Hi!
I'm using openser CVS and try to deliver the rpid using auth_radius. But the rpid never appears in the AVPs. Also other AVP-SIP attributes (e.g. SIP-AVP = #101:TEST) do not appear in the AVP.
Filling AVPs in the .cfg using avp_write("$ruri/username","$ruser"); works fine, and those AVPs are printed by avp_print.
Any ideas how I can track down this problem?
thanks klaus
The radius server responds with a SIP-AVP (225) attribute (verified with tcpdump): rpid:sip:+4359966366102@1013cbc.com
my cfg snippet (full config attached): if (!radius_proxy_authorize("")) { xlog("L_WARN","wrong or no credentials - challenging client ..."); proxy_challenge("", "0"); exit; }; xlog("L_WARN","start avp_print()-"); avp_print(); xlog("L_WARN","stop avp_print()--");
the debug log: 8(5807) checking REGISTER authentication ... 8(5807) check_nonce(): comparing [42e78dca8153d605c63042be302f64af00e1abfc] and [42e78dca8153d605c63042be302f64af00e1abfc] 8(5807) DEBUG:auth_radius:radius_authorize_sterman: Success 8(5807) xl_printf: final buffer length 37 8(5807) start avp_print() - 8(5807) xl_printf: final buffer length 37 8(5807) stop avp_print() -- 8(5807) xl_printf: final buffer length 58
# # $Id: openser.cfg,v 1.1.1.1 2005/06/13 16:47:30 bogdan_iancu Exp $ # # simple quick-start config script #
# ----------- global configuration parameters ------------------------

# NOTE(review): debug=7 is very verbose; the debug log quoted in this thread
# contains the digest nonce (check_nonce output). Lower the level once the
# AVP problem has been tracked down.
debug=7            # debug level (cmd line: -dddddddddd)
#fork=yes
#log_stderror=no   # (cmd line: -E)

/* Uncomment these lines to enter debugging mode
fork=no
log_stderror=yes
*/

check_via=no       # (cmd. line: -v)
dns=no             # (cmd. line: -r)
rev_dns=no         # (cmd. line: -R)
#port=5060
#children=4
# NOTE(review): the FIFO lives in /tmp, a directory shared by all local users;
# confirm who is allowed to write to it.
fifo="/tmp/openser_fifo"
listen=1.2.3.83:5060

log_facility=LOG_LOCAL4 # /var/log/openser.log

# ------------------ module loading ----------------------------------

# Uncomment this if you want to use SQL database
#loadmodule "/usr/local/lib/ser/modules/mysql.so"

# All modules below are loaded relative to mpath.
mpath="/usr/lib/openser/modules"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "xlog.so"

loadmodule "postgres.so"
loadmodule "domain.so"
loadmodule "alias_db.so"

# Digest authentication: auth.so provides the challenge functions used in the
# routing logic, auth_radius.so checks the credentials against RADIUS.
# (The stock comment said "mysql.so must be loaded"; this setup loads
# postgres.so instead.)
loadmodule "auth.so"
loadmodule "auth_radius.so"

# avpops provides avp_write() / avp_print() used in the routing logic.
loadmodule "avpops.so"

# ----------------- setting module-specific parameters ---------------

# database configuration
# The database passwords are embedded in the URLs (masked in this post), so
# this file should be readable only by the account that runs openser.
modparam("usrloc", "db_url", "postgres://openser:xxxxxx@localhost/openser")
modparam("domain|uri_db|alias_db", "db_url", "postgres://openserro:xxxxxxx@localhost/openser")

# radius configuration
# Per the outcome of this thread: radiusclient discarded all attributes of a
# reply that contained attributes missing from its dictionary, so every
# attribute the RADIUS server may return (including SIP-AVP) has to be
# defined there.
modparam("auth_radius", "radius_config", "/etc/openser/radiusclient.conf")

# multi domain configuration
modparam("domain", "db_mode", 1)   # Use caching in domain module
modparam("alias_db|usrloc|registrar", "use_domain", 1)
# group, group_radius, speeddial, uri_db, avpops

