Hi,

I have followed the Intrsuctions on setting up FreeRADIUS with OpenSER. (http://openser.org/docs/openser-radius-1.0.x.html)

But  the server doesn’t allow the registration:

 

Config:

================================================================================================

# $Id$

#

# radius config script

#

 

# ----------- global configuration parameters ------------------------

 

debug=7            # debug level (cmd line: -dddddddddd)

fork=no

log_stderror=yes    # (cmd line: -E)

 

check_via=no    # (cmd. line: -v)

dns=no          # (cmd. line: -r)

rev_dns=no      # (cmd. line: -R)

port=5060

children=4

listen=udp:192.168.10.18

alias="openser.org"

alias="mydomain.com"

 

#fifo="/tmp/openser_fifo"

 

# ------------------ module loading ----------------------------------

mpath="/usr/local/lib/openser/modules/"

 

loadmodule "mysql.so"

loadmodule "sl.so"

loadmodule "tm.so"

loadmodule "rr.so"

loadmodule "maxfwd.so"

loadmodule "avpops.so"

loadmodule "usrloc.so"

loadmodule "registrar.so"

loadmodule "textops.so"

loadmodule "xlog.so"

loadmodule "uri.so"

loadmodule "acc.so"

loadmodule "auth.so"

loadmodule "auth_radius.so"

loadmodule "group_radius.so"

loadmodule "avp_radius.so"

 

# ----------------- setting module-specific parameters ---------------

 

# -- usrloc params --

#modparam("usrloc","db_url","mysql://openser:openserrw@localhost/openser")

modparam("usrloc", "db_mode", 2)

 

# -- acc params --

modparam("acc", "radius_flag", 1)

modparam("acc", "radius_missed_flag", 2)

modparam("acc", "log_flag", 1)

modparam("acc", "log_missed_flag", 1)

modparam("acc", "service_type", 15)

modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp")

modparam("acc|auth_radius|group_radius|avp_radius", "radius_config",

    "/usr/local/etc/radiusclient-ng/radiusclient.conf")

 

# -- group_radius params --

modparam("group_radius", "use_domain", 1)

 

# -- avpops params --

modparam("avpops", "avp_aliases", "day=i:101;time=i:102")

 

# -- rr params --

# add value to ;lr param to make some broken UAs happy

modparam("rr", "enable_full_lr", 1)

 

# -------------------------  request routing logic -------------------

 

# main routing logic

 

route{

 

    # initial sanity checks -- messages with

    # max_forwards==0, or excessively long requests

    if (!mf_process_maxfwd_header("10")) {

        sl_send_reply("483","Too Many Hops");

        exit;

    };

 

    if (msg:len >=  2048 ) {

        sl_send_reply("513", "Message too big");

        exit;

    };

 

    # check if user is suspended

    if(is_method("REGISTER|INVITE|MESSAGE|OPTIONS|SUBSCRIBE"))

    {

        if (radius_is_user_in("From", "suspended")) {

            sl_send_reply("403", "Forbidden - suspended");

            exit;

        };

    };

   

    # we record-route all messages -- to make sure that

    # subsequent messages will go through our proxy; that's

    # particularly good if upstream and downstream entities

    # use different transport protocol

    if (!method=="REGISTER")

        record_route();

 

    # subsequent messages withing a dialog should take the

    # path determined by record-routing

    if (loose_route()) {

        # mark routing logic in request

        append_hf("P-hint: rr-enforced\r\n");

        if(is_method("BYE"))

        { # log it all the time

            acc_rad_request("200 ok");

            acc_log_request("200 ok");

        }

        route(1);

    };

 

    if(is_method("INVITE") && !has_totag())

    {   # set the acc flags

        setflag(1);

        setflag(2);

    };

 

    if (!uri==myself) {

        # check if user is allowed to do voip calls to other domains

        if(is_method("INVITE|MESSAGE")) {

            if (!radius_is_user_in("From", "voip")) {

                sl_send_reply("403", "Forbidden VoIP");

                exit;

            };

        };

        # mark routing logic in request

        append_hf("P-hint: outbound\r\n");

        route(1);

    };

 

