<div dir="ltr">Well, actually I can try.<div>What will be the main goal of this edition?</div><div><br></div><div>Now I'm trying to find all features (about Radius) that have any influence on authentication process.</div><div>And one more question, is it possible to discuss the refurbish actions of the article not at sr-list, but in personal mailing?</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-05-22 9:56 GMT+03:00 Donat Zenichev <span dir="ltr"><<a href="mailto:donat.zenichev@gmail.com" target="_blank">donat.zenichev@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">What did you mean, when you ask for 'backend'?<div>If you meant an storage, so it's not a .txt users file, I'm using db - radcheck table.</div><div><br></div><div>So guys, the I've solved the problem.</div><div>It wasn't consisted of kamailio functions or radius configuration.</div><div><br></div><div>So you're free to use: www_challenge("$fd", "1"), until up radius_www_authorize("$fd",<wbr>"$fU") comes up.</div><div>Qop parameter does what he does and changes nothing within radius authentication process.</div><div><br></div><div><br></div><div>My problem was about username column in radcheck table.</div><div>It's not enough to insert an username, you ought to use full URI, like: username@my.proxy.domain</div><div>Also don't forget about attributes of the row that belongs to a certain user agent.</div><div><br></div><div>So my part of table for one of users looks like that:</div><div>;-----------------------------<wbr>------------------------------<wbr>------------------------------<wbr>--------------------------;</div><div>;---id---;---username-------;-<wbr>-----attribute---------;------<wbr>op-------;----------value-----<wbr>----------------;</div><div>;-----------------------------<wbr>------------------------------<wbr>------------------------------<wbr>--------------------------;</div><div>;__1__;__ua@dom.com_;__User-<wbr>Password_;___==_____;_____<wbr>hereuapassowrd____;</div><div>;__2__;__ua@dom.com_;__Auth-<wbr>Type_____;___:=______;_____<wbr>Digest____________;</div><div>;__....</div><div><br></div><div>Actually, I don't know why, but there is just a few articles all over the net, that describes a bit the functionality and processing with auth_radius module.</div><div>I hope my case will be useful for others, who uses kamailio + radius/db</div><div><br></div><div>But I have a problem how to request AVPs for a certain user from RADIUS, I found some solutions with SIP-AVP attribute, but still haven't done it.</div><div>Now I have to databases, one for Kamailio (that contains users AVPs, that Kamailio gets by avp_db_query) and second for users credentials (that are used while authorization on INVITE, REGISTER requests).</div><div><br></div><div>And as for the future, I have a goal to store passwords in ha1, haven't started to discover this.</div><div><br></div><div><br></div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">2017-05-18 17:11 GMT+03:00 Donat Zenichev <span dir="ltr"><<a href="mailto:donat.zenichev@gmail.com" target="_blank">donat.zenichev@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi all.<div>Have a problem with radius authorization.</div><div><br></div><div>I'm using auth_radius.so</div><div><br></div><div>modparams, only path to client file:</div><div>modparam("auth_radius", "radius_config", "/etc/radiusclient/radiusclien<wbr>t.conf")<br></div><div><br></div><div>Freeradius installed and is working properly, radtest authentication from kamailio host succeed .</div><div><br></div><div>How authorization block looks like:</div><div><br></div><div><div><span class="m_3241262929955839750m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>if (!is_present_hf("Authorization<wbr>")) {</div><div><span class="m_3241262929955839750m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>xlog("L_NOTICE", "----- Athorization HF is not found - passing the challenge -----\n");</div><div><br></div><div><span class="m_3241262929955839750m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>if (nat_uac_test("2")) {</div><div><span class="m_3241262929955839750m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>force_rport();</div><div><span class="m_3241262929955839750m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>}</div><div><br></div><div><span class="m_3241262929955839750m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>www_challenge("$fd", "1");</div><div><span class="m_3241262929955839750m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>exit;</div></div><div><br></div><div><br></div><div><div><span class="m_3241262929955839750m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>if (!radius_www_authorize("$fd","<wbr>$fU")) {</div><div><br></div><div><span class="m_3241262929955839750m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>if (nat_uac_test("2")) {</div><div><span class="m_3241262929955839750m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>force_rport();</div><div><span class="m_3241262929955839750m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>}</div><div><span class="m_3241262929955839750m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>xlog("L_NOTICE", "----- Registeration $au@$ar ($fU) from $si:$sp Rejected. Code: $rc -----\n");</div><div><br></div><div><span class="m_3241262929955839750m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>sl_send_reply("401","Unauthori<wbr>zed");</div><div><span class="m_3241262929955839750m_-8491949050999333774gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>exit;</div></div><div><br></div><div>Radius log is filled by rows like:</div><div>Auth: [digest] Cleartext-Password or Digest-HA1 is required for authentication.<br></div><div><br></div><div>Tried to use radius_www_authorize without $fU - didn't change anything.</div><div>Tried to use www_challenge without qop - didn't change anything.<br></div><div><br></div><div>So, this solution is quite simple, but I have a fail while digest authentication.</div><div>Any ideas? </div><span class="m_3241262929955839750HOEnZb"><font color="#888888"><div><br clear="all"><div><br></div>-- <br><div class="m_3241262929955839750m_-8491949050999333774gmail_signature"><div dir="ltr"><span>-- <br></span>BR, Donat Zenichev
<br>Wnet VoIP team
<br>Tel: +380(44) 5-900-808
<br><a href="http://wnet.ua" target="_blank">http://wnet.ua</a></div></div>
</div></font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_3241262929955839750gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><span>-- <br></span>BR, Donat Zenichev
<br>Wnet VoIP team
<br>Tel: +380(44) 5-900-808
<br><a href="http://wnet.ua" target="_blank">http://wnet.ua</a></div></div>
</div>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><span>-- <br></span>BR, Donat Zenichev
<br>Wnet VoIP team
<br>Tel: +380(44) 5-900-808
<br><a href="http://wnet.ua" target="_blank">http://wnet.ua</a></div></div>
</div>