> What I want to do is to overwrite the To header from his numeric alias,
> for example.
> If I call user.user(a)mydomain.com I want to forward this call to
> asterisk, changing the To header to his alias -> 12341(a)mydomain.com
> because asterisk is expected to read the user part from the SIP call and
> check voicemail.
>
> Is there any other way to accomplish it?
> Regards.
>
>
>>
>> Okay... first things first. While there is a LITTLE flexibility, AVPops
>> actually relies heavily on the FORMAT of the table you want to load/store
>> data from. For this reason, the alias table isn't really the best thing to
>> grab from. You COULD specify the attribute and value columns and such
>> manually... but it would be a right pain in the ass, I can tell you that.
>>
>>
>> What EXACTLY are you trying to do? Perhaps there's another way to go
>> about it.
>>
>> N.
>>
>> On Wed, 19 Oct 2005 23:50:10, pol novell balcells wrote
>>
>>
>>> Hi SerUsers!
>>> I'm completely crazy tryin' to do the following:
>>> I just want to load from DB user alias and rewrite it into "$to
>>> $ruri", because these calls should go directly to asterisk voicemail
>>> and they are numerical not alphanumeric.
>>> I tried to do the following:
>>>
>>> if(avp_db_load($alias/$username,i:alias")
>>> avp_pushto("$ruri/$to","alias")
>>> just to load from alias table username into an integer called alias
>>> and then pushed to new $ruri.
>>>
>>> I'm new in ser and avps module it's really useful but a little bit
>>> "unreadable", plz this should work for tomorrow :$ any help plz!?
>>> Be as specific as you can, because I don't know if I have done the
>>> proper modparams.
>>> These are:
>>>
>>> modparam("avpops", "avp_url", "mysql://ser:heslo@localhost/ser")
>>> modparam("avpops", "avp_table", "usr_preferences")
>>> #modparam("avpops", "use_domain", "1")
>>> modparam("avpops", "uuid_column", "uuid")
>>> modparam("avpops", "username_column", "username")
>>> modparam("avpops", "domain_column", "domain")
>>> modparam("avpops", "attribute_column", "attribute")
>>> modparam("avpops", "value_column", "value")
>>> modparam("avpops", "type_column", "type")
>>>
>>> THX
>>>
>>> ____________________________________________________________________
>>> _
>>> Mensaje analizado y protegido, tecnologia antivirus
>>> www.trendmicro.es
>>>
>>> _______________________________________________
>>> Serusers mailing list
>>> serusers(a)lists.iptel.org
>>> http://lists.iptel.org/mailman/listinfo/serusers
Check if both endpoints are receiving the packets properly and also if
your billing system is working properly. Some badly formed packets may result
in call drop.
Fernando Schmitt
-----Original Message-----
From: serusers-bounces(a)iptel.org [mailto:serusers-bounces@lists.iptel.org] On
Behalf Of serusers-request(a)lists.iptel.org
Sent: quarta-feira, 19 de outubro de 2005 08:00
To: serusers(a)lists.iptel.org
Subject: Serusers Digest, Vol 30, Issue 19
Today's Topics:
1. Re: mangling request URI according to To: and userlocation
value (Francesco Fondelli)
2. call drops after about 30 seconds (maka)
3. 423 message for Register Expires (share phone)
4. SIP Dialer Sending Many BYE Packets (sagar)
5. Re: [OT] MAX TNT as a Media Gateway (Vamsi Pottangi)
6. Can I send Binary Data through SIP IM? (Abhijit A. Mahajani)
7. How many BHCC? (Matteo Piazza)
----------------------------------------------------------------------
Message: 1
Date: Tue, 18 Oct 2005 14:11:11 +0200
From: Francesco Fondelli <francesco.fondelli(a)gmail.com>
Subject: [Serusers] Re: mangling request URI according to To: and
userlocation value
To: serusers(a)lists.iptel.org
Message-ID: <4354E65F.5030601(a)gmail.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
> and assume that entry in userloc has a "Server: Bar 1.0 PBX" value
sorry, here I meant the "User-Agent: 'Bar 1.0 PBX'" entry.
thank you very much
Ciao
FF
------------------------------
Message: 2
Date: Tue, 18 Oct 2005 15:32:30 +0300
From: maka <icokan(a)gmail.com>
Subject: [Serusers] call drops after about 30 seconds
To: SER <serusers(a)lists.iptel.org>
Message-ID:
<826761540510180532v4683e151x2a9a6ba209f1061d(a)mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
hello everyone,
I am using ser-0.9.0 together with asterisk-1.0.6. I am testing it with a
couple of hardware AT-320 IP phones from Atcom, using a PA168S chip.
They seem to be working fine, with stun behind nat, and they can call other
user-agents (softphones, asterisk and the pstn through it), but whenever I
make a call between the two phones, every time the call is dropped after
about 34 seconds, even when calling between phones on Public IP addresses.
I am actually clueless why this happens, I tried changing the NAT ttl value,
but to no effect, and it is not supposed to be a codec mismatch too since
both phones use absolutely the same codecs, in the same order of preference.
Appreciate the feedback, cheers
--
I'm sick and tired of being sick and tired...
Hi SerUsers!
I'm completely crazy tryin' to do the following:
I just want to load from DB user alias and rewrite it into "$to
$ruri", because these calls should go directly to asterisk voicemail
and they are numerical not alphanumeric.
I tried to do the following:

if(avp_db_load($alias/$username,i:alias")
avp_pushto("$ruri/$to","alias")
just to load from alias table username into an integer called alias
and then pushed to new $ruri.

I'm new in ser and avps module it's really useful but a little bit
"unreadable", plz this should work for tomorrow :$ any help plz!?
Be as specific as you can, because I don't know if I have done the
proper modparams.
These are:

modparam("avpops", "avp_url", "mysql://ser:heslo@localhost/ser")
modparam("avpops", "avp_table", "usr_preferences")
#modparam("avpops", "use_domain", "1")
modparam("avpops", "uuid_column", "uuid")
modparam("avpops", "username_column", "username")
modparam("avpops", "domain_column", "domain")
modparam("avpops", "attribute_column", "attribute")
modparam("avpops", "value_column", "value")
modparam("avpops", "type_column", "type")
THX
Sorry, I always tend to think more than I write/talk.
What I meant was that you can pass the necessary information during the
authentication using the auth_radius module or during feature request
using the avp_radius, depending on what you are trying to do with the feature.
Lenir wrote:
>I will try that as a workaround.
>
>For the SER-DEVEL and OPENSER-DEVEL guys...can any of you comment on this?
>
>Thanks
>
>-----Original Message-----
>From: Tavis P [mailto:tavis.lists@galaxytelecom.net]
>Sent: Wednesday, October 19, 2005 4:40 PM
>To: Lenir
>Cc: users(a)openser.org; serusers(a)iptel.org
>Subject: Re: group_radius radius_is_user_in
>
>I've never used the group_radius module so I'm not certain what it
>expects from the radius server (it's not well documented currently)
>
>Although you may be able to optimize a bit and skip the
>radius_is_user_in function call and simply pass the user's group back as
>an SIP-AVP attribute in the radreply table, and then check for that AVP
>in the OpenSER script
>
>What I've done is commented the group checking SQL from the freeradius
>sql.conf file so that when a user authenticates or when an avp_radius
>call is made only 2 SQL queries are sent, instead of the 4-5 used when
>group check is enabled.
>
>Try this, it should work and it will save you ~10 sql queries and a
>radius request/response
>
>
>Lenir wrote:
>
>>I'm trying to use group_radius module to check if the user is in a
>>particular radius group. I'm calling radius_is_user_in function to do this.
>>Here is the snippet in my config that calls that function:
>>
>>route[2] {
>>
>>    # -----------------------------------------------------------------
>>    # REGISTER Message Handler
>>    # ----------------------------------------------------------------
>>    sl_send_reply("100", "Trying");
>>
>>    if (!radius_www_authorize("")) {
>>        xlog("L_INFO","$ci - $fu - User not authenticated, Radius Authenticating...\n");
>>        www_challenge("","0");
>>        return;
>>    } else {
>>        xlog("L_INFO","$ci - $fu - User authenticated...\n");
>>    };
>>
>>    if (radius_is_user_in("From", "Dialin")){
>>        xlog("L_INFO","From: User is in Radius Group Dialin!!!!\n");
>>    } else {
>>        xlog("L_INFO","From: User *IS NOT* Group Dialin!!!!!\n");
>>    };
>>
>>    if (radius_is_user_in("From", "Dialin2")){
>>        xlog("L_INFO","From: User is in Radius Group Dialin2!!!!\n");
>>    } else {
>>        xlog("L_INFO","From: User *IS NOT* Group Dialin2!!!!!\n");
>>    };
>>
>>    #if (!radius_check_to()) {
>>    #    sl_send_reply("401", "Unauthorized");
>>    #    return;
>>    #};
>>
>>    consume_credentials();
>>
>>    if (!save("location")) {
>>        sl_reply_error();
>>    };
>>}
>>
>>
>>-----Original Message-----
>>From: Tavis P [mailto:tavis.lists@galaxytelecom.net]
>>Sent: Wednesday, October 19, 2005 3:59 PM
>>To: Lenir
>>Cc: users(a)openser.org; serusers(a)iptel.org
>>Subject: Re: group_radius radius_is_user_in
>>
>>Well either way the radius server is going to respond with an
>>"Access-Accept" because you have set the auth-type to "none" (which is
>>necessary because you are not authenticating and can not provide the
>>necessary credentials).
>>
>>From the trace you showed me below, I see two radius requests both for
>>the user 1000 and both of which respond as I would expect.
>>
>>I'm not what you are trying to accomplish, are you using the
>>group_radius module or just loading the group information using avp_radius?
>>
>>
>>Lenir wrote:
>>
>>
>>
>>
>>
>>>This is my users file:
>>>
>>>DEFAULT Auth-Type = System
>>> Fall-Through = 1
>>>
>>>DEFAULT Service-Type == Call-Check, Auth-Type := None
>>>
>>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>>
>>>DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
>>>
>>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>>
>>>DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
>>>
>>>
>>>mysql> select * from radcheck;
>>>+----+----------+-----------+----+----------+
>>>| id | UserName | Attribute | op | Value |
>>>+----+----------+-----------+----+----------+
>>>| 1 | Jhassell | Password | == | changeme |
>>>| 2 | Rneis | Password | == | changeme |
>>>| 3 | 1000 | Password | == | 1000 |
>>>| 4 | 2000 | Password | == | 2000 |
>>>| 5 | 3000 | Password | == | 3000 |
>>>+----+----------+-----------+----+----------+
>>>5 rows in set (0.00 sec)
>>>
>>>mysql> select * from radreply;
>>>Empty set (0.00 sec)
>>>
>>>mysql> select * from usergroup;
>>>+----+----------+------------+
>>>| id | UserName | GroupName |
>>>+----+----------+------------+
>>>| 1 | Jhassell | Dialin |
>>>| 2 | Rneis | Staticdial |
>>>| 3 | 1000 | Dialin |
>>>| 4 | 2000 | Dialin |
>>>| 5 | 3000 | Dialin |
>>>| 6 | 3000 | Dialin2 |
>>>+----+----------+------------+
>>>6 rows in set (0.00 sec)
>>>
>>>mysql> select * from radgroupcheck;
>>>Empty set (0.00 sec)
>>>
>>>mysql> select * from radgroupreply;
>>>+----+-----------+---------------+----+----------------------------------+------+
>>>| id | GroupName | Attribute     | op | Value                            | prio |
>>>+----+-----------+---------------+----+----------------------------------+------+
>>>|  1 | Dialin    | Reply-Message | =  | "Authenticated by group Dialin"  |    0 |
>>>|  2 | Dialin2   | Reply-Message | =  | "Authenticated by group Dialin2" |    0 |
>>>|  3 | Dialin    | SIP-AVP       | =  | Sip-Group:Dialin                 |    0 |
>>>+----+-----------+---------------+----+----------------------------------+------+
>>>3 rows in set (0.00 sec)
>>>
>>>mysql> select * from radpostauth;
>>>Empty set (0.00 sec)
>>>
>>>
>>>
>>>Here's the debug, notice how it returns access-accept whether its in the
>>>right group or not. Shouldn't it return access-reject for group Dialin2?
>>>-----------------
>>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=152, length=66
>>> User-Name = "1000(a)xx.xx.xx.xx"
>>> Sip-Group = "Dialin"
>>> Service-Type = Group-Check
>>> NAS-IP-Address = 127.0.0.1
>>> NAS-Port = 0
>>>Processing the authorize section of radiusd.conf
>>>modcall: entering group authorize for request 4
>>>modcall[authorize]: module "preprocess" returns ok for request 4
>>>modcall[authorize]: module "chap" returns noop for request 4
>>>modcall[authorize]: module "mschap" returns noop for request 4
>>>modcall[authorize]: module "digest" returns noop for request 4
>>> rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name = "1000(a)xx.xx.xx.xx"
>>> rlm_realm: Found realm "xx.xx.xx.xx"
>>> rlm_realm: Adding Stripped-User-Name = "1000"
>>> rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>>> rlm_realm: Adding Realm = "xx.xx.xx.xx"
>>> rlm_realm: Authentication realm is LOCAL.
>>>modcall[authorize]: module "suffix" returns noop for request 4
>>>rlm_eap: No EAP-Message, not doing EAP
>>>modcall[authorize]: module "eap" returns noop for request 4
>>> users: Matched entry DEFAULT at line 156
>>> users: Matched entry DEFAULT at line 161
>>>modcall[authorize]: module "files" returns ok for request 4
>>>radius_xlat: '1000'
>>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '1000' ORDER BY id'
>>>rlm_sql (sql): Reserving sql socket id: 0
>>>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '1000' ORDER BY id
>>>radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>>>rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
>>>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '1000' ORDER BY id'
>>>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '1000' ORDER BY id
>>>radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>>>rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
>>>rlm_sql (sql): Checking profile DEFAULT
>>>rlm_sql (sql): sql_set_user escaped user --> 'DEFAULT'
>>>radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>>>rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
>>>radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>>>rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
>>>rlm_sql (sql): Released sql socket id: 0
>>>modcall[authorize]: module "sql" returns ok for request 4
>>>modcall: group authorize returns ok for request 4
>>>rad_check_password: Found Auth-Type None
>>>rad_check_password: Auth-Type = Accept, accepting the user
>>>radius_xlat: 'Authenticated by group Dialin'
>>>Sending Access-Accept of id 152 to xx.xx.xx.xx:33167
>>> Reply-Message = "Authenticated by group Dialin"
>>> SIP-AVP = "Sip-Group:Dialin"
>>>Finished request 4
>>>Going to the next request
>>>Waking up in 6 seconds...
>>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=153, length=67
>>> User-Name = "1000(a)xx.xx.xx.xx"
>>> Sip-Group = "Dialin2"
>>> Service-Type = Group-Check
>>> NAS-IP-Address = 127.0.0.1
>>> NAS-Port = 0
>>>Processing the authorize section of radiusd.conf
>>>modcall: entering group authorize for request 5
>>>modcall[authorize]: module "preprocess" returns ok for request 5
>>>modcall[authorize]: module "chap" returns noop for request 5
>>>modcall[authorize]: module "mschap" returns noop for request 5
>>>modcall[authorize]: module "digest" returns noop for request 5
>>> rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name = "1000(a)xx.xx.xx.xx"
>>> rlm_realm: Found realm "xx.xx.xx.xx"
>>> rlm_realm: Adding Stripped-User-Name = "1000"
>>> rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>>> rlm_realm: Adding Realm = "xx.xx.xx.xx"
>>> rlm_realm: Authentication realm is LOCAL.
>>>modcall[authorize]: module "suffix" returns noop for request 5
>>>rlm_eap: No EAP-Message, not doing EAP
>>>modcall[authorize]: module "eap" returns noop for request 5
>>> users: Matched entry DEFAULT at line 156
>>> users: Matched entry DEFAULT at line 161
>>>modcall[authorize]: module "files" returns ok for request 5
>>>radius_xlat: '1000'
>>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '1000' ORDER BY id'
>>>rlm_sql (sql): Reserving sql socket id: 4
>>>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '1000' ORDER BY id
>>>radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>>>rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
>>>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '1000' ORDER BY id'
>>>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '1000' ORDER BY id
>>>radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>>>rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
>>>rlm_sql (sql): Checking profile DEFAULT
>>>rlm_sql (sql): sql_set_user escaped user --> 'DEFAULT'
>>>radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>>>rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
>>>radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>>>rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
>>>rlm_sql (sql): Released sql socket id: 4
>>>modcall[authorize]: module "sql" returns ok for request 5
>>>modcall: group authorize returns ok for request 5
>>>rad_check_password: Found Auth-Type None
>>>rad_check_password: Auth-Type = Accept, accepting the user
>>>radius_xlat: 'Authenticated by group Dialin'
>>>Sending Access-Accept of id 153 to xx.xx.xx.xx:33167
>>> Reply-Message = "Authenticated by group Dialin"
>>> SIP-AVP = "Sip-Group:Dialin"
>>>Finished request 5
>>>
>>>-----Original Message-----
>>>From: Tavis P [mailto:tavis.lists@galaxytelecom.net]
>>>Sent: Friday, October 14, 2005 7:21 PM
>>>To: Lenir
>>>Cc: users(a)openser.org; serusers(a)iptel.org
>>>Subject: Re: group_radius radius_is_user_in
>>>
>>>Ugh the subject line is getting really munged up ;P
>>>
>>>Hmmm, what does the output from "radiusd -X" look like for the exchange?
>>>
>>>
>>>Lenir wrote:
>>>
>>>>Tavis,
>>>>
>>>>Thanks for your input, that did fix the problem. I did have the "files"
>>>>before "sql" in radiusd.conf. Also I followed your advice about taking out
>>>>"Auth-Type" out of mysql table and let DEFAULT in users file do the trick.
>>>>
>>>>However it's semi-working.
>>>>
>>>>According to the snippet from my ser.cfg file, now I get the following in
>>>>stderr:
>>>>0(4866) 000d2890-d47f0003-4a230347-53c6189b(a)yy.yy.yy.yy - sip:1000@xx.xx.xx.xx - User authenticated...
>>>>0(4866) Credentials: User is in Radius Group Dialin!!!!
>>>>0(4866) Credentials: User is in Radius Group Dialin2!!!!
>>>>
>>>>No matter which parameter I use for the function radius_is_user_in(), it
>>>>always returns TRUE. When in fact it should return FALSE for Group Dialin2.
>>>>
>>>>I've tried:
>>>>
>>>>if (radius_is_user_in("From", "Dialin2")){...
>>>>if (radius_is_user_in("Credentials", "Dialin2")){...
>>>>
>>>>Here's what I did to fix future problems:
>>>>
>>>>DEFAULT Auth-Type = System
>>>> Fall-Through = 1
>>>>
>>>>DEFAULT Service-Type == Call-Check, Auth-Type := Digest
>>>>
>>>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>>>
>>>>DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
>>>>
>>>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>>>
>>>>DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
>>>>
>>>>
>>>>Also, for those of you using the latest version of freeradius, you may have
>>>>to comment out the following lines as they conflict with dictionary.ser (SER
>>>>CVS) and dictionary.sip (comes with radiusclient-NG)
>>>>
>>>>#VALUE Service-Type Voice 12
>>>>#VALUE Service-Type Fax 13
>>>>#VALUE Service-Type Modem-Relay 14
>>>>#VALUE Service-Type IAPP-Register 15
>>>>#VALUE Service-Type IAPP-AP-Check 16
>>>>
>>>>
>>>>Thanks,
>>>>
>>>>
>>>>Lenir
>>>>
>>>>
>>>>-----Original Message-----
>>>>From: serusers-bounces(a)iptel.org [mailto:serusers-bounces@iptel.org] On
>>>>Behalf Of Tavis P
>>>>Sent: Friday, October 14, 2005 1:49 PM
>>>>To: lsantiago(a)globalgatewaycom.com
>>>>Cc: serdev(a)iptel.org; serusers(a)iptel.org; devel(a)openser.org;
>>>>users(a)openser.org
>>>>Subject: [Serusers] Re: [Serdev] group_radius radius_is_user_in
>>>>
>>>>Oops, I spoke too soon
>>>>
>>>>It looks like you have placed the "files" module before the "sql" module
>>>>in your radiusd.conf
>>>>
>>>>It's matching your DEFAULT entry in files (setting the Auth-Type to none)
>>>>but the sql module is later changing the Auth-Type to "digest"
>>>>
>>>>Changing the order would solve this problem, as you want it to match the
>>>>SQL statement first and then the section in the files last (which
>>>>changes the Auth-Type)
>>>>
>>>>Also, you may want to reduce the load on your database by not setting
>>>>the Auth-Type in the database and instead setting in the users file with
>>>>a DEFAULT statement as (at least in my case) it isn't something that needs
>>>>to be dynamic.
>>>>
>>>>lenirsantiago(a)yahoo.com wrote:
>>>>
>>>>>Hello list,
>>>>>
>>>>>I've been trying my hardest today to get group_radius to work, and its
>>>>>function radius_is_user_in().
>>>>>I'm running ser0.9.4 and freeradius 1.0.4 with the mysql backend and digest
>>>>>authentication.
>>>>>
>>>>>Radius authentication works fine.
>>>>>The problem is that when radius_is_user_in() function gets called, it sends
>>>>>a radius message but without the User-Password field and freeradius
>>>>>complains that it requires it since we are using Digest.
>>>>>I've seen a couple of posts here, but they were never answered:
>>>>>http://mail.iptel.org/pipermail/serusers/2005-March/017342.html
>>>>>http://mail.iptel.org/pipermail/serusers/2005-March/017075.html
>>>>>
>>>>>-----
>>>>>I have a small test in my ser.cfg file:
>>>>>    if (!radius_www_authorize("")) {
>>>>>        xlog("L_I","%ci - %fu - User not authenticated, Radius Authenticating...\n");
>>>>>        www_challenge("","0");
>>>>>        break;
>>>>>    } else {
>>>>>        xlog("L_I","%ci - %fu - User authenticated...\n");
>>>>>    };
>>>>>
>>>>>    if (radius_is_user_in("From", "Dialin")){
>>>>>        xlog("L_I","From: User is in Radius Group Dialin!!!!\n");
>>>>>    } else {
>>>>>        xlog("L_I","From: User *IS NOT* Group Dialin!!!!!\n");
>>>>>    };
>>>>>
>>>>>    if (radius_is_user_in("Credentials", "Dialin2")){
>>>>>        xlog("L_I","From: User is in Radius Group Dialin2!!!!\n");
>>>>>    } else {
>>>>>        xlog("L_I","From: User *IS NOT* Group Dialin2!!!!!\n");
>>>>>    };
>>>>>
>>>>>-----
>>>>>In /etc/raddb/users file I have the following at line 152:
>>>>>DEFAULT Auth-Type = System
>>>>> Fall-Through = 1
>>>>>
>>>>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>>>>
>>>>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>>>>
>>>>>-----
>>>>>
>>>>>These are mysql tables:
>>>>>
>>>>>+----+----------+-----------+----+----------+
>>>>>| id | UserName | Attribute | op | Value |
>>>>>+----+----------+-----------+----+----------+
>>>>>| 1 | Jhassell | Password | == | changeme |
>>>>>| 2 | Rneis | Password | == | changeme |
>>>>>| 3 | 1000 | Password | == | 1000 |
>>>>>| 4 | 2000 | Password | == | 2000 |
>>>>>| 5 | 3000 | Password | == | 3000 |
>>>>>| 8 | 1000 | Auth-Type | := | Digest |
>>>>>+----+----------+-----------+----+----------+
>>>>>
>>>>>+----+-----------+-----------+----+--------+
>>>>>| id | GroupName | Attribute | op | Value |
>>>>>+----+-----------+-----------+----+--------+
>>>>>| 6 | Dialin | Auth-Type | := | Accept |
>>>>>+----+-----------+-----------+----+--------+
>>>>>
>>>>>+----+-----------+---------------+----+----------------------------------+------+
>>>>>| id | GroupName | Attribute     | op | Value                            | prio |
>>>>>+----+-----------+---------------+----+----------------------------------+------+
>>>>>|  1 | Dialin    | Reply-Message | =  | "Authenticated by group Dialin"  |    0 |
>>>>>|  2 | Dialin2   | Reply-Message | =  | "Authenticated by group Dialin2" |    0 |
>>>>>+----+-----------+---------------+----+----------------------------------+------+
>>>>>
>>>>>+----+----------+---------------+----+------------------+
>>>>>| id | UserName | Attribute | op | Value |
>>>>>+----+----------+---------------+----+------------------+
>>>>>| 1 | 1000 | Reply-Message | = | "Authenticated" |
>>>>>| 2 | 1000 | Sip-Group | = | Dialin |
>>>>>| 3 | 1000 | SIP-AVP | = | Sip-Group:Dialin |
>>>>>+----+----------+---------------+----+------------------+
>>>>>
>>>>>+----+----------+------------+
>>>>>| id | UserName | GroupName |
>>>>>+----+----------+------------+
>>>>>| 1 | Jhassell | Dialin |
>>>>>| 2 | Rneis | Staticdial |
>>>>>| 3 | 1000 | Dialin |
>>>>>| 4 | 2000 | Dialin |
>>>>>| 5 | 3000 | Dialin |
>>>>>| 6 | 3000 | Dialin2 |
>>>>>+----+----------+------------+
>>>>>
>>>>>------
>>>>>
>>>>>This is the debug I get from freeradius for the group check:
>>>>>
>>>>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15, length=67
>>>>> User-Name = "1000(a)xx.xx.xx.xx"
>>>>> Sip-Group = "Dialin2"
>>>>> Service-Type = Group-Check
>>>>> NAS-IP-Address = 127.0.0.1
>>>>> NAS-Port = 0
>>>>>Processing the authorize section of radiusd.conf
>>>>>modcall: entering group authorize for request 74
>>>>>modcall[authorize]: module "preprocess" returns ok for request 74
>>>>>modcall[authorize]: module "chap" returns noop for request 74
>>>>>modcall[authorize]: module "mschap" returns noop for request 74
>>>>>modcall[authorize]: module "digest" returns noop for request 74
>>>>>rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name = "1000(a)xx.xx.xx.xx"
>>>>>rlm_realm: Found realm "xx.xx.xx.xx"
>>>>>rlm_realm: Adding Stripped-User-Name = "1000"
>>>>>rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>>>>>rlm_realm: Adding Realm = "xx.xx.xx.xx"
>>>>>rlm_realm: Authentication realm is LOCAL.
>>>>>modcall[authorize]: module "suffix" returns noop for request 74
>>>>>rlm_eap: No EAP-Message, not doing EAP
>>>>>modcall[authorize]: module "eap" returns noop for request 74
>>>>>users: Matched entry DEFAULT at line 152
>>>>>users: Matched entry DEFAULT at line 158
>>>>>modcall[authorize]: module "files" returns ok for request 74
>>>>>radius_xlat: '1000'
>>>>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>>>>rlm_sql (sql): Released sql socket id: 0
>>>>>modcall[authorize]: module "sql" returns ok for request 74
>>>>>modcall: group authorize returns ok for request 74
>>>>>rad_check_password: Found Auth-Type Digest
>>>>>auth: type "digest"
>>>>>Processing the authenticate section of radiusd.conf
>>>>>modcall: entering group authenticate for request 74
>>>>>ERROR: No Digest-Nonce: Cannot perform Digest authentication
>>>>>modcall[authenticate]: module "digest" returns invalid for request 74
>>>>>modcall: group authenticate returns invalid for request 74
>>>>>auth: Failed to validate the user.
>>>>>Delaying request 74 for 1 seconds
>>>>>Finished request 74
>>>>>Going to the next request
>>>>>--- Walking the entire request list ---
>>>>>Waking up in 1 seconds...
>>>>>--- Walking the entire request list ---
>>>>>Waking up in 1 seconds...
>>>>>--- Walking the entire request list ---
>>>>>Sending Access-Reject of id 15 to xx.xx.xx.xx:33025
>>>>> Reply-Message = "Authenticated"
>>>>>Waking up in 4 seconds...
>>>>>--- Walking the entire request list ---
>>>>>Cleaning up request 74 ID 15 with timestamp 434f1121
>>>>>Nothing to do. Sleeping until we see a request.
>>>>>
>>>>>Any help in this matter would be deeply appreciated,
>>>>>
>>>>>Lenir
>>>>>
>>>>>_______________________________________________
>>>>>Serdev mailing list
>>>>>Serdev(a)iptel.org
>>>>>http://mail.iptel.org/mailman/listinfo/serdev
>>>>_______________________________________________
>>>>Serusers mailing list
>>>>Serusers(a)iptel.org
>>>>http://mail.iptel.org/mailman/listinfo/serusers
I've never used the group_radius module so I'm not certain what it
expects from the radius server (it's not well documented currently).

Although you may be able to optimize a bit and skip the
radius_is_user_in function call and simply pass the user's group back as
a SIP-AVP attribute in the radreply table, and then check for that AVP
in the OpenSER script.

What I've done is commented out the group checking SQL from the freeradius
sql.conf file so that when a user authenticates or when an avp_radius
call is made only 2 SQL queries are sent, instead of the 4-5 used when
group check is enabled.

Try this, it should work and it will save you ~10 SQL queries and a
radius request/response.

Lenir wrote:
>I'm trying to use group_radius module to check if the user is in a
>particular radius group. I'm calling radius_is_user_in function to do this.
>Here is the snippet in my config that calls that function:
>
>route[2] {
>
>    # -----------------------------------------------------------------
>    # REGISTER Message Handler
>    # ----------------------------------------------------------------
>    sl_send_reply("100", "Trying");
>
>    if (!radius_www_authorize("")) {
>        xlog("L_INFO","$ci - $fu - User not authenticated, Radius Authenticating...\n");
>        www_challenge("","0");
>        return;
>    } else {
>        xlog("L_INFO","$ci - $fu - User authenticated...\n");
>    };
>
>    if (radius_is_user_in("From", "Dialin")){
>        xlog("L_INFO","From: User is in Radius Group Dialin!!!!\n");
>    } else {
>        xlog("L_INFO","From: User *IS NOT* Group Dialin!!!!!\n");
>    };
>
>    if (radius_is_user_in("From", "Dialin2")){
>        xlog("L_INFO","From: User is in Radius Group Dialin2!!!!\n");
>    } else {
>        xlog("L_INFO","From: User *IS NOT* Group Dialin2!!!!!\n");
>    };
>
>    #if (!radius_check_to()) {
>    #    sl_send_reply("401", "Unauthorized");
>    #    return;
>    #};
>
>    consume_credentials();
>
>    if (!save("location")) {
>        sl_reply_error();
>    };
>}
>
>
>-----Original Message-----
>From: Tavis P [mailto:tavis.lists@galaxytelecom.net]
>Sent: Wednesday, October 19, 2005 3:59 PM
>To: Lenir
>Cc: users(a)openser.org; serusers(a)iptel.org
>Subject: Re: group_radius radius_is_user_in
>
>Well either way the radius server is going to respond with an
>"Access-Accept" because you have set the auth-type to "none" (which is
>necessary because you are not authenticating and can not provide the
>necessary credentials).
>
>From the trace you showed me below, I see two radius requests both for
>the user 1000 and both of which respond as I would expect.
>
>I'm not sure what you are trying to accomplish, are you using the
>group_radius module or just loading the group information using avp_radius?
>
>
>Lenir wrote:
>
>>This is my users file:
>>
>>DEFAULT Auth-Type = System
>> Fall-Through = 1
>>
>>DEFAULT Service-Type == Call-Check, Auth-Type := None
>>
>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>
>>DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
>>
>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>
>>DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
>>
>>
>>mysql> select * from radcheck;
>>+----+----------+-----------+----+----------+
>>| id | UserName | Attribute | op | Value |
>>+----+----------+-----------+----+----------+
>>| 1 | Jhassell | Password | == | changeme |
>>| 2 | Rneis | Password | == | changeme |
>>| 3 | 1000 | Password | == | 1000 |
>>| 4 | 2000 | Password | == | 2000 |
>>| 5 | 3000 | Password | == | 3000 |
>>+----+----------+-----------+----+----------+
>>5 rows in set (0.00 sec)
>>
>>mysql> select * from radreply;
>>Empty set (0.00 sec)
>>
>>mysql> select * from usergroup;
>>+----+----------+------------+
>>| id | UserName | GroupName |
>>+----+----------+------------+
>>| 1 | Jhassell | Dialin |
>>| 2 | Rneis | Staticdial |
>>| 3 | 1000 | Dialin |
>>| 4 | 2000 | Dialin |
>>| 5 | 3000 | Dialin |
>>| 6 | 3000 | Dialin2 |
>>+----+----------+------------+
>>6 rows in set (0.00 sec)
>>
>>mysql> select * from radgroupcheck;
>>Empty set (0.00 sec)
>>
>>mysql> select * from radgroupreply;
>>+----+-----------+---------------+----+----------------------------------+------+
>>| id | GroupName | Attribute | op | Value | prio |
>>+----+-----------+---------------+----+----------------------------------+------+
>>| 1 | Dialin | Reply-Message | = | "Authenticated by group Dialin" | 0 |
>>| 2 | Dialin2 | Reply-Message | = | "Authenticated by group Dialin2" | 0 |
>>| 3 | Dialin | SIP-AVP | = | Sip-Group:Dialin | 0 |
>>+----+-----------+---------------+----+----------------------------------+------+
>>3 rows in set (0.00 sec)
>>
>>mysql> select * from radpostauth;
>>Empty set (0.00 sec)
>>
>>
>>
>>Here's the debug, notice how it returns access-accept whether its in the
>>right group or not. Shouldn't it return access-reject for group Dialin2?
>>-----------------
>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=152, length=66
>> User-Name = "1000(a)xx.xx.xx.xx"
>> Sip-Group = "Dialin"
>> Service-Type = Group-Check
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 0
>> Processing the authorize section of radiusd.conf
>>modcall: entering group authorize for request 4
>> modcall[authorize]: module "preprocess" returns ok for request 4
>> modcall[authorize]: module "chap" returns noop for request 4
>> modcall[authorize]: module "mschap" returns noop for request 4
>> modcall[authorize]: module "digest" returns noop for request 4
>> rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name = "1000(a)xx.xx.xx.xx"
>> rlm_realm: Found realm "xx.xx.xx.xx"
>> rlm_realm: Adding Stripped-User-Name = "1000"
>> rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>> rlm_realm: Adding Realm = "xx.xx.xx.xx"
>> rlm_realm: Authentication realm is LOCAL.
>> modcall[authorize]: module "suffix" returns noop for request 4
>> rlm_eap: No EAP-Message, not doing EAP
>> modcall[authorize]: module "eap" returns noop for request 4
>> users: Matched entry DEFAULT at line 156
>> users: Matched entry DEFAULT at line 161
>> modcall[authorize]: module "files" returns ok for request 4
>>radius_xlat: '1000'
>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '1000' ORDER BY id'
>>rlm_sql (sql): Reserving sql socket id: 0
>>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '1000' ORDER BY id
>>radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>>rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
>>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '1000' ORDER BY id'
>>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '1000' ORDER BY id
>>radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>>rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
>>rlm_sql (sql): Checking profile DEFAULT
>>rlm_sql (sql): sql_set_user escaped user --> 'DEFAULT'
>>radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>>rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
>>radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>>rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
>>rlm_sql (sql): Released sql socket id: 0
>> modcall[authorize]: module "sql" returns ok for request 4
>>modcall: group authorize returns ok for request 4
>> rad_check_password: Found Auth-Type None
>> rad_check_password: Auth-Type = Accept, accepting the user
>>radius_xlat: 'Authenticated by group Dialin'
>>Sending Access-Accept of id 152 to xx.xx.xx.xx:33167
>> Reply-Message = "Authenticated by group Dialin"
>> SIP-AVP = "Sip-Group:Dialin"
>>Finished request 4
>>Going to the next request
>>Waking up in 6 seconds...
>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=153, length=67
>> User-Name = "1000(a)xx.xx.xx.xx"
>> Sip-Group = "Dialin2"
>> Service-Type = Group-Check
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 0
>> Processing the authorize section of radiusd.conf
>>modcall: entering group authorize for request 5
>> modcall[authorize]: module "preprocess" returns ok for request 5
>> modcall[authorize]: module "chap" returns noop for request 5
>> modcall[authorize]: module "mschap" returns noop for request 5
>> modcall[authorize]: module "digest" returns noop for request 5
>> rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name = "1000(a)xx.xx.xx.xx"
>> rlm_realm: Found realm "xx.xx.xx.xx"
>> rlm_realm: Adding Stripped-User-Name = "1000"
>> rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>> rlm_realm: Adding Realm = "xx.xx.xx.xx"
>> rlm_realm: Authentication realm is LOCAL.
>> modcall[authorize]: module "suffix" returns noop for request 5
>> rlm_eap: No EAP-Message, not doing EAP
>> modcall[authorize]: module "eap" returns noop for request 5
>> users: Matched entry DEFAULT at line 156
>> users: Matched entry DEFAULT at line 161
>> modcall[authorize]: module "files" returns ok for request 5
>>radius_xlat: '1000'
>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '1000' ORDER BY id'
>>rlm_sql (sql): Reserving sql socket id: 4
>>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '1000' ORDER BY id
>>radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>>rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
>>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '1000' ORDER BY id'
>>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '1000' ORDER BY id
>>radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>>rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
>>rlm_sql (sql): Checking profile DEFAULT
>>rlm_sql (sql): sql_set_user escaped user --> 'DEFAULT'
>>radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>>rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
>>radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>>rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
>>rlm_sql (sql): Released sql socket id: 4
>> modcall[authorize]: module "sql" returns ok for request 5
>>modcall: group authorize returns ok for request 5
>> rad_check_password: Found Auth-Type None
>> rad_check_password: Auth-Type = Accept, accepting the user
>>radius_xlat: 'Authenticated by group Dialin'
>>Sending Access-Accept of id 153 to xx.xx.xx.xx:33167
>> Reply-Message = "Authenticated by group Dialin"
>> SIP-AVP = "Sip-Group:Dialin"
>>Finished request 5
>>
>>-----Original Message-----
>>From: Tavis P [mailto:tavis.lists@galaxytelecom.net]
>>Sent: Friday, October 14, 2005 7:21 PM
>>To: Lenir
>>Cc: users(a)openser.org; serusers(a)iptel.org
>>Subject: Re: group_radius radius_is_user_in
>>
>>Ugh the subject line is getting really munged up ;P
>>
>>Hmmm, what does the output from "radiusd -X" look like for the exchange?
>>
>>
>>Lenir wrote:
>>
>>>Tavis,
>>>
>>>Thanks for your input, that did fix the problem. I did have the "files"
>>>before "sql" in radiusd.conf. Also I followed your advice about taking out
>>>"Auth-Type" out of mysql table and let DEFAULT in users file do the trick.
>>>
>>>However it's semi-working.
>>>
>>>According to the snippet from my ser.cfg file, now I get the following in
>>>stderr:
>>>0(4866) 000d2890-d47f0003-4a230347-53c6189b(a)yy.yy.yy.yy - sip:1000@xx.xx.xx.xx - User authenticated...
>>>0(4866) Credentials: User is in Radius Group Dialin!!!!
>>>0(4866) Credentials: User is in Radius Group Dialin2!!!!
>>>
>>>No matter which parameter I use for the function radius_is_user_in(), it
>>>always returns TRUE. When in fact it should return FALSE for Group
>>>Dialin2.
>>>
>>>I've tried:
>>>
>>>if (radius_is_user_in("From", "Dialin2")){...
>>>if (radius_is_user_in("Credentials", "Dialin2")){...
>>>
>>>Here's what I did to fix future problems:
>>>
>>>DEFAULT Auth-Type = System
>>> Fall-Through = 1
>>>
>>>DEFAULT Service-Type == Call-Check, Auth-Type := Digest
>>>
>>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>>
>>>DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
>>>
>>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>>
>>>DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
>>>
>>>
>>>Also, for those of you using the latest version of freeradius, you may have
>>>to comment out the following lines as they conflict with dictionary.ser (SER
>>>CVS) and dictionary.sip (comes with radiusclient-NG)
>>>
>>>#VALUE Service-Type Voice 12
>>>#VALUE Service-Type Fax 13
>>>#VALUE Service-Type Modem-Relay 14
>>>#VALUE Service-Type IAPP-Register 15
>>>#VALUE Service-Type IAPP-AP-Check 16
>>>
>>>
>>>Thanks,
>>>
>>>Lenir
>>>
>>>-----Original Message-----
>>>From: serusers-bounces(a)iptel.org [mailto:serusers-bounces@iptel.org] On
>>>Behalf Of Tavis P
>>>Sent: Friday, October 14, 2005 1:49 PM
>>>To: lsantiago(a)globalgatewaycom.com
>>>Cc: serdev(a)iptel.org; serusers(a)iptel.org; devel(a)openser.org;
>>>users(a)openser.org
>>>Subject: [Serusers] Re: [Serdev] group_radius radius_is_user_in
>>>
>>>Oops, I spoke too soon
>>>
>>>It looks like you have placed the "files" module before the "sql" module
>>>in your radiusd.conf
>>>
>>>It's matching your DEFAULT entry in files (setting the Auth-Type to none)
>>>but the sql module is later changing the Auth-Type to "digest"
>>>
>>>Changing the order would solve this problem, as you want it to match the
>>>SQL statement first and then the section in the files last (which
>>>changes the Auth-Type)
>>>
>>>Also, you may want to reduce the load on your database by not setting
>>>the Auth-Type in the database and instead setting it in the users file with
>>>a DEFAULT statement as (at least in my case) it isn't something that needs
>>>to be dynamic.
>>>
>>>lenirsantiago(a)yahoo.com wrote:
>>>
>>>>Hello list,
>>>>
>>>>I've been trying my hardest today to get group_radius to work, and its
>>>>function radius_is_user_in().
>>>>I'm running ser0.9.4 and freeradius 1.0.4 with the mysql backend and digest
>>>>authentication.
>>>>
>>>>Radius authentication works fine.
>>>>The problem is that when radius_is_user_in() function gets called, it sends
>>>>a radius message but without the User-Password field and freeradius
>>>>complains that it requires it since we are using Digest.
>>>>I've seen a couple of posts here, but they were never answered:
>>>>http://mail.iptel.org/pipermail/serusers/2005-March/017342.html
>>>>http://mail.iptel.org/pipermail/serusers/2005-March/017075.html
>>>>
>>>>-----
>>>>I have a small test in my ser.cfg file:
>>>>    if (!radius_www_authorize("")) {
>>>>        xlog("L_I","%ci - %fu - User not authenticated, Radius Authenticating...\n");
>>>>        www_challenge("","0");
>>>>        break;
>>>>    } else {
>>>>        xlog("L_I","%ci - %fu - User authenticated...\n");
>>>>    };
>>>>
>>>>    if (radius_is_user_in("From", "Dialin")){
>>>>        xlog("L_I","From: User is in Radius Group Dialin!!!!\n");
>>>>    } else {
>>>>        xlog("L_I","From: User *IS NOT* Group Dialin!!!!!\n");
>>>>    };
>>>>
>>>>    if (radius_is_user_in("Credentials", "Dialin2")){
>>>>        xlog("L_I","From: User is in Radius Group Dialin2!!!!\n");
>>>>    } else {
>>>>        xlog("L_I","From: User *IS NOT* Group Dialin2!!!!!\n");
>>>>    };
>>>>
>>>>-----
>>>>In /etc/raddb/users file I have the following at line 152:
>>>>DEFAULT Auth-Type = System
>>>> Fall-Through = 1
>>>>
>>>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>>>
>>>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>>>
>>>>-----
>>>>
>>>>These are mysql tables:
>>>>
>>>>+----+----------+-----------+----+----------+
>>>>| id | UserName | Attribute | op | Value |
>>>>+----+----------+-----------+----+----------+
>>>>| 1 | Jhassell | Password | == | changeme |
>>>>| 2 | Rneis | Password | == | changeme |
>>>>| 3 | 1000 | Password | == | 1000 |
>>>>| 4 | 2000 | Password | == | 2000 |
>>>>| 5 | 3000 | Password | == | 3000 |
>>>>| 8 | 1000 | Auth-Type | := | Digest |
>>>>+----+----------+-----------+----+----------+
>>>>
>>>>+----+-----------+-----------+----+--------+
>>>>| id | GroupName | Attribute | op | Value |
>>>>+----+-----------+-----------+----+--------+
>>>>| 6 | Dialin | Auth-Type | := | Accept |
>>>>+----+-----------+-----------+----+--------+
>>>>
>>>>+----+-----------+---------------+----+----------------------------------+------+
>>>>| id | GroupName | Attribute | op | Value | prio |
>>>>+----+-----------+---------------+----+----------------------------------+------+
>>>>| 1 | Dialin | Reply-Message | = | "Authenticated by group Dialin" | 0 |
>>>>| 2 | Dialin2 | Reply-Message | = | "Authenticated by group Dialin2" | 0 |
>>>>+----+-----------+---------------+----+----------------------------------+------+
>>>>
>>>>+----+----------+---------------+----+------------------+
>>>>| id | UserName | Attribute | op | Value |
>>>>+----+----------+---------------+----+------------------+
>>>>| 1 | 1000 | Reply-Message | = | "Authenticated" |
>>>>| 2 | 1000 | Sip-Group | = | Dialin |
>>>>| 3 | 1000 | SIP-AVP | = | Sip-Group:Dialin |
>>>>+----+----------+---------------+----+------------------+
>>>>
>>>>+----+----------+------------+
>>>>| id | UserName | GroupName |
>>>>+----+----------+------------+
>>>>| 1 | Jhassell | Dialin |
>>>>| 2 | Rneis | Staticdial |
>>>>| 3 | 1000 | Dialin |
>>>>| 4 | 2000 | Dialin |
>>>>| 5 | 3000 | Dialin |
>>>>| 6 | 3000 | Dialin2 |
>>>>+----+----------+------------+
>>>>
>>>>------
>>>>
>>>>This is the debug I get from freeradius for the group check:
>>>>
>>>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15, length=67
>>>> User-Name = "1000(a)xx.xx.xx.xx"
>>>> Sip-Group = "Dialin2"
>>>> Service-Type = Group-Check
>>>> NAS-IP-Address = 127.0.0.1
>>>> NAS-Port = 0
>>>>Processing the authorize section of radiusd.conf
>>>>modcall: entering group authorize for request 74
>>>>modcall[authorize]: module "preprocess" returns ok for request 74
>>>>modcall[authorize]: module "chap" returns noop for request 74
>>>>modcall[authorize]: module "mschap" returns noop for request 74
>>>>modcall[authorize]: module "digest" returns noop for request 74
>>>> rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name = "1000(a)xx.xx.xx.xx"
>>>> rlm_realm: Found realm "xx.xx.xx.xx"
>>>> rlm_realm: Adding Stripped-User-Name = "1000"
>>>> rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>>>> rlm_realm: Adding Realm = "xx.xx.xx.xx"
>>>> rlm_realm: Authentication realm is LOCAL.
>>>>modcall[authorize]: module "suffix" returns noop for request 74
>>>>rlm_eap: No EAP-Message, not doing EAP
>>>>modcall[authorize]: module "eap" returns noop for request 74
>>>> users: Matched entry DEFAULT at line 152
>>>> users: Matched entry DEFAULT at line 158
>>>>modcall[authorize]: module "files" returns ok for request 74
>>>>radius_xlat: '1000'
>>>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>>>rlm_sql (sql): Released sql socket id: 0
>>>>modcall[authorize]: module "sql" returns ok for request 74
>>>>modcall: group authorize returns ok for request 74
>>>>rad_check_password: Found Auth-Type Digest
>>>>auth: type "digest"
>>>>Processing the authenticate section of radiusd.conf
>>>>modcall: entering group authenticate for request 74
>>>>ERROR: No Digest-Nonce: Cannot perform Digest authentication
>>>>modcall[authenticate]: module "digest" returns invalid for request 74
>>>>modcall: group authenticate returns invalid for request 74
>>>>auth: Failed to validate the user.
>>>>Delaying request 74 for 1 seconds
>>>>Finished request 74
>>>>Going to the next request
>>>>--- Walking the entire request list ---
>>>>Waking up in 1 seconds...
>>>>--- Walking the entire request list ---
>>>>Waking up in 1 seconds...
>>>>--- Walking the entire request list ---
>>>>Sending Access-Reject of id 15 to xx.xx.xx.xx:33025
>>>> Reply-Message = "Authenticated"
>>>>Waking up in 4 seconds...
>>>>--- Walking the entire request list ---
>>>>Cleaning up request 74 ID 15 with timestamp 434f1121
>>>>Nothing to do. Sleeping until we see a request.
>>>>
>>>>Any help in this matter would be deeply appreciated,
>>>>
>>>>Lenir
>>>>
>
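
Added example, not part of the thread or of either project: the radiusd -X output quoted above shows a Group-Check for Sip-Group "Dialin2" answered with Access-Accept while the reply only carries SIP-AVP "Sip-Group:Dialin". This Python script pairs each Access-Request with its reply and reports accepted Group-Check requests whose reply does not confirm the requested group. Treating the SIP-AVP "Sip-Group:<name>" reply item as the membership evidence is this example's assumption, and the log text is a constructed, abridged sample.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the debug output quoted in the thread.
# The second exchange keeps mail quote markers and a wrapped header line
# on purpose, to show the parser tolerates both.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=152, length=66
 User-Name = "1000(a)xx.xx.xx.xx"
 Sip-Group = "Dialin"
 Service-Type = Group-Check
 rad_check_password: Found Auth-Type None
Sending Access-Accept of id 152 to xx.xx.xx.xx:33167
 Reply-Message = "Authenticated by group Dialin"
 SIP-AVP = "Sip-Group:Dialin"
Finished request 4
>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=153,
>>length=67
>> User-Name = "1000(a)xx.xx.xx.xx"
>> Sip-Group = "Dialin2"
>> Service-Type = Group-Check
>>Sending Access-Accept of id 153 to xx.xx.xx.xx:33167
>> Reply-Message = "Authenticated by group Dialin"
>> SIP-AVP = "Sip-Group:Dialin"
>>Finished request 5
rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15, length=67
 User-Name = "1000(a)xx.xx.xx.xx"
 Sip-Group = "Dialin2"
 Service-Type = Group-Check
Sending Access-Reject of id 15 to xx.xx.xx.xx:33025
 Reply-Message = "Authenticated"
"""

REQ = re.compile(r"^rad_recv: Access-Request packet from host (\S+), id=(\d+)")
REP = re.compile(r"^Sending Access-(Accept|Reject) of id (\d+) to (\S+)")
# An attribute line is indented and has the attribute name directly before " = ".
ATTR = re.compile(r'^\s+([\w-]+) = "?(.*?)"?\s*$')


def parse_exchanges(text):
    """Return request/reply pairs in log order, matched on (client, RADIUS id)."""
    exchanges = []   # every request seen, in order
    pending = {}     # (client, id) -> exchange still waiting for its reply
    attrs = None     # attribute dict currently being filled, if any
    for raw in text.splitlines():
        line = raw.lstrip(">")          # drop mail quote markers
        m = REQ.match(line)
        if m:
            ex = {"client": m.group(1), "id": int(m.group(2)), "verdict": None,
                  "request": defaultdict(list), "reply": defaultdict(list)}
            exchanges.append(ex)
            pending[(ex["client"], ex["id"])] = ex   # ids are reused, newest wins
            attrs = ex["request"]
            continue
        m = REP.match(line)
        if m:
            ex = pending.pop((m.group(3), int(m.group(2))), None)
            attrs = None
            if ex is not None:
                ex["verdict"] = m.group(1)
                attrs = ex["reply"]
            continue
        m = ATTR.match(line)
        if m and attrs is not None:
            attrs[m.group(1)].append(m.group(2))
        elif attrs:
            # A non-attribute line ends a block that already has attributes;
            # an empty block stays open so a wrapped "length=NN" line is skipped.
            attrs = None
    return exchanges


def unverified_group_accepts(exchanges):
    """Accepted Group-Check requests whose reply does not confirm the group.

    Assumption of this example: the server returns membership as a
    SIP-AVP reply item of the form "Sip-Group:<name>".
    """
    findings = []
    for ex in exchanges:
        req, rep = ex["request"], ex["reply"]
        if "Group-Check" not in req.get("Service-Type", []):
            continue
        if ex["verdict"] != "Accept":
            continue
        wanted = req.get("Sip-Group", [""])[0]
        confirmed = sorted(v.split(":", 1)[1] for v in rep.get("SIP-AVP", [])
                           if v.startswith("Sip-Group:"))
        if wanted not in confirmed:
            user = req.get("User-Name", ["?"])[0]
            findings.append((ex["client"], ex["id"], user, wanted, confirmed))
    return findings


if __name__ == "__main__":
    for client, rid, user, wanted, confirmed in unverified_group_accepts(
            parse_exchanges(SAMPLE_LOG)):
        print(f"{client} id={rid}: {user} accepted for group {wanted!r}, "
              f"reply only confirms {confirmed}")
```
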
Hi,

I am trying to figure out how to solve the following problem.

I have two subnetworks, A and B, with different private IP addressing
schemes (IP@A) and (IP@B).
SER is installed in a computer with network interfaces towards both
subnetworks.
SER's SIP signalling proxying operation works properly within the
subnetworks and when trying to set up a communication between users in A
and B. But in that last case, obviously there is no media at all
circulating among the subnetworks.

Portaone's RTP proxy has been installed and configured in the computer
with interfaces towards both subnetworks where SER is installed.
I am trying to configure SER so that, based on the nathelper module,
when communication between both subnetworks occurs, the RTP proxy is
involved and the communication (also media and not only signalling) is
possible. BUT I am doing something wrong, because it does not work ...

Can anyone give me a hand / hint?

Thanks a lot in advance / in any case.

My SER config file is the following:
#
# ----------- global configuration parameters ------------------------

/* Uncomment these lines to enter debugging mode
debug=7
fork=no
log_stderror=yes
*/

check_via=no    # (cmd. line: -v)
dns=no          # (cmd. line: -r)
rev_dns=no      # (cmd. line: -R)
fifo="/tmp/ser_fifo"
fifo_mode=0662
alias=wirelessip.x.x.x
alias=sip..x.x.x
alias=x.x.x
log_stderror=no
debug=3
children=3
mhomed=1

# ------------------ module loading ----------------------------------

# Uncomment this if you want to use SQL database
loadmodule "/lib/ser/modules/mysql.so"
loadmodule "/lib/ser/modules/sl.so"
loadmodule "/lib/ser/modules/tm.so"
loadmodule "/lib/ser/modules/rr.so"
loadmodule "/lib/ser/modules/maxfwd.so"
loadmodule "/lib/ser/modules/usrloc.so"
loadmodule "/lib/ser/modules/textops.so"
loadmodule "/lib/ser/modules/registrar.so"

# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "/lib/ser/modules/auth.so"
loadmodule "/lib/ser/modules/auth_db.so"

# For NAT support / media proxying
loadmodule "/lib/ser/modules/nathelper.so"

# ----------------- setting module-specific parameters ---------------

# -- usrloc params --
#modparam("usrloc", "db_mode", 0)

# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
modparam("usrloc", "db_mode", 2)

# -- auth params --
# Uncomment if you are using auth module
modparam("auth_db", "calculate_ha1", yes)

# If you set "calculate_ha1" parameter to yes (which true in this config),
# uncomment also the following parameter)
modparam("auth_db", "password_column", "password")

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# For NAT
# We will use flag 6 to mark NATed contacts
modparam("registrar", "nat_flag", 6)

# Enable NAT pinging
modparam("nathelper", "natping_interval", 60)

# Ping only contacts that are known to be
# behind NAT
modparam("nathelper", "ping_nated_only", 1)

# ------------------------- request routing logic -------------------

# main routing logic
route{

    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        break;
    };
    if ( msg:len > max_len ) {
        sl_send_reply("513", "Message too big");
        break;
    };

    # special handling for NATed clients; first, nat test is
    # executed: it looks for via!=received and RFC1918 addresses
    # in Contact (may fail if line-folding used); also,
    # the received test should, if complete, check all
    # vias for presence of received
    if (nat_uac_test("3")) {
        # allow RR-ed requests, as these may indicate that
        # a NAT-enabled proxy takes care of it; unless it is
        # a REGISTER
        if (method == "REGISTER" || ! search("^Record-Route:")) {
            log("LOG: Someone trying to register from private IP, rewriting\n");

            # This will work only for user agents that support symmetric
            # communication. We tested quite many of them and majority is
            # smart enough to be symmetric. In some phones, like
            # it takes a configuration option. With Cisco 7960, it is
            # called NAT_Enable=Yes, with kphone it is called
            # "symmetric media" and "symmetric signaling". (The latter
            # not part of public released yet.)
            fix_nated_contact();        # Rewrite contact with source IP of signalling
            if (method == "INVITE") {
                fix_nated_sdp("1");     # Add direction=active to SDP
            };
            force_rport();              # Add rport parameter to topmost Via
            setflag(6);                 # Mark as NATed
        };
    };

    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol
    record_route();

    # loose-route processing
    if (loose_route()) {
        t_relay();
        break;
    };

    lookup("aliases");

    # if the request is for other domain use UsrLoc
    # (in case, it does not work, use the following command
    # with proper names and addresses in it)
    if (uri==myself) {
        if (method=="REGISTER") {
            # Uncomment this if you want to use digest authentication
            if (!www_authorize("com.dtu.dk", "subscriber")) {
                www_challenge("com.dtu.dk", "0");
                break;
            };
            save("location");
            break;
        };

        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) {
            sl_send_reply("404", "Not Found");
            break;
        };
    };

    # forward to current uri now; use stateful forwarding; that
    # works reliably even if we forward from TCP to UDP
    if (!t_relay()) {
        sl_reply_error();
    };
}

#
# Forcing media relay if necessary
#
route[1] {
    #if (uri=~"[@:](192\.168\.|10\.|172\.16)" && !search("^Route:")){
    #    sl_send_reply("479", "We don't forward to private IP addresses");
    #    break;
    #};
    #if (isflagset(6)) {
    force_rtp_proxy();      # I force everything through the proxy
    t_on_reply("1");
    append_hf("P-Behind-NAT: Yes\r\n");
    #};
    if (!t_relay()) {
        sl_reply_error();
        break;
    };
}

onreply_route[1] {
    if (status =~ "(183)|2[0-9][0-9]") {
        fix_nated_contact();
        force_rtp_proxy();
    };
}

Well either way the radius server is going to respond with an
"Access-Accept" because you have set the auth-type to "none" (which is
necessary because you are not authenticating and can not provide the
necessary credentials).
From the trace you showed me below, i see two radius requests both for
the user 1000 and both of which respond as i would expect.
I'm not sure what you are trying to accomplish, are you using the
group_radius module or just loading the group information using avp_radius?
Lenir wrote:
>This is my users file:
>
>DEFAULT Auth-Type = System
> Fall-Through = 1
>
>DEFAULT Service-Type == Call-Check, Auth-Type := None
>
>DEFAULT Service-Type == Group-Check, Auth-Type := None
>
>DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
>
>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>
>DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
>
>
>mysql> select * from radcheck;
>+----+----------+-----------+----+----------+
>| id | UserName | Attribute | op | Value |
>+----+----------+-----------+----+----------+
>| 1 | Jhassell | Password | == | changeme |
>| 2 | Rneis | Password | == | changeme |
>| 3 | 1000 | Password | == | 1000 |
>| 4 | 2000 | Password | == | 2000 |
>| 5 | 3000 | Password | == | 3000 |
>+----+----------+-----------+----+----------+
>5 rows in set (0.00 sec)
>
>mysql> select * from radreply;
>Empty set (0.00 sec)
>
>mysql> select * from usergroup;
>+----+----------+------------+
>| id | UserName | GroupName |
>+----+----------+------------+
>| 1 | Jhassell | Dialin |
>| 2 | Rneis | Staticdial |
>| 3 | 1000 | Dialin |
>| 4 | 2000 | Dialin |
>| 5 | 3000 | Dialin |
>| 6 | 3000 | Dialin2 |
>+----+----------+------------+
>6 rows in set (0.00 sec)
>
>mysql> select * from radgroupcheck;
>Empty set (0.00 sec)
>
>mysql> select * from radgroupreply;
>+----+-----------+---------------+----+----------------------------------+------+
>| id | GroupName | Attribute     | op | Value                            | prio |
>+----+-----------+---------------+----+----------------------------------+------+
>|  1 | Dialin    | Reply-Message | =  | "Authenticated by group Dialin"  |    0 |
>|  2 | Dialin2   | Reply-Message | =  | "Authenticated by group Dialin2" |    0 |
>|  3 | Dialin    | SIP-AVP       | =  | Sip-Group:Dialin                 |    0 |
>+----+-----------+---------------+----+----------------------------------+------+
>3 rows in set (0.00 sec)
>
>mysql> select * from radpostauth;
>Empty set (0.00 sec)
>
>
>
>Here's the debug, notice how it returns access-accept whether its in the
>right group or not. Shouldn't it return access-reject for group Dialin2?
>-----------------
>rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=152,
>length=66
> User-Name = "1000(a)xx.xx.xx.xx"
> Sip-Group = "Dialin"
> Service-Type = Group-Check
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 4
> modcall[authorize]: module "preprocess" returns ok for request 4
> modcall[authorize]: module "chap" returns noop for request 4
> modcall[authorize]: module "mschap" returns noop for request 4
> modcall[authorize]: module "digest" returns noop for request 4
> rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
>"1000(a)xx.xx.xx.xx"
> rlm_realm: Found realm "xx.xx.xx.xx"
> rlm_realm: Adding Stripped-User-Name = "1000"
> rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
> rlm_realm: Adding Realm = "xx.xx.xx.xx"
> rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module "suffix" returns noop for request 4
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 4
> users: Matched entry DEFAULT at line 156
> users: Matched entry DEFAULT at line 161
> modcall[authorize]: module "files" returns ok for request 4
>radius_xlat: '1000'
>rlm_sql (sql): sql_set_user escaped user --> '1000'
>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
>radcheck WHERE Username = '1000' ORDER BY id'
>rlm_sql (sql): Reserving sql socket id: 0
>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
>FROM radcheck WHERE Username = '1000' ORDER BY id
>radius_xlat: 'SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>rlm_sql_mysql: query: SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id
>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
>radreply WHERE Username = '1000' ORDER BY id'
>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
>FROM radreply WHERE Username = '1000' ORDER BY id
>radius_xlat: 'SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id'
>rlm_sql_mysql: query: SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id
>rlm_sql (sql): Checking profile DEFAULT
>rlm_sql (sql): sql_set_user escaped user --> 'DEFAULT'
>radius_xlat: 'SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>rlm_sql_mysql: query: SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id
>radius_xlat: 'SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id'
>rlm_sql_mysql: query: SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id
>rlm_sql (sql): Released sql socket id: 0
> modcall[authorize]: module "sql" returns ok for request 4
>modcall: group authorize returns ok for request 4
> rad_check_password: Found Auth-Type None
> rad_check_password: Auth-Type = Accept, accepting the user
>radius_xlat: 'Authenticated by group Dialin'
>Sending Access-Accept of id 152 to xx.xx.xx.xx:33167
> Reply-Message = "Authenticated by group Dialin"
> SIP-AVP = "Sip-Group:Dialin"
>Finished request 4
>Going to the next request
>Waking up in 6 seconds...
>rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=153,
>length=67
> User-Name = "1000(a)xx.xx.xx.xx"
> Sip-Group = "Dialin2"
> Service-Type = Group-Check
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 5
> modcall[authorize]: module "preprocess" returns ok for request 5
> modcall[authorize]: module "chap" returns noop for request 5
> modcall[authorize]: module "mschap" returns noop for request 5
> modcall[authorize]: module "digest" returns noop for request 5
> rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
>"1000(a)xx.xx.xx.xx"
> rlm_realm: Found realm "xx.xx.xx.xx"
> rlm_realm: Adding Stripped-User-Name = "1000"
> rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
> rlm_realm: Adding Realm = "xx.xx.xx.xx"
> rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module "suffix" returns noop for request 5
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 5
> users: Matched entry DEFAULT at line 156
> users: Matched entry DEFAULT at line 161
> modcall[authorize]: module "files" returns ok for request 5
>radius_xlat: '1000'
>rlm_sql (sql): sql_set_user escaped user --> '1000'
>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
>radcheck WHERE Username = '1000' ORDER BY id'
>rlm_sql (sql): Reserving sql socket id: 4
>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
>FROM radcheck WHERE Username = '1000' ORDER BY id
>radius_xlat: 'SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>rlm_sql_mysql: query: SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id
>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
>radreply WHERE Username = '1000' ORDER BY id'
>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
>FROM radreply WHERE Username = '1000' ORDER BY id
>radius_xlat: 'SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id'
>rlm_sql_mysql: query: SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id
>rlm_sql (sql): Checking profile DEFAULT
>rlm_sql (sql): sql_set_user escaped user --> 'DEFAULT'
>radius_xlat: 'SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>rlm_sql_mysql: query: SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id
>radius_xlat: 'SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id'
>rlm_sql_mysql: query: SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id
>rlm_sql (sql): Released sql socket id: 4
> modcall[authorize]: module "sql" returns ok for request 5
>modcall: group authorize returns ok for request 5
> rad_check_password: Found Auth-Type None
> rad_check_password: Auth-Type = Accept, accepting the user
>radius_xlat: 'Authenticated by group Dialin'
>Sending Access-Accept of id 153 to xx.xx.xx.xx:33167
> Reply-Message = "Authenticated by group Dialin"
> SIP-AVP = "Sip-Group:Dialin"
>Finished request 5
>
>-----Original Message-----
>From: Tavis P [mailto:tavis.lists@galaxytelecom.net]
>Sent: Friday, October 14, 2005 7:21 PM
>To: Lenir
>Cc: users(a)openser.org; serusers(a)iptel.org
>Subject: Re: group_radius radius_is_user_in
>
>Ugh the subject line is getting really munged up ;P
>
>Hmmm, what does the output from "radiusd -X" look like for the exchange?
>
>
>Lenir wrote:
>
>
>
>>Tavis,
>>
>>Thanks for your input, that did fix the problem. I did have the "files"
>>before "sql" in radiusd.conf. Also I followed your advice about taking out
>>"Auth-Type" out of mysql table and let DEFAULT in users file do the trick.
>>
>>However it's semi-working.
>>
>>According to the snippet from my ser.cfg file, now I get the following in
>>stderr:
>>0(4866) 000d2890-d47f0003-4a230347-53c6189b(a)yy.yy.yy.yy -
>>sip:1000@xx.xx.xx.xx - User authenticated...
>>0(4866) Credentials: User is in Radius Group Dialin!!!!
>>0(4866) Credentials: User is in Radius Group Dialin2!!!!
>>
>>No matter which parameter I use for the function radius_is_user_in(), it
>>always returns TRUE. When in fact it should return FALSE for Group Dialin2.
>>I've tried:
>>
>>if (radius_is_user_in("From", "Dialin2")){...
>>if (radius_is_user_in("Credentials", "Dialin2")){...
>>
>>
>>
>>
>>
>>Here's what I did to fix future problems:
>>
>>DEFAULT Auth-Type = System
>> Fall-Through = 1
>>
>>DEFAULT Service-Type == Call-Check, Auth-Type := Digest
>>
>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>
>>DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
>>
>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>
>>DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
>>
>>
>>Also, for those of you using the latest version of freeradius, you may have
>>to comment out the following lines as they conflict with dictionary.ser (SER
>>CVS) and dictionary.sip (comes with radiusclient-NG)
>>
>>#VALUE Service-Type Voice 12
>>#VALUE Service-Type Fax 13
>>#VALUE Service-Type Modem-Relay 14
>>#VALUE Service-Type IAPP-Register 15
>>#VALUE Service-Type IAPP-AP-Check 16
>>
>>
>>Thanks,
>>
>>
>>Lenir
>>
>>
>>-----Original Message-----
>>From: serusers-bounces(a)iptel.org [mailto:serusers-bounces@iptel.org] On
>>Behalf Of Tavis P
>>Sent: Friday, October 14, 2005 1:49 PM
>>To: lsantiago(a)globalgatewaycom.com
>>Cc: serdev(a)iptel.org; serusers(a)iptel.org; devel(a)openser.org;
>>users(a)openser.org
>>Subject: [Serusers] Re: [Serdev] group_radius radius_is_user_in
>>
>>Oops, i spoke too soon
>>
>>It looks like you have placed the "files" module before the "sql" module
>>in your radiusd.conf
>>
>>It's matching your DEFAULT entry in files (setting the Auth-Type to none)
>>but the sql module is later changing the Auth-Type to "digest"
>>
>>Changing the order would solve this problem, as you want it to match the
>>SQL statement first and then the section in the files last (which
>>changes the Auth-Type)
>>
>>Also, you may want to reduce the load on your database by not setting
>>the Auth-Type in the database and instead setting in the users file with
>>a DEFAULT statement as (at least in my case) it isn't something that needs
>>to be dynamic.
>>
>>lenirsantiago(a)yahoo.com wrote:
>>
>>
>>
>>
>>
>>>Hello list,
>>>
>>>I've been trying my hardest today to get group_radius to work, and its
>>>function radius_is_user_in().
>>>I'm running ser0.9.4 and freeradius 1.0.4 with the mysql backend and digest
>>>authentication.
>>>
>>>Radius authentication works fine.
>>>The problem is that when radius_is_user_in() function gets called, it sends
>>>a radius message but without the User-Password field and freeradius
>>>complains that it requires it since we are using Digest.
>>>I've seen a couple of posts here, but they were never answered:
>>>http://mail.iptel.org/pipermail/serusers/2005-March/017342.html
>>>http://mail.iptel.org/pipermail/serusers/2005-March/017075.html
>>>
>>>-----
>>>I have a small test in my ser.cfg file:
>>> if (!radius_www_authorize("")) {
>>> xlog("L_I","%ci - %fu - User not authenticated, Radius Authenticating...\n");
>>> www_challenge("","0");
>>> break;
>>> } else {
>>> xlog("L_I","%ci - %fu - User authenticated...\n");
>>> };
>>>
>>> if (radius_is_user_in("From", "Dialin")){
>>> xlog("L_I","From: User is in Radius Group Dialin!!!!\n");
>>> } else {
>>> xlog("L_I","From: User *IS NOT* Group Dialin!!!!!\n");
>>> };
>>>
>>> if (radius_is_user_in("Credentials", "Dialin2")){
>>> xlog("L_I","From: User is in Radius Group Dialin2!!!!\n");
>>> } else {
>>> xlog("L_I","From: User *IS NOT* Group Dialin2!!!!!\n");
>>> };
>>>
>>>-----
>>>In /etc/raddb/users file I have the following at line 152:
>>>DEFAULT Auth-Type = System
>>> Fall-Through = 1
>>>
>>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>>
>>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>>
>>>-----
>>>
>>>These are mysql tables:
>>>
>>>+----+----------+-----------+----+----------+
>>>| id | UserName | Attribute | op | Value |
>>>+----+----------+-----------+----+----------+
>>>| 1 | Jhassell | Password | == | changeme |
>>>| 2 | Rneis | Password | == | changeme |
>>>| 3 | 1000 | Password | == | 1000 |
>>>| 4 | 2000 | Password | == | 2000 |
>>>| 5 | 3000 | Password | == | 3000 |
>>>| 8 | 1000 | Auth-Type | := | Digest |
>>>+----+----------+-----------+----+----------+
>>>
>>>+----+-----------+-----------+----+--------+
>>>| id | GroupName | Attribute | op | Value |
>>>+----+-----------+-----------+----+--------+
>>>| 6 | Dialin | Auth-Type | := | Accept |
>>>+----+-----------+-----------+----+--------+
>>>
>>>+----+-----------+---------------+----+----------------------------------+------+
>>>| id | GroupName | Attribute     | op | Value                            | prio |
>>>+----+-----------+---------------+----+----------------------------------+------+
>>>|  1 | Dialin    | Reply-Message | =  | "Authenticated by group Dialin"  |    0 |
>>>|  2 | Dialin2   | Reply-Message | =  | "Authenticated by group Dialin2" |    0 |
>>>+----+-----------+---------------+----+----------------------------------+------+
>>>
>>>+----+----------+---------------+----+------------------+
>>>| id | UserName | Attribute | op | Value |
>>>+----+----------+---------------+----+------------------+
>>>| 1 | 1000 | Reply-Message | = | "Authenticated" |
>>>| 2 | 1000 | Sip-Group | = | Dialin |
>>>| 3 | 1000 | SIP-AVP | = | Sip-Group:Dialin |
>>>+----+----------+---------------+----+------------------+
>>>
>>>+----+----------+------------+
>>>| id | UserName | GroupName |
>>>+----+----------+------------+
>>>| 1 | Jhassell | Dialin |
>>>| 2 | Rneis | Staticdial |
>>>| 3 | 1000 | Dialin |
>>>| 4 | 2000 | Dialin |
>>>| 5 | 3000 | Dialin |
>>>| 6 | 3000 | Dialin2 |
>>>+----+----------+------------+
>>>
>>>------
>>>
>>>This is the debug I get from freeradius for the group check:
>>>
>>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15,
>>>length=67
>>> User-Name = "1000(a)xx.xx.xx.xx"
>>> Sip-Group = "Dialin2"
>>> Service-Type = Group-Check
>>> NAS-IP-Address = 127.0.0.1
>>> NAS-Port = 0
>>>Processing the authorize section of radiusd.conf
>>>modcall: entering group authorize for request 74
>>>modcall[authorize]: module "preprocess" returns ok for request 74
>>>modcall[authorize]: module "chap" returns noop for request 74
>>>modcall[authorize]: module "mschap" returns noop for request 74
>>>modcall[authorize]: module "digest" returns noop for request 74
>>> rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
>>>"1000(a)xx.xx.xx.xx"
>>> rlm_realm: Found realm "xx.xx.xx.xx"
>>> rlm_realm: Adding Stripped-User-Name = "1000"
>>> rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>>> rlm_realm: Adding Realm = "xx.xx.xx.xx"
>>> rlm_realm: Authentication realm is LOCAL.
>>>modcall[authorize]: module "suffix" returns noop for request 74
>>>rlm_eap: No EAP-Message, not doing EAP
>>>modcall[authorize]: module "eap" returns noop for request 74
>>> users: Matched entry DEFAULT at line 152
>>> users: Matched entry DEFAULT at line 158
>>>modcall[authorize]: module "files" returns ok for request 74
>>>radius_xlat: '1000'
>>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>>rlm_sql (sql): Released sql socket id: 0
>>>modcall[authorize]: module "sql" returns ok for request 74
>>>modcall: group authorize returns ok for request 74
>>>rad_check_password: Found Auth-Type Digest
>>>auth: type "digest"
>>>Processing the authenticate section of radiusd.conf
>>>modcall: entering group authenticate for request 74
>>>ERROR: No Digest-Nonce: Cannot perform Digest authentication
>>>modcall[authenticate]: module "digest" returns invalid for request 74
>>>modcall: group authenticate returns invalid for request 74
>>>auth: Failed to validate the user.
>>>Delaying request 74 for 1 seconds
>>>Finished request 74
>>>Going to the next request
>>>--- Walking the entire request list ---
>>>Waking up in 1 seconds...
>>>--- Walking the entire request list ---
>>>Waking up in 1 seconds...
>>>--- Walking the entire request list ---
>>>Sending Access-Reject of id 15 to xx.xx.xx.xx:33025
>>> Reply-Message = "Authenticated"
>>>Waking up in 4 seconds...
>>>--- Walking the entire request list ---
>>>Cleaning up request 74 ID 15 with timestamp 434f1121
>>>Nothing to do. Sleeping until we see a request.
>>>
>>>
>>>
>>>
>>>
>>>Any help in this matter would be deeply appreciated,
>>>
>>>
>>>
>>>
>>>Lenir
>>>
>>>
>>>
>>>
>>>_______________________________________________
>>>Serdev mailing list
>>>Serdev(a)iptel.org
>>>http://mail.iptel.org/mailman/listinfo/serdev
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>_______________________________________________
>>Serusers mailing list
>>Serusers(a)iptel.org
>>http://mail.iptel.org/mailman/listinfo/serusers
>>
>>
>
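The behaviour discussed in this exchange (an unconditional `Auth-Type := None` for `Service-Type == Group-Check` produces an Access-Accept whatever `Sip-Group` was asked for) can be confirmed mechanically from a `radiusd -X` trace. The following is an added example, not part of the original messages: the function names are hypothetical, the trace is abridged from the one quoted above, and the membership set is the `usergroup` table from the thread.

```python
import re

# Abridged from the radiusd -X trace quoted in the thread: quote markers removed,
# wrapped lines joined. "(a)" is how the list archive renders "@".
TRACE = """\
rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=152, length=66
    User-Name = "1000(a)xx.xx.xx.xx"
    Sip-Group = "Dialin"
    Service-Type = Group-Check
  rad_check_password: Found Auth-Type None
  rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 152 to xx.xx.xx.xx:33167
    Reply-Message = "Authenticated by group Dialin"
    SIP-AVP = "Sip-Group:Dialin"
Finished request 4
rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=153, length=67
    User-Name = "1000(a)xx.xx.xx.xx"
    Sip-Group = "Dialin2"
    Service-Type = Group-Check
  rad_check_password: Found Auth-Type None
  rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 153 to xx.xx.xx.xx:33167
    Reply-Message = "Authenticated by group Dialin"
    SIP-AVP = "Sip-Group:Dialin"
Finished request 5
"""

# (UserName, GroupName) rows of the usergroup table shown in the thread.
USERGROUP = {
    ("Jhassell", "Dialin"), ("Rneis", "Staticdial"), ("1000", "Dialin"),
    ("2000", "Dialin"), ("3000", "Dialin"), ("3000", "Dialin2"),
}

RECV = re.compile(r"rad_recv: (\S+) packet from host \S+, id=(\d+)")
SEND = re.compile(r"Sending (Access-\w+) of id (\d+)")
AUTH = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")
ATTR = re.compile(r'^\s*([\w-]+) = "?([^"]*)"?\s*$')


def parse_trace(text):
    """Group a debug trace into one record per Access-Request id."""
    records, by_id, section = [], {}, None
    for line in text.splitlines():
        if m := RECV.search(line):
            rec = {"id": int(m.group(2)), "request": {}, "reply": {},
                   "verdict": None, "auth_type": None}
            records.append(rec)
            by_id[rec["id"]] = rec
            section = rec["request"]          # attributes that follow are the request's
        elif (m := SEND.search(line)) and int(m.group(2)) in by_id:
            rec = by_id[int(m.group(2))]
            rec["verdict"], section = m.group(1), rec["reply"]
        elif (m := AUTH.search(line)) and records:
            # Debug mode handles one request at a time, so this is the latest one.
            records[-1]["auth_type"] = m.group(1)
        elif (m := ATTR.match(line)) and section is not None:
            section[m.group(1)] = m.group(2)
    return records


def audit_group_checks(text, usergroup):
    """Return Group-Check requests whose verdict disagrees with usergroup."""
    findings = []
    for rec in parse_trace(text):
        req = rec["request"]
        if req.get("Service-Type") != "Group-Check":
            continue
        user = re.split(r"@|\(a\)", req.get("User-Name", ""))[0]  # strip the realm
        group = req.get("Sip-Group")
        is_member = (user, group) in usergroup
        accepted = rec["verdict"] == "Access-Accept"
        if accepted != is_member:
            findings.append({"id": rec["id"], "user": user, "asked": group,
                             "member": is_member, "verdict": rec["verdict"],
                             "auth_type": rec["auth_type"],
                             "reply_avp": rec["reply"].get("SIP-AVP")})
    return findings


if __name__ == "__main__":
    for finding in audit_group_checks(TRACE, USERGROUP):
        print(finding)
```

The single finding is request 153: user 1000 is not in Dialin2, yet the reply is an Access-Accept carrying the Dialin reply attributes, which is why `radius_is_user_in()` reports TRUE for both groups.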
I set the username and password in the config file with:
# User and Group To Run SER As
user=openser
group=openser
Although i'm sure you can use the command line switches as well
Besides the usual checking for adequate permissions (use "strace -fF"
can be useful for this in some situations) i've not done anything special
Chrooting is similar, use strace to find which libraries, dev nodes and
support files it needs and create the chroot environment using that
information
What problem are you having?
Nelson Silva wrote:
> Tavis: want to share how you did it ?
>
> thk
>
> Nelson Silva
> -----------------
> email: nelson.silva(a)neuvex.com
> website: http://www.neuvex.com
>
>
> Date: Mon, 17 Oct 2005 11:05:21 -0700
> From: Tavis P <tavis.lists(a)galaxytelecom.net>
> Subject: Re: [Users] Openser as non root
> To: Users(a)openser.org
> Message-ID: <4353E7E1.2020109(a)galaxytelecom.net>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I'm currently running OpenSER both as non root and also chrooted without
> issue
>
> Nelson Silva wrote:
>
> > Anyone got a info how to make openser for non root ?
> >
> > for example, openser -U openser -G openser ?
> >
> >
> >
> > thk
> >
> > Nelson Silva
> > -----------------
> > email: nelson.silva(a)neuvex.com
> > website: http://www.neuvex.com
> >
> >
> >------------------------------------------------------------------------
> >
> >_______________________________________________
> >Users mailing list
> >Users(a)openser.org
> >http://openser.org/cgi-bin/mailman/listinfo/users
>
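The reply above suggests running the daemon under `strace -fF` to learn which libraries, device nodes and support files a chroot must contain. As an added example (not part of the original message), the sketch below turns such a trace into a manifest; the function name is hypothetical and every path in the sample trace is constructed for illustration.

```python
import re

# Constructed sample of `strace -f` output for a SIP proxy start-up; every path
# below is illustrative, not taken from the thread.
STRACE = """\
execve("/usr/sbin/openser", ["openser", "-f", "/etc/openser/openser.cfg"], [/* 12 vars */]) = 0
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libdl.so.2", O_RDONLY) = 3
open("/lib/libc.so.6", O_RDONLY) = 3
open("/etc/openser/openser.cfg", O_RDONLY) = 3
[pid  4867] open("/usr/lib/openser/modules/sl.so", O_RDONLY) = 4
[pid  4867] open("/usr/lib/openser/modules/missing.so", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  4867] open("/dev/null", O_RDWR) = 5
[pid  4868] connect(6, {sa_family=AF_FILE, path="/dev/log"}, 16) = 0
[pid  4868] openat(AT_FDCWD, "/etc/localtime", O_RDONLY) = 7
[pid  4868] write(2, "Listening on /not/a/file\\n", 25) = 25
"""

# Optional "[pid N]" prefix, syscall name, argument text, numeric return value.
CALL = re.compile(r'^(?:\[pid\s+\d+\]\s+)?(\w+)\((.*)\)\s+=\s+(-?\d+)')
PATH = re.compile(r'"(/[^"]*)"')                 # first quoted absolute path
FILE_CALLS = {"open", "openat", "execve", "access", "stat", "stat64", "connect"}
SHARED_OBJECT = re.compile(r"\.so(\.\d+)*$")     # libfoo.so, libfoo.so.2, ...


def chroot_manifest(trace):
    """Sort the paths a traced process touched into what a chroot must provide."""
    needed, failed = set(), set()
    for line in trace.splitlines():
        call = CALL.match(line)
        if not call or call.group(1) not in FILE_CALLS:
            continue                              # e.g. write(): its text is not a path
        path = PATH.search(call.group(2))
        if not path:
            continue                              # e.g. connect() to an IP socket
        target = needed if int(call.group(3)) >= 0 else failed
        target.add(path.group(1))

    manifest = {"libraries": [], "devices": [], "files": []}
    for p in sorted(needed):
        if p.startswith("/dev/"):
            manifest["devices"].append(p)         # recreate with mknod or a bind mount
        elif SHARED_OBJECT.search(p):
            manifest["libraries"].append(p)
        else:
            manifest["files"].append(p)
    # Lookups that never succeeded: optional files, or real gaps to investigate.
    manifest["failed"] = sorted(failed - needed)
    return manifest


if __name__ == "__main__":
    for kind, paths in chroot_manifest(STRACE).items():
        print(kind, paths)
```

Running the same trace again from inside the finished chroot and comparing the `failed` lists shows which files are still missing.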
Hi!
I have a problem with is_method in reply route:
is_method("INVITE|UPDATE")
does not trigger on a reply to an INVITE, whereas
is_method("INVITE")
works.
in request route blocks, is_method("INVITE|UPDATE") works fine.
is there a known issue? I can't find the cause :-(
regards
klaus
Hi everybody,
in term of days, we will start the work of preparing the next release -
docs, compilation warnings, version setting, packages,etc.
to speed the things up and to end the bug fixing period, please
everybody report if there are any remaining known bugs or problems -
just to know about them and fix them ASAP.
critical ones are fixed (the ones in TM).
there are still couple of crashes reported in uac_redirect and uac (from
mangling part) modules - we are working on it.
thanks and regards,
bogdan