Here you have my notes for Kamailio 1.4.
Hope this helps.
Regards, Luciano
Digest Authentication of users using Kamailio and freeRADIUS
============================================================

freeRADIUS
----------
- Add Kamailio host to freeRadius clients.conf
- Include dictionary with kamailio avps.
- Enable digest module in freeRadius
http://wiki.freeradius.org/Digest
- Add users to freeRADIUS users file (check items on the first line, reply items on the indented continuation lines)

1001@lucio01.net    Auth-Type := Digest, Cleartext-Password := "test123"
        Reply-Message = "Authenticated",
        Sip-Avp += "category:prepaid"

1002@lucio01.net    Auth-Type := Digest, Cleartext-Password := "test123"
        Reply-Message = "Authenticated",
        Sip-Avp += "category:postpaid"
Kamailio (1.4)
--------------
- Make sure radiusclient-ng is installed and configured in the machine running Kamailio. See radiusclient-ng_install_notes
- How to configure for authentication using radius

loadmodule "auth.so"            # auth_radius depends on the generic auth module
loadmodule "auth_radius.so"
modparam("auth_radius", "radius_config", "/usr/local/etc/radiusclient-ng/radiusclient.conf")

# REGISTER: if RADIUS does not accept the credentials, send a WWW-Authenticate challenge
if (!radius_www_authorize("lucio01.net")) {
    www_challenge("lucio01.net", "1");
    exit;
}

# INVITE and other requests: same with Proxy-Authenticate
if (!radius_proxy_authorize("lucio01.net")) {
    proxy_challenge("lucio01.net", "1");
    exit;
}
- How to get and use Sip-Avp

loadmodule "avp_radius.so"
loadmodule "avpops.so"

# the Sip-Avp reply items ("category:prepaid") show up as $avp(s:category)
xlog("category = $avp(s:category)\n");
if (avp_check("$avp(s:category)", "eq/s:prepaid/ig")) {
    xlog("L_INFO", "prepaid user\n");
}
radiusclient-ng_install_notes
-----------------------------

- Install radiusclient-ng from source

~# tar xvfz radiusclient-ng-X.Y.Z.tar.gz
~# cd radiusclient-ng-X.Y.Z
~# ./configure
~# make
~# make install
- Configure the authentication and accounting servers this client communicates with.

Edit /usr/local/etc/radiusclient-ng/radiusclient.conf and set the address of the authentication and accounting servers:

authserver homero.lucio01.net
acctserver homero.lucio01.net

- Configure the shared secret to be used with the servers this client communicates with.

Edit /usr/local/etc/radiusclient-ng/servers and add the shared secret for each server the client communicates with:

homero.lucio01.net testing123
- Create the dictionary to be used with kamailio and sippy b2bua

Create a dictionary file and add the following attributes and values used in kamailio and sippy b2bua:

VENDOR      Cisco                       9

ATTRIBUTE   Cisco-AVPair                1       string  Cisco
ATTRIBUTE   h323-remote-address         23      string  Cisco
ATTRIBUTE   h323-conf-id                24      string  Cisco
ATTRIBUTE   h323-setup-time             25      string  Cisco
ATTRIBUTE   h323-call-origin            26      string  Cisco
ATTRIBUTE   h323-call-type              27      string  Cisco
ATTRIBUTE   h323-connect-time           28      string  Cisco
ATTRIBUTE   h323-disconnect-time        29      string  Cisco
ATTRIBUTE   h323-disconnect-cause       30      string  Cisco
ATTRIBUTE   h323-voice-quality          31      string  Cisco
ATTRIBUTE   h323-ivr-out                32      string  Cisco
ATTRIBUTE   h323-credit-time            102     string  Cisco
ATTRIBUTE   h323-return-code            103     string  Cisco
ATTRIBUTE   h323-redirect-number        106     string  Cisco
ATTRIBUTE   h323-preferred-lang         107     string  Cisco
ATTRIBUTE   h323-billing-model          109     string  Cisco
ATTRIBUTE   h323-currency               110     string  Cisco

#
#   Experiment SIP-specific attributes:
#   These attributes are tied between client & server
#
ATTRIBUTE   Sip-Method                  101     integer
ATTRIBUTE   Sip-Response-Code           102     integer
ATTRIBUTE   Sip-CSeq                    103     string
ATTRIBUTE   Sip-To-Tag                  104     string
ATTRIBUTE   Sip-From-Tag                105     string
ATTRIBUTE   Sip-Branch-ID               106     string
ATTRIBUTE   Sip-Translated-Request-URI  107     string
ATTRIBUTE   Sip-Source-IP-Address       108     ipaddr
ATTRIBUTE   Sip-Source-Port             109     integer
ATTRIBUTE   Sip-User-ID                 110     string
ATTRIBUTE   Sip-User-Realm              111     string
ATTRIBUTE   Sip-User-Nonce              112     string
ATTRIBUTE   Sip-User-Method             113     string
ATTRIBUTE   Sip-User-Digest-URI         114     string
ATTRIBUTE   Sip-User-Nonce-Count        115     string
ATTRIBUTE   Sip-User-QOP                116     string
ATTRIBUTE   Sip-User-Opaque             117     string
ATTRIBUTE   Sip-User-Response           118     string
ATTRIBUTE   Sip-User-CNonce             119     string

ATTRIBUTE   Sip-URI-User                208     string
ATTRIBUTE   Sip-Group                   211     string
ATTRIBUTE   Sip-RPId                    213     string

#### Kamailio ####
ATTRIBUTE   SIP-AVP                     225     string  # Proprietary, avp_radius

ATTRIBUTE   Digest-Response             206     string
ATTRIBUTE   Digest-Attributes           207     string
ATTRIBUTE   Digest-Realm                1063    string
ATTRIBUTE   Digest-Nonce                1064    string
ATTRIBUTE   Digest-Method               1065    string
ATTRIBUTE   Digest-URI                  1066    string
ATTRIBUTE   Digest-QOP                  1067    string
ATTRIBUTE   Digest-Algorithm            1068    string
ATTRIBUTE   Digest-Body-Digest          1069    string
ATTRIBUTE   Digest-CNonce               1070    string
ATTRIBUTE   Digest-Nonce-Count          1071    string
ATTRIBUTE   Digest-User-Name            1072    string
ATTRIBUTE   Digest-User-Password        1073    string

#
#   Integer Translations
#

#   SIP types
VALUE       Sip-Method          Other               0
VALUE       Sip-Method          Invite              1
VALUE       Sip-Method          Cancel              2
VALUE       Sip-Method          Ack                 3
VALUE       Sip-Method          Bye                 4

VALUE       Sip-Response-Code   Other               0
VALUE       Sip-Response-Code   Invite              1
VALUE       Sip-Response-Code   Cancel              2
VALUE       Sip-Response-Code   Ack                 3
VALUE       Sip-Response-Code   Bye                 4

#   User Types
VALUE       Service-Type        Authenticate-Only   8
VALUE       Service-Type        Call-Check          10
VALUE       Service-Type        Group-Check         12
VALUE       Service-Type        Sip-Session         15
VALUE       Service-Type        Authorize-Only      17
VALUE       Service-Type        SIP-Caller-AVPs     30      # Proprietary, avp_radius
VALUE       Service-Type        SIP-Callee-AVPs     31      # Proprietary, avp_radius

#   Status Types
VALUE       Acct-Status-Type    Failed              15
- Include the dictionary defined in the previous step to be used by radiusclient-ng

Add to the end of the radiusclient-ng dictionary file (/usr/local/etc/radiusclient-ng/dictionary) an include directive for the file created in the previous step:

$INCLUDE dictionary.luciano
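What the three pieces above (users file, dictionary, radius_www_authorize) set up on the wire, as an added example that is not code from these notes, from Kamailio or from freeRADIUS: a Python model of both sides of the digest-over-RADIUS exchange described in draft-sterman-aaa-sip. The client half builds the Access-Request the way auth_radius does (User-Name as user@realm to match the users-file entries, Digest-Response 206, and one Digest-Attributes 207 per digest field, whose sub-type radiusclient-ng derives from the dictionary ids 1063.. as id - 1063 + 1); the server half does what rlm_digest does (recompute the response from Cleartext-Password) and answers with Reply-Message and SIP-AVP 225; the client then verifies the Response Authenticator with the shared secret and lifts SIP-AVP into the name/value pairs Kamailio exposes as $avp(s:name). The users table, nonce and secret are constructed from the values in the notes; a real auth_radius request also carries NAS-IP-Address and similar attributes, which are omitted here; no qop is used, matching the WWW-Authenticate challenge quoted later in this thread.

```python
import hashlib
import hmac
import os
import struct

# RADIUS attribute numbers, as in the dictionary above
USER_NAME, SERVICE_TYPE, REPLY_MESSAGE = 1, 6, 18
DIGEST_RESPONSE, DIGEST_ATTRIBUTES, SIP_AVP = 206, 207, 225
AUTHENTICATE_ONLY = 8                                   # Service-Type for digest checks
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Digest-Attributes sub-types (draft-sterman-aaa-sip): Digest-Realm 1063 -> 1, ... User-Name 1072 -> 10
SUB_REALM, SUB_NONCE, SUB_METHOD, SUB_URI, SUB_USER_NAME = 1, 2, 3, 4, 10

SECRET = b"testing123"          # shared secret from the 'servers' file above (constructed setup)
USERS = {                       # constructed stand-in for the two users-file entries above
    "1001@lucio01.net": {"password": "test123", "Sip-Avp": "category:prepaid"},
    "1002@lucio01.net": {"password": "test123", "Sip-Avp": "category:postpaid"},
}


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def tlv(t, v):
    """RADIUS attribute or Digest sub-attribute: type, total length, value."""
    return bytes([t, len(v) + 2]) + v


def parse_attrs(data):
    out, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def build_access_request(user_name, digest_user, realm, method, uri, nonce, response, ident=1):
    """Client side (auth_radius): response plus one Digest-Attributes per digest field."""
    req_auth = os.urandom(16)                   # Request Authenticator, RFC 2865 section 3
    attrs = tlv(USER_NAME, user_name.encode()) + tlv(DIGEST_RESPONSE, response.encode())
    for sub, val in ((SUB_REALM, realm), (SUB_NONCE, nonce), (SUB_METHOD, method),
                     (SUB_URI, uri), (SUB_USER_NAME, digest_user)):
        attrs += tlv(DIGEST_ATTRIBUTES, tlv(sub, val.encode()))
    attrs += tlv(SERVICE_TYPE, struct.pack("!I", AUTHENTICATE_ONLY))
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return packet, req_auth


def server_handle(packet, secret=SECRET, users=USERS):
    """Server side (rlm_digest): recompute the response from the stored cleartext password."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, fields, response, user_name = packet[4:20], {}, None, None
    for t, v in parse_attrs(packet[20:length]):
        if t == USER_NAME:
            user_name = v.decode()
        elif t == DIGEST_RESPONSE:
            response = v.decode()
        elif t == DIGEST_ATTRIBUTES:
            for sub, sv in parse_attrs(v):
                fields[sub] = sv.decode()
    entry = users.get(user_name)
    needed = (SUB_REALM, SUB_NONCE, SUB_METHOD, SUB_URI, SUB_USER_NAME)
    ok = False
    if entry and response and all(k in fields for k in needed):
        expected = digest_response(fields[SUB_USER_NAME], fields[SUB_REALM], entry["password"],
                                   fields[SUB_METHOD], fields[SUB_URI], fields[SUB_NONCE])
        ok = hmac.compare_digest(expected, response)   # constant-time compare
    if ok:
        code = ACCESS_ACCEPT
        attrs = tlv(REPLY_MESSAGE, b"Authenticated") + tlv(SIP_AVP, entry["Sip-Avp"].encode())
    else:
        code, attrs = ACCESS_REJECT, b""
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def client_check_reply(reply, req_auth, secret=SECRET):
    """Verify the Response Authenticator, then lift SIP-AVP 'name:value' items into AVPs."""
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    attrs = reply[20:length]
    expected = hashlib.md5(reply[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    avps = {}
    for t, v in parse_attrs(attrs):
        if t == SIP_AVP:
            name, _sep, value = v.decode().partition(":")
            avps[name] = value                  # Kamailio exposes this as $avp(s:name)
    return code == ACCESS_ACCEPT, avps


def authenticate(digest_user, password, realm="lucio01.net", method="REGISTER",
                 uri="sip:lucio01.net", nonce=None):
    """End-to-end run: the UA computes the response, the proxy asks RADIUS, RADIUS decides."""
    nonce = nonce or os.urandom(16).hex()
    response = digest_response(digest_user, realm, password, method, uri, nonce)
    packet, req_auth = build_access_request(f"{digest_user}@{realm}", digest_user, realm,
                                            method, uri, nonce, response)
    return client_check_reply(server_handle(packet), req_auth)
```

authenticate("1001", "test123") returns (True, {"category": "prepaid"}); a wrong password gives (False, {}), and a reply built with a different shared secret is rejected by the Response Authenticator check before any attribute is trusted, which is the same failure you get when the secret in the radiusclient-ng servers file does not match clients.conf on the freeRADIUS side.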
On Fri, Aug 6, 2010 at 7:06 AM, Daniel-Constantin Mierla miconda@gmail.com wrote:
Hello,
the radius client library has a file where you configure the servers, have you configured it? http://www.kamailio.org/docs/openser-radius-1.0.x.html#radiusclient_ng_serve...
Cheers, Daniel
On 8/3/10 10:13 AM, Pratik Shrestha wrote:
Dear Daniel,

Yeah right. I totally forgot, it's a reverse DNS. Now I checked the radius server in debug mode and I cannot see any request from openser trying to connect to the radius server. So, the request from openser is not reaching the radius server. Then I installed wireshark and checked the IP address 128.185.38.162 (radius server IP address) in the server where openser was installed. There also I did not find any entry related to 128.185.38.16. So, it seems my configuration is wrong. I am sending you the configuration of openser.cfg and radiusclient.conf.

openser.cfg

isoftel@isoftel-desktop:~$ cd /usr/local/etc/openser/
isoftel@isoftel-desktop:/usr/local/etc/openser$ cat openser.cfg
#
# $Id$
#
# radius config script
#

# ----------- global configuration parameters ------------------------

debug=6             # debug level (cmd line: -dddddddddd)
log_stderror=yes    # (cmd line: -E)
check_via=no        # (cmd. line: -v)
dns=no              # (cmd. line: -r)
rev_dns=no          # (cmd. line: -R)
port=5060
children=4
#listen=udp:localhost
#alias="kamailio.org"
fifo="/tmp/openser_fifo"

# ------------------ module loading ----------------------------------

mpath="/usr/local/lib/openser/modules"
loadmodule "mysql.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "avpops.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "xlog.so"
loadmodule "uri.so"
loadmodule "acc.so"
loadmodule "auth.so"
loadmodule "auth_radius.so"
loadmodule "group_radius.so"
loadmodule "avp_radius.so"

# ----------------- setting module-specific parameters ---------------

# -- usrloc params --
#modparam("usrloc","db_url","mysql://openser:openserrw@localhost/openser")
modparam("usrloc", "db_mode", 2)

# -- acc params --
modparam("acc", "radius_flag", 1)
modparam("acc", "radius_missed_flag", 2)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 1)
modparam("acc", "service_type", 15)
modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp")
modparam("acc|auth_radius|group_radius|avp_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")

# -- group_radius params --
modparam("group_radius", "use_domain", 1)

# -- avpops params --
modparam("avpops", "avp_aliases", "day=i:101;time=i:102")

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# -------------------------  request routing logic -------------------

# main routing logic

route{
    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        exit;
    };
    if (msg:len >= 2048 ) {
        sl_send_reply("513", "Message too big");
        exit;
    };

    # check if user is suspended
    if(is_method("REGISTER|INVITE|MESSAGE|OPTIONS|SUBSCRIBE")) {
        if (radius_is_user_in("From", "suspended")) {
            sl_send_reply("403", "Forbidden - suspended");
            exit;
        };
    };

    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol
    if (!method=="REGISTER") record_route();

    # subsequent messages withing a dialog should take the
    # path determined by record-routing
    if (loose_route()) {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        if(is_method("BYE")) {
            # log it all the time
            acc_rad_request("200 ok");
            acc_log_request("200 ok");
        }
        route(1);
    };

    if(is_method("INVITE") && !has_totag()) {
        # set the acc flags
        setflag(1);
        setflag(2);
    };

    if (!uri==myself) {
        # check if user is allowed to do voip calls to other domains
        if(is_method("INVITE|MESSAGE")) {
            if (!radius_is_user_in("From", "voip")) {
                sl_send_reply("403", "Forbidden VoIP");
                exit;
            };
        };
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        route(1);
    };

    # if the request is for other domain use UsrLoc
    # (in case, it does not work, use the following command
    # with proper names and addresses in it)
    if (uri==myself) {
        # authenticate registers
        if (method=="REGISTER") {
            if (!radius_www_authorize("")) {
                www_challenge("", "1");
                exit;
            };
            # check the src ip address
            if(!avp_check("i:2", "eq/$src_ip/ig")) {
                sl_send_reply("403", "Forbidden IP");
                exit;
            };
            save("location");
            exit;
        };

        # calls to pstn
        if(uri=~"sip:00[1-9][0-9]+@") {
            if(is_method("INVITE") && !has_totag()) {
                if (!radius_is_user_in("From", "pstn")) {
                    sl_send_reply("403", "Forbidden PSTN");
                    exit;
                };
            };
            # set gateway address
            rewritehostport("localhost:5090");
            route(1);
        };

        # load callee's avps
        if(avp_load_radius("callee")) {
            # check if user has time filter enabled
            if(avp_check("i:3", "eq/i:1")) {
                # print time in an avp
                avp_printf("i:100", "$Tf");
                # extract day
                avp_subst("i:100/i:101", "/(.{3}) .+/*\1*/");
                if(!avp_check("i:6", "fm/$day")) {
                    sl_send_reply("403", "Forbidden - day");
                    exit;
                };
                # extract 'hours:minutes'
                avp_subst("i:100/i:102", "/(.{10}) (.{5}):.+/\2/");
                if((is_avp_set("i:4") && avp_check("i:4", "gt/$time"))
                   || (is_avp_set("i:5") && avp_check("i:5", "lt/$time"))) {
                    sl_send_reply("403", "Forbidden - time");
                    exit;
                };
            };
        };

        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) {
            # log to acc as missed call
            acc_rad_request("404 Not Found");
            acc_log_request("404 Not Found");
            sl_send_reply("404", "Not Found");
            exit;
        };
        append_hf("P-hint: usrloc applied\r\n");
    };

    route(1);
}

# generic forward
route[1] {
    # send it out now; use stateful forwarding as it works reliably
    # even for UDP2TCP
    if (!t_relay()) {
        sl_reply_error();
    };
    exit;
}

radiusclient-ng.conf

# General settings
# specify which authentication comes first respectively which
# authentication is used. possible values are: "radius" and "local".
# if you specify "radius,local" then the RADIUS server is asked
# first then the local one. if only one keyword is specified only
# this server is asked.
auth_order      radius #add 'local' with comma

# maximum login tries a user has
login_tries     4

# timeout for all login tries
# if this time is exceeded the user is kicked out
login_timeout   60

# name of the nologin file which when it exists disables logins.
# it may be extended by the ttyname which will result in
# a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
# logins on /dev/ttyS2)
nologin /etc/nologin

# name of the issue file. it's only display when no username is passed
# on the radlogin command line
issue   /etc/radiusclient-ng/issue

# RADIUS settings

# RADIUS server to use for authentication requests. this config
# item can appear more then one time. if multiple servers are
# defined they are tried in a round robin fashion if one
# server is not answering.
# optionally you can specify a the port number on which is remote
# RADIUS listens separated by a colon from the hostname. if
# no port is specified /etc/services is consulted of the radius
# service. if this fails also a compiled in default is used.
authserver      128.185.38.162

# RADIUS server to use for accouting requests. All that I
# said for authserver applies, too.
#
acctserver      128.185.38.162

# file holding shared secrets used for the communication
# between the RADIUS client and server
servers         /etc/radiusclient-ng/servers

# dictionary of allowed attributes and values
# just like in the normal RADIUS distributions
dictionary      /etc/radiusclient-ng/dictionary

# program to call for a RADIUS authenticated login
login_radius    /usr/sbin/login.radius

# file which holds sequence number for communication with the
# RADIUS server
seqfile         /var/run/radius.seq

# file which specifies mapping between ttyname and NAS-Port attribute
mapfile         /etc/radiusclient-ng/port-id-map

# default authentication realm to append to all usernames if no
# realm was explicitly specified by the user
# the radiusd directly form Livingston doesnt use any realms, so leave
# it blank then
default_realm

# time to wait for a reply from the RADIUS server
radius_timeout  10

# resend request this many times before trying the next server
radius_retries  3

# local address from which radius packets have to be sent
bindaddr localhost #change with 'localhost'

# LOCAL settings

# program to execute for local login
# it must support the -f flag for preauthenticated login
login_local     /bin/login
I have also edited the servers file with the server name and secret. Thank you very much. Regards, Pratik

On Mon, Aug 2, 2010 at 11:26 PM, Daniel-Constantin Mierla miconda@gmail.com wrote:
Hello,
On 8/2/10 12:36 PM, Pratik Shrestha wrote:
Dear Daniel, Now the new issue. It seems now openser is trying to talk with the radius server. But still I am getting one error in syslog, which is as follows.
rc_send_server: no reply from RADIUS server 128-185-38-162.totisp.net:1812
Actually I have written only 128.185.38.162 in auth_server in radiusclient.conf. I don't know how this totisp.net is added. I haven't mentioned it anywhere.
probably reverse dns is done in the library, it is not relevant anyhow. Can you start radius server in debug mode and see if it got some request? You can also do a ngrep/wireshark on port 1812 of your radius server to watch for network packets coming from kamailio.
Cheers, Daniel
Please help me. Thanks.
Regards, Pratik
On Mon, Aug 2, 2010 at 11:44 AM, Pratik Shrestha pratikdbl@gmail.com wrote:
Dear Daniel,
Before I work for the new version, I am first trying to configure old version of openser and radius. I am using openser version 1.0.1 and radius client version 0.5.1 and I am following the tutorial given in http://kamailio.net/docs/openser-radius-1.0.x.html.
My freeradius server is in another machine and when I use radclient to check the user I made, I get the "Authenticated" message. But when I use X-lite and connect to openser, it seems openser is not talking with freeradius servers. I am sure the "secret" I am using is right as I have already tested from radclient. The log which I am getting in openser is as shown below
9(1986) SIP Request:
9(1986)  method:  <REGISTER>
9(1986)  uri:     sip:192.168.0.56
9(1986)  version: <SIP/2.0>
9(1986) parse_headers: flags=2
9(1986) Found param type 232, <branch> = <z9hG4bK-d8754z-c33212005635f16c-1---d8754z->; state=6
9(1986) Found param type 235, <rport> = <n/a>; state=17
9(1986) end of header reached, state=5
9(1986) parse_headers: Via found, flags=2
9(1986) parse_headers: this is the first via
9(1986) After parse_msg...
9(1986) preparing to run routing scripts...
9(1986) parse_headers: flags=100
9(1986) DEBUG:maxfwd:is_maxfwd_present: value = 70
9(1986) parse_headers: flags=10
9(1986) DEBUG:parse_to:end of header reached, state=9
9(1986) DEBUG: get_hdr_field: <To> [44]; uri=[sip:101%40kamailio.org@192.168.0.56]
9(1986) DEBUG: to body ["101"sip:101%40kamailio.org@192.168.0.56 ]
9(1986) DEBUG: add_param: tag=cc6e4259
9(1986) DEBUG:parse_to:end of header reached, state=29
9(1986) radius_is_user_in(): Failure
9(1986) parse_headers: flags=200
9(1986) get_hdr_field: cseq <CSeq>: <2> <REGISTER>
9(1986) DEBUG: get_hdr_body : content_length=0
9(1986) found end of header
9(1986) find_first_route: No Route headers found
9(1986) loose_route: There is no Route HF
9(1986) grep_sock_info - checking if host==us: 12==9 && [192.168.0.56] == [127.0.0.1]
9(1986) grep_sock_info - checking if port 5060 matches port 5060
9(1986) grep_sock_info - checking if host==us: 12==12 && [192.168.0.56] == [192.168.0.56]
9(1986) grep_sock_info - checking if port 5060 matches port 5060
9(1986) grep_sock_info - checking if host==us: 12==9 && [192.168.0.56] == [127.0.0.1]
9(1986) grep_sock_info - checking if port 5060 matches port 5060
9(1986) grep_sock_info - checking if host==us: 12==12 && [192.168.0.56] == [192.168.0.56]
9(1986) grep_sock_info - checking if port 5060 matches port 5060
9(1986) check_nonce(): comparing [4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c] and [4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c]
9(1986) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
9(1986) build_auth_hf(): 'WWW-Authenticate: Digest realm="192.168.0.56", nonce="4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c"
'
9(1986) parse_headers: flags=ffffffffffffffff
9(1986) check_via_address(192.168.0.148, 192.168.182.3, 0)
9(1986) DEBUG:destroy_avp_list: destroying list (nil)
9(1986) receive_msg: cleaning up
At freeradius also, no request arrives from openser.
Please advise me how to get rid of this problem.
Best Regards, Pratik
On Wed, Jul 28, 2010 at 5:56 PM, Pratik Shrestha pratikdbl@gmail.com wrote:
Thanks a lot. I will give it a try
Pratik
On Wed, Jul 28, 2010 at 3:48 PM, Daniel-Constantin Mierla miconda@gmail.com wrote:
Hello,
On 7/22/10 6:06 AM, Pratik Shrestha wrote:
Dear All,
I am very new to OpenSer. I want to use the latest version of OpenSer with Radius. I need the documentation/tutorial on how to do this. Googling, I only found it for the old version. Please help me.
indeed, there is a rather old version:
http://www.kamailio.org/docs/openser-radius-1.0.x.html
What I can say now is that you can skip the part of installing kamailio and use next link instead:
http://www.kamailio.org/dokuwiki/doku.php/install:kamailio-3.0.x-from-git
Radius client library is now in most of common Linux distributions, so you can install it with the package manager (you need the devel headers as well, the -dev package).
FreeRadius configuration should be more or less the same.
The config of kamailio has changed quite a lot. Use the default one from kamailio, follow the WITH_AUTH define conditions and replace auth_db with auth_radius modules and functions. Also, the rest of radius modules were merged into misc_radius. For enabling radius acc, you need to recompile acc module after editing the Makefile in module directory.
Hope it helps to start, ask here if you get stuck.
Cheers, Daniel
-- Daniel-Constantin Mierla http://www.asipto.com/
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users