# -- usrloc params --
modparam("usrloc", "db_mode", 1)   # 0=no DB, 1 = write through, 2=caching

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# AVPs
# I:101 = cbcprefix   # call by call provider prefix
# I:102 = ruser       # userpart in request uri
# I:103 = rdomain     # domainpart in request uri
# I:104 = dummy1
# I:105 = dummy2
#
# The aliases are used as "$ruser" / "$rdomain" by avp_write() in the main route.
modparam("avpops","avp_aliases","cbcprefix=I:101;ruser=I:102;rdomain=I:103;dummy1=I:104;dummy2=I:105")
# ------------------------- request routing logic -------------------
# main routing logic
# Main route: sanity checks, record-routing, RADIUS digest authentication for
# requests from local domains, then outbound relay or local REGISTER / usrloc
# handling. Every branch either exits or ends in route(1).
route{
    # One log line per request: time, method, request URI, From and To URI.
    xlog("L_WARN","[$Tf] $rm $ru ($fu --> $tu)");
    #xlog("L_WARN","reference to message buffer: $mb");

    # Test code: copy the request URI's user and domain parts into the AVPs
    # aliased as ruser / rdomain (these do show up in avp_print()).
    xlog("L_WARN","playing around with avps...");
    avp_write("$ruri/username","$ruser");
    avp_write("$ruri/domain","$rdomain");

    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        xlog("L_WARN","too many hops, reply with 483 ...");
        sl_send_reply("483","Too Many Hops");
        exit;
    };
    if (msg:len >= 2048 ) {
        xlog("L_WARN","message too big, reply with 513 ...");
        sl_send_reply("513", "Message too big");
        exit;
    };

    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol
    if (!is_method("REGISTER")) {
        record_route();
    }

    # subsequent messages within a dialog should take the
    # path determined by record-routing
    # Note that this branch relays before any authentication is done.
    if (loose_route()) {
        log(1,"loose_route processing ...");
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        route(1);
        exit;
    };

    # Authenticate everything except the listed methods, but only when the
    # From domain is local.
    if (!is_method("REGISTER|CANCEL|ACK|BYE|OPTIONS|INFO")) {
        if (is_from_local()) {
            xlog("L_WARN","checking authentication ...");
            # digest authentication against RADIUS; challenge and stop on failure
            if (!radius_proxy_authorize("")) {
                xlog("L_WARN","wrong or no credentials - challenging client ...");
                proxy_challenge("", "0");
                exit;
            };
            # Debug only: dump the AVPs attached to this request. In this
            # thread the dump stayed empty although the RADIUS reply carried
            # a SIP-AVP, because radiusclient dropped all reply attributes.
            xlog("L_WARN","start avp_print()--------");
            avp_print();
            xlog("L_WARN","stop avp_print()---------");

            # Strip the credentials so they are not forwarded downstream.
            consume_credentials();

            xlog("L_WARN","username/password correct ...");
            log(1,"adding rpid header ...");
            # NOTE(review): presumably builds the header from the rpid AVP
            # delivered by auth_radius. When that AVP is missing (the problem
            # in this thread) authentication still succeeds and nothing here
            # detects that no identity was attached -- confirm and consider
            # handling the missing-AVP case explicitly.
            append_rpid_hf();

        }
    }

    # NOTE(review): requests whose From domain is not local skip the
    # authentication above, and any request with a non-local request-URI host
    # is relayed here. A request with foreign From and foreign request URI is
    # therefore forwarded unauthenticated -- confirm this is intended.
    if (!is_uri_host_local()) {
        log(1,"outbound request ...");
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        route(1);
        exit;
    };

    # The request URI host is one of our domains: handle REGISTER, then
    # aliases and the usrloc lookup.
    # (The condition is always true here; the non-local case exited above.)
    if (is_uri_host_local()) {

        if (is_method("REGISTER")) {
            if (is_from_local()) {
                log(1,"processing REGISTER ...");

                xlog("L_WARN","checking REGISTER authentication ...");
                # digest authentication against RADIUS; challenge and stop on failure
                if (!radius_www_authorize("")) {
                    xlog("L_WARN","wrong or no credentials in REGISTER - challenging client ...");
                    www_challenge("", "0");
                    exit;
                };

                # Debug only: dump the AVPs attached to this request.
                xlog("L_WARN","start avp_print() of REGISTER--------");
                avp_print();
                xlog("L_WARN","stop avp_print() of REGISTER---------");
                consume_credentials();

                xlog("L_WARN","username/password correct in REGISTER, saving location ...");
                save("location");
                exit;
            } else {
                # From domain is not ours: refuse the registration.
                xlog("L_WARN","REGISTER for unknown domain received, reply with 403 ...");
                sl_send_reply("403","Use your own proxy");
                exit;
            }
        };

        # Alias lookup; its result is not checked. If it rewrote the request
        # URI to a non-local host, relay the request outbound.
        lookup("aliases");
        if (!is_uri_host_local()) {
            append_hf("P-hint: outbound alias\r\n");
            route(1);
            exit;
        };

