Hello,
On 2/28/11 10:44 AM, Pablo Ros wrote:
I am trying to authenticate through radius (info in LDAP database).
I am using kamailio 3.1
First of all I would like to clear up an issue:
As shown the way to do the authentication is done with:
*Code:*
if (!radius_www_authorize("uu.net")) {
    www_challenge("uu.net", "0");
    return;
}
first, if you don't have the above block in main request route block,
replace 'return' with 'exit'.
Ok, when I installed openser I did it with kamailio "flavour" so it
was using the auth_radius module belonging to it.
Does anyone know which would be the correct way to do the challenge to
the user, because it was not working at all. The radius client does not
even send it.
IIRC, even for RADIUS, the challenge is built by Kamailio auth module,
nothing exchanged with the RADIUS server for challenge.
I got stuck for some time till I just decided to load the module from the ser
modules folder, and then the freeradius server started to receive my
requests correctly. Actually I can even see it authenticates them correctly.
Can you update kamailio default config where you replace auth_db module
with auth_radius (from modules_k), and inside the routing blocks use:
- www_radius_authorize() instead of www_authorize()
- proxy_radius_authorize() instead of proxy_authorize()
Then start it with:
kamailio -E -ddd
and see if you see any hint/error there. Then run a test call and watch
the logs, you should see some errors if communication with radius is not
happening. If you don't understand exactly what happened, send those
messages here.
Cheers,
Daniel
However Openser/Kamailio doesn't seem to see the same and it doesn't
save location.
*Code:*
route[AUTH] {
#!ifdef WITH_AUTH
    # First check whether the request belongs to our domain; if not,
    # there is no need to check credentials.
    if (uri==myself) {
        if (is_method("REGISTER")) {
            xlog("L_NOTICE","KAM-INFO: r[AUTH] - REGISTER - User info: ($fu):($si)>\n");
            if (!radius_www_authorize("i2cat.net")) {
                route(RADIUS);
                #www_challenge("i2cat.net","0");
                exit;
            }
        }
        if ($au!=$tU) {
            sl_send_reply("403","Forbidden auth ID");
            exit;
        }
    } else {
#!ifdef WITH_IPAUTH
        if(allow_source_address()) {
            # source IP allowed
            return;
        }
#!endif
        # authenticate if from local subscriber
        if (from_uri==myself) {
            if (!proxy_authorize("$fd", "subscriber")) {
                proxy_challenge("$fd", "0");
                exit;
            }
            if (is_method("PUBLISH")) {
                if ($au!=$tU) {
                    sl_send_reply("403","Forbidden auth ID");
                    exit;
                }
            } else {
                if ($au!=$fU) {
                    sl_send_reply("403","Forbidden auth ID");
                    exit;
                }
            }
            consume_credentials();
            # caller authenticated
        } else {
            # caller is not local subscriber, then check if it calls
            # a local destination, otherwise deny, not an open relay here
            if (!uri==myself) {
                sl_send_reply("403","Not relaying");
                exit;
            }
        }
    }
#!endif
    return;
}
Before doing the challenge it just goes through:
*Code:*
route[RADIUS]
{
    sl_send_reply("100", "Trying");
    append_to_reply("Expires: 600\r\n");
    append_to_reply("Min-Expires: 240\r\n");
    xlog("L_NOTICE","KAM-INFO: RADIUS AUTHENTICATION - AUTHORIZING USER $fU - <$fu>:<$si>\n");
    xlog("L_NOTICE","KAM-INFO: CHALLENGING. - RETCODE-> $rc \n");
    www_challenge("i2cat.net", "0");
    # note: $rc is the return code of the last called function, so at this
    # point it holds the result of www_challenge(), not of radius_www_authorize()
    switch($rc){
        case -5:
            xlog("L_INFO", "-> 500: internal server error");
            sl_send_reply("500", "Internal Server Error");
            break;
        case -4:
            xlog("L_INFO", "-> 404: credentials not found");
            sl_send_reply("404", "Credentials Not Found");
            break;
        case -3:
            xlog("L_INFO", "-> 400: bad request - stale nonce");
            sl_send_reply("400", "Bad Request");
            break;
        case -2:
            xlog("L_INFO", "-> 401: invalid password");
            sl_send_reply("401", "Invalid Password");
            break;
        case -1:
            xlog("L_INFO", "-> 401: invalid user");
            sl_send_reply("401", "Invalid User");
            break;
        default:
            xlog("L_INFO", "-> 401: unauthorized");
            sl_send_reply("401", "Unauthorized");
    }
}
Buuuuuuuuuuuuut... I got that in the debug of Kamailio:
*Code:*
4(31099) DEBUG: auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
4(31099) DEBUG: auth_radius [sterman.c:271]: radius_authorize_sterman(): Success
4(31099) WARNING: auth_radius [authorize.c:89]: RADIUS server did not send SER-UID attribute in digest authentication reply
4(31099) DEBUG: auth [challenge.c:102]: build_challenge_hf: realm='i2cat.net'
4(31099) DEBUG: auth [challenge.c:113]: build_challenge_hf: qop='auth'
4(31099) DEBUG: auth [challenge.c:236]: auth: 'WWW-Authenticate: Digest realm="i2cat.net", nonce="TWZJLk1mSAKFVzL0b+dVPzkuyyAnZHQs", qop="auth"
I guess it has something to do with this SER-UID attribute and thus
something about the dictionary? It is weird seeing that the radius
server says 'ok' but then openser is not authenticating it.
I need some clues! Thank you!
--
Pablo Ros
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla
http://www.asipto.com
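Daniel's swap (auth_db out, auth_radius from modules_k in) written out for the kamailio 3.1 default config, as an added example and not code from this thread. It uses the modules_k module's radius_www_authorize()/radius_proxy_authorize() (the spelling already used in Pablo's first snippet), which do not look for a SER-UID attribute in the RADIUS reply, and reads $rc right after the failed call so the real failure code reaches the log. The radiusclient-ng path, $fd as the realm and the $var(arc) name are assumptions.

```cfg
# Replaces the auth_db pieces of the kamailio 3.1 default config with the
# modules_k auth_radius module (added example; paths and names assumed).
loadmodule "auth.so"
loadmodule "auth_radius.so"
# radiusclient-ng config (assumed path): server, shared secret and the
# dictionary with the SIP digest attributes shipped in the module's etc/ dir.
modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")

route[AUTH] {
    if (uri==myself && is_method("REGISTER")) {
        # Realm is the Request-URI domain ($fd), as the default config uses
        # for www_authorize(); the digest is verified by the RADIUS server.
        if (!radius_www_authorize("$fd")) {
            # Read $rc before calling anything else: every module function
            # call overwrites it. $var(arc) is just a local name.
            $var(arc) = $rc;
            xlog("L_INFO", "RADIUS auth failed for $au@$fd from $si (rc=$var(arc))\n");
            www_challenge("$fd", "0");
            exit;
        }
        # Digest username must match the AoR being registered
        if ($au != $tU) {
            sl_send_reply("403", "Forbidden auth ID");
            exit;
        }
        return;
    }
    if (from_uri==myself) {
        if (!radius_proxy_authorize("$fd")) {
            $var(arc) = $rc;
            xlog("L_INFO", "RADIUS proxy auth failed for $au@$fd from $si (rc=$var(arc))\n");
            proxy_challenge("$fd", "0");
            exit;
        }
        # Digest username must match the From user
        if ($au != $fU) {
            sl_send_reply("403", "Forbidden auth ID");
            exit;
        }
        consume_credentials();
        return;
    }
    # Not from a local subscriber: relay only to a local destination
    if (!uri==myself) {
        sl_send_reply("403", "Not relaying");
        exit;
    }
    return;
}
```

Start with `kamailio -E -ddd` as Daniel suggests and the xlog lines above show the module's own return code together with any radiusclient error printed before it.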