HTTP Authentication Digest for SIP messages in a trunk SIP CUCME

Hello,

We would like to implement HTTP Authentication Digest for SIP messages in a SIP trunk between a Cisco 2851 and an Asterisk server.

We are using CUCM Express with 15.1(4)M (CME 8.6) as voice gateway to connect to PSTN.

According to Cisco documentation:

"To configure a gateway to use HTTP Authentication Digest, give the following command in each dial peer or SIP-UA configuration mode:

authentication username username password password [realm realm]."

The problem is that when the call is from CISCO to ASTERISK, Asterisk sends a challenge to Cisco to do authentication:

INVITE sip:968277830@10.1.32.70:5060 SIP/2.0
Via: SIP/2.0/UDP 10.0.70.11:5060;branch=z9hG4bK3E205D
Remote-Party-ID: "DN1001" <sip:1001@10.0.70.11>;party=calling;screen=no;privacy=off
From: "DN1001" <sip:1001@10.0.70.11>;tag=5317D4-2271
To: <sip:968277830@10.1.32.70>
Date: Thu, 20 Feb 2014 10:55:56 GMT
Call-ID: 6890E69B-995411E3-808DE206-4D0B76AC@10.0.70.11
Supported: 100rel,timer,resource-priority,replaces,sdp-anat
Min-SE: 1800
Cisco-Guid: 1679566433-2572423651-2156454406-1292596908
User-Agent: Cisco-SIPGateway/IOS-12.x
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
CSeq: 101 INVITE
Max-Forwards: 70
Timestamp: 1392893756
Contact: <sip:1001@10.0.70.11:5060>
Expires: 180
Allow-Events: telephone-event
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 208

<--- Reliably Transmitting (no NAT) to 10.0.70.11:5060 --->

SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.0.70.11:5060;branch=z9hG4bK3E205D;received=10.0.70.11
From: "DN1001" <sip:1001@10.0.70.11>;tag=5317D4-2271
To: <sip:968277830@10.1.32.70>;tag=as665c9410
Call-ID: 6890E69B-995411E3-808DE206-4D0B76AC@10.0.70.11
CSeq: 101 INVITE
Server: Asterisk PBX 11.7.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="559bd1d2"
Content-Length: 0

However, when the call is from ASTERISK to Cisco, there is no challenge sent.

INVITE sip:1001@10.0.70.11 SIP/2.0
Via: SIP/2.0/UDP 10.1.32.70:5060;branch=z9hG4bK0c57d67c
Max-Forwards: 70
From: "JOSE MANUEL" <sip:968277447@10.1.32.70>;tag=as2f789a9f
To: <sip:1001@10.0.70.11>
Contact: <sip:968277447@10.1.32.70:5060>
Call-ID: 3a0729962d702b4056b6f9821f14917e@10.1.32.70:5060
CSeq: 102 INVITE
User-Agent: Asterisk PBX 11.7.0
Date: Thu, 20 Feb 2014 09:58:27 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 282

<--- SIP read from UDP:10.0.70.11:60829 --->

SIP/2.0 100 Trying
Via: SIP/2.0/UDP 10.1.32.70:5060;branch=z9hG4bK0c57d67c
From: "JOSE MANUEL" <sip:968277447@10.1.32.70>;tag=as2f789a9f
To: <sip:1001@10.0.70.11>
Date: Thu, 20 Feb 2014 10:58:27 GMT
Call-ID: 3a0729962d702b4056b6f9821f14917e@10.1.32.70:5060
CSeq: 102 INVITE
Allow-Events: telephone-event
Server: Cisco-SIPGateway/IOS-12.x
Content-Length: 0

SIP/2.0 180 Ringing
Via: SIP/2.0/UDP 10.1.32.70:5060;branch=z9hG4bK0c57d67c
From: "JOSE MANUEL" <sip:968277447@10.1.32.70>;tag=as2f789a9f
To: <sip:1001@10.0.70.11>;tag=556830-757
Date: Thu, 20 Feb 2014 10:58:27 GMT
Call-ID: 3a0729962d702b4056b6f9821f14917e@10.1.32.70:5060
CSeq: 102 INVITE
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
Allow-Events: telephone-event
Remote-Party-ID: "DN1001" <sip:1001@10.0.70.11>;party=called;screen=no;privacy=off
Contact: <sip:1001@10.0.70.11:5060>
Server: Cisco-SIPGateway/IOS-12.x
Content-Length: 0

My configuration in the Cisco device is:

dial-peer voice 1 voip
 description **Calls to ASTERISK **
 destination-pattern 9T
 session protocol sipv2
 session target sip-server
 codec g711ulaw
!
sip-ua
 keepalive target ipv4:10.1.32.70
 authentication username CCME password 7 070E234F4A realm asterisk
 sip-server ipv4:10.1.32.70:5060
!

To prevent ASTERISK from being blocked by the Cisco TOLLFRAUD_APP, I have added:

voice service voip
 ip address trusted list
  ipv4 10.1.32.70 255.255.255.255
 allow-connections sip to sip
 sip
  registrar server
!

The issue is that I would like Cisco to also send a challenge to the Asterisk server to authenticate SIP messages.

Any ideas?

Regards.
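
The challenge/response exchange discussed in the post above, as an added example that is not part of the original thread: it answers the 401 shown in the trace (no `qop`, so the RFC 2617 legacy formula applies) and then verifies the answer the way a challenging gateway would. The username, realm, nonce and URI come from the post; the password and all function names are constructed for illustration.

```python
import hashlib
import hmac
import re

def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def parse_digest(header_value: str) -> dict:
    """Split a Digest header value into its parameters (keys lower-cased)."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)
    return {k.lower(): v.strip('"') for k, v in pairs}

def digest_response(user, password, realm, nonce, method, uri) -> str:
    """RFC 2617 response when the challenge carries no qop."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def build_authorization(challenge, user, password, method, uri) -> str:
    """Client side: answer a WWW-Authenticate challenge."""
    c = parse_digest(challenge)
    if c.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("unsupported algorithm")
    resp = digest_response(user, password, c["realm"], c["nonce"], method, uri)
    return (f'Digest username="{user}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')

def verify_authorization(header, password, method, request_uri, issued_nonce, realm) -> bool:
    """Server side: accept only a response bound to our nonce, realm, method and URI."""
    a = parse_digest(header)
    if a.get("nonce") != issued_nonce or a.get("realm") != realm:
        return False  # stale or foreign challenge: reject before hashing
    if a.get("uri") != request_uri:
        return False  # response was computed for a different Request-URI
    expected = digest_response(a.get("username", ""), password, realm,
                               issued_nonce, method, request_uri)
    return hmac.compare_digest(expected.encode(), a.get("response", "").encode())

# Header values from the trace in the post; the password is constructed.
CHALLENGE = 'Digest algorithm=MD5, realm="asterisk", nonce="559bd1d2"'
URI = "sip:968277830@10.1.32.70:5060"
AUTH = build_authorization(CHALLENGE, "CCME", "example-secret", "INVITE", URI)

if __name__ == "__main__":
    print(AUTH)
    print(verify_authorization(AUTH, "example-secret", "INVITE", URI, "559bd1d2", "asterisk"))
```
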

2 REPLIES

HTTP Authentication Digest for SIP messages in a trunk SIP CUCME

Did you try the "credentials username..." command under sip-ua config, with adequate parameters in this command that correspond to your environment?

HTH,
Dragan

HTTP Authentication Digest for SIP messages in a trunk SIP CUCME

Hello,

Yes, but the credentials command configures credentials that are used when the Cisco UA must register with a server.

I do not need to register Cisco with the Asterisk server. What I want is for Cisco to authenticate the SIP messages that it receives. I know that TOLLFRAUD_APP, where the remote IP is checked, can be enough, but I want to do something like other routing protocols (such as OSPF, BGP), where every message must be authenticated.

Thanks.

Regards.
