29 Apr
2004
29 Apr
'04
5:24 p.m.
Hello List,
I've been using SER with RADIUS successfully now for a few months and am
very pleased with the result. It's used for authenticating users accessing
our gateways.
I know have a new requirement to extend this to provide authentication for
remote domains.
The setup being as follows.
We've got SER running with FreeRADIUS, then at the remote sites we will have
the same plus Asterisk that is to act as a local gateway.
I've configured the local FreeRADIUS instance to proxy the requests for the
remote SIP domains to the remote RADIUS server. Unfortunately this doesn't
work and I'm not sure why.
The SUA gets asked by the remote SIP proxy to authenticate, it then forwards
the INVITE to the local SER instance which then gets the LOCAL RADIUS to do
another auth. This doesn't work. However if I disable the local auth and
leave the remote auth enabled it works fine.
Has anyone successfully managed to get proxied radius auth to work?
My other question is to do with getting SER to send the INVITE to a
different gateway if the primary one is at capacity/out of action? Is there
an example of this sort of config?
Kind Regards,
Alan
-------------------------------------------------------------------------------------------------------
This email, and any files transmitted with it, is copyright and may contain confidential
information.
The contents are intended for the use of the addressee(s) only.
Unauthorized use may be unlawful.
If you receive this email by mistake, please advise sender immediately.
The views of the author may not necessarily constitute the views of Telco Electronics
Limited.
Nothing in this mail shall bind Telco Electronics Limited in any contract or obligation.
Telco Electronics Limited
6-8 Oxford Court
Brackley
Northants
NN13 7XY
Tel 07000 701999
Fax 07000 701777
29 Apr
29 Apr
5:35 p.m.
Are you challenging the INVITE two times (remote and local)? So do you
use the same realm both times or different ones? I think using the same
realm two times will confuse the UAs and the proxies. Iy ou are using
different realms, the UA must support multiple realms/users/passwords.
As your local proxy does authentication using the remote radius server,
it is not necessary to challenge the INVITE at the remote proxy.
klaus
Alan Litster wrote:
Hello List,
I've been using SER with RADIUS successfully now for a few months and am
very pleased with the result. It's used for authenticating users accessing
our gateways.
I know have a new requirement to extend this to provide authentication for
remote domains.
The setup being as follows.
We've got SER running with FreeRADIUS, then at the remote sites we will have
the same plus Asterisk that is to act as a local gateway.
I've configured the local FreeRADIUS instance to proxy the requests for the
remote SIP domains to the remote RADIUS server. Unfortunately this doesn't
work and I'm not sure why.
The SUA gets asked by the remote SIP proxy to authenticate, it then forwards
the INVITE to the local SER instance which then gets the LOCAL RADIUS to do
another auth. This doesn't work. However if I disable the local auth and
leave the remote auth enabled it works fine.
Has anyone successfully managed to get proxied radius auth to work?
My other question is to do with getting SER to send the INVITE to a
different gateway if the primary one is at capacity/out of action? Is there
an example of this sort of config?
Kind Regards,
Alan
-------------------------------------------------------------------------------------------------------
This email, and any files transmitted with it, is copyright and may contain confidential
information.
The contents are intended for the use of the addressee(s) only.
Unauthorized use may be unlawful.
If you receive this email by mistake, please advise sender immediately.
The views of the author may not necessarily constitute the views of Telco Electronics
Limited.
Nothing in this mail shall bind Telco Electronics Limited in any contract or obligation.
Telco Electronics Limited
6-8 Oxford Court
Brackley
Northants
NN13 7XY
Tel 07000 701999
Fax 07000 701777
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
7:14 p.m.
We I get it to do auth for both remote and local it is using the same realm,
should this cause a problem?
Disabling remote auth makes it work correctly. So is this going to be a
problem with the SUAs?
I don't see any harm with doing auth at both ends but if it's going to cause
a problem then we'll have to only do it on the local gateway side.
At present we are using mainly Vega gateways but have the one Cisco 5300, we
will be standardising on Cisco. I don't know how they behave on busy.
Is error 486 the standard? I'll give that a go.
Thanks klaus
Regards,
Alan
-----Original Message-----
From: Klaus Darilion [mailto:klaus.mailinglists@pernau.at]
Sent: 29 April 2004 15:35
To: Alan Litster
Cc: SER Mailing List
Subject: Re: [Serusers] RADIUS between multiple domains + Fail Over
Gateways
Are you challenging the INVITE two times (remote and local)? So do you
use the same realm both times or different ones? I think using the same
realm two times will confuse the UAs and the proxies. Iy ou are using
different realms, the UA must support multiple realms/users/passwords.
As your local proxy does authentication using the remote radius server,
it is not necessary to challenge the INVITE at the remote proxy.
How does the GW behalf it is busy, will it send back '486 busy'? Just
catch failures t_on_failure and in the failure route add another branch
to the second gw and resend the message.
klaus
Alan Litster wrote:
Hello List,
I've been using SER with RADIUS successfully now for a few months and am
very pleased with the result. It's used for authenticating users accessing
our gateways.
I know have a new requirement to extend this to provide authentication for
remote domains.
The setup being as follows.
We've got SER running with FreeRADIUS, then at the remote sites we will
have
the same plus Asterisk that is to act as a local
gateway.
I've configured the local FreeRADIUS instance to proxy the requests for
the
remote SIP domains to the remote RADIUS server.
Unfortunately this doesn't
work and I'm not sure why.
The SUA gets asked by the remote SIP proxy to authenticate, it then
forwards
the INVITE to the local SER instance which then gets
the LOCAL RADIUS to
do
another auth. This doesn't work. However if I
disable the local auth and
leave the remote auth enabled it works fine.
Has anyone successfully managed to get proxied radius auth to work?
My other question is to do with getting SER to send the INVITE to a
different gateway if the primary one is at capacity/out of action? Is
there
an example of this sort of config?
Kind Regards,
Alan
--------------------------------------------------------------------------
-----------------------------
This email, and any files transmitted with it, is
copyright and may
contain confidential information.
The contents are intended for the use of the
addressee(s) only.
Unauthorized use may be unlawful.
If you receive this email by mistake, please advise sender immediately.
The views of the author may not necessarily constitute the views of Telco
Electronics Limited.
Nothing in this mail shall bind Telco Electronics
Limited in any contract
or obligation.
Telco Electronics Limited
6-8 Oxford Court
Brackley
Northants
NN13 7XY
Tel 07000 701999
Fax 07000 701777
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
-------------------------------------------------------------------------------------------------------
This email, and any files transmitted with it, is copyright and may contain confidential
information.
The contents are intended for the use of the addressee(s) only.
Unauthorized use may be unlawful.
If you receive this email by mistake, please advise sender immediately.
The views of the author may not necessarily constitute the views of Telco Electronics
Limited.
Nothing in this mail shall bind Telco Electronics Limited in any contract or obligation.
Telco Electronics Limited
6-8 Oxford Court
Brackley
Northants
NN13 7XY
Tel 07000 701999
Fax 07000 701777
7:30 p.m.
The proxy challenges the UA with a certain nonce. The UA has to create a
hash value consiting of the username, password, nonce (and some more).
Then the UA sends this hash to the proxy. The proxy (or the radius
server) also generates this hash and compares it with the one from the
UA. IF they are identical, authentication was sucessful.
The realm is used to identify the server who whishes authentication.
The problem arises as the nonce is random. So, an Authentication header
provided by the UA can only fits to the authentication of one of the
proxies as tehy will use different nonces.
klaus
PS: no responsibility is taken for 100% correctness of this information ;-)
Alan Litster wrote:
We I get it to do auth for both remote and local it is
using the same realm,
should this cause a problem?
Disabling remote auth makes it work correctly. So is this going to be a
problem with the SUAs?
I don't see any harm with doing auth at both ends but if it's going to cause
a problem then we'll have to only do it on the local gateway side.
At present we are using mainly Vega gateways but have the one Cisco 5300, we
will be standardising on Cisco. I don't know how they behave on busy.
Is error 486 the standard? I'll give that a go.
Thanks klaus
Regards,
Alan
-----Original Message-----
From: Klaus Darilion [mailto:klaus.mailinglists@pernau.at]
Sent: 29 April 2004 15:35
To: Alan Litster
Cc: SER Mailing List
Subject: Re: [Serusers] RADIUS between multiple domains + Fail Over
Gateways
Are you challenging the INVITE two times (remote and local)? So do you
use the same realm both times or different ones? I think using the same
realm two times will confuse the UAs and the proxies. Iy ou are using
different realms, the UA must support multiple realms/users/passwords.
As your local proxy does authentication using the remote radius server,
it is not necessary to challenge the INVITE at the remote proxy.
How does the GW behalf it is busy, will it send back '486 busy'? Just
catch failures t_on_failure and in the failure route add another branch
to the second gw and resend the message.
klaus
Alan Litster wrote:
Hello List,
I've been using SER with RADIUS successfully now for a few months and am
very pleased with the result. It's used for authenticating users accessing
our gateways.
I know have a new requirement to extend this to provide authentication for
remote domains.
The setup being as follows.
We've got SER running with FreeRADIUS, then at the remote sites we will
have
the same plus Asterisk that is to act as a local
gateway.
I've configured the local FreeRADIUS instance to proxy the requests for
the
remote SIP domains to the remote RADIUS server.
Unfortunately this doesn't
work and I'm not sure why.
The SUA gets asked by the remote SIP proxy to authenticate, it then
forwards
the INVITE to the local SER instance which then
gets the LOCAL RADIUS to
do
another auth. This doesn't work. However if I
disable the local auth and
leave the remote auth enabled it works fine.
Has anyone successfully managed to get proxied radius auth to work?
My other question is to do with getting SER to send the INVITE to a
different gateway if the primary one is at capacity/out of action? Is
there
an example of this sort of config?
Kind Regards,
Alan
--------------------------------------------------------------------------
-----------------------------
This email, and any files transmitted with it, is
copyright and may
contain confidential information.
The contents are intended for the use of the
addressee(s) only.
Unauthorized use may be unlawful.
If you receive this email by mistake, please advise sender immediately.
The views of the author may not necessarily constitute the views of Telco
Electronics Limited.
Nothing in this mail shall bind Telco Electronics
Limited in any contract
or obligation.
Telco Electronics Limited
6-8 Oxford Court
Brackley
Northants
NN13 7XY
Tel 07000 701999
Fax 07000 701777
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
-------------------------------------------------------------------------------------------------------
This email, and any files transmitted with it, is copyright and may contain confidential
information.
The contents are intended for the use of the addressee(s) only.
Unauthorized use may be unlawful.
If you receive this email by mistake, please advise sender immediately.
The views of the author may not necessarily constitute the views of Telco Electronics
Limited.
Nothing in this mail shall bind Telco Electronics Limited in any contract or obligation.
Telco Electronics Limited
6-8 Oxford Court
Brackley
Northants
NN13 7XY
Tel 07000 701999
Fax 07000 701777
30 Apr
30 Apr
2:22 p.m.
Yes, this is correct. If you have two servers performing digest
authentication then you must either configure them to use different
realm (which also means that you can use only user agents that support
it) or configure both servers with the same secret, see "secret"
parameter of auth module.
Jan.
On 29-04 18:30, Klaus Darilion wrote:
The proxy challenges the UA with a certain nonce. The
UA has to create a
hash value consiting of the username, password, nonce (and some more).
Then the UA sends this hash to the proxy. The proxy (or the radius
server) also generates this hash and compares it with the one from the
UA. IF they are identical, authentication was sucessful.
The realm is used to identify the server who whishes authentication.
The problem arises as the nonce is random. So, an Authentication header
provided by the UA can only fits to the authentication of one of the
proxies as tehy will use different nonces.
klaus
PS: no responsibility is taken for 100% correctness of this information ;-)
Alan Litster wrote:
We I get it to do auth for both remote and local
it is using the same
realm,
should this cause a problem?
Disabling remote auth makes it work correctly. So is this going to be a
problem with the SUAs?
I don't see any harm with doing auth at both ends but if it's going to
cause
a problem then we'll have to only do it on the local gateway side.
At present we are using mainly Vega gateways but have the one Cisco 5300,
we
will be standardising on Cisco. I don't know how they behave on busy.
Is error 486 the standard? I'll give that a go.
Thanks klaus
Regards,
Alan
-----Original Message-----
From: Klaus Darilion [mailto:klaus.mailinglists@pernau.at]
Sent: 29 April 2004 15:35
To: Alan Litster
Cc: SER Mailing List
Subject: Re: [Serusers] RADIUS between multiple domains + Fail Over
Gateways
Are you challenging the INVITE two times (remote and local)? So do you
use the same realm both times or different ones? I think using the same
realm two times will confuse the UAs and the proxies. Iy ou are using
different realms, the UA must support multiple realms/users/passwords.
As your local proxy does authentication using the remote radius server,
it is not necessary to challenge the INVITE at the remote proxy.
How does the GW behalf it is busy, will it send back '486 busy'? Just
catch failures t_on_failure and in the failure route add another branch
to the second gw and resend the message.
klaus
Alan Litster wrote:
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers Hello List,
I've been using SER with RADIUS successfully now for a few months and am
very pleased with the result. It's used for authenticating users accessing
our gateways.
I know have a new requirement to extend this to provide authentication for
remote domains.
The setup being as follows.
We've got SER running with FreeRADIUS, then at the remote sites we will
have
the same plus Asterisk that is to act as a local
gateway.
I've configured the local FreeRADIUS instance to proxy the requests for
the
remote SIP domains to the remote RADIUS server.
Unfortunately this doesn't
work and I'm not sure why.
The SUA gets asked by the remote SIP proxy to authenticate, it then
forwards
the INVITE to the local SER instance which then
gets the LOCAL RADIUS to
do
another auth. This doesn't work. However if I
disable the local auth and
leave the remote auth enabled it works fine.
Has anyone successfully managed to get proxied radius auth to work?
My other question is to do with getting SER to send the INVITE to a
different gateway if the primary one is at capacity/out of action? Is
there
an example of this sort of config?
Kind Regards,
Alan
--------------------------------------------------------------------------
-----------------------------
This email, and any files transmitted with it, is
copyright and may
contain confidential information.
The contents are intended for the use of the
addressee(s) only.
Unauthorized use may be unlawful.
If you receive this email by mistake, please advise sender immediately.
The views of the author may not necessarily constitute the views of Telco
Electronics Limited.
Nothing in this mail shall bind Telco Electronics
Limited in any contract
or obligation.
Telco Electronics Limited
6-8 Oxford Court
Brackley
Northants
NN13 7XY
Tel 07000 701999
Fax 07000 701777
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
-------------------------------------------------------------------------------------------------------
This email, and any files transmitted with it, is copyright and may
contain confidential information.
The contents are intended for the use of the addressee(s) only.
Unauthorized use may be unlawful.
If you receive this email by mistake, please advise sender immediately.
The views of the author may not necessarily constitute the views of Telco
Electronics Limited.
Nothing in this mail shall bind Telco Electronics Limited in any contract
or obligation.
Telco Electronics Limited
6-8 Oxford Court
Brackley
Northants
NN13 7XY
Tel 07000 701999
Fax 07000 701777
2:45 p.m.
Hi Jan,
I've done as you suggested and configured both servers with the same
secret and it now works a treat! I can now get both servers to perform
authentication on the sip user agent.
Thanks!
Alan
-----Original Message-----
From: Jan Janak [mailto:jan@iptel.org]
Sent: 30 April 2004 12:23
To: Klaus Darilion
Cc: Alan Litster; SER Mailing List
Subject: Re: [Serusers] RADIUS between multiple domains + Fail Over Gateways
Yes, this is correct. If you have two servers performing digest
authentication then you must either configure them to use different
realm (which also means that you can use only user agents that support
it) or configure both servers with the same secret, see "secret"
parameter of auth module.
Jan.
-------------------------------------------------------------------------------------------------------
This email, and any files transmitted with it, is copyright and may contain confidential
information.
The contents are intended for the use of the addressee(s) only.
Unauthorized use may be unlawful.
If you receive this email by mistake, please advise sender immediately.
The views of the author may not necessarily constitute the views of Telco Electronics
Limited.
Nothing in this mail shall bind Telco Electronics Limited in any contract or obligation.
Telco Electronics Limited
6-8 Oxford Court
Brackley
Northants
NN13 7XY
Tel 07000 701999
Fax 07000 701777
29 Apr
29 Apr
5:37 p.m.
My other question is to do with getting SER to send the INVITE to a
different gateway if the primary one is at capacity/out of action? Is there
an example of this sort of config?
How does the GW behalf it is busy, will it send back '486 busy'? Just
catch failures t_on_failure and in the failure route add another branch
to the second gw and resend the message.
klaus
5:55 p.m.
Alan Litster writes:
Has anyone successfully managed to get proxied radius
auth to work?
i had it working with radiator. i'm pretty sure that it can also be
made to work with freeradius. radiator first made a mysql query based
on the domain that returned the radius server information for that
domain and then proxied the radius request to the remote radius server.
My other question is to do with getting SER to send
the INVITE to a
different gateway if the primary one is at capacity/out of action? Is there
an example of this sort of config?
you can do this with failure routes. there are examples somewhere either
on iptel site or in ser source.
-- juha
7511
days inactive
7512
days old
7 comments
4 participants
participants (4)
-
Alan Litster -
Jan Janak -
Juha Heinanen -
Klaus Darilion