17 Nov
2004
17 Nov
'04
9:27 p.m.
>try to
include both dictionary.ser (from SER) and dictionary.sip
>(from radiusclient) on ICRADIUS dictionary
I did, but nothing new happened ...
I forget to say, add them to /etc/radiusclient/dictionary,
too. both ICRADIUS and radiusclient needs to point to the
same dictionary file content! It just makes
no sense ... Why would some attributes be
recognized and
some others not. It is not logical, as they are all (the
attributes)
taken from the same files (dictionary.sip and dictionary.ser).
check if /etc/radiusclient/radiusclient.conf points
to the correct dictionary you're using Is there any
special configuration needed for the ser.cfg
or for the
radiusclient.conf ? The radius.conf file of my icradius has
little to touch ... Any ideas ??
perhaps your SER is (like mine) pointing to
/usr/local/etc/radiusclient/ and you're tweaking /etc/radiusclient/ ? []s, !3runo
Lucas
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.786 / Virus Database: 532 - Release Date: 29/10/2004
17 Nov
17 Nov
11:25 p.m.
New subject: [Serusers] SER and IC-RADIUS
Hi there
Lucas Aimaretto wrote:
Both of them have dictionary.sip and dictionary.ser
(/etc/radiusclient/dictionary and my ICRadius dictionary). But, you
know, ICRadius has its dictionary in a mysql database. Will it have
something to do with everything ?? But, both dictionaries are just the
same.
bingo, you problably should re-import the directionaries
to mysql
By the way ... I mak a call but did not see the
called-station-Id nor
the calling-station-Id, any ideas ?? But the call could just be placed,
cause, 1st authentication takes place ... I mean, the User making the
call exists and so I get an access-accept from radius. Then ser places
de call, but I do not see the 2nd authentication taking place ... Does
this happen to you ??
I'm not sure if I understood what you're saying... try rephrasing, plz
Cheers
!3runo
19 Nov
19 Nov
7:58 p.m.
New subject: [Serusers] SER and IC-RADIUS
Both of them
have dictionary.sip and dictionary.ser
(/etc/radiusclient/dictionary and my ICRadius dictionary). But, you
know, ICRadius has its dictionary in a mysql database. Will it have
something to do with everything ?? But, both dictionaries
are just the
same.
bingo, you problably should re-import the directionaries
to mysql By the way ...
I mak a call but did not see the
called-station-Id nor
the calling-station-Id, any ideas ?? But the call
could just be
placed, cause, 1st authentication takes place ... I mean, the User
making the call exists and so I get an access-accept from
radius. Then
ser places de call, but I do not see the 2nd
authentication taking
place ... Does this happen to you ??
I'm not sure if I understood what you're saying... try rephrasing, plz Cheers
Regards,
Lucas
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.786 / Virus Database: 532 - Release Date: 29/10/2004
7:46 p.m.
New subject: [Serusers] SER and IC-RADIUS
Hi there
what you described doesn't seem to have anything
to do with the dictionary anymore, so let's forget
that for now (may be it is fixed and you didn't
noticed because the following case)
Lucas Aimaretto wrote:
So, now coming to SER.
When I tried to make a call, only 1st auth took place between SER and
IC-RADIUS.
SER IC-RADIUS
| |
|---(1st AUTH)---->|
|<-----(OK!)-------|
|------------------|
| <- Data Flow -> |
|------------------|
No 2nd auth, nor Acct-Messages were sent.
why would be a 2a auth for the same user? do you mean
you desire a new auth per call?
what you're describing is correct, from the default
SER installation point of view. the user is authenticated
until his register "expires" (controlled on UA or forced
by SER)
to make the acct packets travel you'll need to edit
modules/acc/Makefile and uncomment radius defines
(check the file please, it is very small)
then recompile SER (I wish acc module splits in
acc_sql and acc_radius as with auth module somewhere
in the future, so it will easy binary distributions)
so your new acc module will have RADIUS support
then turn on acc module (loadmodule "acc.so")
and turn on radius flags (see my previous post
on the list with further instructions to enable
RADIUS acct packets. it does work -- sort of)
I didn't had the time on the last couple days to try
to figure out where to insert the setflag to trigger
the start packet (the stop and failed packets are
generated ok on my test config)
The user trying to make the
called, existed on my RADIUS Database, and so RADIUS sent back and
Access-Accept to SER, and ser automatically placed the call, yes ? Is
this a normal SER´s behaviour? How can I make SER send 2nd auth and
Acct-Messages ?
Hope this time is clear! ;-)
much better, thanks!
Cheers
!3runo
Thank you very much ...
Cheers
Regards,
Lucas
11:08 p.m.
New subject: [Serusers] SER and IC-RADIUS
Hello Bruno,
Well, suppouse the following ...
User "A" exists in radius' database, and he is only allowed to call
users B,C,D and E. What about if user "A" wants to call user "F", how
do
I control that ???
Well, I have (today) different "destination lists" wich I assign to any
new user I create. In those lists I have several possible destinations
for that particular user. So ... going back ...
SER IC-RADIUS
| |
|---(1st AUTH)---->|
|<-----(OK!)-------|
|---(2nd AUTH)---->|
|<-----(OK!)-------|
|------------------|
| <- Data Flow -> |
|------------------|
In 1st auth, I send Username and check if he/she exists in database (in
this case user "A"). If so, then Access-Accept. Now, in 2nd auth I also
send Calling-station-Id and Called-Station-Id, being Called-Station-Id
the User who "A" wants to talk to, am I clear ? If Called-Station-Id
does not exist in User's "A" destination list, then RADIUS sends back an
Access-Reject.
Another option is, yes!, to send everything (username,
calling-station-id and called-station-id) in just one message, so as to
check destination too in only the 1st auth ... But I do not see SER
being sending the Called-Station-Id attribute in the auth process nor
the calling-station-id (which is NULL). I just see the Username
attribute. Look ...
radrecv: Access Request from host c0a801fd code=1, id=47, length=281
User-Name = "1992005(a)192.168.1.253"
Digest-Attributes = "\012\0111992005"
Digest-Attributes = "\001\017192.168.1.253"
Digest-Attributes = "\002*419e6d1044b039c6a5570602eb629a2b6b2cb881"
Digest-Attributes = "\004\033sip:1992001@192.168.1.253"
Digest-Attributes = "\003\010INVITE"
Digest-Response = "5844c35bc08dfe74b5481c959c13d65e"
Service-Type = Sip-Session
Sip-Uri-User = "1992005"
Cisco-AVPair =
"call-id=3CBA2689-8049-4D01-AB08-1DE8EE7B20BE(a)192.168.1.178"
NAS-IP-Address = 192.168.1.253
NAS-Port-Id = 5060
SQL: Attempting to reserve socket
SQL: Reserved socket 0
Username is now 1992005
Calling station Id is now (null)
CalledID==NULL
credit_amount (18.90)
Sending Access Ack of id 47 to c0a801fd (nas linux)
Credit-Amount =
"V9:T102:L26:683332332d6372656469742d616d6f756e743d31382e3930"
SQL: Socket 0 used for 0.70 seconds
SQL: Released socket 0
Do you see ?
How can I (if possible) do that (to send also
[Called/Calling]-Station-Id)?
what you described doesn't seem to have anything
to do with the dictionary anymore, so let's forget
that for now (may be it is fixed and you didn't
noticed because the following case)
Yes, you're rigth ... It is another subject ... Sorry
I'll finish with dictionaries later ...
So, now coming
to SER.
When I tried to make a call, only 1st auth took place
between SER and
IC-RADIUS.
SER IC-RADIUS
| |
|---(1st AUTH)---->|
|<-----(OK!)-------|
|------------------|
| <- Data Flow -> |
|------------------|
No 2nd auth, nor Acct-Messages were sent.
why would be a 2a auth for the same user? do you mean
you desire a new auth per call? Cheers
Thank you again ..
Lucas
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.786 / Virus Database: 532 - Release Date: 29/10/2004
20 Nov
20 Nov
12:30 a.m.
New subject: [Serusers] SER and IC-RADIUS
Hi there
Lucas Aimaretto wrote:
I read a couple of days ago (in this list) that one could
call an authorize during the INVITE step, but I didn't try
it, yet (still fighting with RADIUS Start acct packet)
why would be a
2a auth for the same user? do you mean
you desire a new auth per call?
Well, suppouse the following ...
User "A" exists in radius' database, and he is only allowed to call
users B,C,D and E. What about if user "A" wants to call user "F",
how do I control that ??? Another option is, yes!, to send everything
(username,
calling-station-id and called-station-id) in just one message, so as to
check destination too in only the 1st auth ... But I do not see SER
being sending the Called-Station-Id attribute in the auth process nor
the calling-station-id (which is NULL). I just see the Username
attribute. Look ...
that's because your auth is being sent during the REGISTER step,
not the INVITE step (REGISTER and INVITE are SIP terms
for authorizing the client on the server and to instantiate
a call to a SIP endpoing, just for clarification)
radrecv: Access Request from host c0a801fd code=1,
id=47, length=281
User-Name = "1992005(a)192.168.1.253"
Digest-Attributes = "\012\0111992005"
Digest-Attributes = "\001\017192.168.1.253"
Digest-Attributes = "\002*419e6d1044b039c6a5570602eb629a2b6b2cb881"
Digest-Attributes = "\004\033sip:1992001@192.168.1.253"
Digest-Attributes = "\003\010INVITE"
Digest-Response = "5844c35bc08dfe74b5481c959c13d65e"
Service-Type = Sip-Session
Sip-Uri-User = "1992005"
Cisco-AVPair =
"call-id=3CBA2689-8049-4D01-AB08-1DE8EE7B20BE(a)192.168.1.178"
NAS-IP-Address = 192.168.1.253
NAS-Port-Id = 5060
SQL: Attempting to reserve socket
SQL: Reserved socket 0
Username is now 1992005
Calling station Id is now (null)
CalledID==NULL
credit_amount (18.90)
Sending Access Ack of id 47 to c0a801fd (nas linux)
Credit-Amount =
"V9:T102:L26:683332332d6372656469742d616d6f756e743d31382e3930"
SQL: Socket 0 used for 0.70 seconds
SQL: Released socket 0
Do you see ?
I got the picture but really don't know how to solve
that, yet -- that's on my TODO list, as soon as I discover
WHY I can't generate the Start RADIUS acct packets -
I put setflag(1) on every "if" inside my nathelper.cfg
example which I'm testing and still doesn't get these
packets on my RADIUS server :-(
How can I (if possible) do that (to send also
[Called/Calling]-Station-Id)?
sorry, haven't a clue, right now :^)
Cheers
!3runo
7316
days inactive
7318
days old
5 comments
2 participants
participants (2)
-
Bruno Lopes F. Cabral -
Lucas Aimaretto