Hi, Guys...
As the MySQL problem is aparently solved I’m facing a Radius issue… I'm using FreeRadius 1.0.4, RadiusCliente-NG 0.5.2 and OpenSER 1.0.1.
If I duplicate the configs used with SER (and that it works fine) I’m unable to authenticate my UA (the same that authenticate with SER). The message with “debug=4” is:
Mar 1 15:41:43 dell openser-TEST[20789]: check_nonce(): comparing [4405ec129258d5cf9c016ade69cf37e33b5af52b] and [4405ec129258d5cf9c016ade69cf37e33b5af52b] Mar 1 15:41:43 dell openser-TEST[20789]: rc_check_reply: received invalid reply digest from RADIUS server Mar 1 15:41:43 dell openser-TEST[20789]: ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
So I supposed that there were some failed configuration, I looked at my “radiusd.conf” and finded: modules { ... digest { } ... } authorize { preprocess auth_log suffix digest sql } authenticate { digest }
As my FreeRadius back-end is a MySQL database, the 'sql' statement in authorize seems ok. And so do 'digest' in 'autheticate' section. The question remains: Why are OpenSER complain on Radius response? Maybe it's because of the sterman schema (?)....
Anyway, I try to test the server using the radtest tool. The output seems good to me:
# radtest 8201@DOMAIN.VALID 8201 127.0.0.1 12345 MyServerPassword Sending Access-Request of id 255 to 127.0.0.1:1812 User-Name = "8201@DOMAIN.VALID" User-Password = "8201" NAS-IP-Address = sip NAS-Port = 12345 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=255, length=35 Reply-Message = "Authenticated"
So I discard FreeRadius config. Is this related on the value of “Reply-Message”? I already read all Radius material that I found on OpenSER web-page…
What am I doing wrong? What am I missing? As this same configs work with SER 0.9.2, why did it not with OpenSER 1.0.x?
Edson.
Hello,
the error:
Mar 1 15:41:43 dell openser-TEST[20789]: rc_check_reply: received invalid reply digest from RADIUS server
comes from the radiusclient-ng library, in file "lib/sendserver.c" at line 498. Did you use the same version of radiusclient-ng before?
Cheers, Daniel
On 03/01/06 22:23, Edson wrote:
Hi, Guys...
As the MySQL problem is aparently solved I’m facing a Radius issue… I'm using FreeRadius 1.0.4, RadiusCliente-NG 0.5.2 and OpenSER 1.0.1.
If I duplicate the configs used with SER (and that it works fine) I’m unable to authenticate my UA (the same that authenticate with SER). The message with “debug=4” is:
Mar 1 15:41:43 dell openser-TEST[20789]: check_nonce(): comparing [4405ec129258d5cf9c016ade69cf37e33b5af52b] and [4405ec129258d5cf9c016ade69cf37e33b5af52b] Mar 1 15:41:43 dell openser-TEST[20789]: rc_check_reply: received invalid reply digest from RADIUS server Mar 1 15:41:43 dell openser-TEST[20789]: ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
So I supposed that there were some failed configuration, I looked at my “radiusd.conf” and finded: modules { ... digest { } ... } authorize { preprocess auth_log suffix digest sql } authenticate { digest }
As my FreeRadius back-end is a MySQL database, the 'sql' statement in authorize seems ok. And so do 'digest' in 'autheticate' section. The question remains: Why are OpenSER complain on Radius response? Maybe it's because of the sterman schema (?)....
Anyway, I try to test the server using the radtest tool. The output seems good to me:
# radtest 8201@DOMAIN.VALID 8201 127.0.0.1 12345 MyServerPassword Sending Access-Request of id 255 to 127.0.0.1:1812 User-Name = "8201@DOMAIN.VALID" User-Password = "8201" NAS-IP-Address = sip NAS-Port = 12345 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=255, length=35 Reply-Message = "Authenticated"
So I discard FreeRadius config. Is this related on the value of “Reply-Message”? I already read all Radius material that I found on OpenSER web-page…
What am I doing wrong? What am I missing? As this same configs work with SER 0.9.2, why did it not with OpenSER 1.0.x?
Edson.
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
The working SER installation uses radiusclient-ng 0.5.0-1. It was compiled after a CVS download maded on the beginning on jun/2005. Unfortunatly I miss the source code and am using an i686-RPM derived from that code.
