asterisk users - Oct 2006 - connecting multiple servers with iax - authentication fails

Hello!

I'm having a problem which actually looks banal. I'm trying to
connect 3 servers via iax with each other. However, i've not been
successfull so far. Asterisk always tries to authenticate the calling
user with the credentials of the last entry in iax.conf, not the ones
that would actually belong to the calling user.

e.g. Server1 has peer/user entries for Server2 and Server3(in this
order), Server2 now tries to call Server1, but is asked for the
credentials of Server3(Because Server3 is the last entry in iax.conf),
which doesn't work of course.

The IAX debug for this example is attached(iax_server2.txt).

Please also take a look at the attached iax.conf-files for each server,
maybe i've missed some setting...

Currently i workaround this issue by using the same secret for all
servers, this is not very practicable however...

The asterisk versions in use are 1.2.9.1 on server3 and server2 and
1.4.0-beta2 on server1.

This guy seems to have had the same problem, unfortunately he received
no answer:
http://lists.digium.com/pipermail/asterisk-users/2003-August/011960.html


thx 
christian
-------------- next part --------------
[general]
register => server3:12345678@server2.domain.org
bindport=4569                   ; bindport and bindaddr may be specified

bindaddr=10.1.99.157
bandwidth=high
allow=all
disallow=lpc10

jitterbuffer=no
forcejitterbuffer=no
autokill=yes


[server3]
type=peer
auth=md5
user=server3
secret=thirdsecret321
qualify=yes
host=XXX.XXX.XXX.XXX
context=iax_server3

[server3]
type=user
auth=md5
user=server3
secret=thirdsecret321
qualify=yes
host=XXX.XXX.XXX.XXX
context=iax_server3



[server2]
type=peer
auth=md5
user=server2
secret=othersecret123
qualify=yes
host=XXX.XXX.XXX.XXX
context=iax_server3

[server2]
type=user
auth=md5
user=server2
secret=othersecret123
qualify=yes
host=XXX.XXX.XXX.XXX
context=iax_server3
-------------- next part --------------
[general]
bindport=4569
bindaddr=213.208.4.99
bandwidth=high
allow=all
disallow=lpc10
jitterbuffer=no
forcejitterbuffer=no
tos=lowdelay
autokill=yes

[server1]
type=user
auth=md5
user=server1
secret=othersecret123
qualify=yes
host=dynamic
context=iax_server3

[server1]
type=peer
auth=md5
user=server1
secret=othersecret123
qualify=yes
host=dynamic
context=iax_server3


[server3]
type=user
auth=md5
user=mgw1
secret=12345678
qualify=yes
host=XXX.XXX.XXX.XXX
context=iax_server3

[server3]
type=peer
auth=md5
user=server3
secret=12345678
qualify=yes
host=XXX.XXX.XXX.XXX
context=iax_server3
-------------- next part --------------
[general]
bindport=4569
bindaddr=0.0.0.0
delayreject=yes
bandwidth=high
allow=all                        ; same as bandwidth=high
allow=alaw
disallow=ulaw
disallow=lpc10                  ; Icky sound quality...  Mr. Roboto.
jitterbuffer=no
forcejitterbuffer=no




[server1]
type=peer
auth=md5
secret=thirdsecret321                  ; redundant when already embedded in Dial
string
qualify=yes
host=81.XXX.XXX.XXX
user=server1       ; redundant when already embedded in Dial string
context=iax_server1

[server1]
type=user
auth=md5
secret=thirdsecret321                  ; redundant when already embedded in Dial
string
qualify=yes
host=81.XXX.XXX.XXX
user=server1       ; redundant when already embedded in Dial string
context=iax_server1




[server2]
type=peer
auth=md5
secret=12345678                  ; redundant when already embedded in Dial
string
qualify=yes
host=XXX.XXX.XXX.XXX
user=server2       ; redundant when already embedded in Dial string
context=iax_server3 ;yes, this context is the same as in iax.conf.server2.txt


