Command "credentials username USER001 password 0 PASSWORD realm sip.provider.com" not working

Unanswered Question

Hi,


I have an issue with configuring a SIP account. My provider wants the username and password to be cleartext. As far as I'm aware, this can be accomplished by configuring the sip-ua credentials with the password option 0 (zero). But when I try this, the password option is automatically set to 7 (which implies that the password should be encrypted).


This is what I do:


UC_520#config t
Enter configuration commands, one per line.  End with CNTL/Z.
UC_520(config)#sip
UC_520(config-sip-ua)#credentials username USER001 password 0 PASSWORD realm sip.provider.com
UC_520(config-sip-ua)#exit
UC_520(config)#exit
UC_520#write
Building configuration...
Compressed configuration from 56788 bytes to 23893 bytes[OK]
UC_520#sh configuration | begin sip-ua
sip-ua
credentials username USER001 password 7 00343235376C24342B realm sip.provider.com


Any ideas what I'm doing wrong, or is this just a bug?


Kind regards,


Frank

Marcos Hernandez Sat, 01/16/2010 - 10:10

The encryption in IOS determines how the password is stored and displayed on the system, not how it is exchanged in the MD5 Digest authentication. What error are you receiving when trying to authenticate? Can you provide the "debug ccsip message"?


Marcos

Marcos Hernandez Sat, 01/16/2010 - 10:20

The IOS version is also important, as Steve suggests. We used to have a bug where IOS would display the password in clear text, but think it was already encrypted. This would cause registration issues since the password used would be wrong. But again, this has nothing to do with the Digest authentication.


Marcos

Steven DiStefano Sat, 01/16/2010 - 10:37

Yes, that's where I was heading....but you're right Marcos.  debug ccsip messages of the registration would help for sure.


I also saw an old bug where if the credentials were read from startup, even though it showed clear text, it was encrypted.  But that was fixed a long time ago too.


Steve

Steve, Marcos,


Thank you for the fast reply. The version I'm using is 12.4(22)YB4.


The main question is not (yet) if the SIP setup negotiation is working, but why the password 0 option isn't working. According to the documentation that I read it should be. If I try to use option 0, it's automatically changed to option 7 in the configuration. I'm wondering why that is.


My SIP provider only has experience with Asterisk systems and he told me that for those systems they require that the password and username are sent as plain text. I presume that I need password option 0 to accomplish this, or am I wrong?


Frank

Steven DiStefano Sat, 01/16/2010 - 14:55

OK, so you're on a fairly recent IOS (not the latest 15.0(1)XA, which is available in the UC 500 8.0.0 bundle FYI), but I am not sure that was a supported release for UC500?  What bundle are you using?   But this is moot since you should have all the latest bug fixes for problems I saw in earlier IOS.


What you may want to do, is what Marcos suggested and post it for us.


#term mon

#debug ccsip messages


Wait to see some REGISTRATION messages, or make a call, since if a UAC is not registered, the INVITE should be challenged and then credentials are passed.


We can see what's happening on the wire this way and see if the CLI is security only (so it can't be viewed in a 'show run') but actually gets passed in plain text....


# un all  <---turns off all debugging

John Platts Sat, 01/16/2010 - 19:57

I know that credentials username USER001 password 0 PASSWORD realm sip.provider.com changes to credentials username USER001 password 7 00343235376C24342B realm sip.provider.com. This is actually the expected behavior, and the 7 indicates that the password is an encoded password. Cisco IOS is able to decode the encoded password.
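
What Marcos and John describe above, as an added example that is not part of any post in this thread: the type 7 string from the question decodes back to the text typed after "password 0", and the RFC 2617 Digest response is computed from that text, so the stored form does not change what goes on the wire and the password itself never appears in the header. The nonce and request URI are constructed sample values, and the no-qop form of the calculation is an assumption about the provider's challenge.

```python
import hashlib

# Fixed, publicly documented key of the IOS "type 7" encoding.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse type 7: two decimal digits of key offset, then hex bytes XORed with the key."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("not a type 7 string")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(
        chr(b ^ ord(TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]))
        for i, b in enumerate(data)
    )


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def authorization_header(username, realm, password, method, uri, nonce):
    """Header a UA would send after a 401/407 challenge; only the hash is included."""
    resp = digest_response(username, realm, password, method, uri, nonce)
    return (f'Authorization: Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}", algorithm=MD5')


if __name__ == "__main__":
    stored = "00343235376C24342B"        # type 7 value shown in the question
    nonce = "constructed-sample-nonce"   # constructed; a real one comes from the challenge
    uri = "sip:sip.provider.com"         # constructed REGISTER request URI
    password = decode_type7(stored)
    print("decoded type 7:", password)
    print(authorization_header("USER001", "sip.provider.com", password,
                               "REGISTER", uri, nonce))
```

Because type 7 is reversible with a fixed key, a saved configuration containing it should be handled as if it held the cleartext password.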

Marcos Hernandez Mon, 01/18/2010 - 07:16

This is not what the "0" means. According to the documentation:



"0" : For all platforms except the Cisco 7600 series router, specifies that the clear-text password immediately following this value is MD5 encrypted.


For the Cisco 7600 series router, specifies that the clear-text password immediately following this value is not encrypted.


"5" : MD5-encrypted text string, which will be stored as the encrypted user password.


"7": Weak, reversible algorithm.


To use 7 or 5, here are the commands:


UC500(config)#username ggg password ?

  0     Specifies an UNENCRYPTED password will follow

  7     Specifies a HIDDEN password will follow

  LINE  The UNENCRYPTED (cleartext) user password


UC500(config)#username ggg secret ?

  0     Specifies an UNENCRYPTED secret will follow

  5     Specifies a HIDDEN secret will follow

  LINE  The UNENCRYPTED (cleartext) user secret

