
To make any sense of this, I need to delete all references to “SIP credentials”.
Although it is possible to require different authentication against a proxy and the final UAS, I’m pretty sure that would break the system for most simple users of the provider. I don’t know if it is even possible on typical phones, and if it is, I suspect most people will not know how.
My first thought is that you have configured a proxy when there is no actual proxy, or you have misconfigured a proxy. Both are quite common mistakes, although people often get away with the first one. chan_pjsip needs proxies specifying as though they were in a Record-Route header; there is an extra option, “;hide”, for when the proxy doesn’t actually want to appear in the request, which is sometimes needed. The semicolons need to be escaped with backslashes.
If you really are getting both, the credentials to use are determined by the realm they specify. I think I know how to do this on chan_sip, but have never done it, and never seen anyone here needing to do it. I presume it can be done on chan_pjsip, but I would need to trawl the documentation to confirm that, and work out how to do it.
The Google search engine AI says you can have multiple values for outbound-auth, with different realms, and PJSIP Authentication - Asterisk Documentation is, at least, not inconsistent with that, but neither seems to give a concrete example, and the AI should never be relied on without testing or good sources.
You are right, it's with a proxy.
Everything was working fine for 2 or 3 years, but now the provider changed the 401 - 407 auth password and I don't know how to do it.
The service is sbc ucaas with proxy.
I imagine you would need to use custom overrides, as I don’t think FreePBX will give you the necessary control through the GUI.
Yes, I think that.
Does someone with a similar config know how to set it up?
thanks
So I assume that you put the “sip credential” in Username, the “401/407 auth” in Auth username and the password in Secret, but it doesn’t register.
Turn on pjsip logger, wait for a registration attempt and post the REGISTER and any associated responses.
Redact as you like, but make it clear what each redacted value stands for.
What I believe, subject to the logs, is that he gets a 407 on the initial request, and when he provides credentials for that, he then gets a 401, which requires different credentials. This is the general case if you get 407, at all. In fact it is possible to receive more than one 407 challenge if there are multiple proxies involved. However, I think it is very rare in the real world of what are referred to as providers, here.
I believe the FreePBX GUI only allows you to specify one set of credentials, so if a proxy challenges, and its credentials differ from those from the UAS, you can’t satisfy both conditions using the GUI.
In chan_sip, and raw Asterisk, you would handle this with one or more authentication sections, in sip.conf.
From the AI result, and the article I referenced above, it looks like, with chan_pjsip, you can have either multiple outbound_auth lines, or multiple values for outbound_auth, but I am not certain of the details, and this would involve using appropriate *custom.conf files, as I think it is beyond the scope of the GUI.
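
The realm-based credential selection discussed in this thread, as an added example that is not part of any post and is not Asterisk or FreePBX code: a SIP client answering a 407 and then a 401 picks the username and password by the realm in each challenge and computes an RFC 2617 MD5 digest response. The realm names and the `CREDENTIALS` table are constructed assumptions; `user1`, `user11` and `pass1` are the placeholder values given in the thread.

```python
import hashlib
import re

# Constructed table: realm -> (username, password). Realm names are assumptions;
# the user/password strings are the placeholders quoted in the thread.
CREDENTIALS = {
    "proxy.example.net": ("user11", "pass1"),  # realm sent in the 407 challenge
    "sip.example.net": ("user1", "pass1"),     # realm sent in the 401 challenge
}

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_challenge(header_value):
    """Parse 'Digest realm="x", nonce="y", qop="auth"' into a dict."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {key.lower(): (quoted or bare) for key, quoted, bare in pairs}

def digest_response(user, password, realm, method, uri, nonce,
                    qop=None, nc="00000001", cnonce=""):
    """RFC 2617 MD5 digest; the realm is part of HA1, so it binds the credential."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def answer_challenge(status, header_value, method, uri,
                     credentials=CREDENTIALS, cnonce="0a4f113b"):
    """Return (reply header name, username, response) for a 401 or 407 challenge."""
    challenge = parse_challenge(header_value)
    realm = challenge["realm"]
    if realm not in credentials:
        # Failure mode from the thread: only one credential set is configured,
        # so the second challenge (different realm) cannot be answered.
        raise LookupError(f"no credentials configured for realm {realm!r}")
    user, password = credentials[realm]
    qop = "auth" if "auth" in challenge.get("qop", "").split(",") else None
    response = digest_response(user, password, realm, method, uri,
                               challenge["nonce"], qop, cnonce=cnonce)
    header = "Proxy-Authorization" if status == 407 else "Authorization"
    return header, user, response
```
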