22 Mar
2005
22 Mar
'05
8:29 a.m.
Trying to make the auth_radius module to work I ran into a peculiar issue.
For example if our UA were to try to register to server "sip.mydomain.com"
...and our ser.cfg had:
if (!radius_www_authorize("mydomain.com")) {
www_challenge("mydomain.com", "1");
}
...then the authentication is not even fired off to the radius. SER
Debugs indicate the radius message is not even constructed.
If on the other hand our ser.cfg has:
if (!radius_www_authorize("")) {
www_challenge("", "1");
}
then the authentication is now fired off to the radius server but the
REALM is sip.mydomain.com.
Why can't one make this work as it does with mysql authentication where
the www_authorize does not need the host part? We need REAM to be
simply the domain part.
The auth_radius readme even says that the realm is **usually** just the
domain of the host. Does this mean something is broken here?
-------------from readme----------------
* realm - Realm is a opaque string that the user agent
should present to the user so he can decide what username
and password to use. Usually this is domain of the host
the server is running on.
Example 1-3. radius_www_authorize usage
...
if (!radius_www_authorize("iptel.org")) {
www_challenge("iptel.org", "1");
};
--
Andres
Network Admin
http://www.telesip.net
22 Mar
22 Mar
7:40 p.m.
Hi Andreas,
Maybe the realm you specify in script doesn't match the realm used by
the client in credentials. If you are running in debug mode (debug>=6)
try to sniff after logs like
"pre_auth(): Credentials with given realm not found"
Anyhow, you could use no domain in script, but to set for "auth" module
the "realm_prefix" to "sip."
Best regards,
Marian
Andres wrote:
Trying to make the auth_radius module to work I ran
into a peculiar issue.
For example if our UA were to try to register to server "sip.mydomain.com"
...and our ser.cfg had:
if (!radius_www_authorize("mydomain.com")) {
www_challenge("mydomain.com", "1");
}
...then the authentication is not even fired off to the radius. SER
Debugs indicate the radius message is not even constructed.
If on the other hand our ser.cfg has:
if (!radius_www_authorize("")) {
www_challenge("", "1");
}
then the authentication is now fired off to the radius server but the
REALM is sip.mydomain.com.
Why can't one make this work as it does with mysql authentication where
the www_authorize does not need the host part? We need REAM to be
simply the domain part.
The auth_radius readme even says that the realm is **usually** just the
domain of the host. Does this mean something is broken here?
-------------from readme----------------
* realm - Realm is a opaque string that the user agent
should present to the user so he can decide what username
and password to use. Usually this is domain of the host
the server is running on.
Example 1-3. radius_www_authorize usage
...
if (!radius_www_authorize("iptel.org")) {
www_challenge("iptel.org", "1");
};
--
Voice System
http://www.voice-system.ro
10:05 p.m.
Marian Dumitru wrote:
Hi Andreas,
Maybe the realm you specify in script doesn't match the realm used by
the client in credentials. If you are running in debug mode (debug>=6)
try to sniff after logs like
It has always been like this with our SER servers. Client registers to
"sip.mydomain.com", but in ser.cfg we have
www_authorize("mydomain.com"). It has never posed a problem with MySQL,
but it does not work with a Radius Config. For example on the Sipura
devices there is a parameter called PROXY which we fill out with
"sip.mydomain.com". I don't see how that PROXY parameter could be
filled with just "mydomain.com", unless we were using SRV records.
"pre_auth(): Credentials with given realm not
found"
Anyhow, you could use no domain in script, but to set for "auth"
module the "realm_prefix" to "sip."
I am not aware of the realm_prefix parameter. Were can I find a usage
description of it? The auth module readme has noting on it.
Thanks,
Best regards,
Marian
Andres wrote:
--
Andres
Network Admin
http://www.telesip.net
Trying to make the auth_radius module to work I
ran into a peculiar
issue.
For example if our UA were to try to register to server
"sip.mydomain.com"
...and our ser.cfg had:
if (!radius_www_authorize("mydomain.com")) {
www_challenge("mydomain.com", "1");
}
...then the authentication is not even fired off to the radius. SER
Debugs indicate the radius message is not even constructed.
If on the other hand our ser.cfg has:
if (!radius_www_authorize("")) {
www_challenge("", "1");
}
then the authentication is now fired off to the radius server but the
REALM is sip.mydomain.com.
Why can't one make this work as it does with mysql authentication
where the www_authorize does not need the host part? We need REAM to
be simply the domain part.
