Madan,
These are some instructions. I'm copying the list so that they can be of use to more people:
1. You need to download and install radiusclient from http://www.mcs.de/~lf/radius/.
2. Compile ser and modules (make sure to compile auth_radius module too).
3. Download the latest version of freeradius (0.9.0). The previous one, 0.8.1, crashed when performing digest authentication. You can find it in: http://www.freeradius.org/
4. Don't be confused with the radius client and the radius server side. SER only uses the client side (radiusclient) to build radius requests. Therefore, the line
modparam("auth_radius", "radius_config","/usr/local/etc/raddb/clients.conf")
is incorrect and should be something like this (depending on where you installed radiusclient)
modparam("auth_radius", "radius_config", "/usr/local/etc/radiusclient/radiusclient.conf")
5. Authenticate users from all realms:
Instead of...

    if (radius_www_authorize("mydomain", "subscriber")) {
        www_challenge("mydomain", "0");
        break;
    };

do not specify domain name....

    if (method=="REGISTER") {
        log(1, "REGISTER: Authenticating user\n");
        if (!radius_www_authorize("")) {
            log(1, "REGISTER: challenging user\n");
            www_challenge("", "0");
            break;
        };
        save("location");
        break;
    };
6. With these changes, you should see RADIUS messages being generated to your radius server. You then only need to have something like this in your "users" file (radius server):
    jaime   Auth-Type := Digest, User-Password = "jaime"
            Reply-Message = "Hello!"
The server will have to be configured to know what "Digest" authentication is. Read rlm_digest in docs to find out how to do it.
In your config, you have 2 if (method==REGISTER). I think you should avoid the 2nd and merge the 2 conditions somehow, since the 2nd if(method==REGISTER) never gets called???
7. For accounting, compile acc module with radius support. For that, uncomment one of the lines in the Makefile.
8. You will probably need to change some "#includes" in <ser_directory>/sip_router/modules/acc/dict.h, to be the same as in <ser_directory>/sip_router/etc/radiusclient.h.
9. In SER config file, set accounting flags for INVITE and BYE/CANCEL, and you should be able to see logs generated in your radius server.
This is my ser config file:
# ----------- global configuration parameters ------------------------

debug=3          # debug level (cmd line: -dddddddddd)
fork=no
log_stderror=yes # (cmd line: -E)

/* Uncomment these lines to enter debugging mode
debug=7
fork=no
log_stderror=yes
*/

check_via=no     # (cmd. line: -v)
dns=no           # (cmd. line: -r)
rev_dns=no       # (cmd. line: -R)
port=5060
children=4
fifo="/tmp/ser_fifo"

# ------------------ module loading ----------------------------------

# Uncomment this if you want to use SQL database
loadmodule "./modules/mysql/mysql.so"

loadmodule "./modules/sl/sl.so"
loadmodule "./modules/tm/tm.so"
loadmodule "./modules/rr/rr.so"
loadmodule "./modules/maxfwd/maxfwd.so"
loadmodule "./modules/usrloc/usrloc.so"
loadmodule "./modules/registrar/registrar.so"
loadmodule "./modules/uri/uri.so"

# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "./modules/auth/auth.so"
loadmodule "./modules/auth_db/auth_db.so"

loadmodule "modules/acc/acc.so"

loadmodule "./modules/auth_radius/auth_radius.so"

# ----------------- setting module-specific parameters ---------------

# -- usrloc params --

modparam("usrloc", "db_mode", 2)

modparam("auth_radius", "radius_config", "/usr/local/etc/radiusclient/radiusclient.conf")

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

modparam("acc", "log_level", 1)
modparam("acc", "radius_flag", 1)

# ------------------------- request routing logic -------------------

alias=domain.com

# main routing logic

route{

    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        break;
    };
    if (len_gt( max_len )) {
        sl_send_reply("513", "Message too big");
        break;
    };

    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol
    record_route();
    # loose-route processing
    # if (loose_route()) {
    #     t_relay();
    #     break;
    # };

    # if the request is for other domain use UsrLoc
    # (in case, it does not work, use the following command
    # with proper names and addresses in it)

    if (method=="REGISTER") {
        log(1, "REGISTER: Authenticating user\n");
        if (!radius_www_authorize("")) {
            log(1, "REGISTER: challenging user\n");
            www_challenge("", "0");
            break;
        };
        save("location");
        break;
    };

    if (method=="INVITE") {
        log(1, "INVITE\n");
        setflag(1); /* set for accounting (the same value as in log_flag!) */
    };

    if (method=="MESSAGE") {
        log(1, "MESSAGE\n");
        setflag(1); /* set for accounting (the same value as in log_flag!) */
    };

    if (method=="BYE" || method=="CANCEL") {
        log (1, "BYE or CANCEL\n");
        setflag(1);
    };

    # native SIP destinations are handled using our USRLOC DB
    if (!lookup("location")) {
        sl_send_reply("404", "Not Found");
        break;
    };
    if (!t_relay()) {
        sl_reply_error();
        break;
    };

}
---------------------------------------------------------------
I hope it helps,
Jaime
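
The configuration mistakes discussed in this thread, turned into a small checker. This is an added example, not code from the thread or from SER: the two sample configs are constructed by reflowing fragments of the ser.cfg files quoted here, and `lint_ser_radius` with its heuristics (for instance treating any `/raddb/` path as server-side) is an assumption of this example.

```python
import re

# Constructed samples, reflowed from fragments of the two configs in this thread.
BROKEN = r'''
loadmodule "/usr/local/lib/ser/modules/auth_radius.so"
modparam("auth_radius", "radius_config","/usr/local/etc/raddb/clients.conf")
route{
  if (method=="REGISTER") {
    if (radius_www_authorize("mydomain", "subscriber")) {
      www_challenge("mydomain", "0"); break; };
    save("location"); break; };
  if (method=="REGISTER") { log(1, "REGISTER received\n"); };
}
'''
FIXED = r'''
loadmodule "./modules/auth_radius/auth_radius.so"
modparam("auth_radius", "radius_config", "/usr/local/etc/radiusclient/radiusclient.conf")
route{
  if (method=="REGISTER") {
    if (!radius_www_authorize("")) { www_challenge("", "0"); break; };
    save("location"); break; };
}
'''

def strip_comments(cfg):
    """Drop /* */ blocks and '#' comments (assumes no '#' inside quoted strings)."""
    cfg = re.sub(r"/\*.*?\*/", "", cfg, flags=re.S)
    return "\n".join(line.split("#", 1)[0] for line in cfg.splitlines())

def lint_ser_radius(cfg):
    """Return findings for the RADIUS mistakes discussed in the thread."""
    code, findings = strip_comments(cfg), []
    if "radius_www_authorize" in code and not re.search(
            r'loadmodule\s+"[^"]*auth_radius\.so"', code):
        findings.append("radius_www_authorize() used but auth_radius.so is not loaded")
    m = re.search(r'modparam\(\s*"auth_radius"\s*,\s*"radius_config"\s*,\s*"([^"]*)"', code)
    if m and (m.group(1).endswith("clients.conf") or "/raddb/" in m.group(1)):
        findings.append("radius_config points at a server-side file: " + m.group(1))
    # Without '!', the challenge is sent when authorization succeeds, and a
    # request that fails authorization skips it and reaches save("location").
    if re.search(r'if\s*\(\s*radius_www_authorize\s*\(', code):
        findings.append("radius_www_authorize() is not negated before www_challenge()")
    n = len(re.findall(r'if\s*\(\s*method\s*==\s*"REGISTER"\s*\)', code))
    if n > 1:
        findings.append("%d REGISTER blocks; the later ones may never run" % n)
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_ser_radius(cfg) or "no findings")
```
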
ah! finally i got somebody who can help me, Jaime you know what i was thinking to drop this and move to another :-) because i had enough of it.. it's been a week on this stuff

so i have done plain vanilla freeradius configuration with default database/structure, i know this has to be changed but problem is ser doesn't even communicate with radius :-(

i have compiled ser latest from cvs but when i use radius_www_authorize i got lot of errors on same config line where radius comes into picture like missing load module etc etc.. once it worked as well without any errors but with that any user was able to register... i.e. no auth

to make my life easier i would need your help right from scratch

what all i need to do with ser
need config file wrt radius
need freeradius config wrt ser like table/db structures, sql.conf etc

i know i'm asking a lot, but please help me out :-) i would really oblige your help
regards, Madan
P.S:- if you ever need help on dns/webservers/mail server please let me know :-)
log-
Aug 4 16:33:29 sip ser: parse error (106,62-63): unknown command, missing loadmodule?
here is my ser.cfg file
#
# $Id: ser.cfg,v 1.21 2003/06/04 13:47:36 jiri Exp $
#
# simple quick-start config script
#

# ----------- global configuration parameters ------------------------

#debug=3         # debug level (cmd line: -dddddddddd)
#fork=yes
#log_stderror=no # (cmd line: -E)

/* Uncomment these lines to enter debugging mode
debug=7
fork=no
log_stderror=yes
*/

check_via=no     # (cmd. line: -v)
dns=no           # (cmd. line: -r)
rev_dns=no       # (cmd. line: -R)
port=5060
children=4
fifo="/tmp/ser_fifo"

# ------------------ module loading ----------------------------------

# Uncomment this if you want to use SQL database
loadmodule "/usr/local/lib/ser/modules/mysql.so"
loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
loadmodule "/usr/local/lib/ser/modules/auth_radius.so"
#loadmodule "/usr/local/lib/ser/modules/uri_radius.so"
loadmodule "/usr/local/lib/ser/modules/uri.so"
# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "/usr/local/lib/ser/modules/auth.so"
loadmodule "/usr/local/lib/ser/modules/auth_db.so"

# ----------------- setting module-specific parameters ---------------

# -- usrloc params --

#modparam("usrloc", "db_mode", 0)

# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
modparam("usrloc", "db_mode", 1)
modparam("auth_radius", "radius_config","/usr/local/etc/raddb/clients.conf")
#modparam("uri_radius", "service_type", 11)
# -- auth params --
# Uncomment if you are using auth module
#
modparam("auth_db", "calculate_ha1", yes)

# If you set "calculate_ha1" parameter to yes (which true in this config),
# uncomment also the following parameter)
#
modparam("auth_db", "password_column", "password")
modparam("usrloc", "db_url", "sql://root:heslo@localhost/ser")
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# ------------------------- request routing logic -------------------

# main routing logic

route{

    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        break;
    };
    if (len_gt( max_len )) {
        sl_send_reply("513", "Message too big");
        break;
    };

    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol
    record_route();
    # loose-route processing
    if (loose_route()) {
        t_relay();
        break;
    };

    # if the request is for other domain use UsrLoc
    # (in case, it does not work, use the following command
    # with proper names and addresses in it)
    if (uri=~"sip.net4india.com") {

        if (method=="REGISTER") {

            # Uncomment this if you want to use digest authentication
            # if (!www_authorize("mydomain", "subscriber")) {
            if (radius_www_authorize("mydomain", "subscriber")) {
                www_challenge("mydomain", "0");
                break;
            };

            save("location");
            break;
        };

        ##LOGGING FOR TESTING
        if (method=="REGISTER") {
            log(1, "REGISTER received\n");
        } else {
            log(1, "non-REGISTER received\n");
        };
        if (uri=~"sip:.*[@:]mydomain") {
            log(1, "request for mydomain\n");
        } else {
            log(1, "request for other domain received\n");
        };

        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) {
            sl_send_reply("404", "Not Found");
            break;
        };
        #};
        # forward to current uri now; use stateful forwarding; that
        # works reliably even if we forward from TCP to UDP
        if (!t_relay()) {
            sl_reply_error();
        };

    };
}
----- Original Message -----
From: jaime@umtstrial.co.uk
To: madan.r@net4india.net
Sent: Monday, August 04, 2003 3:50 PM
Subject: Re: ser radius conf
Hi Madan,
I was able to use FreeRadius for authentication and accounting. Let me know how far you are with your config and I'll try to guide you.
Jaime
Hi Jaime, got ur email id from ser mailing list, need ur help if you were able to configure the ser sip with free radius
regards, madan