        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) {
            # send to at43 main proxy
            # (forwarded to a fixed address instead of answering 404)
            xlog("L_WARN","user not found, forwarding to main proxy ...");
            t_relay_to_udp("1.2.3.160", "5060");
            #sl_send_reply("404", "Not Found");
            exit;
        };
    };
    append_hf("P-hint: usrloc applied\r\n");
    route(1);
}
# route[1]: common exit point of the main route -- relay the request
# statefully and, if relaying fails, send an error reply to the sender.
route[1] {
    xlog("L_WARN","route[1] entered ...");
    # send it out now; use stateful forwarding as it works reliably
    # even for UDP2TCP
    xlog("L_WARN","t_relay the request ...");
    if (!t_relay()) {
        # t_relay() failed: answer with an error reply
        sl_reply_error();
    };
    xlog("L_WARN","... leaving route[1]");
}
Hi Klaus,
I just added (on cvs) more debug messages in auth_radius when extracting AVPs. As I have no access to an auth RADIUS server, please give it a try and send me the debug output.
regards, bogdan
Klaus Darilion wrote:
Hi!
I'm using openser CVS and try to deliver the rpid using auth_radius. But the rpid never appears in the AVPs. Also other AVP-SIP attributes (e.g. SIP-AVP = #101:TEST) do not appear in the AVP.
Filling AVPs in the .cfg using avp_write("$ruri/username","$ruser"); works fine and are printed with avp_print.
Any ideas how I can track down this problem?
thanks klaus
The radius server responds with a SIP-AVP (225) attribute (verified with tcpdump): rpid:sip:+4359966366102@1013cbc.com
my cfg snippet (full config attached): if (!radius_proxy_authorize("")) { xlog("L_WARN","wrong or no credentials - challenging client ..."); proxy_challenge("", "0"); exit; }; xlog("L_WARN","start avp_print()-"); avp_print(); xlog("L_WARN","stop avp_print()--");
the debug log: 8(5807) checking REGISTER authentication ... 8(5807) check_nonce(): comparing [42e78dca8153d605c63042be302f64af00e1abfc] and [42e78dca8153d605c63042be302f64af00e1abfc] 8(5807) DEBUG:auth_radius:radius_authorize_sterman: Success 8(5807) xl_printf: final buffer length 37 8(5807) start avp_print() - 8(5807) xl_printf: final buffer length 37 8(5807) stop avp_print() -- 8(5807) xl_printf: final buffer length 58
Hi Bogdan!
Thanks for the DEBUG info. I found the problem. The *vp received from radiusclient was NULL.
There were also other RADIUS attributes in the RADIUS response which were not in the dictionary of the radiusclient. Thus, the radiusclient discarded all RADIUS attributes, including the SIP-AVP, even though the authentication itself was reported as successful :-(
IMO, the radiusclient should be more tolerant.
regards, klaus
PS: http://openser.org/dokuwiki/doku.php?id=radius
Bogdan-Andrei Iancu wrote:
Hi Klaus,
I just added (on cvs) more debug messages in auth_radius when extracting AVPs. As I have no access to an auth RADIUS server, please give it a try and send me the debug output.
regards, bogdan
Klaus Darilion wrote:
Hi!
I'm using openser CVS and try to deliver the rpid using auth_radius. But the rpid never appears in the AVPs. Also other AVP-SIP attributes (e.g. SIP-AVP = #101:TEST) do not appear in the AVP.
Filling AVPs in the .cfg using avp_write("$ruri/username","$ruser"); works fine and are printed with avp_print.
Any ideas how I can track down this problem?
thanks klaus
The radius server responds with a SIP-AVP (225) attribute (verified with tcpdump): rpid:sip:+4359966366102@1013cbc.com
my cfg snippet (full config attached): if (!radius_proxy_authorize("")) { xlog("L_WARN","wrong or no credentials - challenging client ..."); proxy_challenge("", "0"); exit; }; xlog("L_WARN","start avp_print()-"); avp_print(); xlog("L_WARN","stop avp_print()--");
the debug log: 8(5807) checking REGISTER authentication ... 8(5807) check_nonce(): comparing [42e78dca8153d605c63042be302f64af00e1abfc] and [42e78dca8153d605c63042be302f64af00e1abfc] 8(5807) DEBUG:auth_radius:radius_authorize_sterman: Success 8(5807) xl_printf: final buffer length 37 8(5807) start avp_print() - 8(5807) xl_printf: final buffer length 37 8(5807) stop avp_print() -- 8(5807) xl_printf: final buffer length 58
Hi Klaus,
nice debugging :). I think this problem should be reported to Maxim, since it sounds a little bit strange to me also...
regards, bogdan
Klaus Darilion wrote:
Hi Bogdan!
Thanks for the DEBUG info. I found the problem. The *vp received from radiusclient was NULL.
There were also other RADIUS attributes in the RADIUS response, which were not in the dictionary of the radiusclient. Thus, the radiusclient discarded all RADIUS attributes :-(
IMO, the radiusclient should be more tolerant.
regards, klaus
PS: http://openser.org/dokuwiki/doku.php?id=radius
Bogdan-Andrei Iancu wrote:
Hi Klaus,
I just added (on cvs) more debug messages in auth_radius when extracting AVPs. As I have no access to an auth RADIUS server, please give it a try and send me the debug output.
regards, bogdan
Klaus Darilion wrote:
Hi!
I'm using openser CVS and try to deliver the rpid using auth_radius. But the rpid never appears in the AVPs. Also other AVP-SIP attributes (e.g. SIP-AVP = #101:TEST) do not appear in the AVP.
Filling AVPs in the .cfg using avp_write("$ruri/username","$ruser"); works fine and are printed with avp_print.
Any ideas how I can track down this problem?
thanks klaus
The radius server responds with a SIP-AVP (225) attribute (verified with tcpdump): rpid:sip:+4359966366102@1013cbc.com
my cfg snippet (full config attached): if (!radius_proxy_authorize("")) { xlog("L_WARN","wrong or no credentials - challenging client ..."); proxy_challenge("", "0"); exit; }; xlog("L_WARN","start avp_print()-"); avp_print(); xlog("L_WARN","stop avp_print()--");
the debug log: 8(5807) checking REGISTER authentication ... 8(5807) check_nonce(): comparing [42e78dca8153d605c63042be302f64af00e1abfc] and [42e78dca8153d605c63042be302f64af00e1abfc] 8(5807) DEBUG:auth_radius:radius_authorize_sterman: Success 8(5807) xl_printf: final buffer length 37 8(5807) start avp_print() - 8(5807) xl_printf: final buffer length 37 8(5807) stop avp_print() -- 8(5807) xl_printf: final buffer length 58