02-20-2014 02:41 AM - edited 03-16-2019 09:49 PM
Hello,
We would like to implement HTTP Authentication Digest for SIP messages on a SIP trunk between a Cisco 2851 and an Asterisk server.
We are using CUCM Express with 15.1(4)M (CME 8.6) as voice gateway to connect to PSTN.
According to Cisco documentation:
"To configure a gateway to use HTTP Authentication Digest, give the following command in each dial peer or SIP-UA configuration mode:
authentication username username password password [realm realm]."
The problem is that when a call goes from Cisco to Asterisk, Asterisk sends a challenge to Cisco for authentication:
INVITE sip:968277830@10.1.32.70:5060 SIP/2.0
Via: SIP/2.0/UDP 10.0.70.11:5060;branch=z9hG4bK3E205D
Remote-Party-ID: "DN1001" <sip:1001@10.0.70.11>;party=calling;screen=no;privacy=off
From: "DN1001" <sip:1001@10.0.70.11>;tag=5317D4-2271
To: <sip:968277830@10.1.32.70>
Date: Thu, 20 Feb 2014 10:55:56 GMT
Call-ID: 6890E69B-995411E3-808DE206-4D0B76AC@10.0.70.11
Supported: 100rel,timer,resource-priority,replaces,sdp-anat
Min-SE: 1800
Cisco-Guid: 1679566433-2572423651-2156454406-1292596908
User-Agent: Cisco-SIPGateway/IOS-12.x
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
CSeq: 101 INVITE
Max-Forwards: 70
Timestamp: 1392893756
Contact: <sip:1001@10.0.70.11:5060>
Expires: 180
Allow-Events: telephone-event
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 208
<--- Reliably Transmitting (no NAT) to 10.0.70.11:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.0.70.11:5060;branch=z9hG4bK3E205D;received=10.0.70.11
From: "DN1001" <sip:1001@10.0.70.11>;tag=5317D4-2271
To: <sip:968277830@10.1.32.70>;tag=as665c9410
Call-ID: 6890E69B-995411E3-808DE206-4D0B76AC@10.0.70.11
CSeq: 101 INVITE
Server: Asterisk PBX 11.7.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="559bd1d2"
Content-Length: 0
However, when the call is from Asterisk to Cisco, no challenge is sent.
INVITE sip:1001@10.0.70.11 SIP/2.0
Via: SIP/2.0/UDP 10.1.32.70:5060;branch=z9hG4bK0c57d67c
Max-Forwards: 70
From: "JOSE MANUEL" <sip:968277447@10.1.32.70>;tag=as2f789a9f
To: <sip:1001@10.0.70.11>
Contact: <sip:968277447@10.1.32.70:5060>
Call-ID: 3a0729962d702b4056b6f9821f14917e@10.1.32.70:5060
CSeq: 102 INVITE
User-Agent: Asterisk PBX 11.7.0
Date: Thu, 20 Feb 2014 09:58:27 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 282
<--- SIP read from UDP:10.0.70.11:60829 --->
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 10.1.32.70:5060;branch=z9hG4bK0c57d67c
From: "JOSE MANUEL" <sip:968277447@10.1.32.70>;tag=as2f789a9f
To: <sip:1001@10.0.70.11>
Date: Thu, 20 Feb 2014 10:58:27 GMT
Call-ID: 3a0729962d702b4056b6f9821f14917e@10.1.32.70:5060
CSeq: 102 INVITE
Allow-Events: telephone-event
Server: Cisco-SIPGateway/IOS-12.x
Content-Length: 0
SIP/2.0 180 Ringing
Via: SIP/2.0/UDP 10.1.32.70:5060;branch=z9hG4bK0c57d67c
From: "JOSE MANUEL" <sip:968277447@10.1.32.70>;tag=as2f789a9f
To: <sip:1001@10.0.70.11>;tag=556830-757
Date: Thu, 20 Feb 2014 10:58:27 GMT
Call-ID: 3a0729962d702b4056b6f9821f14917e@10.1.32.70:5060
CSeq: 102 INVITE
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
Allow-Events: telephone-event
Remote-Party-ID: "DN1001" <sip:1001@10.0.70.11>;party=called;screen=no;privacy=off
Contact: <sip:1001@10.0.70.11:5060>
Server: Cisco-SIPGateway/IOS-12.x
Content-Length: 0
My configuration on the Cisco device is:
dial-peer voice 1 voip
 description **Calls to ASTERISK **
 destination-pattern 9T
 session protocol sipv2
 session target sip-server
 codec g711ulaw
!
sip-ua
 keepalive target ipv4:10.1.32.70
 authentication username CCME password 7 070E234F4A realm asterisk
 sip-server ipv4:10.1.32.70:5060
!
To avoid Asterisk being blocked by the Cisco TOLLFRAUD_APP, I have added:
voice service voip
 ip address trusted list
  ipv4 10.1.32.70 255.255.255.255
 allow-connections sip to sip
 sip
  registrar server
!
The issue is that I would like Cisco to also send a challenge to the Asterisk server to authenticate SIP messages.
Any ideas?
Regards.
02-20-2014 04:28 AM
Did you try the "credentials username..." command under the sip-ua config, with adequate parameters that correspond to your environment?
HTH,
Dragan
02-20-2014 04:43 AM
Hello,
Yes, but the credentials command configures credentials that are used when the Cisco UA must register with a server.
I do not need to register Cisco with the Asterisk server. What I want is for Cisco to authenticate the SIP messages that it receives. I know that TOLLFRAUD_APP, where the remote IP is checked, can be enough, but I want to do something like other routing protocols (such as OSPF, BGP) where every message must be authenticated.
Thanks.
Regards.
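The digest exchange behind the 401 challenge in the first post, as an added Python example that is not part of the thread or of Cisco or Asterisk code: it builds the Authorization header a UA would return for that challenge (no qop, algorithm MD5, per RFC 2617) and shows the check the challenging side performs. The challenge, username CCME and Request-URI come from the trace and configuration above; the password and all function names are constructed for illustration.

```python
import hashlib
import hmac
import re

# Challenge and Request-URI copied from the trace in the first post.
CHALLENGE = 'Digest algorithm=MD5, realm="asterisk", nonce="559bd1d2"'
REQUEST_URI = "sip:968277830@10.1.32.70:5060"
DEMO_PASSWORD = "example-secret"  # constructed; the real shared secret is not on the page

def parse_digest_params(header_value):
    """Parse 'Digest k=v, k="v"' into a dict (quoted and bare values)."""
    scheme, _, rest = header_value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return params

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, password, realm, nonce, method, uri):
    """Response for a challenge without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")  # secret bound to the realm
    ha2 = _md5(f"{method}:{uri}")                 # only method and URI are covered
    return _md5(f"{ha1}:{nonce}:{ha2}")

def build_authorization(challenge, username, password, method, uri):
    """Challenged side: answer the WWW-Authenticate header."""
    c = parse_digest_params(challenge)
    if c.get("algorithm", "MD5").upper() != "MD5" or "qop" in c:
        raise ValueError("only the no-qop MD5 case from the trace is handled")
    resp = digest_response(username, password, c["realm"], c["nonce"], method, uri)
    return (f'Digest username="{username}", realm="{c["realm"]}", '
            f'nonce="{c["nonce"]}", uri="{uri}", response="{resp}", algorithm=MD5')

def verify_authorization(header, method, password, issued_nonce):
    """Challenging side: recompute the response and compare in constant time."""
    a = parse_digest_params(header)
    if a.get("nonce") != issued_nonce:  # reject answers to a nonce we did not issue
        return False
    try:
        expected = digest_response(a["username"], password, a["realm"],
                                   a["nonce"], method, a["uri"])
    except KeyError:
        return False
    return hmac.compare_digest(expected, a.get("response", ""))
```

Without qop=auth-int the response covers only the method and Request-URI, so the SDP body and the other headers of the INVITE are not integrity-protected by this exchange.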