4 Mar
2006
4 Mar
'06
11:38 a.m.
Hi,
I run SER with Radius/MySQL for authentication and accounting.
Things are pretty much in place except for group checking. I have something
like this in my ser.cfg:
....
modparam("auth_radius", "radius_config",
"/etc/radiusclient-ng/radiusclient.conf")
modparam("group_radius", "use_domain", 1)
.....
if (uri=~"^sip:[0-9]{8}@") { # Domestic PSTN
if (!radius_is_user_in("credentials", "ld")) {
sl_send_reply("403", "No permission for domestic
calls");
return;
};
route(4);
return;
};
....
When I look at Radius debug log I can see that when ser sends a request to
radius, radius wants to do digest on it and then the complete request fails
and call can't go through. Output looks something like this:
..
rad_recv: Access-Request packet from host 127.0.0.1:34027, id=18, length=72
User-Name = "81000(a)sage.home.local"
Sip-Group = "voicemail"
Service-Type = Group-Check
NAS-Port = 0
NAS-IP-Address = 127.0.0.1
Processing the authorize section of radiusd.conf
..
** bunch of sql statements ...
..
modcall: group authorize returns ok for request 17
rad_check_password: Found Auth-Type Digest
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 17
ERROR: No Digest-Nonce: Cannot perform Digest authentication
modcall[authenticate]: module "digest" returns invalid for request 17
modcall: group authenticate returns invalid for request 17
auth: Failed to validate the user.
In databases I have following:
mysql> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username =
'81000(a)sage.home.local' ORDER BY id;
+----+-----------------------+--------------+-------------+----+
| id | UserName | Attribute | Value | op |
+----+-----------------------+--------------+-------------+----+
| 18 | 81000(a)sage.home.local | Service-Type | Group-Check | := |
+----+-----------------------+--------------+-------------+----+
1 row in set (0.00 sec)
mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username =
'81000(a)sage.home.local' ORDER BY id;
+----+-----------------------+---------------+------------------------------
------+----+
| id | UserName | Attribute | Value
| op |
+----+-----------------------+---------------+------------------------------
------+----+
| 23 | 81000(a)sage.home.local | User-Password |
$1$d7XAeahG$9f17cb8JaKj8R1z9GpwG4/ | := |
| 25 | 81000(a)sage.home.local | Sip-Rpid | 81000
| = |
| 30 | 81000(a)sage.home.local | Auth-Type | Digest
| := |
+----+-----------------------+---------------+------------------------------
------+----+
mysql> SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FR
OM radgroupcheck,usergroup WHERE usergroup.Username =
'81000(a)sage.home.local' AND usergroup.GroupName = radgroupcheck.G
roupName ORDER BY radgroupcheck.id;
+----+-----------+-----------+--------+----+
| id | GroupName | Attribute | Value | op |
+----+-----------+-----------+--------+----+
| 12 | voicemail | Auth-Type | Accept | := |
+----+-----------+-----------+--------+----+
Has anyone had a chance to do something like this with success? I am stuck
at the moment - any help is greatly appreciated.
Thanks.
/Vel
7 Mar
7 Mar
12:20 p.m.
Hi Velimir,
not an expert on RADIUS, but my guess the problem is in the RADIUS
server configuration - it should not request authentication for the
"Service-Type = Group-Check"
regards,
bogdan
Velimir Novkovic wrote:
Hi,
I run SER with Radius/MySQL for authentication and accounting.
Things are pretty much in place except for group checking. I have
something like this in my ser.cfg:
……..
modparam("auth_radius", "radius_config",
"/etc/radiusclient-ng/radiusclient.conf")
modparam("group_radius", "use_domain", 1)
………..
if (uri=~"^sip:[0-9]{8}@") { # Domestic PSTN
if (!radius_is_user_in("credentials", "ld")) {
sl_send_reply("403", "No permission for domestic calls");
return;
};
route(4);
return;
};
…………
When I look at Radius debug log I can see that when ser sends a
request to radius, radius wants to do digest on it and then the
complete request fails and call can’t go through. Output looks
something like this:
……
rad_recv: Access-Request packet from host 127.0.0.1:34027, id=18,
length=72
User-Name = "81000(a)sage.home.local"
Sip-Group = "voicemail"
Service-Type = Group-Check
NAS-Port = 0
NAS-IP-Address = 127.0.0.1
Processing the authorize section of radiusd.conf
….
** bunch of sql statements …..
….
modcall: group authorize returns ok for request 17
rad_check_password: Found Auth-Type Digest
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 17
ERROR: No Digest-Nonce: Cannot perform Digest authentication
modcall[authenticate]: module "digest" returns invalid for request 17
modcall: group authenticate returns invalid for request 17
auth: Failed to validate the user.