I already try to use this RPM (version 0.5.0-1) on the Xeon machine. The results are the same. Just same message on /var/log/messages:
"Mar 2 21:45:54 sip openser: rc_check_reply: received invalid reply digest from RADIUS server"
When I start "openser -TDdd I see: ... 0(16385) get_hdr_field: cseq <CSeq>: <4> <REGISTER> 0(16385) DEBUG:maxfwd:is_maxfwd_present: value = 70 0(16385) parse_headers: flags=200 0(16385) DEBUG: get_hdr_body : content_length=0 0(16385) found end of header 0(16385) find_first_route: No Route headers found 0(16385) loose_route: There is no Route HF 0(16385) grep_sock_info - checking if host==us: 13==13 && [ZZZ.ZZ.ZZZ.39] == [ZZZ.ZZ.ZZZ.39] 0(16385) grep_sock_info - checking if port 5060 matches port 5060 0(16385) parse_headers: flags=ffffffffffffffff 0(16385) check_via_address(XXX.XX.XXX.120, 172.27.248.6, 0) 0(16385) lookup(): '' Not found in usrloc 0(16385) check_nonce(): comparing [440792edd872b52b27f6dbee8ab2af7f61016704] and [440792edd872b52b27f6dbee8ab2af7f61016704]
0(16385) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
0(16385) build_auth_hf(): 'WWW-Authenticate: Digest realm="ZZZ.ZZ.ZZZ.39", nonce="440792eeec1cb5b22b20c18355c2a9a71eeb1af7"' 0(16385) parse_headers: flags=ffffffffffffffff 0(16385) check_via_address(XXX.XX.XXX.120, 172.27.248.6, 0) 0(16385) DEBUG:destroy_avp_list: destroying list (nil) 0(16385) receive_msg: cleaning up ... I double checked all the "dictionary" definitions, triple checked my OpenSER and Radiusclient-NG config and were not able to find the mistake.
So I'm really out of ideas... Maybe is the return value ("Authenticated") illegal?
Edson.
-----Original Message----- From: Daniel-Constantin Mierla [mailto:daniel@voice-system.ro] Sent: quinta-feira, 2 de março de 2006 09:29 To: Edson Cc: 'OpenSER (E-mail)' Subject: Re: [Users] Radius Authentication
Hello,
the error:
Mar 1 15:41:43 dell openser-TEST[20789]: rc_check_reply: received invalid reply digest from RADIUS server
comes from the radiusclient-ng library, in file "lib/sendserver.c" at line 498. Did you use the same version of radiusclient-ng before?
Cheers, Daniel
On 03/01/06 22:23, Edson wrote:
Hi, Guys...
As the MySQL problem is aparently solved Im facing a Radius issue I'm
using FreeRadius 1.0.4, RadiusCliente-NG 0.5.2 and OpenSER 1.0.1.
If I duplicate the configs used with SER (and that it works fine) Im
unable to authenticate my UA (the same that authenticate with SER). The message with debug=4 is:
Mar 1 15:41:43 dell openser-TEST[20789]: check_nonce(): comparing
[4405ec129258d5cf9c016ade69cf37e33b5af52b] and [4405ec129258d5cf9c016ade69cf37e33b5af52b]
Mar 1 15:41:43 dell openser-TEST[20789]: rc_check_reply: received
invalid reply digest from RADIUS server
Mar 1 15:41:43 dell openser-TEST[20789]:
ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
So I supposed that there were some failed configuration, I looked at my
radiusd.conf and finded:
modules { ... digest { } ... } authorize { preprocess auth_log suffix digest sql } authenticate { digest }
As my FreeRadius back-end is a MySQL database, the 'sql' statement in
authorize seems ok. And so do 'digest' in 'autheticate' section.
The question remains: Why are OpenSER complain on Radius response? Maybe
it's because of the sterman schema (?)....
Anyway, I try to test the server using the radtest tool. The output
seems good to me:
# radtest 8201@DOMAIN.VALID 8201 127.0.0.1 12345 MyServerPassword Sending Access-Request of id 255 to 127.0.0.1:1812 User-Name = "8201@DOMAIN.VALID" User-Password = "8201" NAS-IP-Address = sip NAS-Port = 12345 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=255,
length=35
Reply-Message = "Authenticated"So I discard FreeRadius config. Is this related on the value of Reply-
Message? I already read all Radius material that I found on OpenSER web- page
What am I doing wrong? What am I missing? As this same configs work with
SER 0.9.2, why did it not with OpenSER 1.0.x?
