OBi200: How to set separate UserID and AuthID?

Started by sdMark, September 06, 2018, 01:09:39 PM


sdMark

My OBi200 is running firmware 3.2.2 (Build: 5898EX). One of my providers is a 3CX PBX. I just applied Service Pack 6 (SP6) to 3CX 15.5. This version includes some security enhancements, including that the SIP authentication ID no longer matches the extension number (UserID) by default and should rather be a long, complex string.

A working registration packet from a Yealink T42G phone looks like this. The phone puts its "User Name" field in the To string as 100@, and it puts "Register Name" (AuthID) in the username field:

To: "Some User" <sip:100@192.168.1.100:5060>
Contact: <sip:100@192.168.1.141:5060>
Proxy-Authorization: Digest username="fVV42urelv43", realm="3CXPhoneSystem", nonce="414d535c11a2150414:b6079c70777d800cf16db07a22969e4c", uri="sip:192.168.1.100:5060", response="8d5eb24b9e98a74dcfb22728aacaf799", algorithm=MD5
User-Agent: Yealink SIP-T42G 29.81.250.3

And here is a similar packet from the OBi. Because the OBi uses user ID 110 for both fields, 3CX responds with a 404 User Unknown and registration fails:

To: <sip:110@192.168.1.100>
      SIP to address: sip:110@192.168.1.100
Via: SIP/2.0/UDP 192.168.1.144:5082;branch=z9hG4bK-fbdfe999;rport
Proxy-Authorization: Digest algorithm=MD5,nonce="414d535c11a20cac22:ac75829dda23a26dfee061db913da5b1",realm="3CXPhoneSystem",
response="6439eeed4f3b318d5430650a333de313",uri="sip:192.168.1.100:5060",username="110"
User-Agent: OBIHAI/OBi200-3.2.2.5898

How can I tell the OBi to use a different value for AuthID than UserID? I see the X_ContactUserID field, but this is not about the Contact header, it's about the username included in Proxy-Authorization.

Thanks,

Mark

A_Friend

It's in the Voice Services settings.  Click on the SP(n) in question, scroll down to the SIP Credentials section, where you'll find AuthUserName.

Hope this helps.

sdMark

Thanks, I see AuthUserName. Where is the other field? I need one field for UserID (often Extension or User Name) and a different field for AuthID (or Register Name). They are, I have learned, not always the same.

SteveInWA

Quote from: A_Friend on September 06, 2018, 04:53:35 PM
It's in the Voice Services settings.  Click on the SP(n) in question, scroll down to the SIP Credentials section, where you'll find AuthUserName.

Hope this helps.


The setting is "X_ContactUserID".  Using the OBiTALK portal, click on your OBiTALK device, then get into Expert Configuration mode.  Go to the "Voice Services" section, then to the SPx you are using (e.g. "SP1 Service").  The setting is under SIP Credentials, and it's called X_ContactUserID.

sdMark

Thanks Steve. It ain't pretty but I think it works. I put the extension (UserID) in X_ContactUserID and "1ComplexID" in AuthUserName. The "1ComplexID" got unnecessarily inserted in the From and To headers but since it is also in the Proxy-Authorization header, authentication worked.

From: <sip:1ComplexID@192.168.1.100>;tag=SP3e5da6d13fafabe9
To: <sip:1ComplexID@192.168.1.100>
Via: SIP/2.0/UDP 192.168.1.144:5082;branch=z9hG4bK-87ff5dc5;rport
Proxy-Authorization: Digest algorithm=MD5,nonce="414d535c11a285f015:16dba14b579a034fb03058554368b414",realm="3CXPhoneSystem",
response="29991f370f798812c2b326b668f8c32d",uri="sip:192.168.1.100:5060",username="1ComplexID"
User-Agent: OBIHAI/OBi200-3.2.2.5898
Contact: <sip:110@192.168.1.144:5082>;expires=60;+sip.instance="<urn:uuid:00000000-0000-0000-0000-9cadef601e4b>"



sdMark

Oops, not so fast.

3CX sends back 200 OK and the OBi thinks it is registered. However the 3CX dashboard says it is NOT registered and will not put calls through to extension 110. My hunch is that the presence of "1ComplexID" in the From and To headers is throwing it off.

Sigh. Isn't there a standard that governs this stuff?

Fortunately, 3CX (still) allows overriding its setting with the less secure AuthID = UserID. When I do that, it still registers and it shows green in the 3CX dashboard.

ProfTech

Not to steer you in the wrong direction, but there is a field in the OBi "SIP Credentials" section called "URI". Would filling that in [possibly in addition to the X_ContactUser field] help you?

sdMark

@ProfTech, you are absolutely right. I just noticed that this morning. While in OBiTalk, I hovered over the question mark next to URI and read, "URI is normally used when the service provider requires a SIP AuthID to be used." Aha!

From the description of the URI parameter on page 115 of the admin manual:

Quote: This parameter affects the way the AOR [Address of Record] is formed by the device in outbound SIP Requests. The AOR has the format: user@domain.
If the value of URI is empty, device gets the user portion of its AOR from the AuthUserName, and the domain portion the value of ITSP Profile's UserAgentDomain if it is not empty, or that of the ProxyServer otherwise.
If the value URI is not empty and does not contain "@", it is used as the user portion of the AOR while the domain portion is formed the usual way.
...
Note: In all cases, device uses AuthUserName and AuthUserPassword to compute authorization if challenged by a 401 or 407 response.

So the answer is not AuthUserName or X_ContactUserID. There is no need for OBi Expert config. In OBiTalk, just put the UserID ("110") in the URI field and the AuthID ("1ComplexID") in the Username field and voila! the OBi sends the correct packet in response to the 407 Proxy Authentication Required challenge:

From: <sip:110@192.168.1.100>;tag=SP37fff1fcbfe7f43f5
To: <sip:110@192.168.1.100>
Via: SIP/2.0/UDP 192.168.1.144:5082;branch=z9hG4bK-bae52b76;rport
Proxy-Authorization: Digest algorithm=MD5,nonce="414d535c11a34a3d28:325d88862ac6bacc590028a4698b6aa0",realm="3CXPhoneSystem",
response="6c7b0f74e9262732e9e0958cad0fa857",uri="sip:192.168.1.100:5060",username="1ComplexID"
User-Agent: OBIHAI/OBi200-3.2.2.5898
Contact: <sip:110@192.168.1.144:5082>;expires=60;+sip.instance="<urn:uuid:00000000-0000-0000-0000-9cadef601e4b>"

The issue with not putting an extension-to-extension call through was my fault. I was trying to dial out on the wrong line.
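Added example, not part of the original thread and not Obihai or 3CX code: a Python sketch of the two rules in the manual excerpt above, showing that the URI setting changes only the AOR in From/To while the Digest username and response depend only on AuthUserName. The function names and the password are constructed for illustration; the Digest calculation is the RFC 2617 form without qop, which matches the headers captured in the thread, and the method is assumed to be REGISTER.

```python
import hashlib

# Constructed sample values; the nonce and realm are copied from the capture in the
# thread, the password is made up (the real one is not on the page).
NONCE = "414d535c11a34a3d28:325d88862ac6bacc590028a4698b6aa0"
REALM = "3CXPhoneSystem"
PASSWORD = "constructed-password"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def form_aor(uri: str, auth_user_name: str, proxy_server: str,
             user_agent_domain: str = "") -> str:
    """Build user@domain following the quoted description of the URI parameter."""
    domain = user_agent_domain or proxy_server
    if not uri:
        return f"{auth_user_name}@{domain}"   # empty URI: user part is AuthUserName
    if "@" not in uri:
        return f"{uri}@{domain}"              # URI without "@": used as the user part
    # The quoted excerpt elides this case ("..."), so it is not modelled here.
    raise ValueError("URI containing '@' is not covered by the quoted excerpt")


def digest_response(username: str, realm: str, password: str,
                    method: str, digest_uri: str, nonce: str) -> str:
    """RFC 2617 Digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{digest_uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def register_headers(uri: str, auth_user_name: str, password: str,
                     proxy_server: str, nonce: str, realm: str = REALM) -> dict:
    """Headers a device following those rules would send after a 407 challenge."""
    aor = form_aor(uri, auth_user_name, proxy_server)
    digest_uri = f"sip:{proxy_server}:5060"
    response = digest_response(auth_user_name, realm, password,
                               "REGISTER", digest_uri, nonce)
    auth = (f'Digest algorithm=MD5,nonce="{nonce}",realm="{realm}",'
            f'response="{response}",uri="{digest_uri}",username="{auth_user_name}"')
    return {"From": f"<sip:{aor}>", "To": f"<sip:{aor}>", "Proxy-Authorization": auth}


if __name__ == "__main__":
    for uri in ("", "110"):   # URI left empty vs. URI set to the extension
        for name, value in register_headers(uri, "1ComplexID", PASSWORD,
                                            "192.168.1.100", NONCE).items():
            print(f"{name}: {value}")
        print()
```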

A_Friend

Good work!

Sorry about the misdirection, and thanks for the education.

sdMark

No worries - actually AuthUserID is used, but it can stay behind the scenes if you use OBiTalk.