try to include both dictionary.ser (from SER) and dictionary.sip (from radiusclient) on ICRADIUS dictionary
I did, but nothing new happened ...
I forgot to say, add them to /etc/radiusclient/dictionary, too. Both ICRADIUS and radiusclient need to point to the same dictionary file content!
Both of them have dictionary.sip and dictionary.ser (/etc/radiusclient/dictionary and my ICRadius dictionary). But, you know, ICRadius has its dictionary in a mysql database. Will it have something to do with everything ?? But, both dictionaries are just the same.
It just makes no sense ... Why would some attributes be recognized and some others not. It is not logical, as they are all (the attributes) taken from the same files (dictionary.sip and dictionary.ser).
check if /etc/radiusclient/radiusclient.conf points to the correct dictionary you're using
Yes it does.
Is there any special configuration needed for the ser.cfg or for the radiusclient.conf ? The radius.conf file of my icradius has little to touch ... Any ideas ??
perhaps your SER is (like mine) pointing to /usr/local/etc/radiusclient/ and you're tweaking /etc/radiusclient/ ?
[root@radius]# ls -l /etc/radiusclient/dictionary
lrwxrwxrwx 1 root root /etc/radiusclient/dictionary -> /usr/local/etc/radiusclient/dictionary
Is this what you meant ???
By the way ... I made a call but did not see the called-station-Id nor the calling-station-Id, any ideas ?? But the call could just be placed, cause, 1st authentication takes place ... I mean, the User making the call exists and so I get an access-accept from radius. Then ser places the call, but I do not see the 2nd authentication taking place ... Does this happen to you ??
[]s, !3runo
Lucas
--- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.786 / Virus Database: 532 - Release Date: 29/10/2004
Hi there
Lucas Aimaretto wrote:
Both of them have dictionary.sip and dictionary.ser (/etc/radiusclient/dictionary and my ICRadius dictionary). But, you know, ICRadius has its dictionary in a mysql database. Will it have something to do with everything ?? But, both dictionaries are just the same.
bingo, you probably should re-import the dictionaries to mysql
By the way ... I made a call but did not see the called-station-Id nor the calling-station-Id, any ideas ?? But the call could just be placed, cause, 1st authentication takes place ... I mean, the User making the call exists and so I get an access-accept from radius. Then ser places the call, but I do not see the 2nd authentication taking place ... Does this happen to you ??
I'm not sure if I understood what you're saying... try rephrasing, plz
Cheers !3runo
Both of them have dictionary.sip and dictionary.ser (/etc/radiusclient/dictionary and my ICRadius dictionary). But, you know, ICRadius has its dictionary in a mysql database. Will it have something to do with everything ?? But, both dictionaries are just the same.
bingo, you probably should re-import the dictionaries to mysql
I already did that :( I re-imported the dictionaries into the mysql but got the same behaviour.
By the way ... I made a call but did not see the called-station-Id nor the calling-station-Id, any ideas ?? But the call could just be placed, cause, 1st authentication takes place ... I mean, the User making the call exists and so I get an access-accept from radius. Then ser places the call, but I do not see the 2nd authentication taking place ... Does this happen to you ??
I'm not sure if I understood what you're saying... try rephrasing, plz
What I tried to say, was (sorry for my english :( )
I use (actually) my IC-RADIUS with cisco and h323. Whenever a user wants to make a call, the following happens ...
CISCO              IC-RADIUS
  |                  |
  |---(1st AUTH)---->|
  |<-----(OK!)-------|
  |---(2nd AUTH)---->|
  |<-----(OK!)-------|
  |---(ACCT-START)-->|
  |<---(response)----|
  |------------------|
  | <- Data Flow ->  |
  |------------------|
  |---(ACCT-STOP)--->|
  |<---(response)----|
- 1st Auth: Cisco sends the User name, and if user exists, then Access-Accept. Otherwise, Access-Reject.
- 2nd Auth: Cisco sends Username, Calling-station-Id, Called-Station-Id (and password if any). If Called-Station-Id exists in user's available destinations, Access-Accept. Otherwise, Access-Reject.
- ACCT-Start: Cisco sends an Acct-Start message with Calling-Station-Id, Called-Station-Id, Acct-Session-Id and Acct-Start-Time attributes, among others.
- Communication Takes place.
- ACCT-Stop: Cisco sends an Acct-Start message with Calling-Station-Id, Called-Station-Id, Acct-Session-Id and Acct-Stop-Time attributes, among others.
So, now coming to SER. When I tried to make a call, only 1st auth took place between SER and IC-RADIUS.
SER                IC-RADIUS
  |                  |
  |---(1st AUTH)---->|
  |<-----(OK!)-------|
  |------------------|
  | <- Data Flow ->  |
  |------------------|
No 2nd auth, nor Acct-Messages were sent. The user trying to make the call existed on my RADIUS Database, and so RADIUS sent back an Access-Accept to SER, and ser automatically placed the call, yes ? Is this a normal SER's behaviour? How can I make SER send 2nd auth and Acct-Messages ?
Hope this time is clear! ;-)
Thank you very much ...
Cheers
Regards,
Lucas
Hi there
what you described doesn't seem to have anything to do with the dictionary anymore, so let's forget that for now (maybe it is fixed and you didn't notice because of the following case)
Lucas Aimaretto wrote:
So, now coming to SER. When I tried to make a call, only 1st auth took place between SER and IC-RADIUS.
SER                IC-RADIUS
  |                  |
  |---(1st AUTH)---->|
  |<-----(OK!)-------|
  |------------------|
  | <- Data Flow ->  |
  |------------------|
No 2nd auth, nor Acct-Messages were sent.
why would there be a 2nd auth for the same user? do you mean you desire a new auth per call?
what you're describing is correct, from the default SER installation point of view. the user is authenticated until his register "expires" (controlled on UA or forced by SER)
to make the acct packets travel you'll need to edit modules/acc/Makefile and uncomment radius defines (check the file please, it is very small)
then recompile SER (I wish acc module splits in acc_sql and acc_radius as with auth module somewhere in the future, so it will ease binary distributions) so your new acc module will have RADIUS support
then turn on acc module (loadmodule "acc.so") and turn on radius flags (see my previous post on the list with further instructions to enable RADIUS acct packets. it does work -- sort of)
I didn't have the time in the last couple of days to try to figure out where to insert the setflag to trigger the start packet (the stop and failed packets are generated ok on my test config)
The user trying to make the call existed on my RADIUS Database, and so RADIUS sent back an Access-Accept to SER, and ser automatically placed the call, yes ? Is this a normal SER's behaviour? How can I make SER send 2nd auth and Acct-Messages ?
Hope this time is clear! ;-)
much better, thanks!
Cheers !3runo
Thank you very much ...
Cheers
Regards, Lucas
Hello Bruno,
what you described doesn't seem to have anything to do with the dictionary anymore, so let's forget that for now (maybe it is fixed and you didn't notice because of the following case)
Yes, you're right ... It is another subject ... Sorry I'll finish with dictionaries later ...
So, now coming to SER. When I tried to make a call, only 1st auth took place between SER and IC-RADIUS.
SER                IC-RADIUS
  |                  |
  |---(1st AUTH)---->|
  |<-----(OK!)-------|
  |------------------|
  | <- Data Flow ->  |
  |------------------|
No 2nd auth, nor Acct-Messages were sent.
why would there be a 2nd auth for the same user? do you mean you desire a new auth per call?
Well, suppose the following ...
User "A" exists in radius' database, and he is only allowed to call users B,C,D and E. What about if user "A" wants to call user "F", how do I control that ???
Well, I have (today) different "destination lists" which I assign to any new user I create. In those lists I have several possible destinations for that particular user. So ... going back ...
SER                IC-RADIUS
  |                  |
  |---(1st AUTH)---->|
  |<-----(OK!)-------|
  |---(2nd AUTH)---->|
  |<-----(OK!)-------|
  |------------------|
  | <- Data Flow ->  |
  |------------------|
In 1st auth, I send Username and check if he/she exists in database (in this case user "A"). If so, then Access-Accept. Now, in 2nd auth I also send Calling-station-Id and Called-Station-Id, being Called-Station-Id the User who "A" wants to talk to, am I clear ? If Called-Station-Id does not exist in User's "A" destination list, then RADIUS sends back an Access-Reject.
Another option is, yes!, to send everything (username, calling-station-id and called-station-id) in just one message, so as to check destination too in only the 1st auth ... But I do not see SER sending the Called-Station-Id attribute in the auth process nor the calling-station-id (which is NULL). I just see the Username attribute. Look ...
radrecv: Access Request from host c0a801fd code=1, id=47, length=281
    User-Name = "1992005@192.168.1.253"
    Digest-Attributes = "\012\0111992005"
    Digest-Attributes = "\001\017192.168.1.253"
    Digest-Attributes = "\002*419e6d1044b039c6a5570602eb629a2b6b2cb881"
    Digest-Attributes = "\004\033sip:1992001@192.168.1.253"
    Digest-Attributes = "\003\010INVITE"
    Digest-Response = "5844c35bc08dfe74b5481c959c13d65e"
    Service-Type = Sip-Session
    Sip-Uri-User = "1992005"
    Cisco-AVPair = "call-id=3CBA2689-8049-4D01-AB08-1DE8EE7B20BE@192.168.1.178"
    NAS-IP-Address = 192.168.1.253
    NAS-Port-Id = 5060
SQL: Attempting to reserve socket
SQL: Reserved socket 0
Username is now 1992005
Calling station Id is now (null)
CalledID==NULL
credit_amount (18.90)
Sending Access Ack of id 47 to c0a801fd (nas linux)
    Credit-Amount = "V9:T102:L26:683332332d6372656469742d616d6f756e743d31382e3930"
SQL: Socket 0 used for 0.70 seconds
SQL: Released socket 0
Do you see ?
How can I (if possible) do that (to send also [Called/Calling]-Station-Id)?
Cheers
Thank you again ..
Lucas
Hi there
Lucas Aimaretto wrote:
why would there be a 2nd auth for the same user? do you mean you desire a new auth per call?
Well, suppose the following ...
User "A" exists in radius' database, and he is only allowed to call users B,C,D and E. What about if user "A" wants to call user "F", how do I control that ???
I read a couple of days ago (in this list) that one could call an authorize during the INVITE step, but I didn't try it, yet (still fighting with RADIUS Start acct packet)
Another option is, yes!, to send everything (username, calling-station-id and called-station-id) in just one message, so as to check destination too in only the 1st auth ... But I do not see SER sending the Called-Station-Id attribute in the auth process nor the calling-station-id (which is NULL). I just see the Username attribute. Look ...
that's because your auth is being sent during the REGISTER step, not the INVITE step (REGISTER and INVITE are SIP terms for authorizing the client on the server and to instantiate a call to a SIP endpoint, just for clarification)
radrecv: Access Request from host c0a801fd code=1, id=47, length=281
    User-Name = "1992005@192.168.1.253"
    Digest-Attributes = "\012\0111992005"
    Digest-Attributes = "\001\017192.168.1.253"
    Digest-Attributes = "\002*419e6d1044b039c6a5570602eb629a2b6b2cb881"
    Digest-Attributes = "\004\033sip:1992001@192.168.1.253"
    Digest-Attributes = "\003\010INVITE"
    Digest-Response = "5844c35bc08dfe74b5481c959c13d65e"
    Service-Type = Sip-Session
    Sip-Uri-User = "1992005"
    Cisco-AVPair = "call-id=3CBA2689-8049-4D01-AB08-1DE8EE7B20BE@192.168.1.178"
    NAS-IP-Address = 192.168.1.253
    NAS-Port-Id = 5060
SQL: Attempting to reserve socket
SQL: Reserved socket 0
Username is now 1992005
Calling station Id is now (null)
CalledID==NULL
credit_amount (18.90)
Sending Access Ack of id 47 to c0a801fd (nas linux)
    Credit-Amount = "V9:T102:L26:683332332d6372656469742d616d6f756e743d31382e3930"
SQL: Socket 0 used for 0.70 seconds
SQL: Released socket 0
Do you see ?
I got the picture but really don't know how to solve that, yet -- that's on my TODO list, as soon as I discover WHY I can't generate the Start RADIUS acct packets - I put setflag(1) on every "if" inside my nathelper.cfg example which I'm testing and still don't get these packets on my RADIUS server :-(
How can I (if possible) do that (to send also [Called/Calling]-Station-Id)?
sorry, haven't a clue, right now :^)
Cheers !3runo
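Added example, not part of the thread and not SER or ICRADIUS code: the Digest-Attributes values in the radrecv log above are type/length/value sub-attributes (types per draft-sterman-aaa-sip), and decoding them shows which SIP method and target URI the Access-Request carries. The destination_allowed() policy and the allowed-destination set are hypothetical, and the check assumes the proxy has already verified that the digest URI matches the Request-URI.

```python
import re

# Sub-attribute types as defined in draft-sterman-aaa-sip (RADIUS digest auth).
SUBTYPES = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 5: "QOP",
            6: "Algorithm", 7: "Body-Digest", 8: "CNonce",
            9: "Nonce-Count", 10: "User-Name"}

# Digest-Attributes values copied from the radrecv log in the thread.
LOG_VALUES = [
    r"\012\0111992005",
    r"\001\017192.168.1.253",
    r"\002*419e6d1044b039c6a5570602eb629a2b6b2cb881",
    r"\004\033sip:1992001@192.168.1.253",
    r"\003\010INVITE",
]

def unescape(text):
    """Turn the log's three-digit octal escapes back into raw bytes."""
    raw = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), text)
    return raw.encode("latin-1")

def decode_digest_attributes(values):
    """Decode type(1) | length(1) | data; the length byte covers the header."""
    out = {}
    for value in values:
        raw = unescape(value)
        if len(raw) < 2 or raw[1] != len(raw):
            raise ValueError(f"bad sub-attribute length in {value!r}")
        name = SUBTYPES.get(raw[0], f"Unknown-{raw[0]}")
        out[name] = raw[2:].decode("latin-1")
    return out

def called_user(digest):
    """Return the user part of the digest URI (the request target), or None."""
    m = re.match(r"sips?:([^@;]+)@", digest.get("URI", ""))
    return m.group(1) if m else None

def destination_allowed(digest, allowed):
    """Hypothetical policy: accept only INVITEs to users on the caller's list."""
    return digest.get("Method") == "INVITE" and called_user(digest) in allowed

if __name__ == "__main__":
    decoded = decode_digest_attributes(LOG_VALUES)
    for name, value in decoded.items():
        print(f"{name:10} {value}")
    # Constructed destination list for the caller, for illustration only.
    print("allowed:", destination_allowed(decoded, {"1992001", "1992002"}))
```

For the logged request this yields Method INVITE and URI sip:1992001@192.168.1.253, so a per-destination check on the RADIUS side can read the target from Digest-Attributes even though Called-Station-Id is absent.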