Edson.
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
I need some functions similar to the UAC module's replace_from/ restore_from stuff. Before I get started, is there any reason this can't be done?
I have a provider that insists on seeing an e164 number followed by @1.2.3.4 (ip address) in the from and to headers. It looks like the replace_from gear will handle the from line. I have seen references to the to header. I think they can be interchanged? Is it possible that I can already change the to header and don't know it?
-greg
On 03/03/06 05:43, Greg Fausak wrote:
I need some functions similar to the UAC module's replace_from/restore_from stuff. Before I get started, is there any reason this can't be done?
To header should not be changed, to avoid interoperability problems -- however, same statement applies for From header :-) .
I have a provider that insists on seeing an e164 number followed by @1.2.3.4 (ip address) in the from and to headers. It looks like the replace_from gear will handle the from line. I have seen references to the to header. I think they can be interchanged? Is it possible that I can already change the to header and don't know it?
It is not possible to change the To header right now, only the From header. Recovering From header is done via a special parameter in Route headers. Something similar should be done for To header, but Route header might get pretty long.
Cheers, Daniel
-greg
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
Hello,
On 03/03/06 02:57, Edson wrote:
The working SER installation uses radiusclient-ng 0.5.0-1. It was compiled after a CVS download maded on the beginning on jun/2005. Unfortunatly I miss the source code and am using an i686-RPM derived from that code.
I already try to use this RPM (version 0.5.0-1) on the Xeon machine. The results are the same. Just same message on /var/log/messages:
"Mar 2 21:45:54 sip openser: rc_check_reply: received invalid reply digest from RADIUS server"
can you run the radius server in debug mode to see there what messages you get. Also, check the /var/log/syslog or /var/log/messages to see other error messages printed by radiusclient-ng library when you use debug mode with openser.
Cheers, Daniel
When I start "openser -TDdd I see: ... 0(16385) get_hdr_field: cseq <CSeq>: <4> <REGISTER> 0(16385) DEBUG:maxfwd:is_maxfwd_present: value = 70 0(16385) parse_headers: flags=200 0(16385) DEBUG: get_hdr_body : content_length=0 0(16385) found end of header 0(16385) find_first_route: No Route headers found 0(16385) loose_route: There is no Route HF 0(16385) grep_sock_info - checking if host==us: 13==13 && [ZZZ.ZZ.ZZZ.39] == [ZZZ.ZZ.ZZZ.39] 0(16385) grep_sock_info - checking if port 5060 matches port 5060 0(16385) parse_headers: flags=ffffffffffffffff 0(16385) check_via_address(XXX.XX.XXX.120, 172.27.248.6, 0) 0(16385) lookup(): '' Not found in usrloc 0(16385) check_nonce(): comparing [440792edd872b52b27f6dbee8ab2af7f61016704] and [440792edd872b52b27f6dbee8ab2af7f61016704]
0(16385) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
0(16385) build_auth_hf(): 'WWW-Authenticate: Digest realm="ZZZ.ZZ.ZZZ.39", nonce="440792eeec1cb5b22b20c18355c2a9a71eeb1af7"' 0(16385) parse_headers: flags=ffffffffffffffff 0(16385) check_via_address(XXX.XX.XXX.120, 172.27.248.6, 0) 0(16385) DEBUG:destroy_avp_list: destroying list (nil) 0(16385) receive_msg: cleaning up ... I double checked all the "dictionary" definitions, triple checked my OpenSER and Radiusclient-NG config and were not able to find the mistake.
So I'm really out of ideas... Maybe is the return value ("Authenticated") illegal?
Edson.
-----Original Message----- From: Daniel-Constantin Mierla [mailto:daniel@voice-system.ro] Sent: quinta-feira, 2 de março de 2006 09:29 To: Edson Cc: 'OpenSER (E-mail)' Subject: Re: [Users] Radius Authentication
Hello,
the error:
Mar 1 15:41:43 dell openser-TEST[20789]: rc_check_reply: received invalid reply digest from RADIUS server
comes from the radiusclient-ng library, in file "lib/sendserver.c" at line 498. Did you use the same version of radiusclient-ng before?
Cheers, Daniel
On 03/01/06 22:23, Edson wrote:
Hi, Guys...
