Jim,

Sorry for the delay on this.
I wouldn't normally expect authentication to be performed at the I-CSCF as well as the S-CSCF - the I-CSCF should just look up where the subscriber is located and forward the request on. Sprout determines whether the I-CSCF or S-CSCF should be invoked by looking at the SIP URI in the top Route header (or which port it was received on). What does this Route header contain?

Apart from that, more detailed logs would be useful - in particular, it would be useful to see exactly what the Bria is sending, and what is being sent between Bono, the I-CSCF and the S-CSCF. Hopefully the logs just around the time that the REGISTER happens shouldn't be too verbose!

Incidentally, you can disable nonce count support in Clearwater by setting "nonce_count_supported=N" (see http://clearwater.readthedocs.io/en/latest/Clearwater_Configuration_Options_Reference.html for more details). I'm not sure that will solve your problem, though.

Thanks,
Matt

From: Clearwater [mailto:[email protected]] On Behalf Of Jim Page
Sent: 21 September 2017 15:38
To: [email protected]
Subject: Re: [Project Clearwater] Looping authentication with Bria

Hi Clearwater people

I could really do with your help with the below. I have a pretty much bog standard setup, standard build with chef in AWS, plus an openimscore HSS instance. I am currently unable to get any sip devices to register due to an apparent issue with nonce counting. Can you help? In parallel I am trying to hack the code to work around the issue … but I can’t believe this isn’t a common scenario with a simple solution … ?

Thanks in advance …
Jim

RedMatter Ltd
Jim Page
VP Mobile Services
+44 (0)333 150 1666
+44 (0)7870 361412
[email protected]

On 17 Sep 2017, at 18:38, Jim Page <[email protected]> wrote:

Hi There

I initially set up my IMS in an AWS VPC, using chef. It worked out of the box without an HSS, I was able to use Ellis to provision accounts and they registered no problem using Bria 4.
I decided to add an HSS (using ‘knife box’ to add an openimscore HSS instance) so that I can test our application servers. Now that I have the HSS integrated (there were niggles in the installation), I provisioned a new user on the HSS but the Bria phone will not authenticate, and a feedback loop is generated on the first REGISTER attempt. The problem seems to be related to nonce counting. The process seems to go like this:

UE REGISTER -> Bono
Bono REGISTER -> icscf
    No Authorization. Challenge is built, and IMPI is created with nc=1, and stored
icscf 401 -> Bono
Bono 401 -> UE
    UE builds an Authorisation header
UE REGISTER -> Bono
Bono REGISTER -> icscf
    The Authorisation header contains nc=000001. IMPI is loaded and validation is successful. IMPI is stored with nc=2, log line 'Debug authenticationsproutlet.cpp:1033: Storing challenge because nonce counts are supported'
icscf REGISTER -> scscf-proxy
    The Authorisation header still contains nc=000001. IMPI is loaded, but log line says: 'Info authenticationsproutlet.cpp:971: Nonce count supplied (1) is lower than expected (2) - ignore it'
    The Authorisation header is ignored and another 401 challenge is issued, and the UE responds …. and this causes a loop
scscf-proxy 401 -> icscf
icscf 401 -> Bono
Bono 401 -> UE

There seems to be a fundamental flaw here. The IMPI nc is incrementing, but the Authorisation header is not. I can’t see how this can work unless icscf increments nc in the authorisation header before sending it to the scscf.

Also please note: I disabled nonce_count_supported in shared_config, but the result was a log line ‘nonce count is supplied but not supported’ (or words to that effect) and the Authorisation header is again ignored, and there is a loop.

How to move forward from here? I have searched in vain for a way to disable nonce count in Bria 4. I can provide logs if helpful, but they are long and I don’t want to clog everyone’s inbox.
Kind regards
Jim

RedMatter Ltd
Jim Page
VP Mobile Services
+44 (0)333 150 1666
+44 (0)7870 361412
[email protected]

_______________________________________________
Clearwater mailing list
[email protected]
http://lists.projectclearwater.org/mailman/listinfo/clearwater_lists.projectclearwater.org
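The double validation described in the thread, as an added sketch that is not part of the original messages and is not Sprout's code: two hops check the same Authorization header against one shared nonce-count store, so the second hop sees a count the first has already consumed. The store layout, hop names and sample credentials are assumptions made for illustration.

```python
import hashlib

def h(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(a, password):
    # RFC 2617, qop=auth: nc is an input to the hash, so a hop that does
    # not hold the password cannot rewrite nc in transit.
    ha1 = h(f"{a['user']}:{a['realm']}:{password}")
    ha2 = h(f"REGISTER:{a['uri']}")
    return h(f"{ha1}:{a['nonce']}:{a['nc']:08x}:{a['cnonce']}:auth:{ha2}")

def check(store, password, a):
    """One authenticating hop. `store` maps nonce -> next expected nc."""
    expected = store.get(a["nonce"])
    if expected is None or a["nc"] < expected:
        return "challenge"              # unknown nonce, or count already used
    if a["response"] != digest_response(a, password):
        return "challenge"
    store[a["nonce"]] = a["nc"] + 1     # consume this count
    return "accepted"

def route(store, password, a, hops):
    """Pass one REGISTER through each named hop; stop at the first 401."""
    trace = []
    for hop in hops:
        result = check(store, password, a)
        trace.append((hop, result))
        if result == "challenge":
            break
    return trace

def make_auth(nonce, nc, password):
    # Constructed sample credentials, not taken from the thread.
    a = {"user": "alice@example.com", "realm": "example.com",
         "uri": "sip:example.com", "nonce": nonce, "nc": nc, "cnonce": "c1"}
    a["response"] = digest_response(a, password)
    return a

def demo():
    store = {"n1": 1, "n2": 1}          # two outstanding challenges, shared
    both = route(store, "secret", make_auth("n1", 1, "secret"), ["icscf", "scscf"])
    single = route(store, "secret", make_auth("n2", 1, "secret"), ["scscf"])
    replay = route(store, "secret", make_auth("n2", 1, "secret"), ["scscf"])
    return both, single, replay
```

`demo()` returns the traces for the two-hop case, the single-hop case and a resend of an already accepted header.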
