Hello,
I'm using radius for auth with a mysql backend. I'm a little confused about Digest. I've read the radius howto and the mysql guide (http://www.frontios.com/freeradius.html) but it doesn't really explain digest.
When I add new users I'm putting them in the mysql table "radcheck". Do I then always have to enter the user in the /etc/raddb/digest file as well?
I'm trying to run a basic test. Here's what I have in the digest file:
User-Name = "test", Digest-Response = "631d6d73147add2f9e437f59bbc3aeb7", Digest-Realm = "testrealm", User-Password = "test", Digest-Nonce = "test" , Digest-Method = "INVITE", Digest-URI = "sip:5555551212@example.com", Digest-Algorithm = "MD5", Digest-User-Name = "test"
"radcheck" table:
UserName = test Attribute = Password Value = test
"radgroupcheck" table:
GroupName = phone Attribute = Auth-Type Value = Digest
"usergroup" table:
UserName = test GroupName = phone
When I run:
[root@scratch raddb]# radclient -f digest localhost auth qwerty
Received response ID 81, code 3, length = 20
Here's the debug output:
rad_recv: Access-Request packet from host 127.0.0.1:38061, id=91, length=154
    User-Name = "test"
    Digest-Response = "631d6d73147add2f9e437f59bbc3aeb7"
    Digest-Attributes = "\001\013testrealm"
    User-Password = "test"
    Digest-Attributes = "\002\006test"
    Digest-Attributes = "\003\010INVITE"
    Digest-Attributes = "\004\034sip:5555551212@example.com"
    Digest-Attributes = "\006\005MD5"
    Digest-Attributes = "\n\006test"
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "eap" returns noop for request 0
rlm_digest: Converting Digest-Attributes to something sane...
    Digest-Realm = "testrealm"
    Digest-Nonce = "test"
    Digest-Method = "INVITE"
    Digest-Uri = "sip:5555551212@example.com"
    Digest-Algorithm = "MD5"
    Digest-User-Name = "test"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 0
radius_xlat: 'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'test' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 0
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type DIGEST
rad_check_password: Found Auth-Type Digest
Warning: Found 2 auth-types on request for user 'test'
auth: type "digest"
modcall: entering group authenticate for request 0
A1 = test:testrealm:test
A2 = INVITE:sip:5555551212@example.com
KD = 1e00d6dbd30441265df6064b9d9b7da9:test:675b8c827b388805aa252ea38bfb6804
rlm_digest: FAILED authentication
modcall[authenticate]: module "digest" returns reject for request 0
modcall: group authenticate returns reject for request 0
auth: Failed to validate the user.
Login incorrect: [test/test] (from client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 91 to 127.0.0.1:38061
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 91 with timestamp 413f842e
Nothing to do. Sleeping until we see a request.
-------------------------
The username is "test" and the password is "test". I'm stumped.
I'm using FreeRadius 0.9.3 / SER 0.8.12 / radiusclient 0.3.2
Any help is appreciated.
Thanks,
- Darren
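Added example (not part of either message, and not FreeRADIUS code): a Python recomputation of the check whose intermediate values rlm_digest prints in the debug output above as A1, A2 and KD. It decodes the Digest-Attributes sub-attributes (type, length, value) and recomputes the response as MD5(KD), assuming plain MD5 with no qop as in this request; the function names are illustrative.

```python
import hashlib
import hmac

# Sub-attribute type numbers, as the debug log above maps them.
SUBATTR = {1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method",
           4: "Digest-URI", 6: "Digest-Algorithm", 10: "Digest-User-Name"}

# Digest-Attributes values copied from the rad_recv lines of the log.
RAW_ATTRS = [b"\001\013testrealm", b"\002\006test", b"\003\010INVITE",
             b"\004\034sip:5555551212@example.com", b"\006\005MD5",
             b"\n\006test"]
RECEIVED = "631d6d73147add2f9e437f59bbc3aeb7"  # Digest-Response from the post


def decode_digest_attributes(raw_attrs):
    """Unpack type/length/value; the length byte counts the 2 header bytes."""
    out = {}
    for raw in raw_attrs:
        if len(raw) < 2 or raw[1] != len(raw):
            raise ValueError("malformed Digest-Attributes: %r" % raw)
        if raw[0] not in SUBATTR:
            raise ValueError("unknown sub-attribute type %d" % raw[0])
        out[SUBATTR[raw[0]]] = raw[2:].decode("ascii")
    return out


def md5_hex(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()


def kd_string(attrs, password):
    """Build the string the log prints as KD: H(A1):nonce:H(A2)."""
    a1 = ":".join([attrs["Digest-User-Name"], attrs["Digest-Realm"], password])
    a2 = ":".join([attrs["Digest-Method"], attrs["Digest-URI"]])
    return ":".join([md5_hex(a1), attrs["Digest-Nonce"], md5_hex(a2)])


def expected_response(attrs, password):
    if attrs.get("Digest-Algorithm", "MD5").upper() != "MD5":
        raise ValueError("only plain MD5 without qop is handled here")
    return md5_hex(kd_string(attrs, password))


def verify(attrs, password, received):
    """Constant-time comparison of the recomputed and received responses."""
    return hmac.compare_digest(expected_response(attrs, password), received.lower())


if __name__ == "__main__":
    attrs = decode_digest_attributes(RAW_ATTRS)
    print("KD       =", kd_string(attrs, "test"))
    print("expected =", expected_response(attrs, "test"))
    print("received =", RECEIVED, "->", "ok" if verify(attrs, "test", RECEIVED) else "reject")
```

Running it prints the KD string for comparison with the KD line in the log. A mismatch between the expected and received values is the condition reported as "rlm_digest: FAILED authentication".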
Hi Darren,
You don't have to put the information in the digest file if mysql is used to store the information. Make sure you have "sql" within the authorize{} section of the radiusd.conf file.
If this doesn't work, try putting the following in your radcheck table.
UserName          Attribute       op      Value
--------          ---------       -----   -------
test@yourdomain   User-Password   ==      test
test@yourdomain   Auth-Type       :=      Digest
Zeus
-----Original Message-----
From: serusers-bounces@lists.iptel.org [mailto:serusers-bounces@lists.iptel.org] On Behalf Of Darren Bentley
Sent: Thursday, 9 September 2004 8:22 AM
To: serusers@lists.iptel.org
Subject: [Serusers] Ser with Radius/Mysql - digest problem?
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers