Hi,
List, happy new year!
This is probably a stupid question, but I cannot solve it. The UA cannot register with OpenSER. I think the first five steps work and the last one fails. The debug output shows two errors. The first is " 0(5898) radius_is_user_in(): Failure"; the other is " 0(5898) DEBUG:avpops:ops_check_avp: no src avp found". Please give me some help and suggestions.
My configuration file and debug information follow. Thanks!
HTTP/SIP RADIUS
+-----+ (1) +-----+ +-----+
| |==========>| | | |
| | (2) | | | |
| |<==========| | | |
| | (3) | | | |
| |==========>| | | |
| A | | B | (4) | C |
| | | |---------->| |
| | | | (5) | |
| | | |<----------| |
| | (6) | | | |
| |<==========| | | |
+-----+ +-----+ +-----+
====> HTTP/SIP
----> RADIUS
I set up the system following the document (http://www.openser.org/docs/openser-radius-1.0.x.html).
My OpenSER is openser-1.1.0-tls, and the openser.cfg file is the same as in the document.
#
#$Id$
#
# radius config script
#
# ----------- global configuration parameters ------------------------
# Troubleshooting profile: maximum debug verbosity, logging to stderr, no
# forking. At this level the trace prints digest nonces, user names and
# RADIUS AVPs (visible in the log posted with this config), so treat the
# output as sensitive and lower the debug level before production use.
debug=7 # debug level (cmd line: -dddddddddd)
fork=no
log_stderror=yes # (cmd line: -E)
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
port=5060
children=4
# Single UDP listener plus the host names this proxy answers for.
listen=udp:192.168.168.3
alias="swifton.org"
alias="192.168.168.3"
#fifo="/tmp/openser_fifo"
# ------------------ module loading ----------------------------------
[root@localhost openser]# cat openser.cfg
#
#$Id$
#
# radius config script
#
# ----------- global configuration parameters ------------------------
# Troubleshooting profile: maximum debug verbosity, logging to stderr, no
# forking. At this level the trace prints digest nonces, user names and
# RADIUS AVPs (visible in the log posted with this config), so treat the
# output as sensitive and lower the debug level before production use.
debug=7 # debug level (cmd line: -dddddddddd)
fork=no
log_stderror=yes # (cmd line: -E)
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
port=5060
children=4
# Single UDP listener plus the host names this proxy answers for.
listen=udp:192.168.168.3
alias="swifton.org"
alias="192.168.168.3"
#fifo="/tmp/openser_fifo"
# ------------------ module loading ----------------------------------
# Directory the modules below are loaded from.
mpath="/usr/local/lib/openser/modules"
loadmodule "mysql.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "avpops.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "xlog.so"
loadmodule "uri.so"
loadmodule "acc.so"
loadmodule "auth.so"
# RADIUS-backed modules; the routing logic below relies on them for digest
# authentication, group membership checks and AVP loading.
loadmodule "auth_radius.so"
loadmodule "group_radius.so"
loadmodule "avp_radius.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
# Disabled DB URL. Note that it carries the database user and password in
# clear text; if it is enabled, keep this file readable only by the account
# that runs OpenSER.
#modparam("usrloc","db_url","mysql://openser:openserrw@localhost/openser")
modparam("usrloc", "db_mode", 2)
# -- acc params --
# Flags 1 and 2 are the ones the routing logic sets on initial INVITEs.
modparam("acc", "radius_flag", 1)
modparam("acc", "radius_missed_flag", 2)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 1)
modparam("acc", "service_type", 15)
# Extra accounting attributes: source IP and source port of the request.
modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp")
# All four RADIUS-aware modules share one radiusclient-ng configuration file.
# NOTE(review): that file presumably references the server list and the shared
# secrets -- confirm its ownership and permissions.
modparam("acc|auth_radius|group_radius|avp_radius", "radius_config",
"/etc/radiusclient-ng/radiusclient.conf")
# -- group_radius params --
modparam("group_radius", "use_domain", 1)
# -- avpops params --
# Aliases $day and $time for AVP ids 101 and 102, used by the callee day/time
# filter in the routing logic.
modparam("avpops", "avp_aliases", "day=i:101;time=i:102")
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# ------------------------- request routing logic -------------------
