[Users] SIP Clients Can't REGISTER

Hi, I have followed the Intrsuctions on setting up FreeRADIUS with OpenSER. (http://openser.org/docs/openser-radius-1.0.x.html) But the server doesn't allow the registration: Config: ============================================================================ ==================== # $Id$ # # radius config script # # ----------- global configuration parameters ------------------------ debug=7 # debug level (cmd line: -dddddddddd) fork=no log_stderror=yes # (cmd line: -E) check_via=no # (cmd. line: -v) dns=no # (cmd. line: -r) rev_dns=no # (cmd. line: -R) port=5060 children=4 listen=udp:192.168.10.18 alias="openser.org" alias="mydomain.com" #fifo="/tmp/openser_fifo" # ------------------ module loading ---------------------------------- mpath="/usr/local/lib/openser/modules/" loadmodule "mysql.so" loadmodule "sl.so" loadmodule "tm.so" loadmodule "rr.so" loadmodule "maxfwd.so" loadmodule "avpops.so" loadmodule "usrloc.so" loadmodule "registrar.so" loadmodule "textops.so" loadmodule "xlog.so" loadmodule "uri.so" loadmodule "acc.so" loadmodule "auth.so" loadmodule "auth_radius.so" loadmodule "group_radius.so" loadmodule "avp_radius.so" # ----------------- setting module-specific parameters --------------- # -- usrloc params -- #modparam("usrloc","db_url","mysql://openser:openserrw@localhost/openser") modparam("usrloc", "db_mode", 2) # -- acc params -- modparam("acc", "radius_flag", 1) modparam("acc", "radius_missed_flag", 2) modparam("acc", "log_flag", 1) modparam("acc", "log_missed_flag", 1) modparam("acc", "service_type", 15) modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp") modparam("acc|auth_radius|group_radius|avp_radius", "radius_config", "/usr/local/etc/radiusclient-ng/radiusclient.conf") # -- group_radius params -- modparam("group_radius", "use_domain", 1) # -- avpops params -- modparam("avpops", "avp_aliases", "day=i:101;time=i:102") # -- rr params -- # add value to ;lr param to make some broken UAs happy modparam("rr", "enable_full_lr", 1) # ------------------------- request routing logic ------------------- # main routing logic route{ # initial sanity checks -- messages with # max_forwards==0, or excessively long requests if (!mf_process_maxfwd_header("10")) { sl_send_reply("483","Too Many Hops"); exit; }; if (msg:len >= 2048 ) { sl_send_reply("513", "Message too big"); exit; }; # check if user is suspended if(is_method("REGISTER|INVITE|MESSAGE|OPTIONS|SUBSCRIBE")) { if (radius_is_user_in("From", "suspended")) { sl_send_reply("403", "Forbidden - suspended"); exit; }; }; # we record-route all messages -- to make sure that # subsequent messages will go through our proxy; that's # particularly good if upstream and downstream entities # use different transport protocol if (!method=="REGISTER") record_route(); # subsequent messages withing a dialog should take the # path determined by record-routing if (loose_route()) { # mark routing logic in request append_hf("P-hint: rr-enforced\r\n"); if(is_method("BYE")) { # log it all the time acc_rad_request("200 ok"); acc_log_request("200 ok"); } route(1); }; if(is_method("INVITE") && !has_totag()) { # set the acc flags setflag(1); setflag(2); }; if (!uri==myself) { # check if user is allowed to do voip calls to other domains if(is_method("INVITE|MESSAGE")) { if (!radius_is_user_in("From", "voip")) { sl_send_reply("403", "Forbidden VoIP"); exit; }; }; # mark routing logic in request append_hf("P-hint: outbound\r\n"); route(1); }; # if the request is for other domain use UsrLoc # (in case, it does not work, use the following command # with proper names and addresses in it) if (uri==myself) { # authenticate registers if (method=="REGISTER") { if (!radius_www_authorize("mydomain.com")) { www_challenge("mydomain.com", "0"); exit; }; # check the src ip address if(!avp_check("i:2", "eq/$src_ip/ig")) { sl_send_reply("403", "Forbidden IP"); exit; }; save("location"); exit; }; # calls to pstn if(uri=~"sip:00[1-9][0-9]+@") { if(is_method("INVITE") && !has_totag()) { if (!radius_is_user_in("From", "pstn")) { sl_send_reply("403", "Forbidden PSTN"); exit; }; }; # set gateway address rewritehostport("192.168.10.18:5090"); route(1); }; # load callee's avps if(avp_load_radius("callee")) { # check if user has time filter enabled if(avp_check("i:3", "eq/i:1")) { # print time in an avp avp_printf("i:100", "$Tf"); # extract day avp_subst("i:100/i:101", "/(.