Yes, I ran into the same problem when I was writing the howto, and it only happens if you run the client on the same host as the server. That's the reason why I told you to check your config for multiple entries for 127.0.0.1.
I think I should document this in the FAQ.
Jan.
On 23-09 14:08, Steven R. Bunin wrote:
Jan,
You were right.. I had updated the client's password in the client file and not the client.conf file.. WOW!!.. I can't believe I missed that one.
Thank you soooo much.. you're a genius.
Steve
Jan Janak wrote:
Hello,
the error message below comes from radiusclient library and means that the radiusclient library was unable to verify __digest of RADIUS message__ (it is not related to SIP digest) because shared secrets of the client and server do not match.
Jan.
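The check behind "received invalid reply digest", as an added example that is not part of the thread and is not the radiusclient library's code: a RADIUS reply carries a Response Authenticator, an MD5 hash over the reply header, the request's authenticator, the attributes and the shared secret (RFC 2865), so the server can log "Sending Access-Accept" while the client still rejects the reply. The secrets, labels and request authenticator below are constructed sample values, and `which_secret` is a hypothetical helper for finding which configured secret the server actually signed with.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2    # RADIUS code for Access-Accept
REPLY_MESSAGE = 18   # attribute type of Reply-Message

def reply_message(text):
    """Encode one Reply-Message attribute as type, length, value."""
    data = text.encode()
    return struct.pack("!BB", REPLY_MESSAGE, len(data) + 2) + data

def build_reply(code, ident, request_auth, attrs, secret):
    """Server side: sign the reply with the server's copy of the secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def verify_reply(packet, request_auth, secret):
    """Client side: recompute the Response Authenticator and compare."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        return False
    packet = packet[:length]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def which_secret(packet, request_auth, candidates):
    """Return the labels of the configured secrets that validate the reply."""
    return [label for label, secret in candidates.items()
            if verify_reply(packet, request_auth, secret)]

# Constructed sample values, not taken from the thread.
REQUEST_AUTH = bytes(range(16))              # normally 16 random bytes
CANDIDATES = {
    "client servers file": b"old-secret",
    "server entry for 127.0.0.1 (first)": b"testing123",
    "server entry for 127.0.0.1 (second)": b"new-secret",
}
# The server signs with the secret it holds for this client.
REPLY = build_reply(ACCESS_ACCEPT, 139, REQUEST_AUTH,
                    reply_message("Authenticated"), b"new-secret")

if __name__ == "__main__":
    print("client accepts reply:", verify_reply(REPLY, REQUEST_AUTH, b"old-secret"))
    print("secret the server used:", which_secret(REPLY, REQUEST_AUTH, CANDIDATES))
```

The same comparison fails when the attributes are altered in transit, so a mismatch means either differing secrets or a modified reply.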
On 23-09 13:50, Steven R. Bunin wrote:
Jan,
Is there anything specific needed in the Freeradius configuration for Digest Authentication? I ask this because SER is reporting "check_radius_reply: received invalid reply digest from RADIUS server".
I ran the test with radclient as suggested in the Radius-howto and it worked as expected.
steve
Jan Janak wrote:
I really don't know what to tell you more, there simply must be some problem in your setup because I am pretty sure that the radius code in ser works. Read ser-radius howto carefully and double check every step.
One last thing, you are running the server and client on the same host, double check that you don't have two entries for 127.0.0.1 or localhost in the configuration files of the server (one is there by default).
Also, do the test using radclient as described in ser-radius howto.
Jan.
On 23-09 13:25, Steven R. Bunin wrote:
Jan,
Just checked that and both my client and server files match in terms of the secret. I also did a test using XTradius on a different server. I need to update that XTradius with the ser dictionary and it might work, as of now the XTradius is saying it is not receiving a password.
Steve
Jan Janak wrote:
Check that you really configured the same shared secret in the radiusclient library and the radius server. I remember I had the same problem when I accidentally misconfigured the secret.
Jan.
On 23-09 13:11, Steven R. Bunin wrote:
> Hi Jan,
>
> I am running freeradius with the -X and it is sending back whatever message I place in my "Reply-message = ..." field.
>
> here is the output..
>
> rlm_eap: EAP-Message not found
> rlm_digest: Converting Digest-Attributes to something sane...
>     Digest-User-Name = "17182681152"
>     Digest-Realm = "sip2.solaas.com"
>     Digest-Nonce = "3f70740aca7efa44e94e91a8df73c19d5c4318fc"
>     Digest-URI = "sip:sip2.solaas.com"
>     Digest-Method = "REGISTER"
> rlm_digest: Adding Auth-Type = DIGEST
> Sending Access-Accept of id 138 to 127.0.0.1:33966
> rad_recv: Access-Request packet from host 127.0.0.1:33966, id=139, length=227
>     User-Name = "17182681152@sip2.solaas.com"
>     Digest-Attributes = 0x0a0d3137313832363831313532
>     Digest-Attributes = 0x0111736970322e736f6c6161732e636f6d
>     Digest-Attributes = 0x022a33663730373434376537393537646530346662333637643335373333643436613631366435616564
>     Digest-Attributes = 0x04157369703a736970322e736f6c6161732e636f6d
>     Digest-Attributes = 0x030a5245474953544552
>     Digest-Response = "1c54b2afbdd7ea6b401e20e056c22ebe"
>     Service-Type = IAPP-Register
>     X-Ascend-PW-Lifetime = 0x3137313832363831313532
>     NAS-IP-Address = 127.0.0.1
>     NAS-Port = 5060
> rlm_eap: EAP-Message not found
> rlm_digest: Converting Digest-Attributes to something sane...
>     Digest-User-Name = "17182681152"
>     Digest-Realm = "sip2.solaas.com"
>     Digest-Nonce = "3f707447e7957de04fb367d35733d46a616d5aed"
>     Digest-URI = "sip:sip2.solaas.com"
>     Digest-Method = "REGISTER"
> rlm_digest: Adding Auth-Type = DIGEST
> Sending Access-Accept of id 139 to 127.0.0.1:33966
>
> As you can see, there is an Access-Accept being sent.. but my Xten-Pro sipphone is receiving an Unauthorized message from SER (based on my ethereal packet sniffer).
>
> Steve
>
> Jan Janak wrote:
>
> > Hello,
> >
> > I suppose you are using freeradius server. Start it with -X option and see the output.
> >
> > Jan.
> >
> > On 23-09 13:01, Steven R. Bunin wrote:
> > > I am also using Ser with Radius and finally got the Radiusclient, Radius and Ser to all talk together. The only issue I have is that the radius server is not sending back what the radiusclient is looking for in order to tell Ser to authenticate the user (I hope that isn't too confusing).
> > >
> > > The lines affecting radius in my ser.cfg are
> > > modparam("auth_radius","radius_config","/usr/local/etc/radiusclient/radiusclient.conf")
> > >
> > > route{
> > >     log(1,"logging so message came in");
> > >
> > >     if (uri=~"solaas.com") {
> > >         log(1,"sip_2 ip came through");
> > >
> > >         if (method=="REGISTER") {
> > >             log(1,"register go through");
> > >
> > >             # Uncomment this if you want to use digest authentication
> > >             if (!radius_www_authorize("")) {
> > >                 www_challenge("","0");
> > >                 log(1,"request came in");
> > >                 break;
> > >             };
> > >
> > >             save("location");
> > >             break;
> > >         };
> > >     }
> > >
> > > I can add my radiusclient.conf file if it will help you..
> > >
> > > my users file for the radius server looks like this:
> > >
> > > xxxxxxxxxx@sip.server.com Auth-Type := Digest, User-Password == "1234"
> > >     Reply-Message = "Authenticated"
> > >
> > > Hope that helps and also let me know if anyone sees anything wrong with my radius setup so I can finally authenticate.
> > >
> > > Steve
> > >
> > > > Message: 1
> > > > Date: Tue, 23 Sep 2003 11:24:11 -0500
> > > > From: "Steve Dolloff" sdolloff@noc.dls.net
> > > > Subject: RE: [Serusers] Troubles setting up radius authentication
> > > > To: "Jan Janak" jan@iptel.org
> > > > Cc: Serusers serusers@lists.iptel.org
> > > > Message-ID: ADCFA6B7CA0C754EB837B423E5A521D2543512@mailbox.noc.dls.net
> > > > Content-Type: text/plain; charset="us-ascii"
> > > >
> > > > Yes, I have added the SIP definitions to the radiusclient library. It is the dictionary file defined in the radiusclient.conf file as /etc/sip_dictionary. It was created using the dictionary file from radiusclient and adding the information from the link that you referred to.
> > > >
> > > > -----------------------
> > > >
> > > > Hello,
> > > >
> > > > if there is no radius traffic then radiusclient library has some problems when building the request. Did you extend your radius dictionary as described in http://iptel.org/ser/ser_radius.html ?
> > > >
> > > > Jan.
> > > >
> > > > On 23-09 10:38, Steve Dolloff wrote:
> > > > > I am trying to switch from database authentication to radius authentication.
> > > > >
> > > > > I have compiled and installed the module.
> > > > >
> > > > > I have added the following to my ser.cfg
> > > > >
> > > > > modparam("auth_radius", "radius_config", "/etc/ser/radiusclient.conf")
> > > > > modparam("auth_radius", "service_type",15)
> > > > >
> > > > > if (method=="REGISTER") {
> > > > >     log(1,"authenticating");
> > > > >     if (!radius_www_authorize("test.net")) {
> > > > >         log(1,"radius auth failure");
> > > > >         www_challenge("test.net", "0");
> > > > >         break;
> > > > >     };
> > > > >
> > > > > I have configured the following in /etc/ser/radiusclient.conf
> > > > > authserver radius1.test.net:1812
> > > > > authserver radius2.test.net:1812
> > > > > servers /etc/servers
> > > > > dictionary /etc/sip_dictionary
> > > > >
> > > > > I have configured the following in /etc/servers
> > > > >
> > > > > Radius1.test.net secret
> > > > > Radius2.test.net secret2
> > > > >
> > > > > I get the following in my messages log.
> > > > >
> > > > > Sep 23 10:39:03 voip2 /usr/sbin/ser[25945]: authenticating
> > > > > Sep 23 10:39:03 voip2 /usr/sbin/ser[25945]: radius auth failure
> > > > > Sep 23 10:39:30 voip2 /usr/sbin/ser[25947]: authenticating
> > > > > Sep 23 10:39:30 voip2 /usr/sbin/ser[25947]: radius auth failure
> > > > > Sep 23 10:39:30 voip2 /usr/sbin/ser[25949]: authenticating
> > > > > Sep 23 10:39:30 voip2 /usr/sbin/ser[25949]: radius auth failure
> > > > > Sep 23 10:39:34 voip2 /usr/sbin/ser[25948]: authenticating
> > > > > Sep 23 10:39:34 voip2 /usr/sbin/ser[25948]: radius auth failure
> > > > > Sep 23 10:39:34 voip2 /usr/sbin/ser[25945]: authenticating
> > > > > Sep 23 10:39:34 voip2 /usr/sbin/ser[25945]: radius auth failure
> > > > >
> > > > > And ngrep port 1812 shows no traffic at all. Where are these auth requests going? How can I get more debug info?
> > > > >
> > > > > Thanks for your help.
> > > > >
> > > > > Stephen
-- Steven R. Bunin - Managing Partner
SOLAAS LLC 10 East 39th Street Suite 1125 New York, NY 10016 (+001) 212-532-6700 Cellular: 646-739-7000 Fax (+001) 212-532-6776