# main routing logic
# Main request route. Visible steps: sanity checks, RADIUS "suspended" group
# check, record-routing, in-dialog handling, accounting flags, outbound-domain
# authorization, REGISTER authentication plus source-IP check, PSTN
# authorization, and callee day/time filters loaded from RADIUS.
# Part of the block is elided ("......") in this listing.
route{
# initial sanity checks -- messages with
# max_forwards==0, or excessively long requests
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
exit;
};
if (msg:len >= 2048 ) {
sl_send_reply("513", "Message too big");
exit;
};
# check if user is suspended
# NOTE(review): a negative answer from radius_is_user_in() lets the request
# continue, so the "radius_is_user_in(): Failure" debug line in the posted
# trace is presumably just this check reporting that the user is not in
# "suspended". If RADIUS errors are reported the same way, the suspension
# check fails open when the server is unreachable -- TODO confirm.
if(is_method("REGISTER|INVITE|MESSAGE|OPTIONS|SUBSCRIBE"))
{
if (radius_is_user_in("From", "suspended")) {
sl_send_reply("403", "Forbidden - suspended");
exit;
};
};
# we record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
if (!method=="REGISTER")
record_route();
# subsequent messages withing a dialog should take the
# path determined by record-routing
if (loose_route()) {
# mark routing logic in request
append_hf("P-hint: rr-enforced\r\n");
if(is_method("BYE"))
{ # log it all the time
acc_rad_request("200 ok");
acc_log_request("200 ok");
}
route(1);
};
if(is_method("INVITE") && !has_totag())
{ # set the acc flags
setflag(1);
setflag(2);
};
if (!uri==myself) {
# check if user is allowed to do voip calls to other domains
# NOTE(review): group membership is looked up for the From header user, and no
# digest authentication of INVITE/MESSAGE is visible in this listing before
# the check. Unless the elided part authenticates the sender, the From value
# is unverified -- confirm.
if(is_method("INVITE|MESSAGE")) {
if (!radius_is_user_in("From", "voip")) {
sl_send_reply("403", "Forbidden VoIP");
exit;
};
};
# mark routing logic in request
append_hf("P-hint: outbound\r\n");
route(1);
};
# if the request is for other domain use UsrLoc
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if (uri==myself) {
# authenticate registers
# Digest authentication is delegated to RADIUS; a challenge is sent when it
# does not succeed.
if (method=="REGISTER") {
if (!radius_www_authorize("swifton.org")) {
www_challenge("swifton.org", "0");
exit;
};
# check the src ip address
# Binds the registration to the source address: AVP id 2 must equal $src_ip.
# The check fails closed: when no AVP with id 2 exists, avp_check() is false
# and the UA gets "403 Forbidden IP". In the posted trace the RADIUS reply
# yields only the named AVP 'Sip-Group', which matches the
# "ops_check_avp: no src avp found" message.
# NOTE(review): presumably the RADIUS user entry must also return a SIP-AVP
# that maps to integer id 2 with the permitted address -- confirm against the
# tutorial's RADIUS users file.
if(!avp_check("$avp(i:2)", "eq/$src_ip/ig"))
{
sl_send_reply("403", "Forbidden IP");
exit;
};
save("location");
exit;
};
# calls to pstn
# Only initial INVITEs are checked against the "pstn" group; the lookup uses
# the From header, so the authentication caveat noted for outbound calls
# applies here as well.
if(uri=~"sip:00[1-9][0-9]+@") {
if(is_method("INVITE") && !has_totag()) {
if (!radius_is_user_in("From", "pstn")) {
sl_send_reply("403", "Forbidden PSTN");
exit;
};
};
# set gateway address
rewritehostport("10.10.10.10:5090");
route(1);
};
# load callee's avps
# The day/time filters below run only when the RADIUS lookup succeeds.
if(avp_load_radius("callee"))
{
# check if user has time filter enabled
if(avp_check("$avp(i:3)", "eq/i:1"))
{
# print time in an avp
avp_printf("$avp(i:100)", "$Tf");
# extract day
avp_subst("$avp(i:100)/$avp(i:101)", "/(.{3}) .+/*\1*/");
# AVP 6 is matched against the extracted day ($day is the alias for id 101).
if(!avp_check("$avp(i:6)", "fm/$day")) {
sl_send_reply("403", "Forbidden - day");
exit;
};
# extract 'hours:minutes'
avp_subst("$avp(i:100)/$avp(i:102)", "/(.{10}) (.{5}):.+/\2/");
# AVPs 4 and 5 are optional bounds compared with $time; each is applied only
# when it is set.
if((is_avp_set("$avp(i:4)") && avp_check("$avp(i:4)", "gt/$time"))
|| (is_avp_set("$avp(i:5)") && avp_check("$avp(i:5)", "lt/$time"))) {
sl_send_reply("403", "Forbidden - time");
exit;
};
};
};
......
route(1);
}
......
exit;
}
#
OpenSER starts as follows:
898) SIP Request:
898) method: <REGISTER>
898) uri: <sip:swifton.org>
898) version: <SIP/2.0>
898) parse_headers: flags=2
898) end of header reached, state=5
898) parse_headers: Via found, flags=2
898) parse_headers: this is the first via
898) After parse_msg...