In databases I have following:
mysql> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '81000(a)sage.home.local' ORDER BY id;
+----+-----------------------+--------------+-------------+----+
| id | UserName | Attribute | Value | op |
+----+-----------------------+--------------+-------------+----+
| 18 | 81000(a)sage.home.local | Service-Type | Group-Check | := |
+----+-----------------------+--------------+-------------+----+
1 row in set (0.00 sec)
mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '81000(a)sage.home.local' ORDER BY id;
+----+-----------------------+---------------+------------------------------------+----+
| id | UserName | Attribute | Value | op |
+----+-----------------------+---------------+------------------------------------+----+
| 23 | 81000(a)sage.home.local | User-Password |
$1$d7XAeahG$9f17cb8JaKj8R1z9GpwG4/ | := |
| 25 | 81000(a)sage.home.local | Sip-Rpid | 81000 | = |
| 30 | 81000(a)sage.home.local | Auth-Type | Digest | := |
+----+-----------------------+---------------+------------------------------------+----+
mysql> SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FR
OM radgroupcheck,usergroup WHERE usergroup.Username =
'81000(a)sage.home.local' AND usergroup.GroupName = radgroupcheck.G
roupName ORDER BY radgroupcheck.id;
+----+-----------+-----------+--------+----+
| id | GroupName | Attribute | Value | op |
+----+-----------+-----------+--------+----+
| 12 | voicemail | Auth-Type | Accept | := |
+----+-----------+-----------+--------+----+
Has anyone had a chance to do something like this with success? I am
stuck at the moment – any help is greatly appreciated.
Thanks.
/Vel
------------------------------------------------------------------------
_______________________________________________
Users mailing list
Users(a)openser.org
http://openser.org/cgi-bin/mailman/listinfo/users
9:45 p.m.
Yes. And I learnt it hard way this time - couple of days of debug-like work.
It turned out that group checking entries in Radius configs need to be
before any user specific ones - generally speaking.
SER module works correctly all the way (in my experience).
Thanks for your indication though.
/Vel
-----Original Message-----
From: Bogdan-Andrei Iancu [mailto:bogdan@voice-system.ro]
Sent: Tuesday, March 07, 2006 11:21 AM
To: Velimir Novkovic
Cc: 'OpenSER ((E-mail))'
Subject: Re: [Users] ser with radius group checking - something amiss
Hi Velimir,
not an expert on RADIUS, but my guess the problem is in the RADIUS
server configuration - it should not request authentication for the
"Service-Type = Group-Check"
regards,
bogdan
Velimir Novkovic wrote:
Hi,
I run SER with Radius/MySQL for authentication and accounting.
Things are pretty much in place except for group checking. I have
something like this in my ser.cfg:
....
modparam("auth_radius", "radius_config",
"/etc/radiusclient-ng/radiusclient.conf")
modparam("group_radius", "use_domain", 1)
.....
if (uri=~"^sip:[0-9]{8}@") { # Domestic PSTN
if (!radius_is_user_in("credentials", "ld")) {
sl_send_reply("403", "No permission for domestic calls");
return;
};
route(4);
return;
};
....
When I look at Radius debug log I can see that when ser sends a
request to radius, radius wants to do digest on it and then the
complete request fails and call can't go through. Output looks
something like this:
..
rad_recv: Access-Request packet from host 127.0.0.1:34027, id=18,
length=72
User-Name = "81000(a)sage.home.local"
Sip-Group = "voicemail"
Service-Type = Group-Check
NAS-Port = 0
NAS-IP-Address = 127.0.0.1
Processing the authorize section of radiusd.conf
..
** bunch of sql statements ...
..
modcall: group authorize returns ok for request 17
rad_check_password: Found Auth-Type Digest
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 17
ERROR: No Digest-Nonce: Cannot perform Digest authentication
modcall[authenticate]: module "digest" returns invalid for request 17
modcall: group authenticate returns invalid for request 17
auth: Failed to validate the user.
In databases I have following:
mysql> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '81000(a)sage.home.local' ORDER BY id;
+----+-----------------------+--------------+-------------+----+
| id | UserName | Attribute | Value | op |
+----+-----------------------+--------------+-------------+----+
| 18 | 81000(a)sage.home.local | Service-Type | Group-Check | := |
+----+-----------------------+--------------+-------------+----+
1 row in set (0.00 sec)
mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '81000(a)sage.home.local' ORDER BY id;
+----+-----------------------+---------------+------------------------------
------+----+
| id | UserName | Attribute | Value | op |
+----+-----------------------+---------------+------------------------------
------+----+
| 23 | 81000(a)sage.home.local | User-Password |
$1$d7XAeahG$9f17cb8JaKj8R1z9GpwG4/ | := |
| 25 | 81000(a)sage.home.local | Sip-Rpid | 81000 | = |
| 30 | 81000(a)sage.home.local | Auth-Type | Digest | := |
+----+-----------------------+---------------+------------------------------
------+----+
mysql> SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op
FR
OM radgroupcheck,usergroup WHERE usergroup.Username =
'81000(a)sage.home.local' AND usergroup.GroupName = radgroupcheck.G
roupName ORDER BY radgroupcheck.id;
+----+-----------+-----------+--------+----+
| id | GroupName | Attribute | Value | op |
+----+-----------+-----------+--------+----+
| 12 | voicemail | Auth-Type | Accept | := |
+----+-----------+-----------+--------+----+
Has anyone had a chance to do something like this with success? I am
stuck at the moment - any help is greatly appreciated.
Thanks.
/Vel
------------------------------------------------------------------------
_______________________________________________
Users mailing list
Users(a)openser.org
http://openser.org/cgi-bin/mailman/listinfo/users
6839
days inactive
6842
days old
2 comments
2 participants
participants (2)
-
Bogdan-Andrei Iancu -
Velimir Novkovic