27 Jul
2005
27 Jul
'05
4:56 p.m.
Hi!
I'm using openser CVS and try to deliver the rpid using auth_radius. But
the rpid never appears in the AVPs. Also other AVP-SIP attributes
(e.g. SIP-AVP = #101:TEST) do not appear in the AVP.
Filling AVPs in the .cfg using avp_write("$ruri/username","$ruser");
works fine and are printed with avp_print.
Any ideas how I can track down this problem?
thanks
klaus
The radius server responds with a SIP-AVP (225) attribute (verfied with
tcpdump):
rpid:<sip:+4359966366102@1013cbc.com>
my cfg snippet (full config attached):
if (!radius_proxy_authorize("")) {
xlog("L_WARN","wrong or no credentials - challenging client
...");
proxy_challenge("", "0");
exit;
};
xlog("L_WARN","start avp_print()-");
avp_print();
xlog("L_WARN","stop avp_print()--");
the debug log:
8(5807) checking REGISTER authentication ... 8(5807) check_nonce():
comparing [42e78dca8153d605c63042be302f64af00e1abfc] and
[42e78dca8153d605c63042be302f64af00e1abfc]
8(5807) DEBUG:auth_radius:radius_authorize_sterman: Success
8(5807) xl_printf: final buffer length 37
8(5807) start avp_print() - 8(5807) xl_printf: final buffer length 37
8(5807) stop avp_print() -- 8(5807) xl_printf: final buffer length 58
#
# $Id: openser.cfg,v 1.1.1.1 2005/06/13 16:47:30 bogdan_iancu Exp $
#
# simple quick-start config script
#
# ----------- global configuration parameters ------------------------
debug=7 # debug level (cmd line: -dddddddddd)
#fork=yes
#log_stderror=no # (cmd line: -E)
/* Uncomment these lines to enter debugging mode
fork=no
log_stderror=yes
*/
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
#port=5060
#children=4
fifo="/tmp/openser_fifo"
listen=1.2.3.83:5060
log_facility=LOG_LOCAL4 # /var/log/openser.log
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
#loadmodule "/usr/local/lib/ser/modules/mysql.so"
mpath="/usr/lib/openser/modules"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "xlog.so"
loadmodule "postgres.so"
loadmodule "domain.so"
loadmodule "alias_db.so"
# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "auth.so"
loadmodule "auth_radius.so"
loadmodule "avpops.so"
# ----------------- setting module-specific parameters ---------------
# database configuration
modparam("usrloc", "db_url",
"postgres://openser:xxxxxx@localhost/openser")
modparam("domain|uri_db|alias_db", "db_url",
"postgres://openserro:xxxxxxx@localhost/openser")
# radius configuration
modparam("auth_radius", "radius_config",
"/etc/openser/radiusclient.conf")
# multi domain configuration
modparam("domain", "db_mode", 1) # Use caching in domain module
modparam("alias_db|usrloc|registrar", "use_domain", 1) # group,
group_radius, speeddial, uri_db, avpops
# -- usrloc params --
modparam("usrloc", "db_mode", 1) # 0=no DB, 1 = write through,
2=caching
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# AVPs
# I:101 = cbcprefix
# call by call provider prefix
# I:102 = ruser
# userpart in request uri
# I:103 = rdomain
# domainpart in request uri
# I:104 = dummy1
# I:105 = dummy2
#
modparam("avpops","avp_aliases","cbcprefix=I:101;ruser=I:102;rdomain=I:103;dummy1=I:104;dummy2=I:105")
# ------------------------- request routing logic -------------------
# main routing logic
route{
xlog("L_WARN","[$Tf] $rm $ru ($fu --> $tu)");
#xlog("L_WARN","reference to message buffer: $mb");
xlog("L_WARN","playing around with avps...");
avp_write("$ruri/username","$ruser");
avp_write("$ruri/domain","$rdomain");
# initial sanity checks -- messages with
# max_forwards==0, or excessively long requests
if (!mf_process_maxfwd_header("10")) {
xlog("L_WARN","too many hops, reply with 483 ...");
sl_send_reply("483","Too Many Hops");
exit;
};
if (msg:len >= 2048 ) {
xlog("L_WARN","message too big, reply with 513 ...");
sl_send_reply("513", "Message too big");
exit;
};
# we record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
if (!is_method("REGISTER")) {
record_route();
}
# subsequent messages withing a dialog should take the
# path determined by record-routing
if (loose_route()) {
log(1,"loose_route processing ...");
# mark routing logic in request
append_hf("P-hint: rr-enforced\r\n");
route(1);
exit;
};
if (!is_method("REGISTER|CANCEL|ACK|BYE|OPTIONS|INFO")) {
if (is_from_local()) {
xlog("L_WARN","checking authentication ...");
# digest authentication
if (!radius_proxy_authorize("")) {
xlog("L_WARN","wrong or no credentials - challenging client
...");
proxy_challenge("", "0");
exit;
};
xlog("L_WARN","start avp_print()--------");
avp_print();
xlog("L_WARN","stop avp_print()---------");
consume_credentials();
xlog("L_WARN","username/password correct ...");
log(1,"adding rpid header ...");
append_rpid_hf();
}
}
if (!is_uri_host_local()) {
log(1,"outbound request ...");
# mark routing logic in request
append_hf("P-hint: outbound\r\n");
route(1);
exit;
};
# if the request is for other domain use UsrLoc
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if (is_uri_host_local()) {
if (is_method("REGISTER")) {
if (is_from_local()) {
log(1,"processing REGISTER ...");
xlog("L_WARN","checking REGISTER authentication ...");
# digest authentication
if (!radius_www_authorize("")) {
xlog("L_WARN","wrong or no credentials in REGISTER - challenging
client ...");
www_challenge("", "0");
exit;
};
xlog("L_WARN","start avp_print() of REGISTER--------");
avp_print();
xlog("L_WARN","stop avp_print() of REGISTER---------");
consume_credentials();
xlog("L_WARN","username/password correct in REGISTER, saving location
...");
save("location");
exit;
} else {
xlog("L_WARN","REGISTER for unknown domain received, reply with 403
...");
sl_send_reply("403","Use your own proxy");
exit;
}
};
lookup("aliases");
if (!is_uri_host_local()) {
append_hf("P-hint: outbound alias\r\n");
route(1);
exit;
};
# native SIP destinations are handled using our USRLOC DB
if (!lookup("location")) {
# send to at43 main proxy
xlog("L_WARN","user not found, forwarding to main proxy ...");
t_relay_to_udp("1.2.3.160", "5060");
#sl_send_reply("404", "Not Found");
exit;
};
};
append_hf("P-hint: usrloc applied\r\n");
route(1);
}
route[1]
{
xlog("L_WARN","route[1] entered ...");
# send it out now; use stateful forwarding as it works reliably
# even for UDP2TCP
xlog("L_WARN","t_relay the request ...");
if (!t_relay()) {
sl_reply_error();
};
xlog("L_WARN","... leaving route[1]");
}
27 Jul
27 Jul
6:56 p.m.
Hi Klaus,
I just added (on cvs) more debug messages in auth_radius when extracting
AVPs. As I have no access to an auth RADIUS server, please give it a try
and send my the debug output.
regards,
bogdan
Klaus Darilion wrote:
Hi!
I'm using openser CVS and try to deliver the rpid using auth_radius.
But the rpid never appears in the AVPs. Also other AVP-SIP attributes
(e.g. SIP-AVP = #101:TEST) do not appear in the AVP.
Filling AVPs in the .cfg using avp_write("$ruri/username","$ruser");
works fine and are printed with avp_print.
Any ideas how I can track down this problem?
thanks
klaus
The radius server responds with a SIP-AVP (225) attribute (verfied
with tcpdump):
rpid:<sip:+4359966366102@1013cbc.com>
my cfg snippet (full config attached):
if (!radius_proxy_authorize("")) {
xlog("L_WARN","wrong or no credentials - challenging client
...");
proxy_challenge("", "0");
exit;
};
xlog("L_WARN","start avp_print()-");
avp_print();
xlog("L_WARN","stop avp_print()--");
the debug log:
8(5807) checking REGISTER authentication ... 8(5807) check_nonce():
comparing [42e78dca8153d605c63042be302f64af00e1abfc] and
[42e78dca8153d605c63042be302f64af00e1abfc]
8(5807) DEBUG:auth_radius:radius_authorize_sterman: Success
8(5807) xl_printf: final buffer length 37
8(5807) start avp_print() - 8(5807) xl_printf: final buffer length 37
8(5807) stop avp_print() -- 8(5807) xl_printf: final buffer length 58
8:20 p.m.
Hi Bogdan!
Thanks dor the DEBUG info. I found the problem. The *vp received from
radiusclient was NULL.
There were also other RADIUS attributes in the RADIUS response, which
were not in the dictionary of the radiusclient. Thus, the radiusclient
discarded all RADIUS attributes :-(
IMO, the radiusclient should be more tolerant.
regards,
klaus
PS: http://openser.org/dokuwiki/doku.php?id=radius
Bogdan-Andrei Iancu wrote:
Hi Klaus,
I just added (on cvs) more debug messages in auth_radius when extracting
AVPs. As I have no access to an auth RADIUS server, please give it a try
and send my the debug output.
regards,
bogdan
Klaus Darilion wrote:
Hi!
I'm using openser CVS and try to deliver the rpid using auth_radius.
But the rpid never appears in the AVPs. Also other AVP-SIP attributes
(e.g. SIP-AVP = #101:TEST) do not appear in the AVP.
Filling AVPs in the .cfg using avp_write("$ruri/username","$ruser");
works fine and are printed with avp_print.
Any ideas how I can track down this problem?
thanks
klaus
The radius server responds with a SIP-AVP (225) attribute (verfied
with tcpdump):
rpid:<sip:+4359966366102@1013cbc.com>
my cfg snippet (full config attached):
if (!radius_proxy_authorize("")) {
xlog("L_WARN","wrong or no credentials - challenging client
...");
proxy_challenge("", "0");
exit;
};
xlog("L_WARN","start avp_print()-");
avp_print();
xlog("L_WARN","stop avp_print()--");
the debug log:
8(5807) checking REGISTER authentication ... 8(5807) check_nonce():
comparing [42e78dca8153d605c63042be302f64af00e1abfc] and
[42e78dca8153d605c63042be302f64af00e1abfc]
8(5807) DEBUG:auth_radius:radius_authorize_sterman: Success
8(5807) xl_printf: final buffer length 37
8(5807) start avp_print() - 8(5807) xl_printf: final buffer length 37
8(5807) stop avp_print() -- 8(5807) xl_printf: final buffer length 58
8:34 p.m.
Hi Klaus,
nice debugging :). I think this problem should be reported to Maxim
since sounds a little be strange to me also...
regards,
bogdan
Klaus Darilion wrote:
Hi Bogdan!
Thanks dor the DEBUG info. I found the problem. The *vp received from
radiusclient was NULL.
There were also other RADIUS attributes in the RADIUS response, which
were not in the dictionary of the radiusclient. Thus, the radiusclient
discarded all RADIUS attributes :-(
IMO, the radiusclient should be more tolerant.
regards,
klaus
PS: http://openser.org/dokuwiki/doku.php?id=radius
Bogdan-Andrei Iancu wrote:
Hi Klaus,
I just added (on cvs) more debug messages in auth_radius when
extracting AVPs. As I have no access to an auth RADIUS server, please
give it a try and send my the debug output.
regards,
bogdan
Klaus Darilion wrote:
Hi!
I'm using openser CVS and try to deliver the rpid using auth_radius.
But the rpid never appears in the AVPs. Also other AVP-SIP
attributes (e.g. SIP-AVP = #101:TEST) do not appear in the AVP.
Filling AVPs in the .cfg using avp_write("$ruri/username","$ruser");
works fine and are printed with avp_print.
Any ideas how I can track down this problem?
thanks
klaus
The radius server responds with a SIP-AVP (225) attribute (verfied
with tcpdump):
rpid:<sip:+4359966366102@1013cbc.com>
my cfg snippet (full config attached):
if (!radius_proxy_authorize("")) {
xlog("L_WARN","wrong or no credentials - challenging client
...");
proxy_challenge("", "0");
exit;
};
xlog("L_WARN","start avp_print()-");
avp_print();
xlog("L_WARN","stop avp_print()--");
the debug log:
8(5807) checking REGISTER authentication ... 8(5807) check_nonce():
comparing [42e78dca8153d605c63042be302f64af00e1abfc] and
[42e78dca8153d605c63042be302f64af00e1abfc]
8(5807) DEBUG:auth_radius:radius_authorize_sterman: Success
8(5807) xl_printf: final buffer length 37
8(5807) start avp_print() - 8(5807) xl_printf: final buffer length 37
8(5807) stop avp_print() -- 8(5807) xl_printf: final buffer length 58
7061
days inactive
7061
days old
4 comments
3 participants
participants (3)
-
Bogdan-Andrei Iancu -
Juha Heinanen -
Klaus Darilion