Re: [Serusers] Seruser - Radius authentication

Hello, the error message below comes from radiusclient library and means that the radiusclient library was unable to verify __digest of RADIUS message__ (it is not related to SIP digest) because shared secrets of the client and server do not match. Jan. On 23-09 13:50, Steven R. Bunin wrote: > Jan, > > Is there anything specific needed in the Freeradius configuartion for Digest Authentication. I ask this > because SER is reporting "check_radius_reply: received invalid reply digest from RADIUS server". > > I ran the test with radclient as suggested in the Radius-howto and it worked as expected. > > steve > > Jan Janak wrote: > > > I really don't know what to tell you more, there simply must be some > > problem in your setup because I am pretty sure that the radius code in > > ser works. Read ser-radius howto carefully and double check every step. > > > > One last thing, you are running the server and client on the same host, > > double check that you don't have two entries for 127.0.0.1 or localhost > > in the configuration files of the server (one is there by default). > > > > Also, do the test using radclient as described in ser-radius howto. > > > > Jan. > > > > On 23-09 13:25, Steven R. Bunin wrote: > > > Jan, > > > > > > Just checked that and both my client and server files match in terms of the secret. I also did a > > > test using XTradius on a different server. I need to update that XTradius with the ser dictionary > > > and it might work, as of now the XTradius is saying it is not receiving a password. > > > > > > Steve > > > > > > Jan Janak wrote: > > > > > > > Check that you really configured the same shared secret in the > > > > radiusclient library and the radius server. I remember I had the same > > > > problem when I accidentally misconfigured the secret. > > > > > > > > Jan. > > > > > > > > On 23-09 13:11, Steven R. Bunin wrote: > > > > > Hi Jan, > > > > > > > > > > I am running freeradius with the -X and it is sending back whatever message I place in my > > > > > "Reply-message = ..." field. > > > > > > > > > > here is the output.. > > > > > > > > > > rlm_eap: EAP-Message not found > > > > > rlm_digest: Converting Digest-Attributes to something sane... > > > > > Digest-User-Name = "17182681152" > > > > > Digest-Realm = "sip2.solaas.com" > > > > > Digest-Nonce = "3f70740aca7efa44e94e91a8df73c19d5c4318fc" > > > > > Digest-URI = "sip:sip2.solaas.com" > > > > > Digest-Method = "REGISTER" > > > > > rlm_digest: Adding Auth-Type = DIGEST > > > > > Sending Access-Accept of id 138 to 127.0.0.1:33966 > > > > > rad_recv: Access-Request packet from host 127.0.0.1:33966, id=139, > > > > > length=227 > > > > > User-Name = "17182681152(a)sip2.solaas.com" > > > > > Digest-Attributes = 0x0a0d3137313832363831313532 > > > > > Digest-Attributes = 0x0111736970322e736f6c6161732e636f6d > > > > > Digest-Attributes = > > > > > 0x022a33663730373434376537393537646530346662333637643335373333643436613631366435616564 > > > > > Digest-Attributes = 0x04157369703a736970322e736f6c6161732e636f6d > > > > > Digest-Attributes = 0x030a5245474953544552 > > > > > Digest-Response = "1c54b2afbdd7ea6b401e20e056c22ebe" > > > > > Service-Type = IAPP-Register > > > > > X-Ascend-PW-Lifetime = 0x3137313832363831313532 > > > > > NAS-IP-Address = 127.0.0.1 > > > > > NAS-Port = 5060 > > > > > rlm_eap: EAP-Message not found > > > > > rlm_digest: Converting Digest-Attributes to something sane... > > > > > Digest-User-Name = "17182681152" > > > > > Digest-Realm = "sip2.solaas.com" > > > > > Digest-Nonce = "3f707447e7957de04fb367d35733d46a616d5aed" > > > > > Digest-URI = "sip:sip2.solaas.com" > > > > > Digest-Method = "REGISTER" > > > > > rlm_digest: Adding Auth-Type = DIGEST > > > > > Sending Access-Accept of id 139 to 127.0.0.1:33966 > > > > > > > > > > As you can see, there is an Access-Accept being sent.. but my Xten-Pro sipphone is receiving > > > > > an Unauthorized message from SER (based on my ethereal packet sniffer). > > > > > > > > > > Steve > > > > > > > > > > > > > > > Jan Janak wrote: > > > > > > > > > > > Hello, > > > > > > > > > > > > I suppose you are using freeradius server. Start it with -X option and > > > > > > see the output. > > > > > > > > > > > > Jan. > > > > > > > > > > > > On 23-09 13:01, Steven R. Bunin wrote: > > > > > > > I am also using Ser with Radius and finally got the Radiusclient, Radius and > > > > > > > Ser to all talk together. The only issue I have is that the radius server is > > > > > > > not sending back what the radiusclient it looking for in order to tell Ser to > > > > > > > authenticate the user (I hope that isn't too confusing). > > > > > > > > > > > > > > The lines affecting radius in my ser.cfg are > > > > > > > modparam("auth_radius","radius_config","/usr/local/etc/radiusclient/radiusclient.conf") > > > > > > > > > > > > > > route{ > > > > > > > log(1,"logging so message came in"); > > > > > > > > > > > > > > if (uri=~"solaas.com") { > > > > > > > log(1,"sip_2 ip came through"); > > > > > > > > > > > > > > if (method=="REGISTER") { > > > > > > > log(1,"register go through"); > > > > > > > > > > > > > > # Uncomment this if you want to use digest authentication > > > > > > > if (!radius_www_authorize("")) { > > > > > > > www_challenge("","0"); > > > > > > > log(1,"request came in"); > > > > > > > break; > > > > > > > }; > > > > > > > > > > > > > > save("location"); > > > > > > > break; > > > > > > > }; > > > > > > > } > > > > > > > > > > > > > > I can add my radiusclient.conf file if it will help you.. > > > > > > > > > > > > > > my users file for the radius server looks like this: > > > > > > > > > > > > > > xxxxxxxxxx(a)sip.server.com Auth-Type := Digest, User-Password == "1234" > > > > > > > Reply-Message = "Authenticated" > > > > > > > > > > > > > > Hope that helps and also let me know if anyone sees anything wrong with my > > > > > > > radius setup so I can finally authenticate. > > > > > > > > > > > > > > Steve > > > > > > > > > > > > > > > > > > > > > > > Message: 1 > > > > > > > > Date: Tue, 23 Sep 2003 11:24:11 -0500 > > > > > > > > From: "Steve Dolloff" <sdolloff(a)noc.dls.net> > > > > > > > > Subject: RE: [Serusers] Troubles setting up radius authentication > > > > > > > > To: "Jan Janak" <jan(a)iptel.org> > > > > > > > > Cc: Serusers <serusers(a)lists.iptel.org> > > > > > > > > Message-ID: > > > > > > > > <ADCFA6B7CA0C754EB837B423E5A521D2543512(a)mailbox.noc.dls.net> > > > > > > > > Content-Type: text/plain; charset="us-ascii" > > > > > > > > > > > > > > > > Yes, I have added the SIP definitions to the radiusclient library. It > > > > > > > > is the dictionary file defined in the radiusclient.conf file as > > > > > > > > /etc/sip_dictionary. It was created using the dictionary file from > > > > > > > > radiusclient and adding the information from the link that you refered > > > > > > > > to. > > > > > > > > > > > > > > > > ----------------------- > > > > > > > > > > > > > > > > Hello, > > > > > > > > > > > > > > > > if there is no radius traffic then radiusclient library has some > > > > > > > > problems when buiding the request. Did you extend your radius dictionary > > > > > > > > as described in http://iptel.org/ser/ser_radius.html ? > > > > > > > > > > > > > > > > Jan. > > > > > > > > > > > > > > > > On 23-09 10:38, Steve Dolloff wrote: > > > > > > > > > I am trying to switch from database authentication to radius > > > > > > > > > authentication. > > > > > > > > > > > > > > > > > > I have compiled and installed the module. > > > > > > > > > > > > > > > > > > I have added the following to my ser.cfg > > > > > > > > > > > > > > > > > > modparam("auth_radius", "radius_config", "/etc/ser/radiusclient.conf") > > > > > > > > > modparam("auth_radius", "service_type",15) > > > > > > > > > > > > > > > > > > if (method=="REGISTER") { > > > > > > > > > log(1,"authenticating"); > > > > > > > > > if (!radius_www_authorize("test.net")) > > > > > > > > { > > > > > > > > > log(1,"radius auth failure"); > > > > > > > > > www_challenge("test.net", > > > > > > > > "0"); > > > > > > > > > break; > > > > > > > > > }; > > > > > > > > > > > > > > > > > > I have configured the following in /etc/ser/radiusclient.conf > > > > > > > > > authserver radius1.test.net:1812 > > > > > > > > > authserver radius2.test.net:1812 > > > > > > > > > servers /etc/servers > > > > > > > > > dictionary /etc/sip_dictionary > > > > > > > > > > > > > > > > > > I have configured the following in /etc/servers > > > > > > > > > > > > > > > > > > Radius1.test.net secret > > > > > > > > > Radius2.test.net secret2 > > > > > > > > > > > > > > > > > > I get the following in my messages log. > > > > > > > > > > > > > > > > > > Sep 23 10:39:03 voip2 /usr/sbin/ser[25945]: authenticating > > > > > > > > > Sep 23 10:39:03 voip2 /usr/sbin/ser[25945]: radius auth failure > > > > > > > > > Sep 23 10:39:30 voip2 /usr/sbin/ser[25947]: authenticating > > > > > > > > > Sep 23 10:39:30 voip2 /usr/sbin/ser[25947]: radius auth failure > > > > > > > > > Sep 23 10:39:30 voip2 /usr/sbin/ser[25949]: authenticating > > > > > > > > > Sep 23 10:39:30 voip2 /usr/sbin/ser[25949]: radius auth failure > > > > > > > > > Sep 23 10:39:34 voip2 /usr/sbin/ser[25948]: authenticating > > > > > > > > > Sep 23 10:39:34 voip2 /usr/sbin/ser[25948]: radius auth failure > > > > > > > > > Sep 23 10:39:34 voip2 /usr/sbin/ser[25945]: authenticating > > > > > > > > > Sep 23 10:39:34 voip2 /usr/sbin/ser[25945]: radius auth failure > > > > > > > > > > > > > > > > > > And ngrep port 1812 shows no traffic at all. Where are these auth > > > > > > > > > request going? How can I get more debug info? > > > > > > > > > > > > > > > > > > Thanks for your help. > > > > > > > > > > > > > > > > > > Stephen > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > > Serusers mailing list > > > > > > > > > serusers(a)lists.iptel.org > > > > > > > > > http://lists.iptel.org/mailman/listinfo/serusers > > > > > > > > >