As the MySQL problem is aparently solved I’m facing a Radius issue… I'm
using FreeRadius 1.0.4, RadiusCliente-NG 0.5.2 and OpenSER 1.0.1.
If I duplicate the configs used with SER (and that it works fine) I’m
unable to authenticate my UA (the same that authenticate with SER). The message with “debug=4” is:
Mar 1 15:41:43 dell openser-TEST[20789]: check_nonce(): comparing
[4405ec129258d5cf9c016ade69cf37e33b5af52b] and [4405ec129258d5cf9c016ade69cf37e33b5af52b]
Mar 1 15:41:43 dell openser-TEST[20789]: rc_check_reply: received
invalid reply digest from RADIUS server
Mar 1 15:41:43 dell openser-TEST[20789]:
ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
So I supposed that there were some failed configuration, I looked at my
“radiusd.conf” and finded:
modules { ... digest { } ... } authorize { preprocess auth_log suffix digest sql } authenticate { digest }
As my FreeRadius back-end is a MySQL database, the 'sql' statement in
authorize seems ok. And so do 'digest' in 'autheticate' section.
The question remains: Why are OpenSER complain on Radius response? Maybe
it's because of the sterman schema (?)....
Anyway, I try to test the server using the radtest tool. The output
seems good to me:
# radtest 8201@DOMAIN.VALID 8201 127.0.0.1 12345 MyServerPassword Sending Access-Request of id 255 to 127.0.0.1:1812 User-Name = "8201@DOMAIN.VALID" User-Password = "8201" NAS-IP-Address = sip NAS-Port = 12345 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=255,
length=35
Reply-Message = "Authenticated"So I discard FreeRadius config. Is this related on the value of “Reply-
Message”? I already read all Radius material that I found on OpenSER web- page…
What am I doing wrong? What am I missing? As this same configs work with
SER 0.9.2, why did it not with OpenSER 1.0.x?
Edson.
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
I run it, now with FreeRadius in debug mode (see results in attached file), but nothing changed... I run with the two versions of radiusclient that I have...
Any idea?
Edson.
PS: in attached file, You will find debug from OpenSER, FreeRadius and logs from /var/log/message and /var/log/radius/radacct/127.0.0.1/reply-detail-20060306.
-----Original Message----- From: Daniel-Constantin Mierla [mailto:daniel@voice-system.ro] Sent: sábado, 4 de março de 2006 08:24 To: Edson Cc: 'OpenSER (E-mail)' Subject: Re: [Users] Radius Authentication
Hello,
On 03/03/06 02:57, Edson wrote:
The working SER installation uses radiusclient-ng 0.5.0-1. It was
compiled
after a CVS download maded on the beginning on jun/2005. Unfortunatly I
miss
the source code and am using an i686-RPM derived from that code.
I already try to use this RPM (version 0.5.0-1) on the Xeon machine. The results are the same. Just same message on /var/log/messages:
"Mar 2 21:45:54 sip openser: rc_check_reply: received invalid reply
digest
from RADIUS server"
can you run the radius server in debug mode to see there what messages you get. Also, check the /var/log/syslog or /var/log/messages to see other error messages printed by radiusclient-ng library when you use debug mode with openser.
Cheers, Daniel
When I start "openser -TDdd I see: ... 0(16385) get_hdr_field: cseq <CSeq>: <4> <REGISTER> 0(16385) DEBUG:maxfwd:is_maxfwd_present: value = 70 0(16385) parse_headers: flags=200 0(16385) DEBUG: get_hdr_body : content_length=0 0(16385) found end of header 0(16385) find_first_route: No Route headers found 0(16385) loose_route: There is no Route HF 0(16385) grep_sock_info - checking if host==us: 13==13 &&
[ZZZ.ZZ.ZZZ.39]
== [ZZZ.ZZ.ZZZ.39] 0(16385) grep_sock_info - checking if port 5060 matches port 5060 0(16385) parse_headers: flags=ffffffffffffffff 0(16385) check_via_address(XXX.XX.XXX.120, 172.27.248.6, 0) 0(16385) lookup(): '' Not found in usrloc 0(16385) check_nonce(): comparing [440792edd872b52b27f6dbee8ab2af7f61016704] and [440792edd872b52b27f6dbee8ab2af7f61016704]
0(16385) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
0(16385) build_auth_hf(): 'WWW-Authenticate: Digest
realm="ZZZ.ZZ.ZZZ.39",
nonce="440792eeec1cb5b22b20c18355c2a9a71eeb1af7"' 0(16385) parse_headers: flags=ffffffffffffffff 0(16385) check_via_address(XXX.XX.XXX.120, 172.27.248.6, 0) 0(16385) DEBUG:destroy_avp_list: destroying list (nil) 0(16385) receive_msg: cleaning up ... I double checked all the "dictionary" definitions, triple checked my
OpenSER
and Radiusclient-NG config and were not able to find the mistake.
