OK, I figured out that I had messed up the digest file that I was using with radclient. I now get a correct response using radclient to test against the freeradius server. When I try to auth from ser though, I am getting a failure. Group authenticate returns reject. I'm not intending to do any group authentication. I tried loading the group_radius module instead of the group module and I also tried loading no group modules, but I still get the same error.
Please see my radiusd-x output...
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Digest
auth: type "digest"
modcall: entering group authenticate
A1 = sdolloff:voip2.test.net:test
A2 = REGISTER:sip:voip2.test.net
KD = ad3c99a75e03ad3ead8254ce95a59a3b:3f7b05a030240eba31ec566b2d783170e9c98300:797c155d7796a9cb0be4154d07e88417
rlm_digest: FAILED authentication
modcall[authenticate]: module "digest" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Stephen
-----Original Message-----
From: Daniel-Constantin Mierla [mailto:Daniel-Constantin.Mierla@fokus.fraunhofer.de]
Sent: Wednesday, October 01, 2003 3:39 AM
To: Steve Dolloff
Cc: Serusers
Subject: Re: [Serusers] SER/SIP & RADIUS/Auth-Type = Digest
Hello, comments inline.
On 9/30/2003 10:32 PM, Steve Dolloff wrote:
I have installed freeradius according to the "HOW TO" for radius and now I am seeing the following error. I assume that since I am seeing errors on both servers that it is a problem with either the dictionary or the client. Here are the new error logs... any ideas?
rad_recv: Access-Request packet from host 209.242.100.153:33612, id=103, length=148
User-Name = "sdolloff"
Digest-Response = "631d6d73147add2f9e437f59bbc3aeb7"
Digest-Attributes = "\001\017voip2.test.net"
Digest-Attributes = "\002\006test"
Digest-Attributes = "\003\010INVITE"
Digest-Attributes = "\004\034sip:5555551212@example.com"
Digest-Attributes = "\006\005MD5"
Digest-Attributes = "\n\nsdolloff"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP-Message not found
modcall[authorize]: module "eap" returns noop
rlm_digest: Converting Digest-Attributes to something sane...
Digest-Realm = "voip2.test.net"
Digest-Nonce = "test"
Digest-Method = "INVITE"
Digest-Uri = "sip:5555551212@example.com"
Digest-Algorithm = "MD5"
Digest-User-Name = "sdolloff"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok
rlm_realm: No '@' in User-Name = "sdolloff", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns ok
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
modcall: entering group authenticate
rlm_digest: Configuration item "User-Password" is required for authentication.
It seems that the "User-Password" attribute is missing for user "sdolloff" in radius users file. It should look like the example from Radius HOW-TO: http://iptel.org/ser/doc/ser_radius/ser_radius.html#AEN139.
Daniel
modcall[authenticate]: module "digest" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 6 for 1 seconds
Finished request 6
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 103 to 209.242.100.153:33612
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 103 with timestamp 3f79e7dc
Nothing to do. Sleeping until we see a request.

Subject: Re: [Serusers] SER/SIP & RADIUS/Auth-Type = Digest
On (30.09.03 13:54), Steve Dolloff wrote:
209.242.100.153 for 'sdolloff@voip2.test.net' is ignored;no password or CHAP password is used
Your RADIUS server has to support Digest Authentication, and the line above seems to indicate that it does not do that.
If you can change your Radius server software, give Freeradius or Radiator (commercial, but excellent) a try. If you can not, try to educate your existing server to do CHAP-Type authentication.
hope that helps.
Alex Mayrhofer nic.at
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
On 10/1/2003 6:45 PM, Steve Dolloff wrote:
[...]
Please see my radiusd-x output...
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Digest
auth: type "digest"
modcall: entering group authenticate
A1 = sdolloff:voip2.test.net:test
A2 = REGISTER:sip:voip2.test.net
KD = ad3c99a75e03ad3ead8254ce95a59a3b:3f7b05a030240eba31ec566b2d783170e9c98300:797c155d7796a9cb0be4154d07e88417
rlm_digest: FAILED authentication
modcall[authenticate]: module "digest" returns reject
The only thing I think could be wrong is the password. Is it 'test' for user 'sdolloff'? Perhaps someone who has more experience using Radius can help you more.
modcall: group authenticate returns reject
I am not sure, I never really used it, but I don't think that this message is related to the group module of ser.
Daniel
auth: Failed to validate the user.
Stephen
On 01-10 11:45, Steve Dolloff wrote:
OK, I figured out that I had messed up the digest file that I was using with radclient. I now get a correct response using radclient to test against the freeradius server. When I try to auth from ser though, I am getting a failure. Group authenticate returns reject. I'm not intending to do any group authentication. I tried loading the group_radius module instead of the group module and I also tried loading no group modules, but I still get the same error.
Please see my radiusd-x output...
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Digest
auth: type "digest"
modcall: entering group authenticate
A1 = sdolloff:voip2.test.net:test
A2 = REGISTER:sip:voip2.test.net
KD = ad3c99a75e03ad3ead8254ce95a59a3b:3f7b05a030240eba31ec566b2d783170e9c98300:797c155d7796a9cb0be4154d07e88417
rlm_digest: FAILED authentication
modcall[authenticate]: module "digest" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
This is the group module of the radius server, not ser. What is more important is that the digest module of the radius server returns reject; that's the reason why it doesn't authenticate. What's in your users file?
Jan.
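
Added example, not part of the thread and not FreeRADIUS or SER code: a small checker that decodes the Digest-Attributes sub-attributes seen in the debug output and recomputes the response from A1, A2 and KD, so a candidate users-file password can be tested against a captured Digest-Response. It assumes MD5 without qop, as in the logged KD string; the function names and the sample request are made up for illustration.

```python
import hashlib
import hmac

# Sub-attribute numbers as decoded in the rlm_digest debug output in this thread.
SUBATTR = {1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method",
           4: "Digest-Uri", 6: "Digest-Algorithm", 10: "Digest-User-Name"}

def tlv(kind, text):
    """Build one sub-attribute: type byte, length byte (header included), value."""
    return bytes([kind, len(text) + 2]) + text.encode()

def parse_digest_attributes(values):
    """Decode Digest-Attributes values into named fields, rejecting bad lengths."""
    out = {}
    for raw in values:
        pos = 0
        while pos < len(raw):
            if len(raw) - pos < 2:
                raise ValueError("truncated sub-attribute header")
            kind, length = raw[pos], raw[pos + 1]
            if length < 2 or pos + length > len(raw):
                raise ValueError(f"bad length {length} in sub-attribute {kind}")
            out[SUBATTR.get(kind, f"Unknown-{kind}")] = raw[pos + 2:pos + length].decode()
            pos += length
    return out

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def expected_response(attrs, password):
    """MD5 digest without qop: H(KD) with KD = H(A1):nonce:H(A2), as in the log."""
    a1 = f"{attrs['Digest-User-Name']}:{attrs['Digest-Realm']}:{password}"
    a2 = f"{attrs['Digest-Method']}:{attrs['Digest-Uri']}"
    return md5_hex(f"{md5_hex(a1)}:{attrs['Digest-Nonce']}:{md5_hex(a2)}")

def check(values, digest_response, password):
    """True when the users-file password reproduces the client's Digest-Response."""
    attrs = parse_digest_attributes(values)
    if attrs.get("Digest-Algorithm", "MD5") != "MD5":
        raise ValueError("only MD5 is handled in this example")
    return hmac.compare_digest(expected_response(attrs, password), digest_response.lower())

# Constructed sample request; values are made up, not taken from the capture above.
SAMPLE = [tlv(1, "example.test"), tlv(2, "abcd1234"), tlv(3, "REGISTER"),
          tlv(4, "sip:example.test"), tlv(6, "MD5"), tlv(10, "alice")]
```

A False result from check() with the password stored in the users file means the client hashed a different password, realm, method or URI than the server expects.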