<div dir="ltr">Hello,<div><br></div><div>thanks for sharing back the solution. It will be useful in the future for people facing the same issue.</div><div><br></div><div>Probably we should update the very old tutorial for using Radius (<a href="https://www.kamailio.org/docs/openser-radius-1.0.x.html">https://www.kamailio.org/docs/openser-radius-1.0.x.html</a>). I can take the time to put it on gihub (probably as markdown file so we can use mkdocs to publish it in nice html output), but I need people using Radius these days to contribute updates, because I don't use Radius anymore for many years.</div><div><br></div><div>Is anyone interested in helping with it?</div><div><br></div><div>Cheers,<br>Daniel</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 22, 2017 at 8:56 AM, Donat Zenichev <span dir="ltr"><<a href="mailto:donat.zenichev@gmail.com" target="_blank">donat.zenichev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">What did you mean, when you ask for 'backend'?<div>If you meant an storage, so it's not a .txt users file, I'm using db - radcheck table.</div><div><br></div><div>So guys, the I've solved the problem.</div><div>It wasn't consisted of kamailio functions or radius configuration.</div><div><br></div><div>So you're free to use: www_challenge("$fd", "1"), until up radius_www_authorize("$fd",<wbr>"$fU") comes up.</div><div>Qop parameter does what he does and changes nothing within radius authentication process.</div><div><br></div><div><br></div><div>My problem was about username column in radcheck table.</div><div>It's not enough to insert an username, you ought to use full URI, like: username@my.proxy.domain</div><div>Also don't forget about attributes of the row that belongs to a certain user agent.</div><div><br></div><div>So my part of table for one of users looks like that:</div><div>;-----------------------------<wbr>------------------------------<wbr>------------------------------<wbr>--------------------------;</div><div>;---id---;---username-------;-<wbr>-----attribute---------;------<wbr>op-------;----------value-----<wbr>----------------;</div><div>;-----------------------------<wbr>------------------------------<wbr>------------------------------<wbr>--------------------------;</div><div>;__1__;__ua@dom.com_;__User-<wbr>Password_;___==_____;_____<wbr>hereuapassowrd____;</div><div>;__2__;__ua@dom.com_;__Auth-<wbr>Type_____;___:=______;_____<wbr>Digest____________;</div><div>;__....</div><div><br></div><div>Actually, I don't know why, but there is just a few articles all over the net, that describes a bit the functionality and processing with auth_radius module.</div><div>I hope my case will be useful for others, who uses kamailio + radius/db</div><div><br></div><div>But I have a problem how to request AVPs for a certain user from RADIUS, I found some solutions with SIP-AVP attribute, but still haven't done it.</div><div>Now I have to databases, one for Kamailio (that contains users AVPs, that Kamailio gets by avp_db_query) and second for users credentials (that are used while authorization on INVITE, REGISTER requests).</div><div><br></div><div>And as for the future, I have a goal to store passwords in ha1, haven't started to discover this.</div><div><br></div><div><br></div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">2017-05-18 17:11 GMT+03:00 Donat Zenichev <span dir="ltr"><<a href="mailto:donat.zenichev@gmail.com" target="_blank">donat.zenichev@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi all.<div>Have a problem with radius authorization.</div><div><br></div><div>I'm using auth_radius.so</div><div><br></div><div>modparams, only path to client file:</div><div>modparam("auth_radius", "radius_config", "/etc/radiusclient/radiusclien<wbr>t.conf")<br></div><div><br></div><div>Freeradius installed and is working properly, radtest authentication from kamailio host succeed .</div><div><br></div><div>How authorization block looks like:</div><div><br></div><div><div><span class="m_8478217945391471683m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>if (!is_present_hf("Authorization<wbr>")) {</div><div><span class="m_8478217945391471683m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>xlog("L_NOTICE", "----- Athorization HF is not found - passing the challenge -----\n");</div><div><br></div><div><span class="m_8478217945391471683m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>if (nat_uac_test("2")) {</div><div><span class="m_8478217945391471683m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>force_rport();</div><div><span class="m_8478217945391471683m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>}</div><div><br></div><div><span class="m_8478217945391471683m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>www_challenge("$fd", "1");</div><div><span class="m_8478217945391471683m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>exit;</div></div><div><br></div><div><br></div><div><div><span class="m_8478217945391471683m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>if (!radius_www_authorize("$fd","<wbr>$fU")) {</div><div><br></div><div><span class="m_8478217945391471683m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>if (nat_uac_test("2")) {</div><div><span class="m_8478217945391471683m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>force_rport();</div><div><span class="m_8478217945391471683m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>}</div><div><span class="m_8478217945391471683m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>xlog("L_NOTICE", "----- Registeration $au@$ar ($fU) from $si:$sp Rejected. Code: $rc -----\n");</div><div><br></div><div><span class="m_8478217945391471683m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>sl_send_reply("401","Unauthori<wbr>zed");</div><div><span class="m_8478217945391471683m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>exit;</div></div><div><br></div><div>Radius log is filled by rows like:</div><div>Auth: [digest] Cleartext-Password or Digest-HA1 is required for authentication.<br></div><div><br></div><div>Tried to use radius_www_authorize without $fU - didn't change anything.</div><div>Tried to use www_challenge without qop - didn't change anything.<br></div><div><br></div><div>So, this solution is quite simple, but I have a fail while digest authentication.</div><div>Any ideas? </div><span class="m_8478217945391471683HOEnZb"><font color="#888888"><div><br clear="all"><div><br></div>-- <br><div class="m_8478217945391471683m_-8491949050999333774gmail_signature"><div dir="ltr"><span>-- <br></span>BR, Donat Zenichev
<br>Wnet VoIP team
<br>Tel: +380(44) 5-900-808
<br><a href="http://wnet.ua" target="_blank">http://wnet.ua</a></div></div>
</div></font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_8478217945391471683gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><span>-- <br></span>BR, Donat Zenichev
<br>Wnet VoIP team
<br>Tel: +380(44) 5-900-808
<br><a href="http://wnet.ua" target="_blank">http://wnet.ua</a></div></div>
</div>
</div></div><br>______________________________<wbr>_________________<br>
Kamailio (SER) - Users Mailing List<br>
<a href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a><br>
<a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank">https://lists.kamailio.org/<wbr>cgi-bin/mailman/listinfo/sr-<wbr>users</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>Daniel-Constantin Mierla - <a href="http://www.asipto.com" target="_blank">http://www.asipto.com</a></div><div><a href="http://twitter.com/#!/miconda" target="_blank">http://twitter.com/#!/miconda</a> - <a href="http://www.linkedin.com/in/miconda" target="_blank">http://www.linkedin.com/in/miconda</a></div></div></div></div></div>
</div>