The auth_radius readme even says that the realm is **usually** just
the domain of the host. Does this mean something is broken here?
-------------from readme----------------
* realm - Realm is a opaque string that the user agent
should present to the user so he can decide what username
and password to use. Usually this is domain of the host
the server is running on.
Example 1-3. radius_www_authorize usage
...
if (!radius_www_authorize("iptel.org")) {
www_challenge("iptel.org", "1");
};
10:50 p.m.
Andres wrote:
The "realm_prefix" parameter exists in 0.8.14, 0.9.0 and CVS head, but
for all versions, the module documentation is outdated.
Shortly you can define this realm prefix to be ignored (stripped) when
the authentication is performed.
Best regards,
Marian
--
Voice System
http://www.voice-system.ro
Marian Dumitru wrote:
I'm not sure about the meaning of the SIPURA configuration parameters.
What's important for authentication are the username, domain and
password. Now, if you specify in the script a authentication domain, it
should be the same as the one configured in the client devices.
Just to doublecheck, look on the network in the authentication reply,
what realm attribute the client used.
Hi Andreas,
Maybe the realm you specify in script doesn't match the realm used by
the client in credentials. If you are running in debug mode (debug>=6)
try to sniff after logs like
It has always been like this with our SER servers. Client registers to
"sip.mydomain.com", but in ser.cfg we have
www_authorize("mydomain.com"). It has never posed a problem with MySQL,
but it does not work with a Radius Config. For example on the Sipura
devices there is a parameter called PROXY which we fill out with
"sip.mydomain.com". I don't see how that PROXY parameter could be
filled with just "mydomain.com", unless we were using SRV records. "pre_auth(): Credentials with given
realm not found"
Anyhow, you could use no domain in script, but to set for "auth"
module the "realm_prefix" to "sip."
I am not aware of the realm_prefix parameter. Were can I find a usage
description of it? The auth module readme has noting on it.
23 Mar
23 Mar
12:10 a.m.
I'm not sure about the meaning of the SIPURA configuration parameters.
What's important for authentication are the username, domain and
password. Now, if you specify in the script a authentication domain,
it should be the same as the one configured in the client devices.
Just to doublecheck, look on the network in the authentication reply,
what realm attribute the client used.
The Authentication Reply **always** has the realm that SER tells the
UA. The UA does not have a realm/domain config (this is true for all
Cisco ATAs, Linksys, and Sipura devices we use). The UA only has:
username, password, and proxy. SER extracts the "host.domain" from the
proxy part and sends back the challenge with that as realm. What we
want is to be able to tell SER to send back whatever realm we want,
ie...mydomain.com. NOT sip.mydomain.com.
I tried setting the realm_prefix paramenter like you suggested but still
get in the DEBUGs:
authorize(): Credentials realm and URI host do not match
...and the Radius is never queried.
So I went straight to authorize.c and took out:
/*
if (puri.host.len != cred->digest.realm.len) {
DBG("authorize(): Credentials realm and URI host do not
match\n");
return -1;
}
if (strncasecmp(puri.host.s, cred->digest.realm.s,
puri.host.len) != 0) {
DBG("authorize(): Credentials realm and URI host do not
match\n");
return -1;
}
*/
Now its all working fine.
Thanks Marian.
--
Andres
Network Admin
http://www.telesip.net
1:46 p.m.
Hi Andres,
It's good it works now, but the fact that you had to strip out the
verification if the credential domain is the same with To/From one,
means there is something strange in your SIPURA configuration.
Probably the SIPURA uses sip.domain.com as account domain (used in From
and To) and domain.com domain for authentication.
Best regards,
Marian
Andres wrote:
I tried setting the realm_prefix paramenter like you suggested but still
get in the DEBUGs:
authorize(): Credentials realm and URI host do not match
...and the Radius is never queried.
So I went straight to authorize.c and took out:
/*
if (puri.host.len != cred->digest.realm.len) {
DBG("authorize(): Credentials realm and URI host do not
match\n"); return -1;
}
if (strncasecmp(puri.host.s, cred->digest.realm.s, puri.host.len)
!= 0) {
DBG("authorize(): Credentials realm and URI host do not
match\n");
return -1;
}
*/
Now its all working fine.
Thanks Marian.
--
Voice System
http://www.voice-system.ro
7191
days inactive
7192
days old
5 comments
2 participants
participants (2)
-
Andres -
Marian Dumitru