I have an issue with configuring a SIP account. My provider wants the username and password to be cleartext. As far as I'm aware, this can be accomplished by configuring the sip-ua credentials with the password option 0 (zero). But when I try this, the password option is automatically set to 7 (which implies that the password should be encrypted).
This is what I do:
Enter configuration commands, one per line. End with CNTL/Z.
UC_520(config-sip-ua)#credentials username USER001 password 0 PASSWORD realm sip.provider.com
Compressed configuration from 56788 bytes to 23893 bytes[OK]
UC_520#sh configuration | begin sip-ua
credentials username USER001 password 7 00343235376C24342B realm sip.provider.com
Any idea's what I'm doing wrong, or is this just a bug?
The encryption in IOS determines how the password is stored and displayed on the system, not how it is exchanged in the MD5 Digest authentication. What error are you receiving when trying to authenticate? Can you provide the "debug ccsip message"?
The IOS version is also important, as Steve suggests. We used to have a bug where IOS would display the password in clear text, but think it was already encrypted. This would cause registration issues since the password used would be wrong. But again, this has nothing to do with the Digest authentication.
Yes, thats where I was heading....but your right Marcos. debug ccsip messages of the registration would help for sure.
I also saw an old bug where if the credentials were read from startup, even though showed clear text, it was encrypted. But that was fixed a long time ago too.
Thank you for the fast reply. The version I'm using is 12.4(22)YB4.
The main question is not (yet) if the SIP setup negotiation is working, but why the password 0 option isn't working. According to the documentation that I read it should be. If I try it to use the option 0, it's automatically changed to option 7 in the configuration. I'm wondering why that is.
My SIP provider only has experience with Asterix systems and he told me that for those systems they require that the password and username are send as plain text. I presume that I need password option 0 to accomplish this, or am I wrong?
OK, so your fairly recent IOS (not the latest 15.0(1)XA, which is available in the UC 500 8.0.0 bundle FYI), but I am not surbe that was a supported release for UC500? WHat bubdle are yuo using? But this is moot since you should have all the latest bug fixes for problems I saw in earlier IOS.
What you may want to do, is what Marcos suggested and post it for us.
#debug ccsip messages
Wait to see some REGISTRATION messages, or make a call, since if a UAC is not registered, the INVITE should be challenged and then credentials are passed.
We can see whats happening on the wire this way and see if the CLI is security only (so it cant be viewed in a 'show run') but actually gets passed in plain text....
# un all <---turns of all debugging
I know that credentials username USER001 password 0 PASSWORD realm sip.provider.com changes to credentials username USER001 password 7 00343235376C24342B realm sip.provider.com. This is actually the expected behavior, and the 7 indicates that the password is an encoded password. Cisco IOS is able to decode the encoded password.
This is not what the "0" means. According to the documentation:
"0" : For all platforms except the Cisco 7600 series router, specifies that the clear-text password immediately following this value is MD5 encrypted.
For the Cisco 7600 series router, specifies that the clear-text password immediately following this value is not encrypted.
"5" : MD5-encrypted text string, which will be stored as the encrypted user password.
"7": Weak, reversible algorithm.
To use 7 or 5, here are the commands:
UC500(config)#username ggg password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) user password
UC500(config)#username ggg secret ?
0 Specifies an UNENCRYPTED secret will follow
5 Specifies a HIDDEN secret will follow
LINE The UNENCRYPTED (cleartext) user secret
I have the same problem happens here. After change the password 0 it change to encrypted. I am using ISR4331 with SIP trunk VMAX.