Bruno,
Firstly, thanks for answering ...
I'm playing with this right now, so I'll try
to comment a bit
Lucas Aimaretto wrote:
... And this is the radclient OUTPUT ...
Received response ID 86, code 2, length = 52
Vendor-9-Attr-102 =
0x683332332d6372656469742d616d6f756e743d31392e3030
the correct response should be
Login OK: [test] (from client localhost port 0)
Sending Access-Accept of id 188 to 127.0.0.1:32769
Reply-Message = "Hello, test with digest"
if I recall correctly, IC-RADIUS is based on Cistron
RADIUS. Cistron RADIUS doesn't have digest auth support,
and it seems it never will. Cistron's author recommends
using FreeRADIUS instead, which has the Digest
support and correctly gives the result shown above
You know, after searching at
http://icradius.sourceforge.net/modules.php?name=Web_Links&l_op=viewlink&cid=7
I found that ...
"Description: icradius "REQUIRES" the following Perl Modules all of
which are available at the link above:
- Authen::RADIUS
- Digest::MD5
- Date::Calc
- Bit::Vector
- DBI
- DBD::mysql"
... So I believe icradius does support digest authentication. In fact,
I have a utility for RADIUS testing called NT-RADPING (really cool!!)
and did a test against user 1992005 ... Watch the RADIUS OUTPUT and
look at the CHAP-Password attribute ...
radrecv: Access Request from host c0a801b2 code=1, id=1, length=62
User-Name = "110"
CHAP-Password = "xt\265\256ohy\257xY\034\214x_X$\277"
Username is now 110
Calling station Id is now (null)
credit_amount (215.49)
Sending Access Ack of id 1 to c0a801b2 (nas lucas)
Credit-Amount =
"V9:T102:L27:683332332d6372656469742d616d6f756e743d3231352e3439"
Sending Access Accept of id 1 to c0a801b2 (nas lucas)
SQL: Socket 0 used for 0.48 seconds
SQL: Released socket 0
So you see that I got an access-accept. In the utility I wrote down the
password as plain text, but you see, in the radius output it is
encrypted.
Questions:
1) Although I sent different ATTRIBUTES to radius, RADIUS recognized
all of them (except for one, Digest-Response) as Digest-Attributes.
Why is that?
Maybe because IC-RADIUS doesn't have digest support?
I don't think digest support has to do with the attributes not being
recognized. I think it is something else ... But I do not know what it is.
And I believe icradius supports digest auth, because I made a test ... I
called from user 1992005 to user 1992003 ... Radius authenticated user
1992005 and the call was established, so SER also understood the RADIUS
responses ... Look at the radius output ...
radrecv: Access Request from host c0a801fd code=1, id=17, length=215
User-Name = "1992005(a)192.168.1.253"
Digest-Attributes = "\012\0111992005"
Digest-Attributes = "\001\017192.168.1.253"
Digest-Attributes = "\002*419a7a30c9fe08ae43336232e7b687fb633edbd6"
Digest-Attributes = "\004\033sip:1992003@192.168.1.253"
Digest-Attributes = "\003\010INVITE"
Digest-Response = "afae2bb3cf9dfb3a3d2dd10f5fd29132"
Service-Type = Sip-Session
Sip-Uri-User = "1992005"
NAS-IP-Address = 192.168.1.253
NAS-Port-Id = 5060
Username is now 1992005(a)192.168.1.253
Calling station Id is now (null)
credit_amount (19.00)
Sending Access Ack of id 17 to c0a801fd (nas linux)
Credit-Amount =
"V9:T102:L26:683332332d6372656469742d616d6f756e743d31392e3030"
Sending Access Accept of id 17 to c0a801b2 (nas lucas)
SQL: Socket 0 used for 0.75 seconds
SQL: Released socket 0
The thing here is why some attributes are recognized and others are not. For
example: digest-response, Sip-Uri-user (which are new attributes that I
added myself to the general dictionary, and got them from the
dictionary.ser) are recognized. Some others are not (digest-realm,
digest-nonce, etc., taken from the same dictionary.ser) and are only
recognized as Digest-Attributes ... :S ... No idea ...
Any ideas ???
hope this helps
Thanks!
Cheers
Regards,
!3runo
Lucas
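
Added example, not part of the original message: a Python sketch that decodes the Digest-Attributes values and the Vendor-9-Attr-102 hex string shown in the logs above. It assumes the sub-attribute numbering of the draft-sterman-aaa-sip RADIUS digest draft and that the server prints non-printable bytes as three-digit octal escapes; the function names are illustrative.

```python
import re

# Assumed numbering of the sub-attributes packed inside Digest-Attributes
# (draft-sterman-aaa-sip); not taken from the original message.
SUBTYPES = {
    1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method", 4: "Digest-URI",
    5: "Digest-QOP", 6: "Digest-Algorithm", 7: "Digest-Body-Digest",
    8: "Digest-CNonce", 9: "Digest-Nonce-Count", 10: "Digest-User-Name",
}

def unescape_log(text):
    """Turn the three-digit octal escapes printed in the log back into raw bytes."""
    return re.sub(rb"\\([0-3][0-7]{2})",
                  lambda m: bytes([int(m.group(1), 8)]),
                  text.encode("latin-1"))

def parse_digest_attributes(raw):
    """Split a Digest-Attributes value into (name, value) pairs.

    Each sub-attribute is type (1 byte), length (1 byte, header included), value.
    """
    pairs, pos = [], 0
    while pos < len(raw):
        if len(raw) - pos < 2:
            raise ValueError("truncated sub-attribute header")
        subtype, length = raw[pos], raw[pos + 1]
        if length < 2 or pos + length > len(raw):
            raise ValueError(f"bad length {length} for sub-type {subtype}")
        name = SUBTYPES.get(subtype, f"Unknown-{subtype}")
        pairs.append((name, raw[pos + 2:pos + length].decode("latin-1")))
        pos += length
    return pairs

def decode_vsa_hex(hexstr):
    """Decode the hex dump that an unknown vendor attribute is printed as."""
    digits = hexstr[2:] if hexstr.lower().startswith("0x") else hexstr
    return bytes.fromhex(digits).decode("ascii")

# Values copied from the logs in the message above.
LOGGED = [r"\012\0111992005", r"\001\017192.168.1.253",
          r"\002*419a7a30c9fe08ae43336232e7b687fb633edbd6",
          r"\004\033sip:1992003@192.168.1.253", r"\003\010INVITE"]

if __name__ == "__main__":
    for value in LOGGED:
        for name, text in parse_digest_attributes(unescape_log(value)):
            print(f"{name} = {text!r}")
    print(decode_vsa_hex("0x683332332d6372656469742d616d6f756e743d31392e3030"))
```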