    # if the request is for other domain use UsrLoc

    # (in case, it does not work, use the following command

    # with proper names and addresses in it)

    if (uri==myself) {

        # authenticate registers

        if (method=="REGISTER") {

            if (!radius_www_authorize("mydomain.com")) {

                www_challenge("mydomain.com", "0");

                exit;

            };

 

            # check the src ip address

            if(!avp_check("i:2", "eq/$src_ip/ig"))

            {

                sl_send_reply("403", "Forbidden IP");

                exit;

            };

 

            save("location");

            exit;

        };

 

        # calls to pstn

        if(uri=~"sip:00[1-9][0-9]+@") {

            if(is_method("INVITE") && !has_totag()) {

                if (!radius_is_user_in("From", "pstn")) {

                    sl_send_reply("403", "Forbidden PSTN");

                    exit;

                };

            };

            # set gateway address

            rewritehostport("192.168.10.18:5090");

            route(1);

        };

       

        # load callee's avps

        if(avp_load_radius("callee"))

        {

            # check if user has time filter enabled

            if(avp_check("i:3", "eq/i:1"))

            {

                # print time in an avp

                avp_printf("i:100", "$Tf");

                # extract day

                avp_subst("i:100/i:101", "/(.{3}) .+/*\1*/");

                if(!avp_check("i:6", "fm/$day")) {

                    sl_send_reply("403", "Forbidden - day");

                    exit;

                };

                # extract 'hours:minutes'

                avp_subst("i:100/i:102", "/(.{10}) (.{5}):.+/\2/");

                if((is_avp_set("i:4") && avp_check("i:4", "gt/$time"))

                || (is_avp_set("i:5") && avp_check("i:5", "lt/$time"))) {

                    sl_send_reply("403", "Forbidden - time");

                    exit;

                };

            };

        };

       

        # native SIP destinations are handled using our USRLOC DB

        if (!lookup("location")) {

            # log to acc as missed call

            acc_rad_request("404 Not Found");

            acc_log_request("404 Not Found");

            sl_send_reply("404", "Not Found");

            exit;

        };

        append_hf("P-hint: usrloc applied\r\n");

    };

 

    route(1);

}

 

# generic forward

route[1] {

    # send it out now; use stateful forwarding as it works reliably

    # even for UDP2TCP

    if (!t_relay()) {

        sl_reply_error();

    };

    exit;

}

#

================================================================================================

Users file on RADIUS:

 

### --- avps ---

101@mydomain.com Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs"

        Sip-Avp += "#3#1",

        Sip-Avp += "#4:08:00",

        Sip-Avp += "#5:16:00",

        Sip-Avp += "#6:Mon,Wed,Thu,Fri"

 

102@mydomain.com Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs"

        Sip-Avp += "#3#1",

        Sip-Avp += "#4:08:00",

        Sip-Avp += "#5:16:00",

        Sip-Avp += "#6:Mon,Wed,Thu,Free"

 

DEFAULT Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs"

 

### --- group checking ---

### --- user 101 ---

101@mydomain.com Auth-Type := Accept, Sip-Group == "voip", Service-Type == "Group-Check"

        Reply-Message = "Authorized"

 

101@mydomain.com Auth-Type := Accept, Sip-Group == "pstn", Service-Type == "Group-Check"

        Reply-Message = "Authorized"

 

### --- user 102 ---

102@mydomain.com Auth-Type := Accept, Sip-Group == "voip", Service-Type == "Group-Check"

        Reply-Message = "Authorized"

 

DEFAULT Auth-Type := Reject, Service-Type == "Group-Check"

 

### --- user authentication ---

101@mydomain.com Auth-Type := Digest, User-Password == "101"

        Reply-Message = "Authenticated",

        Sip-Avp += "rpid:101",

        Sip-Avp += "#2:192.168.10.17",

#       Sip-Avp += "#2:192.168.2.11"

 

102@mydomain.com Auth-Type := Digest, User-Password == "102"

        Reply-Message = "Authenticated",

        Sip-Avp += "rpid:102",

#       Sip-Avp += "#2:192.168.2.12"

 

================================================================================================

And bellow is the dubug from radiusd –X and openser -E –ddddddd:

 

OpenSER Debug:

*****************************

 0(4084) SIP Request:

 0(4084)  method:  <REGISTER>

 0(4084)  uri:     <sip:mydomain.com>

 0(4084)  version: <SIP/2.0>

 0(4084) parse_headers: flags=2

 0(4084) DEBUG:parse_to:end of header reached, state=8

 0(4084) DEBUG: get_hdr_field: <To> [19]; uri=[sip:101@mydomain.com]

 0(4084) DEBUG: to body [sip:101@mydomain.com

]

 0(4084) get_hdr_field: cseq <Cseq>: <2> <REGISTER>

 0(4084) Found param type 232, <branch> = <z9hG4bK-eb137d5b6c8524d7c778e5629555a97e>; state=16

 0(4084) end of header reached, state=5

 0(4084) parse_headers: Via found, flags=2

 0(4084) parse_headers: this is the first via

 0(4084) After parse_msg...

 0(4084) preparing to run routing scripts...

 0(4084) DEBUG:maxfwd:is_maxfwd_present: value = 20

 0(4084) DEBUG: add_param: tag=30167a95

 0(4084) DEBUG:parse_to:end of header reached, state=29

 0(4084) radius_is_user_in(): Failure

 0(4084) parse_headers: flags=200

 0(4084) DEBUG: get_hdr_body : content_length=0

 0(4084) found end of header

 0(4084) find_first_route: No Route headers found

 0(4084) loose_route: There is no Route HF

 0(4084) grep_sock_info - checking if host==us: 9==10 &&  [mydomain.com] == [192.168.10.18]

 0(4084) grep_sock_info - checking if port 5060 matches port 5060

 0(4084) grep_sock_info - checking if host==us: 9==10 &&  [mydomain.com] == [192.168.10.18]

 0(4084) grep_sock_info - checking if port 5060 matches port 5060

 0(4084) check_nonce(): comparing [448fe8934593e3e7780fffee019ce58577231baf] and [448fe8934593e3e7780fffee019ce58577231baf]

 0(4084) DEBUG:auth_radius:radius_authorize_sterman: Success

 0(4084) DEBUG:auth_radius:generate_avps: getting SIP AVPs from avpair 225

 0(4084) DEBUG:auth_radius:extract_avp: string is <rpid:101>

 0(4084) DEBUG:auth_radius:extract_avp: AVP name is <rpid>

 0(4084) DEBUG:auth_radius:extract_avp: AVP val is <101>

 0(4084) DEBUG:auth_radius:generate_avps: AVP 'rpid'/0='101'/0 has been added

 0(4084) DEBUG:auth_radius:extract_avp: string is <#2:192.168.10.17>

 0(4084) DEBUG:auth_radius:extract_avp: AVP name is <2>

 0(4084) DEBUG:auth_radius:extract_avp: AVP val is <192.168.10.17>

 0(4084) DEBUG:auth_radius:generate_avps: AVP 'null'/2='192.168.10.17'/0 has been added

 0(4084) DEBUG:avpops:check_avp: check <192.168.10.17> against <192.168.10.17> as str

 0(4084) parse_headers: flags=ffffffffffffffff

 0(4084) parse_headers: flags=4000000

 0(4084) build_contact(): Created Contact HF: Contact: <sip:101@192.168.10.17;LINEID=6f5beb97d08670a1c8328ce1526ae928>;expires=300

 

 0(4084) parse_headers: flags=ffffffffffffffff

 0(4084) check_via_address(192.168.10.17, 192.168.10.17, 0)

 0(4084) DEBUG:destroy_avp_list: destroying list 0xb60f0a50

 0(4084) receive_msg: cleaning up

 1(4086) build_recv_sock: <192.168.10.18_5060>

 

 

 

 

*******************************

RADIUS Debug:

*******************************

rad_recv: Access-Request packet from host 127.0.0.1:32900, id=196, length=185

        User-Name = "101@shatel.ir"

        Digest-Attributes = 0x0a05313031

        Digest-Attributes = 0x010b73686174656c2e6972

        Digest-Attributes = 0x022a34343866663166663933326638303933376130343732663338373631633530366561663636613934