{3}) .+/*\1*/"); if(!avp_check("i:6", "fm/$day")) { sl_send_reply("403", "Forbidden - day"); exit; }; # extract 'hours:minutes' avp_subst("i:100/i:102", "/(.{10}) (.{5}):.+/\2/"); if((is_avp_set("i:4") && avp_check("i:4", "gt/$time")) || (is_avp_set("i:5") && avp_check("i:5", "lt/$time"))) { sl_send_reply("403", "Forbidden - time"); exit; }; }; }; # native SIP destinations are handled using our USRLOC DB if (!lookup("location")) { # log to acc as missed call acc_rad_request("404 Not Found"); acc_log_request("404 Not Found"); sl_send_reply("404", "Not Found"); exit; }; append_hf("P-hint: usrloc applied\r\n"); }; route(1); } # generic forward route[1] { # send it out now; use stateful forwarding as it works reliably # even for UDP2TCP if (!t_relay()) { sl_reply_error(); }; exit; } # ============================================================================ ==================== Users file on RADIUS: ### --- avps --- 101(a)mydomain.com Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs" Sip-Avp += "#3#1", Sip-Avp += "#4:08:00", Sip-Avp += "#5:16:00", Sip-Avp += "#6:Mon,Wed,Thu,Fri" 102(a)mydomain.com Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs" Sip-Avp += "#3#1", Sip-Avp += "#4:08:00", Sip-Avp += "#5:16:00", Sip-Avp += "#6:Mon,Wed,Thu,Free" DEFAULT Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs" ### --- group checking --- ### --- user 101 --- 101(a)mydomain.com Auth-Type := Accept, Sip-Group == "voip", Service-Type == "Group-Check" Reply-Message = "Authorized" 101(a)mydomain.com Auth-Type := Accept, Sip-Group == "pstn", Service-Type == "Group-Check" Reply-Message = "Authorized" ### --- user 102 --- 102(a)mydomain.com Auth-Type := Accept, Sip-Group == "voip", Service-Type == "Group-Check" Reply-Message = "Authorized" DEFAULT Auth-Type := Reject, Service-Type == "Group-Check" ### --- user authentication --- 101(a)mydomain.com Auth-Type := Digest, User-Password == "101" Reply-Message = "Authenticated", Sip-Avp += "rpid:101", Sip-Avp += "#2:192.168.10.17", # Sip-Avp += "#2:192.168.2.11" 102(a)mydomain.com Auth-Type := Digest, User-Password == "102" Reply-Message = "Authenticated", Sip-Avp += "rpid:102", # Sip-Avp += "#2:192.168.2.12" ============================================================================ ==================== And bellow is the dubug from radiusd -X and openser -E -ddddddd: OpenSER Debug: ***************************** 0(4084) SIP Request: 0(4084) method: <REGISTER> 0(4084) uri: <sip:mydomain.com> 0(4084) version: <SIP/2.0> 0(4084) parse_headers: flags=2 0(4084) DEBUG:parse_to:end of header reached, state=8 0(4084) DEBUG: get_hdr_field: <To> [19]; uri=[sip:101@mydomain.com] 0(4084) DEBUG: to body [sip:101@mydomain.com ] 0(4084) get_hdr_field: cseq <Cseq>: <2> <REGISTER> 0(4084) Found param type 232, <branch> = <z9hG4bK-eb137d5b6c8524d7c778e5629555a97e>; state=16 0(4084) end of header reached, state=5 0(4084) parse_headers: Via found, flags=2 0(4084) parse_headers: this is the first via 0(4084) After parse_msg... 0(4084) preparing to run routing scripts... 0(4084) DEBUG:maxfwd:is_maxfwd_present: value = 20 0(4084) DEBUG: add_param: tag=30167a95 0(4084) DEBUG:parse_to:end of header reached, state=29 0(4084) radius_is_user_in(): Failure 0(4084) parse_headers: flags=200 0(4084) DEBUG: get_hdr_body : content_length=0 0(4084) found end of header 0(4084) find_first_route: No Route headers found 0(4084) loose_route: There is no Route HF 0(4084) grep_sock_info - checking if host==us: 9==10 && [mydomain.com] == [192.168.10.18] 0(4084) grep_sock_info - checking if port 5060 matches port 5060 0(4084) grep_sock_info - checking if host==us: 9==10 && [mydomain.com] == [192.168.10.18] 0(4084) grep_sock_info - checking if port 5060 matches port 5060 0(4084) check_nonce(): comparing [448fe8934593e3e7780fffee019ce58577231baf] and [448fe8934593e3e7780fffee019ce58577231baf] 0(4084) DEBUG:auth_radius:radius_authorize_sterman: Success 0(4084) DEBUG:auth_radius:generate_avps: getting SIP AVPs from avpair 225 0(4084) DEBUG:auth_radius:extract_avp: string is <rpid:101> 0(4084) DEBUG:auth_radius:extract_avp: AVP name is <rpid> 0(4084) DEBUG:auth_radius:extract_avp: AVP val is <101> 0(4084) DEBUG:auth_radius:generate_avps: AVP 'rpid'/0='101'/0 has been added 0(4084) DEBUG:auth_radius:extract_avp: string is <#2:192.168.10.17> 0(4084) DEBUG:auth_radius:extract_avp: AVP name is <2> 0(4084) DEBUG:auth_radius:extract_avp: AVP val is <192.168.10.17> 0(4084) DEBUG:auth_radius:generate_avps: AVP 'null'/2='192.168.10.17'/0 has been added 0(4084) DEBUG:avpops:check_avp: check <192.168.10.17> against <192.168.10.17> as str 0(4084) parse_headers: flags=ffffffffffffffff 0(4084) parse_headers: flags=4000000 0(4084) build_contact(): Created Contact HF: Contact: <sip:101@192.168.10.17;LINEID=6f5beb97d08670a1c8328ce1526ae928>;expires=300 0(4084) parse_headers: flags=ffffffffffffffff 0(4084) check_via_address(192.168.10.17, 192.168.10.17, 0) 0(4084) DEBUG:destroy_avp_list: destroying list 0xb60f0a50 0(4084) receive_msg: cleaning up 1(4086) build_recv_sock: <192.168.10.18_5060> ******************************* RADIUS Debug: ******************************* rad_recv: Access-Request packet from host 127.0.0.1:32900, id=196, length=185 User-Name = &quot;101(a)shatel.ir&quot; Digest-Attributes = 0x0a05313031 Digest-Attributes = 0x010b73686174656c2e6972 Digest-Attributes = 0x022a3434386666316666393332663830393337613034373266333837363163353036656166 3636613934 Digest-Attributes = 0x040f7369703a73686174656c2e6972 Digest-Attributes = 0x030a5245474953544552 Digest-Response = "7a3f00f697286dd95c5aa654a9662dea" Service-Type = Sip-Session Sip-Uri-User = "101" NAS-Port = 5060 NAS-IP-Address = 127.0.0.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 100 modcall[authorize]: module "preprocess" returns ok for request 100 modcall[authorize]: module "chap" returns noop for request 100 modcall[authorize]: module "mschap" returns noop for request 100 rlm_digest: Adding Auth-Type = DIGEST modcall[authorize]: module "digest" returns ok for request 100 rlm_realm: Looking up realm "shatel.ir" for User-Name = &quot;101(a)shatel.ir&quot; rlm_realm: No such realm "shatel.ir" modcall[authorize]: module "suffix" returns noop for request 100 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 100 users: Matched entry DEFAULT at line 152 users: Matched entry 101(a)shatel.ir at line 255 modcall[authorize]: module "files" returns ok for request 100 modcall: leaving group authorize (returns ok) for request 100 rad_check_password: Found Auth-Type Digest auth: type "digest" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 100 rlm_digest: Converting Digest-Attributes to something sane... Digest-User-Name = "101" Digest-Realm = "shatel.ir" Digest-Nonce = "448ff1ff932f80937a0472f38761c506eaf66a94" Digest-URI = "sip:shatel.ir" Digest-Method = "REGISTER" A1 = 101:shatel.ir:101 A2 = REGISTER:sip:shatel.ir H(A1) = a5d8cf73217ea46c8fd8ca5da1c6a2e3 H(A2) = 27e9df2d1a7ed715c7204d1316039120 KD = a5d8cf73217ea46c8fd8ca5da1c6a2e3:448ff1ff932f80937a0472f38761c506eaf66a94:27 e9df2d1a7ed715c7204d1316039120 EXPECTED 7a3f00f697286dd95c5aa654a9662dea RECEIVED 7a3f00f697286dd95c5aa654a9662dea modcall[authenticate]: module "digest" returns ok for request 100 modcall: leaving group authenticate (returns ok) for request 100 radius_xlat: 'Authenticated' Sending Access-Accept of id 196 to 127.0.0.1 port 32900 Reply-Message = "Authenticated" SIP-AVP += "rpid:101" SIP-AVP += "#2:85.15.7.17" Finished request 100 Going to the next request Waking up in 2 seconds... rad_recv: Access-Request packet from host 127.0.0.1:32901, id=197, length=64 User-Name = &quot;101(a)shatel.ir&quot; Sip-Group = "suspended" Service-Type = Group-Check NAS-Port = 0 NAS-IP-Address = 127.0.0.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 101 modcall[authorize]: module "preprocess" returns ok for request 101 modcall[authorize]: module "chap" returns noop for request 101 modcall[authorize]: module "mschap" returns noop for request 101 modcall[authorize]: module "digest" returns noop for request 101 rlm_realm: Looking up realm "shatel.ir" for User-Name = &quot;101(a)shatel.ir&quot; rlm_realm: No such realm "shatel.ir" modcall[authorize]: module "suffix" returns noop for request 101 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 101 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 252 modcall[authorize]: module "files" returns ok for request 101 modcall: leaving group authorize (returns ok) for request 101 rad_check_password: Found Auth-Type Reject rad_check_password: Auth-Type = Reject, rejecting user auth: Failed to validate the user. Delaying request 101 for 1 seconds Finished request 101 Any thoughts? Thanks, Hamid