So I'm really out of ideas... Maybe is the return value
("Authenticated")
illegal?
Edson.
-----Original Message----- From: Daniel-Constantin Mierla [mailto:daniel@voice-system.ro] Sent: quinta-feira, 2 de março de 2006 09:29 To: Edson Cc: 'OpenSER (E-mail)' Subject: Re: [Users] Radius Authentication
Hello,
the error:
Mar 1 15:41:43 dell openser-TEST[20789]: rc_check_reply: received
invalid
reply digest from RADIUS server
comes from the radiusclient-ng library, in file "lib/sendserver.c" at line 498. Did you use the same version of radiusclient-ng before?
Cheers, Daniel
On 03/01/06 22:23, Edson wrote:
Hi, Guys...
As the MySQL problem is aparently solved Im facing a Radius issue
I'm
using FreeRadius 1.0.4, RadiusCliente-NG 0.5.2 and OpenSER 1.0.1.
If I duplicate the configs used with SER (and that it works fine) Im
unable to authenticate my UA (the same that authenticate with SER). The message with debug=4 is:
Mar 1 15:41:43 dell openser-TEST[20789]: check_nonce(): comparing
[4405ec129258d5cf9c016ade69cf37e33b5af52b] and [4405ec129258d5cf9c016ade69cf37e33b5af52b]
Mar 1 15:41:43 dell openser-TEST[20789]: rc_check_reply: received
invalid reply digest from RADIUS server
Mar 1 15:41:43 dell openser-TEST[20789]:
ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
So I supposed that there were some failed configuration, I looked at
my
radiusd.conf and finded:
modules { ... digest { } ... } authorize { preprocess auth_log suffix digest sql } authenticate { digest }
As my FreeRadius back-end is a MySQL database, the 'sql' statement in
authorize seems ok. And so do 'digest' in 'autheticate' section.
The question remains: Why are OpenSER complain on Radius response?
Maybe
it's because of the sterman schema (?)....
Anyway, I try to test the server using the radtest tool. The output
seems good to me:
# radtest 8201@DOMAIN.VALID 8201 127.0.0.1 12345 MyServerPassword Sending Access-Request of id 255 to 127.0.0.1:1812 User-Name = "8201@DOMAIN.VALID" User-Password = "8201" NAS-IP-Address = sip NAS-Port = 12345 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=255,
length=35
Reply-Message = "Authenticated"So I discard FreeRadius config. Is this related on the value of
Reply-
Message? I already read all Radius material that I found on OpenSER
web-
page
What am I doing wrong? What am I missing? As this same configs work
with
SER 0.9.2, why did it not with OpenSER 1.0.x?
Edson.
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
Hello,
On 03/07/06 04:16, Edson wrote:
I run it, now with FreeRadius in debug mode (see results in attached file), but nothing changed... I run with the two versions of radiusclient that I have...
Any idea?
I have seen that radius server returned authenticated, but the libradiusclient-ng returns failure. You should get some error message in the syslog file from libradiusclient-ng.
I will set up a radius server and play with it in my environment.
Cheers, Daniel
Edson.
PS: in attached file, You will find debug from OpenSER, FreeRadius and logs from /var/log/message and /var/log/radius/radacct/127.0.0.1/reply-detail-20060306.
-----Original Message----- From: Daniel-Constantin Mierla [mailto:daniel@voice-system.ro] Sent: sábado, 4 de março de 2006 08:24 To: Edson Cc: 'OpenSER (E-mail)' Subject: Re: [Users] Radius Authentication
Hello,
On 03/03/06 02:57, Edson wrote:
The working SER installation uses radiusclient-ng 0.5.0-1. It was
compiled
after a CVS download maded on the beginning on jun/2005. Unfortunatly I
miss
the source code and am using an i686-RPM derived from that code.
