Chan_sip Doesn’t Authenticate On INVITE From A Dial() Command
Hi.
I’m trying to get Asterisk 13 to authenticate when it sends an INVITE, and for some reason it’s simply not doing it.
I’ve even resorted to reading the source code to try and work out what I’m doing wrong…
In channels/chan_sip.c I find:
* SIP Dial string syntax:
* SIP/devicename
* or SIP/username@domain (SIP uri)
* or SIP/username[:password[:md5secret[:authname[:transport]]]]@host[:port]
* or SIP/devicename/extension
* or SIP/devicename/extension/IPorHost
* or SIP/username@domain//IPorHost
* and there is an optional [!dnid] argument you can append to alter the
* To: header.
(Note: I don’t think I have ever seen that optional “!dnid” argument documented anywhere…?)
So, the version with the username and password looks to me like what I want…
Dial(SIP/${SIPuser}:${SIPpass}@${SIPhost}) or else Dial(SIP/${SIPuser}:${SIPpass}@${SIPhost}!${SIPdial})
would seem to be what I need (I need to authenticate to SIPhost with the credentials SIPuser and SIPpass and I want to dial on to SIPdial).
However, doing this results in the NOTICE message:
chan_sip.c:23862 handle_response_invite: Failed to authenticate on INVITE to
‘”Antony Stone”
The first thing which puzzles me about this is that 198.51.100.29 is the IP
address of the telephone I dialled *in* to the context with in order to cause the Dial() command to get processed (and Polycom650 is indeed the username of the telephone).
This has nothing at all to do with the username and password I’m trying to authenticate with at the remote server.
If I do a packet capture on this machine to show what it’s actually sending out to SIPhost, I see three packets:
1 0.000000000 192.0.2.29 → 203.0.113.56 SIP/SDP 960 Request: INVITE
sip:9411@the.remote.ser.ver
2 0.007364024 203.0.113.56 → 192.0.2.29 SIP 558 Status: 401 Unauthorized
3 0.007552844 192.0.2.29 → 203.0.113.56 SIP 485 Request: ACK
sip:9411@the.remote.ser.ver
and that’s it.
Asterisk sends the (unauthorised) INVITE, as normal, the remote server understandably says “401 Unauthorised” in response, to which I expect Asterisk to say “ACK” and then repeat the INVITE with the authentication included, but it does nothing after the ACK – it doesn’t even try to authenticate.
If I create a stanza in sip.conf such as:
[RemoteServer]
type=peer fromuser=9411
secret=3ce12cda9d host=the.remote.ser.ver
and change the Dial() to:
Dial(SIP/RemoteServer/${SIPdial})
then all works, and the packet capture shows me exactly the same as above, but then followed by a fourth packet, which is the INVITE complete with authentication (which of course works).
However, creating stanzas in sip.conf is not an option for me, since I need to be able to dial out using account credentials which are going to be passed in to the dialplan as variables from an AMI Originate request (I’m creating this dialplan in order to check whether credentials which have been supplied to me are in fact correct and allow me to place a call).
So, what am I doing wrong – how can I get Asterisk to actually use the credentials which I’ve supplied in the Dial() command?
Thanks for any help 🙂
Antony.
—
I conclude that there are two ways of constructing a software design: One way is to make it so simple that there are _obviously_ no deficiencies, and the other way is to make it so complicated that there are no _obvious_
deficiencies.
– C A R Hoare
Please reply to the list;
please *don’t* CC me.
—
2 thoughts on - Chan_sip Doesn’t Authenticate On INVITE From A Dial() Command
I’ve made a bit of progress – I can now get it to authenticate, although it’s still not dialling on to the correct number.
It turns out that the username needs to be included twice (!?), as in:
Dial(SIP/${SIPuser}:${SIPpass}::${SIPuser}@${SIPhost}/${SIPdial})
It seems that both ‘username’ and ‘authname’ need to be supplied…
Now, at least, this is followed up by an attempt to authenticate, however it fails.
chan_sip.c:23875 handle_response_invite: Received response: “Forbidden” from;tag=as6c2ed50a’
‘”Antony Stone”
I think my question has now changed to “how can I get Asterisk to use the credentials and successfully authenticate, then dial on to the number I need?”
—
“It wouldn’t be a good idea to talk about him behind his back in front of him.”
– murble
Please reply to the list;
please *don’t* CC me.
—
For anyone else trying to do this, I’ve finally achieved it 🙂
It turns out not even to need to !dnid option…
Set(CALLERID(num)=${SIPuser})
Dial(SIP/${SIPdial}:${SIPpass}::${SIPuser}@${SIPhost})
The CallerID setting is necessary otherwise Asterisk will send the authentication request, but the Dial request will get rejected with a 403
Forbidden, because the username will be the inbound Caller ID from the original call.
I hope this helps others avoid spending as much time as I have trying to work this out. Anyone in charge of Asterisk documentation is very welcome indeed to quote this as an example on pages such as https://wiki.asterisk.org/wiki/display/AST/Asterisk+13+Application_Dial
Best regards,
Antony.
—
There are 10 types of people in the world:
those who understand binary notation, and those who don’t.
Please reply to the list;
please *don’t* CC me.
—