01-16-2010 08:31 AM - edited 03-21-2019 02:02 AM
Hi,
I have an issue with configuring a SIP account. My provider wants the username and password to be cleartext. As far as I'm aware, this can be accomplished by configuring the sip-ua credentials with the password option 0 (zero). But when I try this, the password option is automatically set to 7 (which implies that the password should be encrypted).
This is what I do:
UC_520#config t
Enter configuration commands, one per line. End with CNTL/Z.
UC_520(config)#sip
UC_520(config-sip-ua)#credentials username USER001 password 0 PASSWORD realm sip.provider.com
UC_520(config-sip-ua)#exit
UC_520(config)#exit
UC_520#write
Building configuration...
Compressed configuration from 56788 bytes to 23893 bytes[OK]
UC_520#sh configuration | begin sip-ua
sip-ua
credentials username USER001 password 7 00343235376C24342B realm sip.provider.com
Any idea's what I'm doing wrong, or is this just a bug?
Kind regards,
Frank
01-16-2010 09:57 AM
What IOS version are you running?
01-16-2010 10:10 AM
The encryption in IOS determines how the password is stored and displayed on the system, not how it is exchanged in the MD5 Digest authentication. What error are you receiving when trying to authenticate? Can you provide the "debug ccsip message"?
Marcos
01-16-2010 10:20 AM
The IOS version is also important, as Steve suggests. We used to have a bug where IOS would display the password in clear text, but think it was already encrypted. This would cause registration issues since the password used would be wrong. But again, this has nothing to do with the Digest authentication.
Marcos
01-16-2010 10:37 AM
Yes, thats where I was heading....but your right Marcos. debug ccsip messages of the registration would help for sure.
I also saw an old bug where if the credentials were read from startup, even though showed clear text, it was encrypted. But that was fixed a long time ago too.
Steve
01-16-2010 01:39 PM
Steve, Marcos,
Thank you for the fast reply. The version I'm using is 12.4(22)YB4.
The main question is not (yet) if the SIP setup negotiation is working, but why the password 0 option isn't working. According to the documentation that I read it should be. If I try it to use the option 0, it's automatically changed to option 7 in the configuration. I'm wondering why that is.
My SIP provider only has experience with Asterix systems and he told me that for those systems they require that the password and username are send as plain text. I presume that I need password option 0 to accomplish this, or am I wrong?
Frank
01-16-2010 02:55 PM
OK, so your fairly recent IOS (not the latest 15.0(1)XA, which is available in the UC 500 8.0.0 bundle FYI), but I am not surbe that was a supported release for UC500? WHat bubdle are yuo using? But this is moot since you should have all the latest bug fixes for problems I saw in earlier IOS.
What you may want to do, is what Marcos suggested and post it for us.
#term mon
#debug ccsip messages
Wait to see some REGISTRATION messages, or make a call, since if a UAC is not registered, the INVITE should be challenged and then credentials are passed.
We can see whats happening on the wire this way and see if the CLI is security only (so it cant be viewed in a 'show run') but actually gets passed in plain text....
# un all <---turns of all debugging
01-16-2010 07:57 PM
I know that credentials username USER001 password 0 PASSWORD realm sip.provider.com changes to credentials username USER001 password 7 00343235376C24342B realm sip.provider.com. This is actually the expected behavior, and the 7 indicates that the password is an encoded password. Cisco IOS is able to decode the encoded password.
01-18-2010 07:16 AM
This is not what the "0" means. According to the documentation:
"0" : For all platforms except the Cisco 7600 series router, specifies that the clear-text password immediately following this value is MD5 encrypted.
For the Cisco 7600 series router, specifies that the clear-text password immediately following this value is not encrypted.
"5" : MD5-encrypted text string, which will be stored as the encrypted user password.
"7": Weak, reversible algorithm.
To use 7 or 5, here are the commands:
UC500(config)#username ggg password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) user password
UC500(config)#username ggg secret ?
0 Specifies an UNENCRYPTED secret will follow
5 Specifies a HIDDEN secret will follow
LINE The UNENCRYPTED (cleartext) user secret
07-12-2018 05:19 PM
Hi guys,
I have the same problem happens here. After change the password 0 it change to encrypted. I am using ISR4331 with SIP trunk VMAX.
07-12-2018 05:55 PM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide