12 Apr
2005
12 Apr
'05
4:21 p.m.
> The thing is that I'm not seeing the Password
Attribute at
> the radius output ...
Lucas,
Your RADIUS server needs to implement the Digest algorithm.
Attributes are
non-standard and are NOT sent as vendor-encapsulated, but
wrapped in the
Digest-Attributes avpair. The RADIUS server thus needs to be
able to read
the digest-attributes, convert them to individual attributes
(as below) and
then implement the DIGEST authentication mechanism.
Translated: There is no password attribute.
g-)
ATTRIBUTE Digest-Response 206 string
ATTRIBUTE Digest-Attributes 207 string
ATTRIBUTE Digest-Realm 1063 string
ATTRIBUTE Digest-Nonce 1064 string
ATTRIBUTE Digest-Method 1065 string
ATTRIBUTE Digest-URI 1066 string
ATTRIBUTE Digest-QOP 1067 string
ATTRIBUTE Digest-Algorithm 1068 string
ATTRIBUTE Digest-Body-Digest 1069 string
ATTRIBUTE Digest-CNonce 1070 string
ATTRIBUTE Digest-Nonce-Count 1071 string
ATTRIBUTE Digest-User-Name 1072 string
Ok, thanx for the answer. Anyways, I think I'll need a little help with
this. I already loaded those attributes into my dictionary, both
dictionary.ser and dictionary.sip. Now, If I have no password assigned
to my user, Users can authenticate with no problems at all. Now, if I
assign password, I see the following ...
RADIUS OUTPUT:
radrecv: Access Request from host c0a801fd code=1, id=158, length=271
User-Name = "1991006(a)192.168.1.253"
Digest-Attributes = "\012\0111991006"
Digest-Attributes = "\001\017192.168.1.253"
Digest-Attributes = "\002*425bde0ae10d15c59c4e3a5c45288ed4175a8a2a"
Digest-Attributes = "\004\023sip:192.168.1.253"
Digest-Attributes = "\003\012REGISTER"
Digest-Response = "a341b3fdbacc4747b82e0718b31e627c"
Service-Type = Sip-Session
Sip-URI-User = "1991006"
Unknown-Attr-327681 =
"call-id=EAED054A3CA3478184AA441574592609(a)192.168.1.253"
NAS-IP-Address = 192.168.1.253
NAS-Port-Id = 5060
SQL: Attempting to reserve socket
SQL: Reserved socket 0
Username is now 1991006
Calling station Id is now 1991006
Calling station Id is now (null)
Sending Access Reject of id 158 to c0a801fd (nas linux)
Se envio Auth Reject
SQL: Socket 0 used for 0.61 seconds
SQL: Released socket 0
SER OUTPUT:
0(17666) get_hdr_field: cseq <CSeq>: <27392> <REGISTER>
0(17666) DEBUG: is_maxfwd_present: value = 70
0(17666) end of header reached, state=9
0(17666) parse_headers: flags=256
0(17666) DEBUG: get_hdr_body : content_length=0
0(17666) found end of header
0(17666) find_first_route(): No Route headers found
0(17666) loose_route(): There is no Route HF
0(17666) check_self - checking if host==us: 13==13 && [192.168.1.253]
== [192.168.1.253]
0(17666) check_self - checking if port 5060 matches port 5060
0(17666) check_nonce(): comparing
[425bde0ae10d15c59c4e3a5c45288ed4175a8a2a] and
[425bde0ae10d15c59c4e3a5c45288ed4175a8a2a]
0(17666) res: -2
0(17666) radius_authorize_sterman(): Failure
0(17666) build_auth_hf(): 'WWW-Authenticate: Digest
realm="192.168.1.253",
nonce="425bde0ae10d15c59c4e3a5c45288ed4175a8a2a"'
0(17666) parse_headers: flags=-1
0(17666) check_via_address(192.168.1.178, 192.168.1.178, 0)
0(17666) DEBUG:destroy_avp_list: destroing list (nil)
0(17666) receive_msg: cleaning up
Now, these are the questions:
1) What my radius is receiving, looks fine ?
2) What must my radius be capable of doing to authenticate users with
password ? I know you said it must resolve digest attributes, but, what
does it mean ? ( or please give me some place where to read something ).
3) I know my radius supports CHAP-MD5. Isn't it enough ?
The thing is I've using this radius for some time now, and have modified
it to help my needs. I know it's a bit old already (2002). Its ic-radius
and, according to its web page it does support digest. I think ...
Please, help me out with this one. Thanx very much
Regards,
Lucas
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.9.7 - Release Date: 12/04/2005