[first post to list]
Greetings,
I'm in the process of getting a Kamailio 3.3.2 installation authenticating its SIP accounts against a RADIUS database. There are -- at the moment -- no plans to do any fancy accounting nor any authorisation beyond simple authentication.
I've set up and tested a FreeRadius 2.2.3_1 server on a dedicated server.
After a fairly steep learning curve involving RADIUS dictionaries I've come so far that kamailio sends out a RADIUS Access-Request message that is received by FreeRadius, processed, and returned to Kamailio which promptly ignores it and continues to send 401 to the client; the SIP message exchange with the client being:
(some identifying info has been redacted)
REGISTER sip:my.domain SIP/2.0
< SIP/2.0 401 Unauthorized
  Via: SIP/2.0/UDP 10.25.191.24:41688;branch=z9hG4bK-d8754z-eac09e6c626d4c4d-1---d8754z-;rport=41688
REGISTER sip:my.domain SIP/2.0
  Via: SIP/2.0/UDP 10.25.191.24:41688;branch=z9hG4bK-d8754z-4f25c643f4b93465-1---d8754z-;rport
< SIP/2.0 401 Unauthorized
  Via: SIP/2.0/UDP 10.25.191.24:41688;branch=z9hG4bK-d8754z-4f25c643f4b93465-1---d8754z-;rport=41688
The RADIUS exchange:
10:07:10.861063 IP (tos 0x0, ttl 64, id 14964, offset 0, flags [none], proto UDP (17), length 270)
    10.24.194.198.63712 > 10.24.194.196.1812: [udp sum ok] RADIUS, length: 242
        Access Request (1), id: 0x05, Authenticator: 4215e95809551826eda76972be4106c4
          Username Attribute (1), length: 18, Value: mtu-06@my.domain
            0x0000:  6d74 752d 3036 4069 706b 2e73 722e 7365
          Unknown Attribute (207), length: 10, Value:
            0x0000:  0a08 6d74 752d 3036
          Unknown Attribute (207), length: 13, Value:
            0x0000:  010b 6970 6b2e 7372 2e73 65
          Unknown Attribute (207), length: 36, Value:
            0x0000:  0222 5532 6448 326c 4e6e 5271 3677 4353
            0x0010:  6463 6775 5056 3050 516e 3936 324d 5635
            0x0020:  6d34
          Unknown Attribute (207), length: 17, Value:
            0x0000:  040f 7369 703a 6970 6b2e 7372 2e73 65
          Unknown Attribute (207), length: 12, Value:
            0x0000:  030a 5245 4749 5354 4552
          Unknown Attribute (207), length: 8, Value:
            0x0000:  0506 6175 7468
          Unknown Attribute (207), length: 12, Value:
            0x0000:  090a 3030 3030 3030 3031
          Unknown Attribute (207), length: 36, Value:
            0x0000:  0822 3933 3832 3333 3333 3530 3162 3238
            0x0010:  6439 3236 3739 3863 3964 3038 6539 3134
            0x0020:  3733
          Unknown Attribute (206), length: 34, Value:
            0x0000:  3538 3665 3336 3763 3230 3163 3137 6438
            0x0010:  6261 3265 3830 3533 3763 6433 3562 3761
          Service Type Attribute (6), length: 6, Value: #15
            0x0000:  0000 000f
          Unknown Attribute (208), length: 8, Value:
            0x0000:  6d74 752d 3036
          NAS Port Attribute (5), length: 6, Value: 5060
            0x0000:  0000 13c4
          NAS IP Address Attribute (4), length: 6, Value: 10.24.194.198
            0x0000:  c079 c2c6
10:07:10.863964 IP (tos 0x0, ttl 64, id 28916, offset 0, flags [none], proto UDP (17), length 48)
    10.24.194.196.1812 > 10.24.194.198.63712: [bad udp cksum 0x06ac -> 0x44c0!] RADIUS, length: 20
        Access Accept (2), id: 0x05, Authenticator: 8f07de871a066aacfbe822e20a9b96c1
The RADIUS part of the Kamailio config is:
if (is_method("REGISTER") || from_uri==myself)
#if (is_method("REGISTER") )
{
    # authenticate requests
    xlog("L_INFO", "authenticate [$fd]\n");
    ### RADIUS ###
    if (!radius_www_authorize("my.domain")) {
        $var(ret) = $rc;
        xlog("L_INFO", "response code: [$var(ret)]\n");
        switch ($var(ret)) {
            case -7:
                send_reply("500", "Server Internal Error");
                exit;
            case -1:
                send_reply("400", "Bad Request");
                exit;
            default:
        };
        if (defined($avp(digest_challenge)) && ($avp(digest_challenge) != "")) {
            append_to_reply("$avp(digest_challenge)");
        };
        send_reply("401", "Unauthorized");
        exit;
    };
    # user authenticated - remove auth header
    if(!is_method("REGISTER|PUBLISH"))
        consume_credentials();
}
Any clues? What is missing from my narrative?
Hello,
you should just use www_challenge() to send back the 401 response.
Here is an old tutorial, from the time when the project was named openser, but it could be a good read anyhow:
- http://www.kamailio.org/docs/openser-radius-1.0.x.html
The authentication part is pretty much the same.
Cheers, Daniel
On 05/05/14 12:00, Måns Nilsson wrote:
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Subject: Re: [SR-Users] n00b question -- RADIUS authentication.
Date: Mon, May 05, 2014 at 12:09:54PM +0200
Quoting Daniel-Constantin Mierla (miconda@gmail.com):
Hello,
you should just use www_challenge() to send back the 401 response.
Here is an old tutorial, from the time when the project was named openser, but it could be a good read anyhow:
The authentication part is pretty much the same.
And the error too -- exactly the same symptoms are produced.
I also tried with another setup;
if (is_method("REGISTER") ) {
    # authenticate requests
    xlog("L_INFO", "authenticate [$fd]\n");
    ### RADIUS ###
    if(!radius_proxy_authorize("$fd")) {
        proxy_challenge("$fd", "1");
    }
    # user authenticated - remove auth header
    if(!is_method("REGISTER|PUBLISH"))
        consume_credentials();
}
This produces a 407 error; but other than that, things are identical.
The core question is why the positive reply from the RADIUS server isn't accepted as such. (could this be a problem with the dictionary?)
Stumblingly grateful,
Subject: Re: [SR-Users] n00b question -- RADIUS authentication.
Date: Mon, May 05, 2014 at 03:33:22PM +0200
Quoting Måns Nilsson (mansaxel@besserwisser.org):
The core question is why the positive reply from the RADIUS server isn't accepted as such. (could this be a problem with the dictionary?)
That was indeed spot on. The shared secret between RADIUS client and server was too long. ~ 80 chars of random text is too long.
I've not thought out exactly where this occurs, and who is to blame, but at first sight it looks like FreeRadius, with its limit of 31 chars, is the culprit:
"FreeRADIUS is limited to 31 characters for the shared secret."
http://wiki.freeradius.org/guide/faq#Incoming-Authentication-Request-passwor...
Thanks all for your attention and especially to Olle who stopped by in person and helped me think. I think he has a patch too; this was hard to find, since auth_radius module hides the response from radiusclient-ng; one small adjustment brings the fault code to attention.
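As an added illustration (not code from the thread, nor from Kamailio, FreeRADIUS or radiusclient-ng), here is the RFC 2865 Response Authenticator check that a RADIUS client applies to an Access-Accept, plus a small model of the symptom described above: if the server computes the authenticator with only the first 31 characters of a longer shared secret (an assumption modelled on the FAQ line quoted in the thread), the client's check fails and the accept is silently dropped even though it is visible on the wire. Secrets, identifiers and the Request Authenticator are constructed here.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length
FREERADIUS_SECRET_LIMIT = 31    # the limit quoted from the FreeRADIUS FAQ in the thread


def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = HEADER.pack(code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, secret, attrs=b""):
    # Server side: seal the Access-Accept with the server's copy of the shared secret.
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return HEADER.pack(ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret):
    # Client side: recompute the Response Authenticator with the client's secret.
    # On mismatch a client drops the reply as if it never arrived, which matches
    # what the thread saw: Access-Accept on the wire, 401 still sent to the phone.
    if len(packet) < 20:
        return False
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


def simulate_exchange(client_secret, server_limit=FREERADIUS_SECRET_LIMIT):
    # One Access-Request/Access-Accept round trip. Assumption (hypothetical model of
    # the FAQ statement): the server uses only the first server_limit bytes of the
    # secret, while the client uses the full string it was configured with.
    request_auth = os.urandom(16)  # constructed Request Authenticator for this request
    server_secret = client_secret[:server_limit]
    accept = build_access_accept(0x05, request_auth, server_secret)
    return verify_response(accept, request_auth, client_secret)


if __name__ == "__main__":
    print("31-char secret accepted:", simulate_exchange(b"k" * 31))  # True
    print("80-char secret accepted:", simulate_exchange(b"k" * 80))  # False
```

The same verify step is what makes a too-long secret look like "the server never answered" at the SIP layer, so checking secret length against the server's limit is worth adding to any RADIUS client configuration review.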