Hello,

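Your routing script checks group membership and source IP, but I guess you didn't provision the user profile in RADIUS with appropriate values for the group and the source IP. Your FreeRADIUS trace fits that: the Access-Accept carries only SIP-AVP = "Sip-Group:voip", so $avp(i:2), which the source IP check reads, appears never to be set, hence "no src avp found". See: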

http://www.openser.org/docs/openser-radius-1.0.x.html#freeradius_users

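You can skip the group membership checks by removing the
"if(!radius_is_user_in(..))" blocks. In your script those blocks are what restrict calls to other domains ("voip") and to the PSTN gateway ("pstn"), so without them such requests are routed regardless of the From user's group; provisioning the groups in RADIUS keeps that restriction.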

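You can disable the source IP check by removing the block below; a REGISTER that passes digest authentication is then saved to the location table from any source address: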

            # check the src ip address

            if(!avp_check("$avp(i:2)", "eq/$src_ip/ig"))

            {

                sl_send_reply("403", "Forbidden IP");

                exit;

            };


Cheers,
Daniel

On 01/03/07 17:07, buptzhaoyuan@sina.com wrote:

 Hi,

  Lists, happy new year!

    Probably a stupid question, but I cannot solve it myself. The UA cannot register with OpenSER. I think the five steps run well and the last one fails. The debug output shows two errors. The first is "0(5898) radius_is_user_in(): Failure"; the other is "0(5898) DEBUG:avpops:ops_check_avp: no src avp found". Please give me some help and suggestions.

    The following are my configuration file and debug information. Thanks!!

      HTTP/SIP           RADIUS

 

    +-----+    (1)    +-----+           +-----+

    |     |==========>|     |           |     |

    |     |    (2)    |     |           |     |

    |     |<==========|     |           |     |

    |     |    (3)    |     |           |     |

    |     |==========>|     |           |     |

    |  A  |           |  B  |    (4)    |  C  |

    |     |           |     |---------->|     |

    |     |           |     |    (5)    |     |

    |     |           |     |<----------|     |

    |     |    (6)    |     |           |     |

    |     |<==========|     |           |     |

    +-----+           +-----+           +-----+

 

    ====> HTTP/SIP

    ----> RADIUS

 

    I set up the system following the document (http://www.openser.org/docs/openser-radius-1.0.x.html);
 my OpenSER is openser-1.1.0-tls, and the file openser.cfg is the same as in the document.

 

#

#$Id$

#

# radius config script

#

 

# ----------- global configuration parameters ------------------------

 

debug=7            # debug level (cmd line: -dddddddddd)

        fork=no

        log_stderror=yes    # (cmd line: -E)

 

        check_via=no    # (cmd. line: -v)

        dns=no          # (cmd. line: -r)

        rev_dns=no      # (cmd. line: -R)

        port=5060

        children=4

        listen=udp:192.168.168.3

        alias="swifton.org"

        alias="192.168.168.3"

#fifo="/tmp/openser_fifo"

 

# ------------------ module loading ----------------------------------

[root@localhost openser]# cat openser.cfg

#

#$Id$

#

# radius config script

#

 

# ----------- global configuration parameters ------------------------

 

# Core settings for this OpenSER instance.
# NOTE(review): debug=7 with fork=no and log_stderror=yes looks like a
# foreground troubleshooting setup; the debug trace later in this message
# (produced with these settings) includes the digest nonce values, so the
# output should be handled accordingly. Confirm the values intended for
# normal operation.
debug=7            # debug level (cmd line: -dddddddddd)

        fork=no

        log_stderror=yes    # (cmd line: -E)

 

        check_via=no    # (cmd. line: -v)

        dns=no          # (cmd. line: -r)

        rev_dns=no      # (cmd. line: -R)

        port=5060

        children=4

        # Only this UDP address is listed as a listening socket.
        listen=udp:192.168.168.3

        # presumably the names treated as local by the uri==myself tests
        # in the routing block; verify
        alias="swifton.org"

        alias="192.168.168.3"

# FIFO interface left disabled (commented out).
#fifo="/tmp/openser_fifo"

 

# ------------------ module loading ----------------------------------

        # Directory the loadmodule lines below are resolved against.
        mpath="/usr/local/lib/openser/modules"

 

        # Modules used by the routing block. The RADIUS-related ones are
        # auth_radius (radius_www_authorize), group_radius
        # (radius_is_user_in) and avp_radius (avp_load_radius); avpops
        # provides avp_check, which performs the source IP comparison.
        loadmodule "mysql.so"

        loadmodule "sl.so"

        loadmodule "tm.so"

        loadmodule "rr.so"

        loadmodule "maxfwd.so"

        loadmodule "avpops.so"

        loadmodule "usrloc.so"

        loadmodule "registrar.so"

        loadmodule "textops.so"

        loadmodule "xlog.so"

        loadmodule "uri.so"

        loadmodule "acc.so"

        loadmodule "auth.so"

        loadmodule "auth_radius.so"

        loadmodule "group_radius.so"

        loadmodule "avp_radius.so"

 

# ----------------- setting module-specific parameters ---------------

 

# -- usrloc params --

# NOTE(review): this commented-out db_url embeds the database user name and
# password in the script; if it is re-enabled, the file should be readable
# only by the account that runs OpenSER.
#modparam("usrloc","db_url","mysql://openser:openserrw@localhost/openser")

        # NOTE(review): db_mode is 2 while the db_url above is commented
        # out; confirm which database URL usrloc ends up using.
        modparam("usrloc", "db_mode", 2)

 

# -- acc params --

        # Flags 1 and 2 are the ones the routing block sets with
        # setflag(1)/setflag(2) on initial INVITEs.
        modparam("acc", "radius_flag", 1)

        modparam("acc", "radius_missed_flag", 2)

        modparam("acc", "log_flag", 1)

        modparam("acc", "log_missed_flag", 1)

        # presumably 15 corresponds to the Sip-Session service type seen
        # in the FreeRADIUS trace; confirm against the RADIUS dictionary
        modparam("acc", "service_type", 15)

        # Adds the request's source IP ($si) and source port ($sp) to the
        # RADIUS accounting record as Sip-Src-IP / Sip-Src-Port.
        modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp")

        # All four RADIUS-facing modules read the same radiusclient-ng
        # configuration file.
        modparam("acc|auth_radius|group_radius|avp_radius", "radius_config",

                            "/etc/radiusclient-ng/radiusclient.conf")

 

# -- group_radius params --

        # NOTE(review): presumably makes the group lookup include the
        # domain part of the user; confirm against the module docs.
        modparam("group_radius", "use_domain", 1)

 

# -- avpops params --

        # Defines the aliases used as $day and $time in the routing block
        # for AVPs i:101 and i:102.
        modparam("avpops", "avp_aliases", "day=i:101;time=i:102")

 

# -- rr params --

# add value to ;lr param to make some broken UAs happy

        modparam("rr", "enable_full_lr", 1)

 

# -------------------------  request routing logic -------------------

 

# main routing logic

 

        route{

 

    # initial sanity checks -- messages with

    # max_forwards==0, or excessively long requests

    if (!mf_process_maxfwd_header("10")) {

        sl_send_reply("483","Too Many Hops");

        exit;

    };

 

    if (msg:len >=  2048 ) {

        sl_send_reply("513", "Message too big");

        exit;

    };

 

    # check if user is suspended

    if(is_method("REGISTER|INVITE|MESSAGE|OPTIONS|SUBSCRIBE"))

    {

        if (radius_is_user_in("From", "suspended")) {

            sl_send_reply("403", "Forbidden - suspended");

            exit;

        };

    };

   

    # we record-route all messages -- to make sure that

    # subsequent messages will go through our proxy; that's

    # particularly good if upstream and downstream entities

    # use different transport protocol

    if (!method=="REGISTER")

        record_route();

 

    # subsequent messages withing a dialog should take the

    # path determined by record-routing

    if (loose_route()) {

        # mark routing logic in request

        append_hf("P-hint: rr-enforced\r\n");

        if(is_method("BYE"))

        { # log it all the time

            acc_rad_request("200 ok");

            acc_log_request("200 ok");

        }

        route(1);

    };

 

    if(is_method("INVITE") && !has_totag())

    {   # set the acc flags

        setflag(1);

        setflag(2);

    };

 

    if (!uri==myself) {

        # check if user is allowed to do voip calls to other domains

        if(is_method("INVITE|MESSAGE")) {

            if (!radius_is_user_in("From", "voip")) {

                sl_send_reply("403", "Forbidden VoIP");

                exit;

            };

        };

        # mark routing logic in request

        append_hf("P-hint: outbound\r\n");

        route(1);

    };

 

    # if the request is for other domain use UsrLoc

    # (in case, it does not work, use the following command

    # with proper names and addresses in it)

    if (uri==myself) {

        # authenticate registers

        if (method=="REGISTER") {

            if (!radius_www_authorize("swifton.org")) {

                www_challenge("swifton.org", "0");

                exit;

            };

 

            # check the src ip address

            if(!avp_check("$avp(i:2)", "eq/$src_ip/ig"))

            {

                sl_send_reply("403", "Forbidden IP");

                exit;

            };

 

            save("location");

            exit;

        };

 

        # calls to pstn

        if(uri=~"sip:00[1-9][0-9]+@") {

            if(is_method("INVITE") && !has_totag()) {

                if (!radius_is_user_in("From", "pstn")) {

                    sl_send_reply("403", "Forbidden PSTN");

                    exit;

                };

            };

            # set gateway address

            rewritehostport("10.10.10.10:5090");

            route(1);

        };

       

        # load callee's avps

        if(avp_load_radius("callee"))

        {

            # check if user has time filter enabled

            if(avp_check("$avp(i:3)", "eq/i:1"))

            {

                # print time in an avp

                avp_printf("$avp(i:100)", "$Tf");

                # extract day

                avp_subst("$avp(i:100)/$avp(i:101)", "/(.{3}) .+/*\1*/");

                if(!avp_check("$avp(i:6)", "fm/$day")) {

                    sl_send_reply("403", "Forbidden - day");

                    exit;

                };

                # extract 'hours:minutes'

                avp_subst("$avp(i:100)/$avp(i:102)", "/(.{10}) (.{5}):.+/\2/");

                if((is_avp_set("$avp(i:4)") && avp_check("$avp(i:4)", "gt/$time"))

                || (is_avp_set("$avp(i:5)") && avp_check("$avp(i:5)", "lt/$time"))) {

                    sl_send_reply("403", "Forbidden - time");

                    exit;

                };

            };

        };

        ......

 

    route(1);

}

 

......

    exit;

}

#

 

and the OpenSER debug output after start is as follows:

898) SIP Request:

898)  method:  <REGISTER>

898)  uri:     <sip:swifton.org>

898)  version: <SIP/2.0>

898) parse_headers: flags=2

898) end of header reached, state=5

898) parse_headers: Via found, flags=2

898) parse_headers: this is the first via

898) After parse_msg...

898) preparing to run routing scripts...

898) parse_headers: flags=100

898) DEBUG:maxfwd:is_maxfwd_present: value = 70

898) parse_headers: flags=10

898) DEBUG: add_param: tag=f59c388b5de348778e76ebda993c2d8e

898) DEBUG: add_param: epid=b6757bf3fc

898) DEBUG:parse_to:end of header reached, state=29

898) DBUG:parse_to: display={}, ruri={sip:zhaoy@swifton.org}

898) radius_is_user_in(): Failure

898) parse_headers: flags=200

898) DEBUG:parse_to:end of header reached, state=10

......

 0(5898) grep_sock_info - checking if host==us: 11==13 &&  [swifton.org] == [192.168.168.3]

 0(5898) grep_sock_info - checking if port 5060 matches port 5060

 0(5898) grep_sock_info - checking if host==us: 11==13 &&  [swifton.org] == [192.168.168.3]

 0(5898) grep_sock_info - checking if port 5060 matches port 5060

 0(5898) check_nonce(): comparing [459bb612ad569015987d4849d1ae603515f32e6b] and

 [459bb612ad569015987d4849d1ae603515f32e6b]

 0(5898) DEBUG:auth_radius:radius_authorize_sterman: Success

 0(5898) DEBUG:auth_radius:generate_avps: getting SIP AVPs from avpair 225

 0(5898) DEBUG:auth_radius:extract_avp: string is <Sip-Group:voip>

 0(5898) DEBUG:auth_radius:extract_avp: AVP name is <Sip-Group>

 0(5898) DEBUG:auth_radius:extract_avp: AVP val is <voip>

 0(5898) DEBUG:auth_radius:generate_avps: AVP 'Sip-Group'/0='voip'/0 has been added

 0(5898) DEBUG:avpops:ops_check_avp: no src avp found

 0(5898) parse_headers: flags=ffffffffffffffff

 0(5898) check_via_address(192.168.168.30, 192.168.168.30, 0)

 0(5898) DEBUG:destroy_avp_list: destroying list 0x422bc440

 0(5898) receive_msg: cleaning up

 

The FreeRADIUS debug information is as follows:

 

er-Name = "zhaoy@swifton.org"
        Digest-Attributes = 0x0a077a68616f79
        Digest-Attributes = 0x010d73776966746f6e2e6f7267
        Digest-Attributes = 0x022a34353962623631326164353639303135393837643438343964316165363033353135663332653662
        Digest-Attributes = 0x04117369703a73776966746f6e2e6f7267
        Digest-Attributes = 0x030a5245474953544552
        Digest-Response = "2ead4f5b9d78013a35f2eb7a792971a5"
        Service-Type = Sip-Session
        Sip-Uri-User = "zhaoy"
        NAS-Port = 5060
        NAS-IP-Address = 192.168.168.3
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 167
  modcall[authorize]: module "preprocess" returns ok for request 167
  modcall[authorize]: module "chap" returns noop for request 167
  modcall[authorize]: module "mschap" returns noop for request 167
    rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = "zhaoy"
        Digest-Realm = "swifton.org"
        Digest-Nonce = "459bb612ad569015987d4849d1ae603515f32e6b"
        Digest-URI = "sip:swifton.org"
        Digest-Method = "REGISTER"
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok for request 167
 .......

Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 167
A1 = zhaoy:swifton.org:zhaoy
A2 = REGISTER:sip:swifton.org
H(A1) = eff77a9105c5c0973492694f59c944f2
H(A2) = d3add39dad2709bea55016ba79eb675a
KD = eff77a9105c5c0973492694f59c944f2:459bb612ad569015987d4849d1ae603515f32e6b:d3add39dad2709bea55016ba79eb675a
EXPECTED 2ead4f5b9d78013a35f2eb7a792971a5
RECEIVED 2ead4f5b9d78013a35f2eb7a792971a5
  modcall[authenticate]: module "digest" returns ok for request 167
modcall: group authenticate returns ok for request 167
radius_xlat:  'Authenticated'
Login OK: [zhaoy@swifton.org] (from client openser port 5060)
Sending Access-Accept of id 13 to 192.168.168.3:33101
        SIP-AVP = "Sip-Group:voip"
        Reply-Message = "Authenticated"
        Sip-Group = "voip"
Finished request 167

    My MSN is buptzhaoyuan@sina.com. I would be glad to communicate with you!