898) preparing to run routing scripts...
898) parse_headers: flags=100
898) DEBUG:maxfwd:is_maxfwd_present: value = 70
898) parse_headers: flags=10
898) DEBUG: add_param: tag=f59c388b5de348778e76ebda993c2d8e
898) DEBUG: add_param: epid=b6757bf3fc
898) DEBUG:parse_to:end of header reached, state=29
898) DBUG:parse_to: display={}, ruri={sip:zhaoy@swifton.org}
898) radius_is_user_in(): Failure
898) parse_headers: flags=200
898) DEBUG:parse_to:end of header reached, state=10
......
0(5898) grep_sock_info - checking if host==us: 11==13 && [swifton.org] == [192.168.168.3]
0(5898) grep_sock_info - checking if port 5060 matches port 5060
0(5898) grep_sock_info - checking if host==us: 11==13 && [swifton.org] == [192.168.168.3]
0(5898) grep_sock_info - checking if port 5060 matches port 5060
0(5898) check_nonce(): comparing [459bb612ad569015987d4849d1ae603515f32e6b] and
[459bb612ad569015987d4849d1ae603515f32e6b]
0(5898) DEBUG:auth_radius:radius_authorize_sterman: Success
0(5898) DEBUG:auth_radius:generate_avps: getting SIP AVPs from avpair 225
0(5898) DEBUG:auth_radius:extract_avp: string is <Sip-Group:voip>
0(5898) DEBUG:auth_radius:extract_avp: AVP name is <Sip-Group>
0(5898) DEBUG:auth_radius:extract_avp: AVP val is <voip>
0(5898) DEBUG:auth_radius:generate_avps: AVP 'Sip-Group'/0='voip'/0 has been added
0(5898) DEBUG:avpops:ops_check_avp: no src avp found
0(5898) parse_headers: flags=ffffffffffffffff
0(5898) check_via_address(192.168.168.30, 192.168.168.30, 0)
0(5898) DEBUG:destroy_avp_list: destroying list 0x422bc440
0(5898) receive_msg: cleaning up
The FreeRADIUS debug information is as follows:
Digest-Attributes = 0x0a077a68616f79
Digest-Attributes = 0x010d73776966746f6e2e6f7267
Digest-Attributes = 0x022a34353962623631326164353639303135393837643438343964316165363033353135663332653662
Digest-Attributes = 0x04117369703a73776966746f6e2e6f7267
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "2ead4f5b9d78013a35f2eb7a792971a5"
Service-Type = Sip-Session
Sip-Uri-User = "zhaoy"
NAS-Port = 5060
NAS-IP-Address = 192.168.168.3
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 167
modcall[authorize]: module "preprocess" returns ok for request 167
modcall[authorize]: module "chap" returns noop for request 167
modcall[authorize]: module "mschap" returns noop for request 167
rlm_digest: Converting Digest-Attributes to something sane...
Digest-User-Name = "zhaoy"
Digest-Realm = "swifton.org"
Digest-Nonce = "459bb612ad569015987d4849d1ae603515f32e6b"
Digest-URI = "sip:swifton.org"
Digest-Method = "REGISTER"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 167
.......
modcall: entering group authenticate for request 167
A1 = zhaoy:swifton.org:zhaoy
A2 = REGISTER:sip:swifton.org
H(A1) = eff77a9105c5c0973492694f59c944f2
H(A2) = d3add39dad2709bea55016ba79eb675a
KD = eff77a9105c5c0973492694f59c944f2:459bb612ad569015987d4849d1ae603515f32e6b:d3add39dad2709bea55016ba79eb675a
EXPECTED 2ead4f5b9d78013a35f2eb7a792971a5
RECEIVED 2ead4f5b9d78013a35f2eb7a792971a5
modcall[authenticate]: module "digest" returns ok for request 167
modcall: group authenticate returns ok for request 167
radius_xlat: 'Authenticated'
Login OK: [zhaoy@swifton.org] (from client openser port 5060)
Sending Access-Accept of id 13 to 192.168.168.3:33101
SIP-AVP = "Sip-Group:voip"
Reply-Message = "Authenticated"
Sip-Group = "voip"
Finished request 167