Are SIP Authentication Header Parameters Configurable in Asterisk, and If So, How Much So and How Do I Configure It?

This is basically a continuation of this forum post in FreePBX:
Using FreePBX 13 with A Mock Cellular Network
The reason I am moving over to this forum is because:

  1. I am considering backing off the GUI due to configuration limitations using FreePBX, and
  2. Because I need clarification on Asterisk’s SIP Authentication configurations.

To be clear, the issue I am having is that I am trying to connect a cellphone (not through softclient but through VoLTE) to a SIP server. In particular, the FreePBX installation that I am using rejects the cell phone because of mismatched authentication headers (thus throwing 401 Unauthorized). Because the cell phones are expected to use static authentication parameters that are already established, the 401 messages have no effect in causing the cell phones to conform to Asterisk’s/FreePBX’s default MD5 authentication scheme.

So to be clear, my question is:
Is there any way to modify the Asterisk configuration files (for Asterisk or FreePBX) so that authentication is either disabled, or configured to match that of the cell phones?

If you need a better understanding of the setup, check the link above or feel free to respond if you can’t find it here…

You haven’t said whether you are using chan_sip, or chan_pjsip. To disable it on chan_sip, either only provide a remotesecret, or don’t provide a secret at all.

I believe the only authentication scheme supported by Asterisk is the mandatory one, so anything that can only authenticate in another way is broken.

I am trying to use pjsip with FreePBX at the moment.

Here is the Authentication Header from the Cell phone:

Authorization: Digest nonce="",uri="",realm="",username="",response=""
Authentication Scheme: Digest
Nonce Value: ""
Authentication URI: ""
Realm: ""
Username: ""
Digest Authentication Response: ""

Is there any way to match that Authentication header in Asterisk? If not, that’s all I need to know.

That’s broken. Without a random nonce it is totally vulnerable to a replay attack. Asterisk is not going to send an empty nonce as that is a stupid thing to do.

Sending a digest with an empty secret is also not very sensible. Even with an empty secret and empty nonce, the response would not be empty, so this is a guaranteed failure.

If the client doesn’t want to authenticate, it should not send any Authorisation header at all.
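
The two points made in the last reply can be checked with a short script, added here as an illustration and not written by anyone in the thread or taken from Asterisk: it computes the RFC 2617 digest (the variant without qop) and runs a server-side check that accepts only nonces it issued, each once. The `Verifier` class, the `REGISTER` method and the other helper names are assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_digest(header):
    """Split 'Authorization: Digest k="v",...' into a dict of parameters."""
    scheme, _, params = header.partition(":")[2].strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

class Verifier:
    """Hypothetical server side: issues random nonces, accepts each once."""
    def __init__(self, realm, secret_by_user):
        self.realm, self.secret_by_user = realm, secret_by_user
        self.outstanding = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, header, method):
        p = parse_digest(header)
        nonce, user = p.get("nonce", ""), p.get("username", "")
        if nonce not in self.outstanding:
            return "rejected: nonce was not issued by this server"
        self.outstanding.discard(nonce)  # single use, so a capture cannot be replayed
        if user not in self.secret_by_user:
            return "rejected: unknown user"
        expected = digest_response(user, self.realm, self.secret_by_user[user],
                                   method, p.get("uri", ""), nonce)
        if not hmac.compare_digest(expected.encode(), p.get("response", "").encode()):
            return "rejected: response does not match"
        return "accepted"

# Header as posted in the thread (all parameters empty).
PHONE_HEADER = 'Authorization: Digest nonce="",uri="",realm="",username="",response=""'
# Even with every input empty, the correct response is a 32-character MD5 hex string.
EMPTY_INPUT_RESPONSE = digest_response("", "", "", "REGISTER", "", "")
```
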