1 Oct
2003
1 Oct
'03
7:45 p.m.
OK, I figured out that I had messed up the digest file that I was using
with radclient. I now get a correct response using radclient to test
against the freeradius server. When I try to auth from ser though, I am
getting a failure. Group authenticate returns reject. I'm not
intending to do any group authentication. I tried loading the
group_radius module instead of the group module and I also tried loading
no group modules, but I still get the same error.
Please see my radiusd-x output...
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Digest
auth: type "digest"
modcall: entering group authenticate
A1 = sdolloff:voip2.test.net:test
A2 = REGISTER:sip:voip2.test.net
KD =
ad3c99a75e03ad3ead8254ce95a59a3b:3f7b05a030240eba31ec566b2d783170e9c9830
0:797c155d7796a9cb0be4154d07e88417
rlm_digest: FAILED authentication
modcall[authenticate]: module "digest" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Stephen
-----Original Message-----
From: Daniel-Constantin Mierla
[mailto:Daniel-Constantin.Mierla@fokus.fraunhofer.de]
Sent: Wednesday, October 01, 2003 3:39 AM
To: Steve Dolloff
Cc: Serusers
Subject: Re: [Serusers] SER/SIP & RADIUS/Auth-Type = Digest
Hello,
comments inline.
On 9/30/2003 10:32 PM, Steve Dolloff wrote:
I have installed freeradius according to the "HOW
TO" for radius and
now
I am seeing the following error. I assume that since I
am seeing
errors
on both servers that it is a problem with either the
dictionary or the
client. Here are the new error logs... any ideas?
rad_recv: Access-Request packet from host 209.242.100.153:33612,
id=103,
length=148
User-Name = "sdolloff"
Digest-Response = "631d6d73147add2f9e437f59bbc3aeb7"
Digest-Attributes = "\001\017voip2.test.net"
Digest-Attributes = "\002\006test"
Digest-Attributes = "\003\010INVITE"
Digest-Attributes = "\004\034sip:5555551212@example.com"
Digest-Attributes = "\006\005MD5"
Digest-Attributes = "\n\nsdolloff"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP-Message not found
modcall[authorize]: module "eap" returns noop
rlm_digest: Converting Digest-Attributes to something sane...
Digest-Realm = "voip2.test.net"
Digest-Nonce = "test"
Digest-Method = "INVITE"
Digest-Uri = "sip:5555551212@example.com"
Digest-Algorithm = "MD5"
Digest-User-Name = "sdolloff"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok
rlm_realm: No '@' in User-Name = "sdolloff", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns ok
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
modcall: entering group authenticate
rlm_digest: Configuration item "User-Password" is required for
authentication.
It seems that the "User-Password" attribute is missing for user
"sdolloff" in radius users file. It should look like the example from
Radius HOW-TO:
http://iptel.org/ser/doc/ser_radius/ser_radius.html#AEN139.
Daniel
modcall[authenticate]: module "digest"
returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 6 for 1 seconds
Finished request 6
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 103 to 209.242.100.153:33612
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 103 with timestamp 3f79e7dc
Nothing to do. Sleeping until we see a request.
Subject: Re: [Serusers] SER/SIP & RADIUS/Auth-Type = Digest
On (30.09.03 13:54), Steve Dolloff wrote:
209.242.100.153 for
'sdolloff(a)voip2.test.net' is ignored;no password
or CHAP password is used
Your RADIUS server has to support Digest Authentication, and the line
above seems to indicate that it does not do that.
If you can change your Radius server software, give Freeradius or
Radiator (commercial, but excellent) a try. If you can not, try to
educate your existing server to do CHAP-Type authentication.
hope that helps.
Alex Mayrhofer
nic.at
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
1 Oct
1 Oct
8:16 p.m.
New subject: [Serusers] SER/SIP & RADIUS/Auth-Type = Digest
On 10/1/2003 6:45 PM, Steve Dolloff wrote:
[...]
Please see my radiusd-x output...
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Digest
auth: type "digest"
modcall: entering group authenticate
A1 = sdolloff:voip2.test.net:test
A2 = REGISTER:sip:voip2.test.net
KD =
ad3c99a75e03ad3ead8254ce95a59a3b:3f7b05a030240eba31ec566b2d783170e9c9830
0:797c155d7796a9cb0be4154d07e88417
rlm_digest: FAILED authentication
modcall[authenticate]: module "digest" returns reject
The only thing I think it could be wrong is the password. Is it 'test'
for user 'sdolloff'? Perhaps someone that has more experience using
Radius can help you more.
modcall: group authenticate returns reject
I am not sure, I never really used it, but I don't think that this
message is related to the group module of ser.
