Well, actually I can try.
What will be the main goal of this edition?
Now I'm trying to find all features (about Radius) that have any influence
on authentication process.
And one more question, is it possible to discuss the refurbish actions of
the article not at sr-list, but in personal mailing?
2017-05-22 9:56 GMT+03:00 Donat Zenichev <donat.zenichev(a)gmail.com>om>:
What did you mean, when you ask for
'backend'?
If you meant an storage, so it's not a .txt users file, I'm using db -
radcheck table.
So guys, the I've solved the problem.
It wasn't consisted of kamailio functions or radius configuration.
So you're free to use: www_challenge("$fd", "1"), until
up radius_www_authorize("$fd","$fU") comes up.
Qop parameter does what he does and changes nothing within radius
authentication process.
My problem was about username column in radcheck table.
It's not enough to insert an username, you ought to use full URI, like:
username(a)my.proxy.domain
Also don't forget about attributes of the row that belongs to a certain
user agent.
So my part of table for one of users looks like that:
;-----------------------------------------------------------
--------------------------------------------------------;
;---id---;---username-------;------attribute---------;------
op-------;----------value---------------------;
;-----------------------------------------------------------
--------------------------------------------------------;
;__1__;__ua(a)dom.com_;__User-Password_;___==_____;_____hereuapassowrd____;
;__2__;__ua@dom.com_;__Auth-Type_____;___:=______;_____Digest____________;
;__....
Actually, I don't know why, but there is just a few articles all over the
net, that describes a bit the functionality and processing with auth_radius
module.
I hope my case will be useful for others, who uses kamailio + radius/db
But I have a problem how to request AVPs for a certain user from RADIUS, I
found some solutions with SIP-AVP attribute, but still haven't done it.
Now I have to databases, one for Kamailio (that contains users AVPs, that
Kamailio gets by avp_db_query) and second for users credentials (that are
used while authorization on INVITE, REGISTER requests).
And as for the future, I have a goal to store passwords in ha1, haven't
started to discover this.
2017-05-18 17:11 GMT+03:00 Donat Zenichev <donat.zenichev(a)gmail.com>om>:
Hi all.
Have a problem with radius authorization.
I'm using auth_radius.so
modparams, only path to client file:
modparam("auth_radius", "radius_config",
"/etc/radiusclient/radiusclien
t.conf")
Freeradius installed and is working properly, radtest authentication from
kamailio host succeed .
How authorization block looks like:
if (!is_present_hf("Authorization")) {
xlog("L_NOTICE", "----- Athorization HF is not found - passing the
challenge -----\n");
if (nat_uac_test("2")) {
force_rport();
}
www_challenge("$fd", "1");
exit;
if (!radius_www_authorize("$fd","$fU")) {
if (nat_uac_test("2")) {
force_rport();
}
xlog("L_NOTICE", "----- Registeration $au@$ar ($fU) from $si:$sp
Rejected. Code: $rc -----\n");
sl_send_reply("401","Unauthorized");
exit;
Radius log is filled by rows like:
Auth: [digest] Cleartext-Password or Digest-HA1 is required for
authentication.
Tried to use radius_www_authorize without $fU - didn't change anything.
Tried to use www_challenge without qop - didn't change anything.
So, this solution is quite simple, but I have a fail while digest
authentication.
Any ideas?
--
--
BR, Donat Zenichev
Wnet VoIP team
Tel: +380(44) 5-900-808
http://wnet.ua
--
--
BR, Donat Zenichev
Wnet VoIP team
Tel: +380(44) 5-900-808
http://wnet.ua