        Digest-Attributes = 0x040f7369703a73686174656c2e6972

        Digest-Attributes = 0x030a5245474953544552

        Digest-Response = "7a3f00f697286dd95c5aa654a9662dea"

        Service-Type = Sip-Session

        Sip-Uri-User = "101"

        NAS-Port = 5060

        NAS-IP-Address = 127.0.0.1

  Processing the authorize section of radiusd.conf

modcall: entering group authorize for request 100

  modcall[authorize]: module "preprocess" returns ok for request 100

  modcall[authorize]: module "chap" returns noop for request 100

  modcall[authorize]: module "mschap" returns noop for request 100

rlm_digest: Adding Auth-Type = DIGEST

  modcall[authorize]: module "digest" returns ok for request 100

    rlm_realm: Looking up realm "shatel.ir" for User-Name = "101@shatel.ir"

    rlm_realm: No such realm "shatel.ir"

  modcall[authorize]: module "suffix" returns noop for request 100

  rlm_eap: No EAP-Message, not doing EAP

  modcall[authorize]: module "eap" returns noop for request 100

    users: Matched entry DEFAULT at line 152

    users: Matched entry 101@shatel.ir at line 255

  modcall[authorize]: module "files" returns ok for request 100

modcall: leaving group authorize (returns ok) for request 100

  rad_check_password:  Found Auth-Type Digest

auth: type "digest"

  Processing the authenticate section of radiusd.conf

modcall: entering group authenticate for request 100

    rlm_digest: Converting Digest-Attributes to something sane...

        Digest-User-Name = "101"

        Digest-Realm = "shatel.ir"

        Digest-Nonce = "448ff1ff932f80937a0472f38761c506eaf66a94"

        Digest-URI = "sip:shatel.ir"

        Digest-Method = "REGISTER"

A1 = 101:shatel.ir:101

A2 = REGISTER:sip:shatel.ir

H(A1) = a5d8cf73217ea46c8fd8ca5da1c6a2e3

H(A2) = 27e9df2d1a7ed715c7204d1316039120

KD = a5d8cf73217ea46c8fd8ca5da1c6a2e3:448ff1ff932f80937a0472f38761c506eaf66a94:27e9df2d1a7ed715c7204d1316039120

EXPECTED 7a3f00f697286dd95c5aa654a9662dea

RECEIVED 7a3f00f697286dd95c5aa654a9662dea

  modcall[authenticate]: module "digest" returns ok for request 100

modcall: leaving group authenticate (returns ok) for request 100

radius_xlat:  'Authenticated'

Sending Access-Accept of id 196 to 127.0.0.1 port 32900

        Reply-Message = "Authenticated"

        SIP-AVP += "rpid:101"

        SIP-AVP += "#2:85.15.7.17"

Finished request 100

Going to the next request

Waking up in 2 seconds...

rad_recv: Access-Request packet from host 127.0.0.1:32901, id=197, length=64

        User-Name = "101@shatel.ir"

        Sip-Group = "suspended"

        Service-Type = Group-Check

        NAS-Port = 0

        NAS-IP-Address = 127.0.0.1

  Processing the authorize section of radiusd.conf

modcall: entering group authorize for request 101

  modcall[authorize]: module "preprocess" returns ok for request 101

  modcall[authorize]: module "chap" returns noop for request 101

  modcall[authorize]: module "mschap" returns noop for request 101

  modcall[authorize]: module "digest" returns noop for request 101

    rlm_realm: Looking up realm "shatel.ir" for User-Name = "101@shatel.ir"

    rlm_realm: No such realm "shatel.ir"

  modcall[authorize]: module "suffix" returns noop for request 101

  rlm_eap: No EAP-Message, not doing EAP

  modcall[authorize]: module "eap" returns noop for request 101

    users: Matched entry DEFAULT at line 152

    users: Matched entry DEFAULT at line 252

  modcall[authorize]: module "files" returns ok for request 101

modcall: leaving group authorize (returns ok) for request 101

  rad_check_password:  Found Auth-Type Reject

  rad_check_password: Auth-Type = Reject, rejecting user

auth: Failed to validate the user.

Delaying request 101 for 1 seconds

Finished request 101

 

 

Any thoughts?

 

Thanks,

Hamid