I already try to use this RPM (version 0.5.0-1) on the Xeon machine. The results are the same. Just same message on /var/log/messages:
"Mar 2 21:45:54 sip openser: rc_check_reply: received invalid reply
digest
from RADIUS server"
can you run the radius server in debug mode to see there what messages you get. Also, check the /var/log/syslog or /var/log/messages to see other error messages printed by radiusclient-ng library when you use debug mode with openser.
Cheers, Daniel
When I start "openser -TDdd I see: ... 0(16385) get_hdr_field: cseq <CSeq>: <4> <REGISTER> 0(16385) DEBUG:maxfwd:is_maxfwd_present: value = 70 0(16385) parse_headers: flags=200 0(16385) DEBUG: get_hdr_body : content_length=0 0(16385) found end of header 0(16385) find_first_route: No Route headers found 0(16385) loose_route: There is no Route HF 0(16385) grep_sock_info - checking if host==us: 13==13 &&
[ZZZ.ZZ.ZZZ.39]
== [ZZZ.ZZ.ZZZ.39] 0(16385) grep_sock_info - checking if port 5060 matches port 5060 0(16385) parse_headers: flags=ffffffffffffffff 0(16385) check_via_address(XXX.XX.XXX.120, 172.27.248.6, 0) 0(16385) lookup(): '' Not found in usrloc 0(16385) check_nonce(): comparing [440792edd872b52b27f6dbee8ab2af7f61016704] and [440792edd872b52b27f6dbee8ab2af7f61016704]
0(16385) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
0(16385) build_auth_hf(): 'WWW-Authenticate: Digest
realm="ZZZ.ZZ.ZZZ.39",
nonce="440792eeec1cb5b22b20c18355c2a9a71eeb1af7"' 0(16385) parse_headers: flags=ffffffffffffffff 0(16385) check_via_address(XXX.XX.XXX.120, 172.27.248.6, 0) 0(16385) DEBUG:destroy_avp_list: destroying list (nil) 0(16385) receive_msg: cleaning up ... I double checked all the "dictionary" definitions, triple checked my
OpenSER
and Radiusclient-NG config and were not able to find the mistake.
So I'm really out of ideas... Maybe is the return value
("Authenticated")
illegal?
Edson.
-----Original Message----- From: Daniel-Constantin Mierla [mailto:daniel@voice-system.ro] Sent: quinta-feira, 2 de março de 2006 09:29 To: Edson Cc: 'OpenSER (E-mail)' Subject: Re: [Users] Radius Authentication
Hello,
the error:
Mar 1 15:41:43 dell openser-TEST[20789]: rc_check_reply: received
invalid
reply digest from RADIUS server
comes from the radiusclient-ng library, in file "lib/sendserver.c" at line 498. Did you use the same version of radiusclient-ng before?
Cheers, Daniel
On 03/01/06 22:23, Edson wrote:
Hi, Guys...
As the MySQL problem is aparently solved I’m facing a Radius issue…
I'm
using FreeRadius 1.0.4, RadiusCliente-NG 0.5.2 and OpenSER 1.0.1.
If I duplicate the configs used with SER (and that it works fine) I’m
unable to authenticate my UA (the same that authenticate with SER). The message with “debug=4” is:
Mar 1 15:41:43 dell openser-TEST[20789]: check_nonce(): comparing
[4405ec129258d5cf9c016ade69cf37e33b5af52b] and [4405ec129258d5cf9c016ade69cf37e33b5af52b]
Mar 1 15:41:43 dell openser-TEST[20789]: rc_check_reply: received
invalid reply digest from RADIUS server
Mar 1 15:41:43 dell openser-TEST[20789]:
ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
So I supposed that there were some failed configuration, I looked at
my
“radiusd.conf” and finded:
modules { ... digest { } ... } authorize { preprocess auth_log suffix digest sql } authenticate { digest }
As my FreeRadius back-end is a MySQL database, the 'sql' statement in
authorize seems ok. And so do 'digest' in 'autheticate' section.
The question remains: Why are OpenSER complain on Radius response?
Maybe
it's because of the sterman schema (?)....
Anyway, I try to test the server using the radtest tool. The output
seems good to me:
# radtest 8201@DOMAIN.VALID 8201 127.0.0.1 12345 MyServerPassword Sending Access-Request of id 255 to 127.0.0.1:1812 User-Name = "8201@DOMAIN.VALID" User-Password = "8201" NAS-IP-Address = sip NAS-Port = 12345 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=255,
length=35
Reply-Message = "Authenticated"So I discard FreeRadius config. Is this related on the value of
“Reply-
Message”? I already read all Radius material that I found on OpenSER
web-
page…
What am I doing wrong? What am I missing? As this same configs work
with
SER 0.9.2, why did it not with OpenSER 1.0.x?
Edson.
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
First, let me cut the length of this e-mail... ;)
Now, the only message that appears is the one that I sended You in the previous e-mail.
I played arround with the libradiusclient (file lib/sendserver.c) setting DIGEST_DEBUG (see a diff below) and recompile all stuff. Than I run openser with -TDdd and look the output. It shows me that the MD5 isn't equal. I try this after find this comments: http://lists.cistron.nl/pipermail/freeradius-users/2003-February/015851.html
If it helps I can share an access to You in our server. Let me know about...
Edson...
========================================================================= 23a24,25
#define DIGEST_DEBUG 1
404a407,410
#ifdef DIGEST_DEBUG unsigned char *ptr=NULL; #endif
445c451 < rc_log(LOG_ERR, " %s", buf); ---
rc_log(LOG_ERR, " %s\n [%s]", buf,secret);
=========================================================================
-----Original Message----- From: Daniel-Constantin Mierla [mailto:daniel@voice-system.ro] Sent: quarta-feira, 8 de março de 2006 16:26 To: Edson Cc: 'OpenSER (E-mail)' Subject: Re: [Users] Radius Authentication
Hello,
On 03/07/06 04:16, Edson wrote:
I run it, now with FreeRadius in debug mode (see results in attached
file),
but nothing changed... I run with the two versions of radiusclient that
I
have...
Any idea?
I have seen that radius server returned authenticated, but the libradiusclient-ng returns failure. You should get some error message in the syslog file from libradiusclient-ng.
I will set up a radius server and play with it in my environment.
Cheers, Daniel
Edson.
PS: in attached file, You will find debug from OpenSER, FreeRadius and
logs
from /var/log/message and /var/log/radius/radacct/127.0.0.1/reply-detail-20060306.
Hello,
I searched on google the error message ("Received invalid reply digest from server") and it is due to the fact that the radius client and server do not agree on share secret. You have to check that the same share secret is set for radiusclient as well as for freeradius server. Note that the latest versions of freeradius uses two files for configuring the radius client attributes: 'clients' and 'clients.conf'. In the radiusclient side you have to check the 'servers' file.
Cheers, Daniel
On 03/09/06 00:49, Edson wrote:
First, let me cut the length of this e-mail... ;)
Now, the only message that appears is the one that I sended You in the previous e-mail.
I played arround with the libradiusclient (file lib/sendserver.c) setting DIGEST_DEBUG (see a diff below) and recompile all stuff. Than I run openser with -TDdd and look the output. It shows me that the MD5 isn't equal. I try this after find this comments: http://lists.cistron.nl/pipermail/freeradius-users/2003-February/015851.html
If it helps I can share an access to You in our server. Let me know about...
Edson...
========================================================================= 23a24,25
#define DIGEST_DEBUG 1
404a407,410
#ifdef DIGEST_DEBUG unsigned char *ptr=NULL; #endif
445c451
< rc_log(LOG_ERR, " %s", buf);
rc_log(LOG_ERR, " %s\n [%s]", buf,secret);=========================================================================
-----Original Message----- From: Daniel-Constantin Mierla [mailto:daniel@voice-system.ro] Sent: quarta-feira, 8 de março de 2006 16:26 To: Edson Cc: 'OpenSER (E-mail)' Subject: Re: [Users] Radius Authentication
Hello,
On 03/07/06 04:16, Edson wrote:
I run it, now with FreeRadius in debug mode (see results in attached
file),
but nothing changed... I run with the two versions of radiusclient that
I
have...
Any idea?
I have seen that radius server returned authenticated, but the libradiusclient-ng returns failure. You should get some error message in the syslog file from libradiusclient-ng.
I will set up a radius server and play with it in my environment.
Cheers, Daniel
Edson.
PS: in attached file, You will find debug from OpenSER, FreeRadius and
logs
from /var/log/message and /var/log/radius/radacct/127.0.0.1/reply-detail-20060306.
-
Daniel-Constantin Mierla -
Edson -
Greg Fausak