Hello,
you should just use www_challenge() to send back the 401 response.
Here is an old tutorial, from the time when the project was named openser, but it could be good reading anyhow:
- http://www.kamailio.org/docs/openser-radius-1.0.x.html
The authentication part is pretty much the same.
Cheers, Daniel
On 05/05/14 12:00, Måns Nilsson wrote:
[first post to list]
Greetings,
I'm in the process of getting a Kamailio 3.3.2 installation authenticating its SIP accounts against a RADIUS database. There are -- at the moment -- no plans to do any fancy accounting nor any authorisation beyond simple authentication.
I've set up and tested a FreeRadius 2.2.3_1 server on a dedicated server.
After a fairly steep learning curve involving RADIUS dictionaries I've come so far that kamailio sends out a RADIUS Access-Request message that is received by FreeRadius, processed, and returned to Kamailio which promptly ignores it and continues to send 401 to the client; the SIP message exchange with the client being:
(some identifying info has been redacted)
REGISTER sip:my.domain SIP/2.0
< SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.25.191.24:41688;branch=z9hG4bK-d8754z-eac09e6c626d4c4d-1---d8754z-;rport=41688
REGISTER sip:my.domain SIP/2.0
Via: SIP/2.0/UDP 10.25.191.24:41688;branch=z9hG4bK-d8754z-4f25c643f4b93465-1---d8754z-;rport
< SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.25.191.24:41688;branch=z9hG4bK-d8754z-4f25c643f4b93465-1---d8754z-;rport=41688
The RADIUS exchange:
10:07:10.861063 IP (tos 0x0, ttl 64, id 14964, offset 0, flags [none], proto UDP (17), length 270)
    10.24.194.198.63712 > 10.24.194.196.1812: [udp sum ok] RADIUS, length: 242
        Access Request (1), id: 0x05, Authenticator: 4215e95809551826eda76972be4106c4
          Username Attribute (1), length: 18, Value: mtu-06@my.domain
            0x0000: 6d74 752d 3036 4069 706b 2e73 722e 7365
          Unknown Attribute (207), length: 10, Value:
            0x0000: 0a08 6d74 752d 3036
          Unknown Attribute (207), length: 13, Value:
            0x0000: 010b 6970 6b2e 7372 2e73 65
          Unknown Attribute (207), length: 36, Value:
            0x0000: 0222 5532 6448 326c 4e6e 5271 3677 4353
            0x0010: 6463 6775 5056 3050 516e 3936 324d 5635
            0x0020: 6d34
          Unknown Attribute (207), length: 17, Value:
            0x0000: 040f 7369 703a 6970 6b2e 7372 2e73 65
          Unknown Attribute (207), length: 12, Value:
            0x0000: 030a 5245 4749 5354 4552
          Unknown Attribute (207), length: 8, Value:
            0x0000: 0506 6175 7468
          Unknown Attribute (207), length: 12, Value:
            0x0000: 090a 3030 3030 3030 3031
          Unknown Attribute (207), length: 36, Value:
            0x0000: 0822 3933 3832 3333 3333 3530 3162 3238
            0x0010: 6439 3236 3739 3863 3964 3038 6539 3134
            0x0020: 3733
          Unknown Attribute (206), length: 34, Value:
            0x0000: 3538 3665 3336 3763 3230 3163 3137 6438
            0x0010: 6261 3265 3830 3533 3763 6433 3562 3761
          Service Type Attribute (6), length: 6, Value: #15
            0x0000: 0000 000f
          Unknown Attribute (208), length: 8, Value:
            0x0000: 6d74 752d 3036
          NAS Port Attribute (5), length: 6, Value: 5060
            0x0000: 0000 13c4
          NAS IP Address Attribute (4), length: 6, Value: 10.24.194.198
            0x0000: c079 c2c6
10:07:10.863964 IP (tos 0x0, ttl 64, id 28916, offset 0, flags [none], proto UDP (17), length 48)
    10.24.194.196.1812 > 10.24.194.198.63712: [bad udp cksum 0x06ac -> 0x44c0!] RADIUS, length: 20
        Access Accept (2), id: 0x05, Authenticator: 8f07de871a066aacfbe822e20a9b96c1
The RADIUS part of the Kamailio config is:
    if (is_method("REGISTER") || from_uri==myself)
    #if (is_method("REGISTER") )
    {
        # authenticate requests
        xlog("L_INFO", "authenticate [$fd]\n");
        ### RADIUS ###
        if (!radius_www_authorize("my.domain")) {
            $var(ret) = $rc;
            xlog("L_INFO", "response code: [$var(ret)]\n");
            switch ($var(ret)) {
                case -7:
                    send_reply("500", "Server Internal Error");
                    exit;
                case -1:
                    send_reply("400", "Bad Request");
                    exit;
                default:
            };
            if (defined($avp(digest_challenge)) && ($avp(digest_challenge) != "")) {
                append_to_reply("$avp(digest_challenge)");
            };
            send_reply("401", "Unauthorized");
            exit;
        };
        # user authenticated - remove auth header
        if(!is_method("REGISTER|PUBLISH"))
            consume_credentials();
    }
Any clues? What is missing from my narrative?
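To read the "Unknown Attribute (207)" and "(206)" entries in a capture like the one quoted above, the following added example (not part of the thread and not Kamailio or FreeRADIUS code) decodes a RADIUS packet and expands the nested digest sub-attributes. It assumes the draft-sterman-aaa-sip sub-attribute numbering, which is consistent with the bytes in the capture; the function names are hypothetical and the sample packets are constructed with made-up values.

```python
import struct

# Sub-attribute numbers inside Digest-Attributes (207). Assumption: draft-sterman-aaa-sip.
SUBATTRS = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 5: "QOP",
            6: "Algorithm", 7: "Body-Digest", 8: "CNonce",
            9: "Nonce-Count", 10: "User-Name"}
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}

def tlvs(buf: bytes):
    """Yield (type, value) pairs; the length byte counts its own 2-byte header."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError(f"malformed TLV at offset {pos}")
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def parse_radius(pkt: bytes) -> dict:
    """Decode a RADIUS packet, expanding attributes 206/207 into digest fields."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("length field disagrees with packet size")
    out = {"code": CODES.get(code, str(code)), "id": ident, "attrs": [], "digest": {}}
    for atype, value in tlvs(pkt[20:length]):
        if atype == 207:                      # Digest-Attributes: nested TLVs
            for sub, text in tlvs(value):
                out["digest"][SUBATTRS.get(sub, f"sub-{sub}")] = text.decode("ascii", "replace")
        elif atype == 206:                    # Digest-Response: hex string
            out["digest"]["Response"] = value.decode("ascii", "replace")
        else:                                 # everything else stays raw
            out["attrs"].append((atype, value))
    return out

def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def build_sample():
    """Constructed packets shaped like the capture (all values are made up)."""
    body = _attr(1, b"alice@my.domain") + _attr(206, b"0" * 32)
    for sub, text in ((10, b"alice"), (1, b"my.domain"), (3, b"REGISTER"), (5, b"auth")):
        body += _attr(207, _attr(sub, text))
    request = struct.pack("!BBH", 1, 5, 20 + len(body)) + bytes(16) + body
    accept = struct.pack("!BBH", 2, 5, 20) + bytes(16)   # header only, no attributes
    return request, accept
```

Calling `parse_radius()` on each packet from `build_sample()` shows the digest fields of the request by name and confirms that a 20-byte Access-Accept carries no attributes at all.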