1 Sep
2007
1 Sep
'07
11:45 a.m.
Hi Dan,
Thanks for all your help and support, I really appreciate it. I was able
to get it to work.
Although I had to replace all VSA'a with the SIP-AVP attributes. For some
reason the SIP-AVP's were not loaded due to the presence of other VSA's.
Maybe it was because I was using a = sign in the value prefixes instead of
: or #.
Is this a known issue.
Regards,
Danish
ps: Someone asked earlier about the radius server I was using. The radius
server along with the billing solution is from advancedvoip.com, so far
our experience with them has been quite good.
Hi Danish,
sorry for replying to you so late, but I was out from the office today.
Here you go:
First of all, my bad, the returned value should be in the form:
return-code#0 if you want your value to be treated as an integer or
return-code:0 if 0 the AVP should be considered as string - has been a
while since I worked last time with those. By using a higher layer of
debug you should be able to see your avps converted inside when
received from radius.
The rest of your configuration looks good. Note that you can return
more AVP values with the same reply, so you can include the credit
amount as well:
SIP-AVP="return-code#0"
SIP-AVP="h323-credit-amount#4206"
Hope you will rock now.
Cheers,
DanB
On 8/30/07, danish.samad(a)vocalseeds.com <danish.samad(a)vocalseeds.com>
wrote:
Hi Dan,
To test the functionality of SIP-AVP, I am trying to get theses avp's in
the registration block, shown below. Basically on sucessful registration
the radius server returns the following attributes in acces-accpet
Attributes:
SIP-AVP = "return-code=0"
cisco-h323-credit-amount = "h323-credit-amount=4206"
so after registration I am trying to get the return code value. The
registration block is shown below
route[2] {
# -----------------------------------------------------------------
# REGISTER Message Handler
# ----------------------------------------------------------------
xlog("L_NOTICE","Danish: Entering route[2]\n");
xlog("L_NOTICE","Danish: Register message IPsrcaddr [$si],
RecvdIPaddr[$Ri]\n");
if (!search("^Contact:[ ]*\*") && nat_uac_test("2"))
{
xlog("L_NOTICE","Danish: In route[2] Found Nated
contact\n");
setflag(6);
setbflag(6);
# if you want OPTIONS natpings uncomment next
setbflag(7);
fix_nated_register();
force_rport();
};
sl_send_reply("100", "Trying");
if (!radius_www_authorize("192.168.0.99")) {
www_challenge("192.168.0.99", "1");
};
consume_credentials();
#avp_print();
xlog("L_NOTICE","Danish: Before is set check\n");
if(is_avp_set("$avp(s:return-code)")){
xlog("L_NOTICE","Danish: return code is set \n");
};
xlog("L_NOTICE","Danish: After is set check\n");
if(avp_check("$avp(s:return-code)", "eq/i:0/g"))
{
xlog("L_NOTICE","Danish: return code 0 received
\n");
};
if (!save("location")) {
sl_reply_error();
};
}
In my logs I see
058) DEBUG:auth_radius:generate_avps: getting SIP AVPs from avpair 225
4(11058) Danish: Before is set check
4(11058) Danish: After is set check
4(11058) DEBUG:avpops:ops_check_avp: no src avp found
so both conditional avp checks fail and the last debug line is a bit
worrying
I traced the first debug line above to sterman.c->generate_avps()
so just under this debug line I added this piece of code
vp=rc_avpair_get(vp,attrs[A_SIP_AVP].v,0);
if (vp != NULL)
{
DBG("DEBUG:auth_radius:generate_avps: strvalue %s\n",
vp->strvalue);
}
else
DBG("DEBUG:auth_radius:generate_avps: vp is null\n");
and this is what I got
4(11058) DEBUG:auth_radius:generate_avps: getting SIP AVPs from avpair
225
4(11058) DEBUG:auth_radius:generate_avps: vp is null
hence openser is not loading the SIP-avp in $avp(s:return-code). I think
either I am missing something in the openser script or the way I am
returning the attribute.
all relevant definitions in the cfg are given below:
loadmodule "/usr/local/lib/openser/modules/auth_radius.so"
loadmodule "/usr/local/lib/openser/modules/uri_radius.so"
loadmodule "/usr/local/lib/openser/modules/avp_radius.so"
loadmodule "/usr/local/lib/openser/modules/avpops.so"
modparam("auth_radius|uri_radius|avp_radius", "radius_config",
"/usr/local/etc/radiusclient-ng/radiusclient.conf")
modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")
modparam("uri_db|usrloc", "db_url",
"mysql://openser:openserrw@localhost/openser")
modparam("nathelper", "natping_interval", 20)
modparam("nathelper", "ping_nated_only", 1)
modparam("nathelper", "rtpproxy_sock",
"unix:/var/run/rtpproxy.sock")
modparam("nathelper", "received_avp", "$avp(i:42)")
modparam("nathelper", "sipping_bflag", 7)
modparam("nathelper", "sipping_from",
"sip:pinger@abc.org")
modparam("registrar", "received_avp", "$avp(i:42)")
modparam("usrloc", "db_mode", 2)
modparam("usrloc", "nat_bflag", 6)
Hope this explains everything and you would be in a better position to
help.
Regards,
Danish
ps: isnt there any sample script I can refer to for sip-avp radius
configurations.
Hi Danish,
can u post the full block where you are doing these checks?
DanB
On 8/29/07, danish.samad(a)vocalseeds.com <danish.samad(a)vocalseeds.com>
wrote:
> Hi Dan,
> Thanks for the explanation, things are more clear now. Now I am
> returning
> a SIP-AVP from radius (for authentication), this is what I see in the
> logs
>
> Attributes:
> SIP-AVP = "return-code=0"
> .......
>
> In my script I do
> avp_print();
> if(is_avp_set("$avp(s:return-code)")){
> xlog("L_NOTICE","return code is set \n");
> };
> if(avp_check("$avp(s:return-code)", "eq/0/g"))
> {
> xlog("L_NOTICE","return code 0 received \n");
> };
>
> none of the checks pass and nothing is printed from avp_print. In
> openser
> logs I see this line
>
> 1(32550) DEBUG:auth_radius:generate_avps: getting SIP AVPs from
avpair
> 225
>
> am I missing some pre-requisites or what am I doing wrong.
>
> Regards,
> Danish
>
>
> > Hi Danish,
> >
> > for the moment you cannot process attributes other than SIP-AVP
inside
> > openser script. This one is
automatically converted into avp.
> > EG. A SIP-AVP attribute in the form of: "reason='No Credit'"
should
> > automatically create an AVP named reason with value "No Credit".
> >
> > Hope that helps,
> > DanB
> >
> >
> > On 8/29/07, danish.samad(a)vocalseeds.com
<danish.samad(a)vocalseeds.com>
> > wrote:
> >> Hi Dan,
> >>
> >> Thanks for your reply.
> >>
> >> Actually I am currently returning an integer status value in
> >> cisco-h323-return-code (a vendor specific attribute). So basically
> how
> >> can
> >> I extract the value returned in this attribute, compare it and
then
> send
> >> and sl reply.
> >>
> >> Probably there is a way of loading this attr value in an avp and
> >> comparing
> >> it?
> >>
> >> Regards,
> >> Danish
> >>
> >> > Hello Danish,
> >> >
> >> > a solution would be returning a SIP-AVP, containing the reason
for
> >> > failure, and then forward this
to the client using sl.
> >> > Another one would be completely rewriting R-URI again from your
> >> > SIP-AVP and then send the request to an announcement server (eg:
> >> > ann:paymentrequired@your.server - which should play Payment
> Required
> >> > annoucement).
> >> >
> >> > Cheers,
> >> > DanB
> >> >
> >> > On 8/29/07, danish.samad(a)vocalseeds.com
> <danish.samad(a)vocalseeds.com>
> >> > wrote:
> >> >> Hi,
> >> >>
> >> >> I have configured openser-1.2 with a (commercial) third party
> radius
> >> >> server and it is working great. Now I have a requirement where
I
> need
> >> to
> >> >> check a radius return attribute in case an access reject is
> received
> >> in
> >> >> response to an authorization request. Is there some way I can
do
> >> this
> >> >> in
> >> >> the openser script.
> >> >>
> >> >> Basically I want to send a 402 payment required message to a
sip
>>
client
>> >> in
>> >> case the call is rejected due low balance. In such cases radius
>> returns
>> >> a
>> >> status response code with access reject.
>> >>
>> >>
>> >> Thanks,
>> >> Danish
>> >>
>> >> _______________________________________________
>> >> Users mailing list
>> >> Users(a)openser.org
>> >> http://openser.org/cgi-bin/mailman/listinfo/users
>> >>
>> >
>>
>>
>
6292
days inactive
6292
days old
0 comments
1 participants
participants (1)
-
danish.samad@vocalseeds.com