13 Apr
2005
13 Apr
'05
6:59 a.m.
See inline.
Lucas Aimaretto wrote:
This might confuse the radius server.
Except from that, it looks ok.
Unknown-Attr-327681 =
"call-id=EAED054A3CA3478184AA441574592609(a)192.168.1.253"
> The thing
is that I'm not seeing the Password Attribute at
> the radius output ...
Lucas,
Your RADIUS server needs to implement the Digest algorithm.
Attributes are
non-standard and are NOT sent as vendor-encapsulated, but
wrapped in the
Digest-Attributes avpair. The RADIUS server thus needs to be
able to read
the digest-attributes, convert them to individual attributes
(as below) and
then implement the DIGEST authentication mechanism.
Translated: There is no password attribute.
g-)
ATTRIBUTE Digest-Response 206 string
ATTRIBUTE Digest-Attributes 207 string
ATTRIBUTE Digest-Realm 1063 string
ATTRIBUTE Digest-Nonce 1064 string
ATTRIBUTE Digest-Method 1065 string
ATTRIBUTE Digest-URI 1066 string
ATTRIBUTE Digest-QOP 1067 string
ATTRIBUTE Digest-Algorithm 1068 string
ATTRIBUTE Digest-Body-Digest 1069 string
ATTRIBUTE Digest-CNonce 1070 string
ATTRIBUTE Digest-Nonce-Count 1071 string
ATTRIBUTE Digest-User-Name 1072 string
Ok, thanx for the answer. Anyways, I think I'll need a little help
with this. I already loaded those attributes into my dictionary, both
dictionary.ser and dictionary.sip. Now, If I have no password assigned
to my user, Users can authenticate with no problems at all. Now, if I
assign password, I see the following ...
RADIUS OUTPUT:
radrecv: Access Request from host c0a801fd code=1, id=158, length=271
User-Name = "1991006(a)192.168.1.253"
Digest-Attributes = "\012\0111991006"
Digest-Attributes = "\001\017192.168.1.253"
Digest-Attributes = "\002*425bde0ae10d15c59c4e3a5c45288ed4175a8a2a"
Digest-Attributes = "\004\023sip:192.168.1.253"
Digest-Attributes = "\003\012REGISTER"
Digest-Response = "a341b3fdbacc4747b82e0718b31e627c"
Service-Type = Sip-Session
Sip-URI-User = "1991006"
Unknown-Attr-327681 =
"call-id=EAED054A3CA3478184AA441574592609(a)192.168.1.253"
NAS-IP-Address = 192.168.1.253
NAS-Port-Id = 5060
SQL: Attempting to reserve socket
SQL: Reserved socket 0
Username is now 1991006
Calling station Id is now 1991006
Calling station Id is now (null)
Sending Access Reject of id 158 to c0a801fd (nas linux)
Se envio Auth Reject
SQL: Socket 0 used for 0.61 seconds
SQL: Released socket 0
SER OUTPUT:
0(17666) get_hdr_field: cseq <CSeq>: <27392> <REGISTER>
0(17666) DEBUG: is_maxfwd_present: value = 70
0(17666) end of header reached, state=9
0(17666) parse_headers: flags=256
0(17666) DEBUG: get_hdr_body : content_length=0
0(17666) found end of header
0(17666) find_first_route(): No Route headers found
0(17666) loose_route(): There is no Route HF
0(17666) check_self - checking if host==us: 13==13 && [192.168.1.253]
== [192.168.1.253]
0(17666) check_self - checking if port 5060 matches port 5060
0(17666) check_nonce(): comparing
[425bde0ae10d15c59c4e3a5c45288ed4175a8a2a] and
[425bde0ae10d15c59c4e3a5c45288ed4175a8a2a]
0(17666) res: -2
0(17666) radius_authorize_sterman(): Failure
0(17666) build_auth_hf(): 'WWW-Authenticate: Digest
realm="192.168.1.253",
nonce="425bde0ae10d15c59c4e3a5c45288ed4175a8a2a"' 0(17666)
parse_headers: flags=-1 0(17666) check_via_address(192.168.1.178,
192.168.1.178, 0) 0(17666) DEBUG:destroy_avp_list: destroing list
(nil) 0(17666) receive_msg: cleaning up
Now, these are the questions:
1) What my radius is receiving, looks fine ? 2) What must my radius be capable of doing to
authenticate users with
password ? I know you said it must resolve digest attributes, but,
what does it mean ? ( or please give me some place where to read
something ).
Well, do you want the RFC? ;-) (search for http digest) It's more an
implementation issue.
3) I know my radius supports CHAP-MD5. Isn't it enough ?
Nope. Digest as another algorithm than CHAP that can use MD5 too
The thing is I've using this radius for some time now, and have
modified it to help my needs. I know it's a bit old already (2002).
Its ic-radius and, according to its web page it does support digest.
I think ...
Well, it must both support digest and the bit special way the
*-digest-attritbutes are wrapped into the Digest-Attributes attribute.
I don't know ic-radius. We have implemented digest for our own (commercial)
RADIUS server.
freeRADIUS is your best bet, or the support forum for ic-radius.
g-)