[server2]
type=user
auth=md5
secret=12345678                  ; redundant when already embedded in Dial
string
qualify=yes
host=XXX.XXX.XXX.XXX
user=server2       ; redundant when already embedded in Dial string
context=iax_server3 ;yes, this context is the same as in iax.conf.server2.txt
-------------- next part --------------
Rx-Frame Retry[ No] -- OSeqno: 000 ISeqno: 000 Type: IAX     Subclass: NEW    
   Timestamp: 00015ms  SCall: 00006  DCall: 00000 [81.XXX.XXX.XXX:4569]
   VERSION         : 2
   CALLED NUMBER   : 004989153213126
   CODEC_PREFS     : ()
   CALLING NUMBER  : 49896272423
   CALLING PRESNTN : 34
   CALLING TYPEOFN : 0
   CALLING TRANSIT : 0
   CALLING NAME    : server1
   LANGUAGE        : en
   FORMAT          : 4
   CAPABILITY      : 4194175
   ADSICPE         : 2
   DATE TIME       : 2006-10-09  17:18:34

Tx-Frame Retry[000] -- OSeqno: 000 ISeqno: 001 Type: IAX     Subclass: AUTHREQ
   Timestamp: 00002ms  SCall: 00030  DCall: 00006 [81.XXX.XXX.XXX:4569]
   AUTHMETHODS     : 2
   CHALLENGE       : 757581300
   USERNAME        : server3

Rx-Frame Retry[ No] -- OSeqno: 001 ISeqno: 001 Type: IAX     Subclass: AUTHREP
   Timestamp: 00040ms  SCall: 00006  DCall: 00030 [81.XXX.XXX.XXX:4569]
   MD5 RESULT      : 94975d6e1044df7ddcafee71463fbfd9
server2*CLI> 
Oct  9 17:15:53 NOTICE[11866]: chan_iax2.c:7229 socket_read: Host 81.XXX.XXX.XXX
failed to authenticate as server1
Tx-Frame Retry[000] -- OSeqno: 001 ISeqno: 002 Type: IAX     Subclass: REJECT 
   Timestamp: 00027ms  SCall: 00030  DCall: 00006 [81.XXX.XXX.XXX:4569]
   CAUSE           : No authority found
   CAUSE CODE      : 50
server2*CLI>

> e.g. Server1 has peer/user entries for Server2 and Server3(in this
> order), Server2 now tries to call Server1, but is asked for the
> credentials of Server3(Because Server3 is the last entry in iax.conf),
> which doesn't work of course.
i beg your pardon, actually the description of the attached debug goes
like this:

e.g. Server2 has peer/user entries for Server1 and Server3(in this
order), Server1 now tries to call Server2, but is asked for the
credentials of Server3(Because Server3 is the last entry in iax.conf
of Server2)...

On 9 Oct 2006, at 17:36, Benko wrote:
> Hello!
>
> I'm having a problem which actually looks banal. I'm trying to
> connect 3 servers via iax with each other. However, i've not been
> successfull so far. Asterisk always tries to authenticate the calling
> user with the credentials of the last entry in iax.conf, not the ones
> that would actually belong to the calling user.
>
> e.g. Server1 has peer/user entries for Server2 and Server3(in this
> order), Server2 now tries to call Server1, but is asked for the
> credentials of Server3(Because Server3 is the last entry in iax.conf),
> which doesn't work of course.
>
> The IAX debug for this example is attached(iax_server2.txt).
>
> Please also take a look at the attached iax.conf-files for each  
> server,
> maybe i've missed some setting...
>
> Currently i workaround this issue by using the same secret for all
> servers, this is not very practicable however...
>
> The asterisk versions in use are 1.2.9.1 on server3 and server2 and
> 1.4.0-beta2 on server1.
>
> This guy seems to have had the same problem, unfortunately he received
> no answer:
> http://lists.digium.com/pipermail/asterisk-users/2003-August/ 
> 011960.html
>
>
> thx
> christian
> <iax.conf.server1.txt>
> <iax.conf.server2.txt>
> <iax.conf.server3.txt>
> <iax_debug_server2.txt>
It is a bit hard to tell what is going on because you have blanked the
IP addresses in the config files to all the same value.
If you specify an IP address in the host= line , asterisk will use
the from IP address of a 'new' to try and find a matching entry, and
ignore the username sent in the message.

At a guess you have the IP addresses of  servers 1 or 3  wrong in  
iax.conf on server2

Tim.

Tim Panton

www.mexuar.com