Hi Bogdan,
thanks a lot for your response!
So... you're exactly saying where I run into. ;)
Did you read my last mails with the subject "consume_credentials doesn't work
with auth_radius module"?
Maybe you can help me just by telling me what's the way people do in production.
So... concerning my current configuration, I think I have the clue right now,
what the problem is.
If an unauthorized INVITE comes in, my SER does radius_proxy_authorize() - no
problem here. But, to the 200 OK (Call answered), the ACK of my client also
contains the proxy authorization credentials, which is loose-routed. And now,
the is_present_hf("Proxy-Authorization") function returns true (which is
correct if the UAC includes the credentials in the ACK), but
consume_credentials() returns an error, because it doesn't know that it has
verified (and marked) the credentials before.
How to proceed in this case....
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Thursday, January 22, 2009 8:41 AM
To: Robert Borz
Cc: [email protected]
Subject: Re: [OpenSIPS-Users] Contents of ACK in up-to-date RFC 3261
Hi Robert,
Robert Borz wrote:
> Just had a look at RFC 3261... 269 pages... well, looks for a hard work for
> one day... but it isn't written to understand and answer my dumb questions
> within one or two hours. ;)
>
indeed, the RFC3261 is like a novel :).....
> So, just want to know which contents in an ACK message are allowed in which
> case...
>
> Especially, I'm interested in which contents in an ACK are allowed in a
> response to a 200 OK (after INVITE)... is the Proxy-Authorization header
> field allowed in an ACK as response to a 200 OK of an INVITE?
>
yes, it is optional - see the RFC3261, section 20.1 , page 163 - Table 3
> Maybe someone read my previous two mails, I'm a little confused right now...
>
> I detected different behaviour between different UACs, which is nothing
> unusual for me (I'm just a developer, too).
>
> X-Lite for example includes the digest-credentials in an ACK packet in the
> Proxy-Authorization header field, whereas the snom-softphone does not.
> The Ekige softphone for windows also includes the Proxy-Authorization header
> field.
>
> So, which behaviour is standard? It would be great to get any help from
> you... just to spare the time reading the whole RFC... :-(
>
well, all are correct, as the header presence in the ACK request is
optional....
My understanding on the RFC (on the auth matter) is that if the INVITE
has an "Proxy-Authorization" headers, the ACK should also contain
one...but it is not a must, it is a recommendation. The idea is, if the
proxy asked for auth for INVITE, it might ask for the ACK also....but as
you cannot challenge the ACK, the client should pre-fill the auth in ACK.
Regards,
Bogdan
> <lying>But, I don’t mind reading it...</lying> ;-P
>
>
> Robert.
>
>
> _______________________________________________
> Users mailing list
> [email protected]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