}Daniel
auth: Failed to validate the user.
Stephen
-----Original Message-----
From: Daniel-Constantin Mierla
[mailto:Daniel-Constantin.Mierla@fokus.fraunhofer.de]
Sent: Wednesday, October 01, 2003 3:39 AM
To: Steve Dolloff
Cc: Serusers
Subject: Re: [Serusers] SER/SIP & RADIUS/Auth-Type = Digest
Hello,
comments inline.
On 9/30/2003 10:32 PM, Steve Dolloff wrote:
I have installed freeradius according to the
"HOW TO" for radius and
now
I am seeing the following error. I assume that
since I am seeing
errors
on both servers that it is a problem with either
the dictionary or the
client. Here are the new error logs... any ideas?
rad_recv: Access-Request packet from host 209.242.100.153:33612,
id=103,
length=148
User-Name = "sdolloff"
Digest-Response = "631d6d73147add2f9e437f59bbc3aeb7"
Digest-Attributes = "\001\017voip2.test.net"
Digest-Attributes = "\002\006test"
Digest-Attributes = "\003\010INVITE"
Digest-Attributes = "\004\034sip:5555551212@example.com"
Digest-Attributes = "\006\005MD5"
Digest-Attributes = "\n\nsdolloff"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP-Message not found
modcall[authorize]: module "eap" returns noop
rlm_digest: Converting Digest-Attributes to something sane...
Digest-Realm = "voip2.test.net"
Digest-Nonce = "test"
Digest-Method = "INVITE"
Digest-Uri = "sip:5555551212@example.com"
Digest-Algorithm = "MD5"
Digest-User-Name = "sdolloff"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok
rlm_realm: No '@' in User-Name = "sdolloff", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns ok
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
modcall: entering group authenticate
rlm_digest: Configuration item "User-Password" is required for
authentication.
It seems that the "User-Password" attribute is missing for user
"sdolloff" in radius users file. It should look like the example from
Radius HOW-TO:
http://iptel.org/ser/doc/ser_radius/ser_radius.html#AEN139.
Daniel
modcall[authenticate]: module "digest"
returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 6 for 1 seconds
Finished request 6
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 103 to 209.242.100.153:33612
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 103 with timestamp 3f79e7dc
Nothing to do. Sleeping until we see a request.
Subject: Re: [Serusers] SER/SIP & RADIUS/Auth-Type = Digest
On (30.09.03 13:54), Steve Dolloff wrote:
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
209.242.100.153 for
'sdolloff(a)voip2.test.net' is ignored;no password
or CHAP password is used
Your RADIUS server has to support Digest Authentication, and the line
above seems to indicate that it does not do that.
If you can change your Radius server software, give Freeradius or
Radiator (commercial, but excellent) a try. If you can not, try to
educate your existing server to do CHAP-Type authentication.
hope that helps.
Alex Mayrhofer
nic.at
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
8:58 p.m.
New subject: [Serusers] SER/SIP & RADIUS/Auth-Type = Digest
On 01-10 11:45, Steve Dolloff wrote:
OK, I figured out that I had messed up the digest file
that I was using
with radclient. I now get a correct response using radclient to test
against the freeradius server. When I try to auth from ser though, I am
getting a failure. Group authenticate returns reject. I'm not
intending to do any group authentication. I tried loading the
group_radius module instead of the group module and I also tried loading
no group modules, but I still get the same error.
Please see my radiusd-x output...
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Digest
auth: type "digest"
modcall: entering group authenticate
A1 = sdolloff:voip2.test.net:test
A2 = REGISTER:sip:voip2.test.net
KD =
ad3c99a75e03ad3ead8254ce95a59a3b:3f7b05a030240eba31ec566b2d783170e9c9830
0:797c155d7796a9cb0be4154d07e88417
rlm_digest: FAILED authentication
modcall[authenticate]: module "digest" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
This is group module of the radius server, not ser. What is more
important is that the digest module of the radius server returns
reject, that's the reason why it doesn't authenticate. What's in your
users file ?
Jan.
7723
days inactive
7723
days old
2 comments
3 participants
participants (3)
-
Daniel-Constantin Mierla -
Jan Janak -
Steve Dolloff