Hi,
I run SER with Radius/MySQL for authentication and accounting.
Things are pretty much in place except for group checking. I have something like this in my ser.cfg:
....
modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
modparam("group_radius", "use_domain", 1)
.....
if (uri=~"^sip:[0-9]{8}@") { # Domestic PSTN
    if (!radius_is_user_in("credentials", "ld")) {
        sl_send_reply("403", "No permission for domestic calls");
        return;
    };
    route(4);
    return;
};
....
When I look at the Radius debug log I can see that when ser sends a request to radius, radius wants to do digest on it, and then the complete request fails and the call can't go through. Output looks something like this:
..
rad_recv: Access-Request packet from host 127.0.0.1:34027, id=18, length=72
User-Name = "81000@sage.home.local"
Sip-Group = "voicemail"
Service-Type = Group-Check
NAS-Port = 0
NAS-IP-Address = 127.0.0.1
Processing the authorize section of radiusd.conf
..
** bunch of sql statements ...
..
modcall: group authorize returns ok for request 17
rad_check_password: Found Auth-Type Digest
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 17
ERROR: No Digest-Nonce: Cannot perform Digest authentication
modcall[authenticate]: module "digest" returns invalid for request 17
modcall: group authenticate returns invalid for request 17
auth: Failed to validate the user.
In the databases I have the following:
mysql> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '81000@sage.home.local' ORDER BY id;
+----+-----------------------+--------------+-------------+----+
| id | UserName              | Attribute    | Value       | op |
+----+-----------------------+--------------+-------------+----+
| 18 | 81000@sage.home.local | Service-Type | Group-Check | := |
+----+-----------------------+--------------+-------------+----+
1 row in set (0.00 sec)
mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '81000@sage.home.local' ORDER BY id;
+----+-----------------------+---------------+------------------------------------+----+
| id | UserName              | Attribute     | Value                              | op |
+----+-----------------------+---------------+------------------------------------+----+
| 23 | 81000@sage.home.local | User-Password | $1$d7XAeahG$9f17cb8JaKj8R1z9GpwG4/ | := |
| 25 | 81000@sage.home.local | Sip-Rpid      | 81000                              | =  |
| 30 | 81000@sage.home.local | Auth-Type     | Digest                             | := |
+----+-----------------------+---------------+------------------------------------+----+
mysql> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '81000@sage.home.local' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id;
+----+-----------+-----------+--------+----+
| id | GroupName | Attribute | Value  | op |
+----+-----------+-----------+--------+----+
| 12 | voicemail | Auth-Type | Accept | := |
+----+-----------+-----------+--------+----+
Has anyone had a chance to do something like this with success? I am stuck at the moment - any help is greatly appreciated.
Thanks.
/Vel
Hi Velimir,
Not an expert on RADIUS, but my guess is the problem is in the RADIUS server configuration - it should not request authentication for the "Service-Type = Group-Check".
regards, bogdan
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
Yes. And I learnt it the hard way this time - a couple of days of debug-like work. It turned out that group checking entries in Radius configs need to be before any user-specific ones - generally speaking.
SER module works correctly all the way (in my experience).
Thanks for your indication though.
/Vel
-----Original Message-----
From: Bogdan-Andrei Iancu [mailto:bogdan@voice-system.ro]
Sent: Tuesday, March 07, 2006 11:21 AM
To: Velimir Novkovic
Cc: 'OpenSER ((E-mail))'
Subject: Re: [Users] ser with radius group checking - something amiss
Hi Velimir,
Not an expert on RADIUS, but my guess is the problem is in the RADIUS server configuration - it should not request authentication for the "Service-Type = Group-Check".
regards, bogdan
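An added example, not part of the thread: a small parser for radiusd debug output in the format quoted in the original post, which flags Group-Check requests that were handed to an authentication module such as Digest. The sample log is constructed from the lines quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample in the debug-log format quoted in the original post:
# one Group-Check that lands in the digest module, one that is accepted.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:34027, id=18, length=72
User-Name = "81000@sage.home.local"
Sip-Group = "voicemail"
Service-Type = Group-Check
rad_check_password: Found Auth-Type Digest
ERROR: No Digest-Nonce: Cannot perform Digest authentication
auth: Failed to validate the user.
rad_recv: Access-Request packet from host 127.0.0.1:34028, id=19, length=70
User-Name = "81001@sage.home.local"
Sip-Group = "ld"
Service-Type = Group-Check
rad_check_password: Found Auth-Type Accept
"""

ATTR = re.compile(r'^\s*([\w-]+) = "?([^"]*)"?\s*$')   # Name = value pairs
AUTH_TYPE = re.compile(r"rad_check_password: Found Auth-Type (\S+)")


def split_requests(log_text):
    """Group debug lines into one record per received packet."""
    requests = []
    for line in log_text.splitlines():
        if line.startswith("rad_recv:"):
            requests.append({"attrs": {}, "auth_type": None, "errors": []})
        elif requests:  # ignore output before the first packet
            cur = requests[-1]
            attr, auth = ATTR.match(line), AUTH_TYPE.search(line)
            if attr:
                cur["attrs"][attr.group(1)] = attr.group(2)
            elif auth:
                cur["auth_type"] = auth.group(1)
            elif line.strip().startswith("ERROR:"):
                cur["errors"].append(line.strip())
    return requests


def misrouted_group_checks(log_text):
    """Return Group-Check requests whose Auth-Type was anything but Accept."""
    hits = []
    for req in split_requests(log_text):
        a = req["attrs"]
        if a.get("Service-Type") == "Group-Check" and req["auth_type"] not in (None, "Accept"):
            hits.append((a.get("User-Name"), a.get("Sip-Group"), req["auth_type"], req["errors"]))
    return hits
```
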