Hello,
I'm trying to set up OpenSER to use Radius authentication, but am having problems. I can't get the OpenSER server to actually send any Radius packets out over the network to my Radius server. I've been sniffing the network with Ethereal and no packets are sent out, even though I get messages in the syslog saying:
Oct 10 16:59:24 ibwok-2mrt71j /usr/sbin/openser[9057]: rc_send_server: no reply from RADIUS server boxster:1812
Oct 10 16:59:24 ibwok-2mrt71j /usr/sbin/openser[9058]: rc_send_server: no reply from RADIUS server boxster:1812
Oct 10 16:59:25 ibwok-2mrt71j /usr/sbin/openser[9059]: rc_send_server: no reply from RADIUS server boxster:1812
and so on.
My openser.cfg file (see below) is pretty much unchanged from the default config file, except for adding Radius options according to this HOWTO: http://www.iptel.org/ser/doc/ser_radius/ser_radius.html
I've seen this problem both with the pre-compiled Debian packages on a Debian Sarge installation and also when compiled by hand on a Sun Solaris 9 server. I must be missing something from my configuration files, but I can't work out what it is. Does anyone have any ideas?
Thanks in advance,
Matt Williams
------------------------------------------------------------------
openser.cfg
------------------------------------------------------------------
#
# $Id: openser.cfg,v 1.1.1.1 2005/06/13 16:47:30 bogdan_iancu Exp $
#
# simple quick-start config script
#

# ----------- global configuration parameters ------------------------

#debug=3         # debug level (cmd line: -dddddddddd)
#fork=yes
#log_stderror=no # (cmd line: -E)

/* Uncomment these lines to enter debugging mode
fork=no
log_stderror=yes
*/

check_via=no    # (cmd. line: -v)
dns=no          # (cmd. line: -r)
rev_dns=no      # (cmd. line: -R)
#port=5060
#children=4
fifo="/tmp/openser_fifo"
alias=testdomain

# ------------------ module loading ----------------------------------

# Uncomment this if you want to use SQL database
#loadmodule "/usr/local/lib/ser/modules/mysql.so"

loadmodule "/usr/lib/openser/modules/sl.so"
loadmodule "/usr/lib/openser/modules/tm.so"
loadmodule "/usr/lib/openser/modules/rr.so"
loadmodule "/usr/lib/openser/modules/maxfwd.so"
loadmodule "/usr/lib/openser/modules/usrloc.so"
loadmodule "/usr/lib/openser/modules/registrar.so"
loadmodule "/usr/lib/openser/modules/textops.so"

# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "/usr/lib/openser/modules/auth.so"
#loadmodule "/usr/lib/openser/modules/auth_db.so"
loadmodule "/usr/lib/openser/modules/auth_radius.so"

# ----------------- setting module-specific parameters ---------------
modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")

# -- usrloc params --

modparam("usrloc", "db_mode", 0)

# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
#modparam("usrloc", "db_mode", 2)

# -- auth params --
# Uncomment if you are using auth module
#
#modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which is true in this config),
# uncomment also the following parameter)
#
#modparam("auth_db", "password_column", "password")

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# ------------------------- request routing logic -------------------

# main routing logic

route{

    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        break;
    };
    if (msg:len >= 2048 ) {
        sl_send_reply("513", "Message too big");
        break;
    };

    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol
    if (!method=="REGISTER")
        record_route();

    # subsequent messages within a dialog should take the
    # path determined by record-routing
    if (loose_route()) {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        route(1);
        break;
    };

    if (!uri==myself) {
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        route(1);
        break;
    };

    # if the request is for other domain use UsrLoc
    # (in case, it does not work, use the following command
    # with proper names and addresses in it)
    if (uri==myself) {

        if (method=="REGISTER") {

            # Uncomment this if you want to use digest authentication
            if (!radius_www_authorize("testdomain")) {
                www_challenge("testdomain", "1");
                break;
            };

            save("location");
            break;
        };

        lookup("aliases");
        if (!uri==myself) {
            append_hf("P-hint: outbound alias\r\n");
            route(1);
            break;
        };

        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) {
            sl_send_reply("404", "Not Found");
            break;
        };
    };
    append_hf("P-hint: usrloc applied\r\n");
    route(1);
}

route[1] {
    # send it out now; use stateful forwarding as it works reliably
    # even for UDP2TCP
    if (!t_relay()) {
        sl_reply_error();
    };
}
------------------------------------------------------------------------
radiusclient.conf
------------------------------------------------------------------------
# General settings

# specify which authentication comes first respectively which
# authentication is used. possible values are: "radius" and "local".
# if you specify "radius,local" then the RADIUS server is asked
# first then the local one. if only one keyword is specified only
# this server is asked.
auth_order      radius

# maximum login tries a user has
login_tries     4

# timeout for all login tries
# if this time is exceeded the user is kicked out
login_timeout   60

# name of the nologin file which when it exists disables logins.
# it may be extended by the ttyname which will result in
# a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
# logins on /dev/ttyS2)
nologin         /etc/nologin

# name of the issue file. it's only displayed when no username is passed
# on the radlogin command line
issue           /etc/radiusclient-ng/issue

# RADIUS settings

# RADIUS server to use for authentication requests. this config
# item can appear more than one time. if multiple servers are
# defined they are tried in a round robin fashion if one
# server is not answering.
# optionally you can specify the port number on which the remote
# RADIUS listens separated by a colon from the hostname. if
# no port is specified /etc/services is consulted for the radius
# service. if this fails also a compiled in default is used.
authserver      boxster

# RADIUS server to use for accounting requests. All that I
# said for authserver applies, too.
# acctserver    boxster

# file holding shared secrets used for the communication
# between the RADIUS client and server
servers         /etc/radiusclient-ng/servers

# dictionary of allowed attributes and values
# just like in the normal RADIUS distributions
dictionary      /etc/radiusclient-ng/dictionary

# program to call for a RADIUS authenticated login
login_radius    /usr/sbin/login.radius

# file which holds sequence number for communication with the
# RADIUS server
seqfile         /var/run/radius.seq

# file which specifies mapping between ttyname and NAS-Port attribute
mapfile         /etc/radiusclient-ng/port-id-map

# default authentication realm to append to all usernames if no
# realm was explicitly specified by the user
# the radiusd directly from Livingston doesn't use any realms, so leave
# it blank then
default_realm

# time to wait for a reply from the RADIUS server
radius_timeout  10

# resend request this many times before trying the next server
radius_retries  3

# local address from which radius packets have to be sent
bindaddr        localhost

# LOCAL settings

# program to execute for local login
# it must support the -f flag for preauthenticated login
login_local     /bin/login
This e-mail and any attachments are confidential and may also be legally privileged and/or copyright material of Intec Telecom Systems PLC (or its affiliated companies). If you are not an intended or authorised recipient of this e-mail or have received it in error, please delete it immediately and notify the sender by e-mail. In such a case, reading, reproducing, printing or further dissemination of this e-mail or its contents is strictly prohibited and may be unlawful.
Intec Telecom Systems PLC does not represent or warrant that an attachment hereto is free from computer viruses or other defects. The opinions expressed in this e-mail and any attachments may be those of the author and are not necessarily those of Intec Telecom Systems PLC.
Hi Matthew,
first of all you should get the outgoing RADIUS packages - be sure you are listening on the proper interface for traffic to boxster (is this name resolvable via DNS?).
regards, bogdan
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
Hi Bogdan,
On Monday 10 Oct 2005 20:52, Bogdan-Andrei Iancu wrote:
first of all you should get the outgoing RADIUS packages - be sure you are listening on the proper interface for traffic to boxster (is this name resolvable via DNS?).
If by the outgoing Radius packages, you mean the openser-radius-modules, and libradius-ng Debian packages, I have both of those installed.
Boxster is also resolvable by DNS. I also have the 'radclient' utility from freeradius installed on the server that has OpenSER running on it, and that is able to successfully send Radius packets to the Radius server on boxster using the hostname. I can see these Radius packets from radclient in Ethereal successfully. Hence I'm still stumped as to why OpenSER isn't sending any Radius packets.
Regards,
Matt
Hello,
Just in case other people have this problem, I eventually discovered the problem I was having with no Radius packets being sent out from OpenSER (and indeed SER). After breaking out GDB and DDD and stepping through the code, I found that the fopen(rc_conf_str(rh, "servers"), "r") in rc_find_server() in the radiusclient-ng library was failing.
A quick look at the permissions of the 'servers' config file for the radiusclient-ng and it soon all became clear. Only root could read the file, not the openser user. D'oh! :-) For some reason the error message wasn't being stored in the syslog for that.
Regards,
Matt Williams
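The silent fopen() failure Matt describes, as an added example that is not radiusclient-ng's own code: a stand-in for the servers-file lookup done in rc_find_server() that logs why the file could not be opened and returns a status distinct from "host not listed", so a caller cannot mistake an unreadable secrets file for a RADIUS server that never replied. The file format (one "host secret" pair per line, '#' comments) and all sample values are assumptions for this example.

```c
/* Added example, not radiusclient-ng code: a stand-in for the lookup that
 * rc_find_server() performs in the "servers" file, written so that a
 * failure to open the file is reported with errno instead of surfacing
 * later as "no reply from RADIUS server". Assumed format: "<host> <secret>"
 * per line, '#' comments, as in /etc/radiusclient-ng/servers. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum { SRV_OK = 0, SRV_NOT_LISTED = 1, SRV_CONF_UNREADABLE = 2 };

/* Look up the shared secret for `host` in `servers_path`.
 * Returns SRV_OK and copies the secret, SRV_NOT_LISTED if the host has no
 * entry, or SRV_CONF_UNREADABLE if the file cannot be opened at all. */
int find_server_secret(const char *servers_path, const char *host,
                       char *secret, size_t secret_len)
{
    FILE *fp = fopen(servers_path, "r");
    if (fp == NULL) {
        /* This is the branch that stayed silent in the thread: say *why*.
         * EACCES here means the service user cannot read the file. */
        fprintf(stderr, "rc_find_server: cannot open %s: %s\n",
                servers_path, strerror(errno));
        return SRV_CONF_UNREADABLE;
    }
    char line[256];
    int rc = SRV_NOT_LISTED;
    while (fgets(line, sizeof line, fp) != NULL) {
        char h[128], s[128];
        /* skip blank, malformed and comment lines */
        if (sscanf(line, "%127s %127s", h, s) != 2 || h[0] == '#')
            continue;
        if (strcmp(h, host) == 0) {
            snprintf(secret, secret_len, "%s", s);
            rc = SRV_OK;
            break;
        }
    }
    fclose(fp);
    return rc;
}

/* Write a constructed servers file so the example runs stand-alone;
 * the host names and secrets are sample values, not from the post. */
int write_sample_servers(const char *path)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    fputs("# host  secret  (constructed sample)\n", fp);
    fputs("boxster  examplesecret\n", fp);
    fputs("backup-radius  othersecret\n", fp);
    return fclose(fp);
}

int main(void)
{
    char secret[128];
    const char *path = "example_servers.conf";   /* constructed file */
    write_sample_servers(path);
    int rc = find_server_secret(path, "boxster", secret, sizeof secret);
    printf("boxster: rc=%d secret=%s\n", rc, rc == SRV_OK ? secret : "-");
    rc = find_server_secret("/nonexistent/servers", "boxster",
                            secret, sizeof secret);
    printf("unreadable file: rc=%d\n", rc);  /* errno text was logged above */
    return 0;
}
```

With the real library the same check would be the service user reading the path given by the `servers` directive in radiusclient.conf; an EACCES here is the permission problem from the thread, not a network one.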
Hi Matthew!
Could you please post the problem & solution to the wiki? http://openser.org/dokuwiki/doku.php?id=radius
thanks klaus