Thank you Alan, it works now; the operator for User-Password should be ==. Maybe you can help with other doubts: I am trying to use the "radius_is_user_in()" function from the group_radius module to check if the user has voicemail service and also to authorize PSTN calls using credentials. What attributes should I use in the users file?
On Tue, 22 Mar 2005 13:36:06 -0000, Alan Litster alitster@telcoelectronics.co.uk wrote:
It's been a while since I've done any major work with FR though I have got it working and it's handling ~3000 users.
Your entry for the test user is fine, copied from the original file? The others differ in that the User-Password attribute is on the other line whereas it should follow the Auth-Type. The operator should be == and not :=; not too sure if that makes a difference when using the users file? We use MySQL for the backend and that doesn't seem to be quite so strict on the operators ==/:=. Also, don't specify the Digest-Response as the digest module does that. All you need is the following:
6604321 Auth-Type := Digest, User-Password == "4321"
-----Original Message-----
From: serusers-bounces@iptel.org [mailto:serusers-bounces@lists.iptel.org] On Behalf Of Rafael J. Risco G.V.
Sent: 21 March 2005 21:15
To: serusers@lists.iptel.org
Subject: [Serusers] SER with Radius Authentication

Hi, I've configured freeradius and SER according to the Radius HOW TO document. Accounting works very well, but now I am doing some tests trying to do user authentication; however, all the authentication requests coming to freeradius fail and the X-lite sipphone is receiving an Unauthorized message from SER. Please, some advice.
thanks rafael
PS: config files...
in /usr/local/etc/raddb/users :
test    Auth-Type := Digest, User-Password == "test"
        Reply-Message = "Hello, test with digest"

6609876 Auth-Type := Digest
        User-Password := "9876", Digest-Response = "lalalalala", Reply-Message = "Hello, ibm1"

6604321 Auth-Type := Digest
        User-Password := "4321", Digest-Response = "lalalalala", Reply-Message = "Hello, ibm2"
Some relevant data in ser.cfg:

...
modparam("group_radius", "use_domain", 0)
....

if (uri==myself) {
    if (method=="REGISTER") {
        # Uncomment this if you want to use digest authentication
        if (!radius_www_authorize("")) {
            www_challenge("", "1");
            break;
        };
        if (!save("location")) {
            sl_reply_error();
        };
        break;
    };
    lookup("aliases");
    if (!uri==myself) {
        append_hf("P-hint: outbound alias\r\n");
        route(1);
        break;
    };
    # does the user wish redirection on no availability? (i.e., is he
    # in the voicemail group?) -- determine it now and store it in
    # flag 4, before we rewrite the flag using UsrLoc
    if (radius_is_user_in("Request-URI", "voicemail")) {
        log(1, "requested user is in voicemail group");
        setflag(4);
    };
    # native SIP destinations are handled using our USRLOC DB
    if (!lookup("location")) {
        # sl_send_reply("404", "Not Found");
        log(1,"unable to locate user");
        route(4);
        break;
    };
}; # End of "if(uri==myself)"
....
------------------RADIUSD -X Output ---------------------------:
rad_recv: Access-Request packet from host 127.0.0.1:33187, id=79, length=311
    User-Name = "6604321@10.0.1.22"
    Digest-Attributes = 0x0a0936363034333231
    Digest-Attributes = 0x010b31302e302e312e3232
    Digest-Attributes = 0x022a34323366333163373062336631643261643330383833633238303434316632663133643136613830
    Digest-Attributes = 0x040f7369703a31302e302e312e3232
    Digest-Attributes = 0x030a5245474953544552
    Digest-Attributes = 0x050661757468
    Digest-Attributes = 0x090a3030303030303162
    Digest-Attributes = 0x08224433343132424232394131453131443939334232303035304241373836433642
    Digest-Response = "a6a7812ac0331324f977453c228da2ed"
    Service-Type = IAPP-Register
    Sip-URI-User = "6604321"
    Cisco-AVPair = "call-id=D3412ADB9A1E11D993B20050BA786C6B@10.0.1.22"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 5060
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "chap" returns noop for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_digest: Converting Digest-Attributes to something sane...
    Digest-User-Name = "6604321"
    Digest-Realm = "10.0.1.22"
    Digest-Nonce = "423f31c70b3f1d2ad30883c280441f2f13d16a80"
    Digest-URI = "sip:10.0.1.22"
    Digest-Method = "REGISTER"
    Digest-QOP = "auth"
    Digest-Nonce-Count = "0000001b"
    Digest-CNonce = "D3412BB29A1E11D993B20050BA786C6B"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 8
rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321@10.0.1.22"
rlm_realm: No such realm "10.0.1.22"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 8
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 8
modcall: group authorize returns ok for request 8
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_digest: Configuration item "User-Password" is required for authentication.
modcall[authenticate]: module "digest" returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...

rad_recv: Access-Request packet from host 127.0.0.1:33188, id=80, length=311
    User-Name = "6609876@10.0.1.22"
    Digest-Attributes = 0x0a0936363039383736
    Digest-Attributes = 0x010b31302e302e312e3232
    Digest-Attributes = 0x022a34323366333163373062336631643261643330383833633238303434316632663133643136613830
    Digest-Attributes = 0x040f7369703a31302e302e312e3232
    Digest-Attributes = 0x030a5245474953544552
    Digest-Attributes = 0x050661757468
    Digest-Attributes = 0x090a3030303030303163
    Digest-Attributes = 0x08224433343132424235394131453131443939334232303035304241373836433642
    Digest-Response = "50fa695654b20e2eec54a1003fe15d9f"
    Service-Type = IAPP-Register
    Sip-URI-User = "6609876"
    Cisco-AVPair = "call-id=D3412ADE9A1E11D993B20050BA786C6B@10.0.1.22"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 5060
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
modcall[authorize]: module "preprocess" returns ok for request 9
modcall[authorize]: module "chap" returns noop for request 9
modcall[authorize]: module "mschap" returns noop for request 9
rlm_digest: Converting Digest-Attributes to something sane...
    Digest-User-Name = "6609876"
    Digest-Realm = "10.0.1.22"
    Digest-Nonce = "423f31c70b3f1d2ad30883c280441f2f13d16a80"
    Digest-URI = "sip:10.0.1.22"
    Digest-Method = "REGISTER"
    Digest-QOP = "auth"
    Digest-Nonce-Count = "0000001c"
    Digest-CNonce = "D3412BB59A1E11D993B20050BA786C6B"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 9
rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6609876@10.0.1.22"
rlm_realm: No such realm "10.0.1.22"
modcall[authorize]: module "suffix" returns noop for request 9
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 9
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 9
modcall: group authorize returns ok for request 9
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
rlm_digest: Configuration item "User-Password" is required for authentication.
modcall[authenticate]: module "digest" returns invalid for request 9
modcall: group authenticate returns invalid for request 9
auth: Failed to validate the user.
Delaying request 9 for 1 seconds
Finished request 9
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 79 to 127.0.0.1:33187
Waking up in 1 seconds...

rad_recv: Access-Request packet from host 127.0.0.1:33189, id=81, length=311
    User-Name = "6609876@10.0.1.22"
    Digest-Attributes = 0x0a0936363039383736
    Digest-Attributes = 0x010b31302e302e312e3232
    Digest-Attributes = 0x022a34323366333163373062336631643261643330383833633238303434316632663133643136613830
    Digest-Attributes = 0x040f7369703a31302e302e312e3232
    Digest-Attributes = 0x030a5245474953544552
    Digest-Attributes = 0x050661757468
    Digest-Attributes = 0x090a3030303030303163
    Digest-Attributes = 0x08224433343132424236394131453131443939334232303035304241373836433642
    Digest-Response = "e4f68760f2b3eed0ad45942b32542c92"
    Service-Type = IAPP-Register
    Sip-URI-User = "6609876"
    Cisco-AVPair = "call-id=D3412ADE9A1E11D993B20050BA786C6B@10.0.1.22"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 5060
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 10
modcall[authorize]: module "preprocess" returns ok for request 10
modcall[authorize]: module "chap" returns noop for request 10
modcall[authorize]: module "mschap" returns noop for request 10
rlm_digest: Converting Digest-Attributes to something sane...
    Digest-User-Name = "6609876"
    Digest-Realm = "10.0.1.22"
    Digest-Nonce = "423f31c70b3f1d2ad30883c280441f2f13d16a80"
    Digest-URI = "sip:10.0.1.22"
    Digest-Method = "REGISTER"
    Digest-QOP = "auth"
    Digest-Nonce-Count = "0000001c"
    Digest-CNonce = "D3412BB69A1E11D993B20050BA786C6B"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 10
rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6609876@10.0.1.22"
rlm_realm: No such realm "10.0.1.22"
modcall[authorize]: module "suffix" returns noop for request 10
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 10
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 10
modcall: group authorize returns ok for request 10
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 10
rlm_digest: Configuration item "User-Password" is required for authentication.
modcall[authenticate]: module "digest" returns invalid for request 10
modcall: group authenticate returns invalid for request 10
auth: Failed to validate the user.
Delaying request 10 for 1 seconds
Finished request 10
Going to the next request
Sending Access-Reject of id 80 to 127.0.0.1:33188
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 81 to 127.0.0.1:33189
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 8 ID 79 with timestamp 423f309b
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 9 ID 80 with timestamp 423f309c
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 10 ID 81 with timestamp 423f309d
Nothing to do. Sleeping until we see a request.
--
rrgv
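
An added example, not part of the original thread and not FreeRADIUS code: a Python sketch of what the debug output above shows rlm_digest doing, decoding the Digest-Attributes sub-attributes (type byte, length byte, text) and computing the RFC 2617 response that a given User-Password would produce. The function names are hypothetical; the sub-attribute numbers and the sample values are read off request 8 in the log.

```python
import hashlib

# Sub-attribute type bytes and names, read off the radiusd -X output above.
SUBATTR = {1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method",
           4: "Digest-URI", 5: "Digest-QOP", 8: "Digest-CNonce",
           9: "Digest-Nonce-Count", 10: "Digest-User-Name"}

def decode_digest_attributes(hex_values):
    """Decode Digest-Attributes values (type, length, text) into a dict."""
    out = {}
    for hv in hex_values:
        raw = bytes.fromhex(hv[2:] if hv.lower().startswith("0x") else hv)
        pos = 0
        while pos < len(raw):
            if len(raw) - pos < 2:
                raise ValueError("truncated sub-attribute header")
            kind, length = raw[pos], raw[pos + 1]
            # The length byte counts the two header bytes plus the value.
            if length < 2 or pos + length > len(raw):
                raise ValueError("bad sub-attribute length")
            name = SUBATTR.get(kind, "Unknown-%d" % kind)
            out[name] = raw[pos + 2:pos + length].decode("ascii")
            pos += length
    return out

def _md5(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()

def expected_response(attrs, password):
    """RFC 2617 MD5 response for qop=auth, or for a request without qop."""
    ha1 = _md5(":".join([attrs["Digest-User-Name"], attrs["Digest-Realm"], password]))
    ha2 = _md5(attrs["Digest-Method"] + ":" + attrs["Digest-URI"])
    middle = [attrs["Digest-Nonce"]]
    if attrs.get("Digest-QOP") == "auth":
        middle += [attrs["Digest-Nonce-Count"], attrs["Digest-CNonce"], "auth"]
    return _md5(":".join([ha1] + middle + [ha2]))

# Digest-Attributes of request 8, copied from the log above.
REQUEST_8 = [
    "0x0a0936363034333231", "0x010b31302e302e312e3232",
    "0x022a343233663331633730623366316432616433303838336332383034343166"
    "32663133643136613830",
    "0x040f7369703a31302e302e312e3232", "0x030a5245474953544552",
    "0x050661757468", "0x090a3030303030303162",
    "0x08224433343132424232394131453131443939334232303035304241373836433642",
]
if __name__ == "__main__":
    print(expected_response(decode_digest_attributes(REQUEST_8), "4321"))
```

The server can only make this comparison once the users file supplies a User-Password check item for the matched entry; in the log above every request matched DEFAULT and rlm_digest stopped with "Configuration item "User-Password" is required for authentication."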