Hello,
the radius client library has a file where you configure the servers,
have you configure it?
Dear Daniel,
Yeah, right. I totally forgot, it's a reverse DNS.
Now I checked the radius server in debug mode and I cannot see any
request from openser trying to connect to the radius server. So, the
request from openser is not reaching the radius server.
Then I installed wireshark and checked the IP address 128.185.38.162
(radius server IP address) in the server where openser was installed.
There also I did not find any entry related to 128.185.38.162.
So, it seems my configuration is wrong. I am sending you the
configuration of openser.cfg and radiusclient.conf.
openser.cfg
Linux isoftel-desktop 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16
08:10:02 UTC 2010 i686 GNU/Linux
Ubuntu 10.04 LTS
isoftel@isoftel-desktop:~$ cd /usr/local/etc/openser/
isoftel@isoftel-desktop:/usr/local/etc/openser$ cat openser.cfg
#
# $Id$
#
# radius config script
#
# ----------- global configuration parameters ------------------------
debug=6 # debug level (cmd line: -dddddddddd)
log_stderror=yes # (cmd line: -E)
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
port=5060
children=4
#listen=udp:localhost
#alias="kamailio.org"
fifo="/tmp/openser_fifo"
# ------------------ module loading ----------------------------------
mpath="/usr/local/lib/openser/modules"
loadmodule "mysql.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "avpops.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "xlog.so"
loadmodule "uri.so"
loadmodule "acc.so"
loadmodule "auth.so"
loadmodule "auth_radius.so"
loadmodule "group_radius.so"
loadmodule "avp_radius.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
#modparam("usrloc","db_url","mysql://openser:openserrw@localhost/openser")
modparam("usrloc", "db_mode", 2)
# -- acc params --
modparam("acc", "radius_flag", 1)
modparam("acc", "radius_missed_flag", 2)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 1)
modparam("acc", "service_type", 15)
modparam("acc", "radius_extra",
"Sip-Src-IP=$si;Sip-Src-Port=$sp")
modparam("acc|auth_radius|group_radius|avp_radius", "radius_config",
"/etc/radiusclient-ng/radiusclient.conf")
# -- group_radius params --
modparam("group_radius", "use_domain", 1)
# -- avpops params --
modparam("avpops", "avp_aliases", "day=i:101;time=i:102")
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# ------------------------- request routing logic -------------------
# main routing logic
route{
# initial sanity checks -- messages with
# max_forwards==0, or excessively long requests
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
exit;
};
if (msg:len >= 2048 ) {
sl_send_reply("513", "Message too big");
exit;
};
# check if user is suspended
if(is_method("REGISTER|INVITE|MESSAGE|OPTIONS|SUBSCRIBE"))
{
if (radius_is_user_in("From", "suspended")) {
sl_send_reply("403", "Forbidden - suspended");
exit;
};
};
# we record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
if (!method=="REGISTER")
record_route();
# subsequent messages withing a dialog should take the
# path determined by record-routing
if (loose_route()) {
# mark routing logic in request
append_hf("P-hint: rr-enforced\r\n");
if(is_method("BYE"))
{ # log it all the time
acc_rad_request("200 ok");
acc_log_request("200 ok");
}
route(1);
};
if(is_method("INVITE") && !has_totag())
{ # set the acc flags
setflag(1);
setflag(2);
};
if (!uri==myself) {
# check if user is allowed to do voip calls to other domains
if(is_method("INVITE|MESSAGE")) {
if (!radius_is_user_in("From", "voip")) {
sl_send_reply("403", "Forbidden VoIP");
exit;
};
};
# mark routing logic in request
append_hf("P-hint: outbound\r\n");
route(1);
};
# if the request is for other domain use UsrLoc
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if (uri==myself) {
# authenticate registers
if (method=="REGISTER") {
if (!radius_www_authorize("")) {
www_challenge("", "1");
exit;
};
# check the src ip address
if(!avp_check("i:2", "eq/$src_ip/ig"))
{
sl_send_reply("403", "Forbidden IP");
exit;
};
save("location");
exit;
};
# calls to pstn
if(uri=~"sip:00[1-9][0-9]+@") {
if(is_method("INVITE") && !has_totag()) {
if (!radius_is_user_in("From", "pstn")) {
sl_send_reply("403", "Forbidden PSTN");
exit;
};
};
# set gateway address
rewritehostport("localhost:5090");
route(1);
};
# load callee's avps
if(avp_load_radius("callee"))
{
# check if user has time filter enabled
if(avp_check("i:3", "eq/i:1"))
{
# print time in an avp
avp_printf("i:100", "$Tf");
# extract day
avp_subst("i:100/i:101", "/(.{3}) .+/*\1*/");
if(!avp_check("i:6", "fm/$day")) {
sl_send_reply("403", "Forbidden - day");
exit;
};
# extract 'hours:minutes'
avp_subst("i:100/i:102", "/(.{10}) (.{5}):.+/\2/");
if((is_avp_set("i:4") && avp_check("i:4",
"gt/$time"))
|| (is_avp_set("i:5") && avp_check("i:5",
"lt/$time"))) {
sl_send_reply("403", "Forbidden - time");
exit;
};
};
};
# native SIP destinations are handled using our USRLOC DB
if (!lookup("location")) {
# log to acc as missed call
acc_rad_request("404 Not Found");
acc_log_request("404 Not Found");
sl_send_reply("404", "Not Found");
exit;
};
append_hf("P-hint: usrloc applied\r\n");
};
route(1);
}
# generic forward
route[1] {
# send it out now; use stateful forwarding as it works reliably
# even for UDP2TCP
if (!t_relay()) {
sl_reply_error();
};
exit;
}
radiusclient-ng.conf
# General settings
# specify which authentication comes first respectively which
# authentication is used. possible values are: "radius" and "local".
# if you specify "radius,local" then the RADIUS server is asked
# first then the local one. if only one keyword is specified only
# this server is asked.
auth_order radius
#add 'local' with comma
# maximum login tries a user has
login_tries 4
# timeout for all login tries
# if this time is exceeded the user is kicked out
login_timeout 60
# name of the nologin file which when it exists disables logins.
# it may be extended by the ttyname which will result in
# a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
# logins on /dev/ttyS2)
nologin /etc/nologin
# name of the issue file. it's only display when no username is passed
# on the radlogin command line
issue /etc/radiusclient-ng/issue
# RADIUS settings
# RADIUS server to use for authentication requests. this config
# item can appear more than one time. if multiple servers are
# defined they are tried in a round robin fashion if one
# server is not answering.
# optionally you can specify the port number on which the remote
# RADIUS listens separated by a colon from the hostname. if
# no port is specified /etc/services is consulted for the radius
# service. if this fails also a compiled in default is used.
authserver 128.185.38.162
# RADIUS server to use for accounting requests. All that I
# said for authserver applies, too.
#
acctserver 128.185.38.162
# file holding shared secrets used for the communication
# between the RADIUS client and server
servers /etc/radiusclient-ng/servers
# dictionary of allowed attributes and values
# just like in the normal RADIUS distributions
dictionary /etc/radiusclient-ng/dictionary
# program to call for a RADIUS authenticated login
login_radius /usr/sbin/login.radius
# file which holds sequence number for communication with the
# RADIUS server
seqfile /var/run/radius.seq
# file which specifies mapping between ttyname and NAS-Port attribute
mapfile /etc/radiusclient-ng/port-id-map
# default authentication realm to append to all usernames if no
# realm was explicitly specified by the user
# the radiusd directly from Livingston doesn't use any realms, so leave
# it blank then
default_realm
# time to wait for a reply from the RADIUS server
radius_timeout 10
# resend request this many times before trying the next server
radius_retries 3
# local address from which radius packets have to be sent
bindaddr localhost
#change with 'localhost'
# LOCAL settings
# program to execute for local login
# it must support the -f flag for preauthenticated login
login_local /bin/login
I have edited the servers file also with the server name and secret.
Thank you very much.
Regards,
Pratik
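The two files posted above have to agree with each other before a single packet can leave the openser host: the server named in authserver/acctserver must have a shared secret in the servers file, and the socket the library binds (bindaddr) must be able to reach that server. A UDP socket bound to a loopback address cannot send to a non-loopback destination on Linux (the kernel refuses the route), which is exactly the situation in which a sniffer on the openser side sees nothing at all. The checker below is an added example, not code from this thread or from radiusclient-ng; the sample configuration and servers file are constructed to mirror the posted setup, the secret is a placeholder, and it assumes an absent bindaddr means "any address" ('*') and that the servers file is one "<host> <secret>" per line as in the radiusclient-ng distribution.

```python
"""Cross-check a radiusclient-ng configuration against its 'servers' file.

Added example, not part of this thread or of radiusclient-ng. Sample inputs
are constructed; the shared secret is a placeholder."""
import ipaddress

SAMPLE_CONF = """\
# constructed, mirrors the posted radiusclient.conf
auth_order radius
authserver 128.185.38.162
acctserver 128.185.38.162
servers /etc/radiusclient-ng/servers
dictionary /etc/radiusclient-ng/dictionary
radius_timeout 10
radius_retries 3
bindaddr localhost
"""

SAMPLE_SERVERS = """\
# constructed servers file: <host or host:port> <shared secret>
128.185.38.162    constructed-secret-0
"""


def parse_conf(text):
    """keyword -> [values]; comments and blank lines dropped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf


def host_of(server):
    """'host' or 'host:port' -> host (IPv4 / hostname, as used in the thread)."""
    host, sep, port = server.rpartition(":")
    return host if sep and port.isdigit() else server


def parse_servers(text):
    """host -> shared secret."""
    secrets = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            secrets[host_of(parts[0])] = parts[1]
    return secrets


def is_loopback(addr):
    if addr in ("localhost", "localhost.localdomain"):
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostnames and '*' are treated as non-loopback


def check(conf_text, servers_text):
    """Return a list of findings; an empty list means the two files agree."""
    conf = parse_conf(conf_text)
    secrets = parse_servers(servers_text)
    findings = []
    bindaddr = conf.get("bindaddr", ["*"])[0]  # assumption: default is 'any'
    for key in ("authserver", "acctserver"):
        for server in conf.get(key, []):
            host = host_of(server)
            if is_loopback(bindaddr) and not is_loopback(host):
                findings.append(
                    f"{key} {host}: bindaddr {bindaddr} is a loopback address; "
                    "a UDP socket bound to it cannot send to a remote server, "
                    "so no request ever reaches the wire")
            secret = secrets.get(host)
            if secret is None:
                findings.append(f"{key} {host}: no shared secret for it in the servers file")
            elif len(secret) < 16:
                findings.append(f"{key} {host}: shared secret is {len(secret)} octets; "
                                "RFC 2865 asks for at least 16")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONF, SAMPLE_SERVERS) or ["OK"]:
        print(finding)
```

Run it against the two real files by reading them into `check()`; the loopback finding disappears once bindaddr is '*' (or the host's own routable address), and the secret-length check is the RFC 2865 recommendation rather than a radiusclient-ng rule.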
On Mon, Aug 2, 2010 at 11:26 PM, Daniel-Constantin Mierla
<miconda(a)gmail.com> wrote:
Hello,
On 8/2/10 12:36 PM, Pratik Shrestha wrote:
Dear Daniel,
Now the new issue. Seems now openser is trying to talk with
radius server. But still I am getting the one error in syslog
which is as follows.
rc_send_server: no reply from RADIUS server
128-185-38-162.totisp.net:1812
Actually I have written only 128.185.38.162 in auth_server in
radiusclient.conf. I don't know how this totisp.net is added. I
haven't mentioned it anywhere.
Probably reverse DNS is done in the library; it is not relevant
anyhow. Can you start the radius server in debug mode and see if it
got some request? You can also do an ngrep/wireshark on port 1812
of your radius server to watch for network packets coming from
kamailio.
Cheers,
Daniel
Please help me.
Thanks.
Regards,
Pratik
On Mon, Aug 2, 2010 at 11:44 AM, Pratik Shrestha
<pratikdbl(a)gmail.com> wrote:
Dear Daniel,
Before I work on the new version, I am first trying to
configure the old version of openser and radius. I am using
openser version 1.0.1 and radius client version 0.5.1 and I
am following the tutorial given in
http://kamailio.net/docs/openser-radius-1.0.x.html.
My freeradius server is in another machine and when I use
radclient to check the user I made, I get the "Authenticated"
message.
But when I use X-lite and connect to openser, it seems
openser is not talking with freeradius servers. I am sure the
"secret" I am using is right as I have already tested from
radclient. The log which I am getting in openser is as shown
below
9(1986) SIP Request:
9(1986) method: <REGISTER>
9(1986) uri: <sip:192.168.0.56>
9(1986) version: <SIP/2.0>
9(1986) parse_headers: flags=2
9(1986) Found param type 232, <branch> =
<z9hG4bK-d8754z-c33212005635f16c-1---d8754z->; state=6
9(1986) Found param type 235, <rport> = <n/a>; state=17
9(1986) end of header reached, state=5
9(1986) parse_headers: Via found, flags=2
9(1986) parse_headers: this is the first via
9(1986) After parse_msg...
9(1986) preparing to run routing scripts...
9(1986) parse_headers: flags=100
9(1986) DEBUG:maxfwd:is_maxfwd_present: value = 70
9(1986) parse_headers: flags=10
9(1986) DEBUG:parse_to:end of header reached, state=9
9(1986) DEBUG: get_hdr_field: <To> [44];
uri=[sip:101%40kamailio.org@192.168.0.56]
9(1986) DEBUG: to body ["101"<sip:101%40kamailio.org@192.168.0.56>]
9(1986) DEBUG: add_param: tag=cc6e4259
9(1986) DEBUG:parse_to:end of header reached, state=29
9(1986) radius_is_user_in(): Failure
9(1986) parse_headers: flags=200
9(1986) get_hdr_field: cseq <CSeq>: <2> <REGISTER>
9(1986) DEBUG: get_hdr_body : content_length=0
9(1986) found end of header
9(1986) find_first_route: No Route headers found
9(1986) loose_route: There is no Route HF
9(1986) grep_sock_info - checking if host==us: 12==9 &&
[192.168.0.56] == [127.0.0.1]
9(1986) grep_sock_info - checking if port 5060 matches port 5060
9(1986) grep_sock_info - checking if host==us: 12==12 &&
[192.168.0.56] == [192.168.0.56]
9(1986) grep_sock_info - checking if port 5060 matches port 5060
9(1986) grep_sock_info - checking if host==us: 12==9 &&
[192.168.0.56] == [127.0.0.1]
9(1986) grep_sock_info - checking if port 5060 matches port 5060
9(1986) grep_sock_info - checking if host==us: 12==12 &&
[192.168.0.56] == [192.168.0.56]
9(1986) grep_sock_info - checking if port 5060 matches port 5060
9(1986) check_nonce(): comparing
[4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c] and
[4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c]
9(1986) ERROR:auth_radius:radius_authorize_sterman: rc_auth
failed
9(1986) build_auth_hf(): 'WWW-Authenticate: Digest
realm="192.168.0.56",
nonce="4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c"
'
9(1986) parse_headers: flags=ffffffffffffffff
9(1986) check_via_address(192.168.0.148, 192.168.182.3, 0)
9(1986) DEBUG:destroy_avp_list: destroying list (nil)
9(1986) receive_msg: cleaning up
At freeradius also, no request goes from openser.
Please advise me how to get rid of this problem.
Best Regards,
Pratik
On Wed, Jul 28, 2010 at 5:56 PM, Pratik Shrestha
<pratikdbl(a)gmail.com> wrote:
Thanks a lot. I will give it a try
Pratik
On Wed, Jul 28, 2010 at 3:48 PM, Daniel-Constantin Mierla
<miconda(a)gmail.com> wrote:
Hello,
On 7/22/10 6:06 AM, Pratik Shrestha wrote:
Dear All,
I am very new to OpenSer. I want to use latest
version of OpenSer with Radius. I need the
documentation/tutorial on how to do this.
Googling, I only found for the old version. Please
help me.
indeed, there is a rather old version:
http://www.kamailio.org/docs/openser-radius-1.0.x.html
What I can say now is that you can skip the part of
installing kamailio and use next link instead:
http://www.kamailio.org/dokuwiki/doku.php/install:kamailio-3.0.x-from-git
Radius client library is now in most of common Linux
distributions, so you can install it with the package
manager (you need the devel headers as well, the -dev
package).
FreeRadius configuration should be more or less the same.
The config of kamailio has changed quite a lot. Use
the default one from kamailio, follow the WITH_AUTH
define conditions and replace auth_db with
auth_radius modules and functions. Also, the rest of
radius modules were merged into misc_radius. For
enabling radius acc, you need to recompile acc module
after editing the Makefile in module directory.
Hope it helps to start, ask here if you get stuck.
Cheers,
Daniel
--
Daniel-Constantin Mierla
http://www.asipto.com/
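Earlier in the thread the server was verified with radclient ("Authenticated") while openser itself produced only "rc_auth failed" and "no reply from RADIUS server", and the advice was to watch port 1812 for packets. What radclient and the client library actually put on the wire is the RFC 2865 exchange below: an Access-Request whose User-Password is hidden with MD5 keyed by the shared secret and a random Request Authenticator, answered by an Access-Accept whose Response Authenticator binds the reply to that request and to the same secret. This is an added example written for this page, not code from the thread, radiusclient-ng or FreeRADIUS; the user name, password, NAS address and secret are constructed, and the authenticator is injectable only so the run is reproducible (a real client must use a fresh unpredictable one per request).

```python
"""Minimal RFC 2865 Access-Request / Access-Accept exchange, both sides.

Added example; not code from the thread, radiusclient-ng or FreeRADIUS.
All sample values are constructed."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-octet Authenticator follows


def attribute(attr_type, value):
    """One TLV attribute; RFC 2865 caps the value at 253 octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet):
    """Return [(type, value), ...] from the attribute area of a packet."""
    out, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-octet multiple; XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password longer than 128 octets")
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        cipher = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += cipher
        prev = cipher
    return out


def decode_password(encoded, secret, authenticator):
    """Server-side inverse of encode_password (padding stripped)."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def build_packet(code, identifier, authenticator, attributes):
    return HEADER.pack(code, identifier, 20 + len(attributes)) + authenticator + attributes


def build_access_request(username, password, secret, identifier, nas_ip, authenticator=None):
    """Client side. The Request Authenticator must be unpredictable (RFC 2865 3);
    it is injectable here only to make the example reproducible."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, encode_password(password, secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return build_packet(ACCESS_REQUEST, identifier, authenticator, attrs)


def response_authenticator(code, identifier, attributes, request_authenticator, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_response(code, request, secret, attributes=b""):
    """Server side: the reply is bound to the request it answers."""
    identifier, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    return build_packet(code, identifier, auth, attributes)


def verify_response(response, request, secret):
    """Client side: drop replies that do not match the outstanding request's
    Identifier or were not authenticated with our shared secret."""
    if len(response) < 20:
        return False
    code, identifier, length = HEADER.unpack(response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"constructed-secret-0"  # constructed; must match the server's entry
    request = build_access_request(b"101", b"pw", secret, 7, "192.168.0.56")
    accept = build_response(ACCESS_ACCEPT, request, secret)
    print("genuine reply accepted:", verify_response(accept, request, secret))
    print("reply forged with other secret accepted:",
          verify_response(build_response(ACCESS_ACCEPT, request, b"other"), request, secret))
```

To probe a server from the openser host, send `request` over a UDP socket to port 1812 and run `verify_response` on whatever comes back; a reply that fails verification is what radclient reports as a bad authenticator (wrong secret), while no reply at all, as in the thread, points at the network path or the client's bind address rather than at the secret.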