[Serusers] Re: Radius Authentication and group checking

Hi ser.cfg I sent in my last email not include changes for radius auth , I am testing with prefix radius for is_user_in and www_authorize, anyway this is the error I get when ser trying to check group:

ERROR: No Digest-Nonce: Cannot perform Digest authentication modcall[authenticate]: module "digest" returns invalid for request 13 modcall: group authenticate returns invalid for request 13 auth: Failed to validate the user.

any idea?

rafael

On Mon, 28 Mar 2005 15:11:03 -0500, Rafael J. Risco G.V. rafael.risco@gmail.com wrote:

Hi 2 problems:

1.- Finally I have been able to register users and authenticate INVITEs using radius_www_authorize and proxy_www_authorize functions, but I can´t use "radius_is_user_in" (from group_radius module) for group checking before calling, does someone have done this before? I need this for "Request-URI" to verify if it belongs to a group "deactivated" in Register process or verify if user is in "voicemail" group, same for checking "from" or "credentials" (I can do it using group.so module) please see my ser.cfg and radiusd-X debug below.

2.- There is no "check_to" or "check_from" functions in uri_radius module... Is there any other way to do this using radius?

regards Rafael

PS: freeradius user file:

6604321@10.0.1.22 Auth-Type := Digest, User-Password == "4321" Auth-Type := Accept, Sip-Group = "mobile"

SER.cfg:

          if (method == "REGISTER") {
                  log(1, "ANALYZING REGISTER REQUEST\n");
                  # to use digest authentication
                  if (is_user_in("Request-URI", "deactivated")) {
                          sl_send_reply("403","deactivated");
                          break;
                  };

                  if (!www_authorize("mydomain.com.pe", "subscriber")) {
                          www_challenge("mydomain.com.pe", "0");
                          break;
                  };

                  # only registered users are allowed
                  #if (!check_to()) {
                  #        log(1, "LOG: Hijack attempt\n");
                  #        sl_send_reply("403", "Only registered users..");
                  #        break;
                  #};
                  log(1,"      Registered!!! \n");
                  if (!save("location")) {
                          sl_reply_error();
                  };
                  break;
          };

          if (method == "INVITE" || method== "CANCEL" ) {
                  log(1, "ANALYZING INVITE||CANCEL REQUESTs\n");
                  if (!proxy_authorize("mydomain.com.pe", "subscriber")) {
                          proxy_challenge("mydomain.com.pe", "1");
                          break;
                  };
                   #} else {
                  #if (method == "INVITE" && !check_from()) {
                  #        sl_send_reply("403", "Only registered

users..."); # break; #}; #};

         /* ******** Dial out to Local and PSTN logic ****** */

          # Forward n digit requests to gateway AS5350 (Celulares)
                  if(uri=~"^sip:9" ){
                          log(1," digit expression match - Celulares\n");
                          if (!is_user_in("from", "mobile")) {
                                  sl_send_reply("403", "forbidden...");
                                  break;
                          };
                          rewritehostport("GW_IP:5060");
                          route(1);  ## to nathelper...
                          break;
                  };
           };

Radiusd -X log when trying radius_is_user_in:

rad_recv: Access-Request packet from host 127.0.0.1:36944, id=200, length=323 User-Name = "6604321@10.0.1.22" Digest-Attributes = 0x0a0936363034333231 Digest-Attributes = 0x010b31302e302e312e3232 Digest-Attributes = 0x022a34323438363231313832363734333330343564643863363961336530393638353034363533356538 Digest-Attributes = 0x04187369703a39393130393939304031302e302e312e3232 Digest-Attributes = 0x0308494e56495445 Digest-Attributes = 0x050661757468 Digest-Attributes = 0x090a3030303030353233 Digest-Attributes = 0x08223341394535413233394144323131443939334232303035304241373836433642 Digest-Response = "8c6af680ab513e39c16d38bc14c41fbc" Service-Type = IAPP-Register Sip-URI-User = "6604321" Cisco-AVPair = "call-id=3A9E5A1E-9AD2-11D9-93B2-0050BA786C6B@10.0.1.105" NAS-IP-Address = 127.0.0.1 NAS-Port = 5060 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 18 modcall[authorize]: module "preprocess" returns ok for request 18 modcall[authorize]: module "chap" returns noop for request 18 modcall[authorize]: module "mschap" returns noop for request 18 rlm_digest: Converting Digest-Attributes to something sane... Digest-User-Name = "6604321" Digest-Realm = "10.0.1.22" Digest-Nonce = "424862118267433045dd8c69a3e09685046535e8" Digest-URI = "sip:99109990@10.0.1.22" Digest-Method = "INVITE" Digest-QOP = "auth" Digest-Nonce-Count = "00000523" Digest-CNonce = "3A9E5A239AD211D993B20050BA786C6B" rlm_digest: Adding Auth-Type = DIGEST modcall[authorize]: module "digest" returns ok for request 18 rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321@10.0.1.22" rlm_realm: No such realm "10.0.1.22" modcall[authorize]: module "suffix" returns noop for request 18 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 18 users: Matched DEFAULT at 152 users: Matched 6604321@10.0.1.22 at 222 modcall[authorize]: module "files" returns ok for request 18 modcall: group authorize returns ok for request 18 rad_check_password: Found Auth-Type Digest auth: type "digest" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 18 A1 = 6604321:10.0.1.22:4321 A2 = INVITE:sip:99109990@10.0.1.22 H(A1) = 65f1515ce902a1b9dc7886ddc77c96bf H(A2) = 087a284409aebfedefbc657a6a55fc29 KD = 65f1515ce902a1b9dc7886ddc77c96bf:424862118267433045dd8c69a3e09685046535e8:00000523:3A9E5A239AD211D993B20050BA786C6B:auth:087a284409aebfedefbc657a6a55fc29 EXPECTED 8c6af680ab513e39c16d38bc14c41fbc RECEIVED 8c6af680ab513e39c16d38bc14c41fbc modcall[authenticate]: module "digest" returns ok for request 18 modcall: group authenticate returns ok for request 18 Sending Access-Accept of id 200 to 127.0.0.1:36944 Sip-Group = "mobile" Finished request 18

Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 127.0.0.1:36944, id=201, length=65 User-Name = "6604321@10.0.1.22" Sip-Group = "mobile" Service-Type = Voice NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 19 modcall[authorize]: module "preprocess" returns ok for request 19 modcall[authorize]: module "chap" returns noop for request 19 modcall[authorize]: module "mschap" returns noop for request 19 modcall[authorize]: module "digest" returns noop for request 19 rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321@10.0.1.22" rlm_realm: No such realm "10.0.1.22" modcall[authorize]: module "suffix" returns noop for request 19 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 19 users: Matched DEFAULT at 152 users: Matched 6604321@10.0.1.22 at 222 modcall[authorize]: module "files" returns ok for request 19 modcall: group authorize returns ok for request 19 rad_check_password: Found Auth-Type Digest auth: type "digest" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 19 ERROR: No Digest-Nonce: Cannot perform Digest authentication modcall[authenticate]: module "digest" returns invalid for request 19 modcall: group authenticate returns invalid for request 19 auth: Failed to validate the user. Delaying request 19 for 1 seconds Finished request 19 Going to the next request Waking up in 6 seconds...

rad_recv: Access-Request packet from host 127.0.0.1:36945, id=202, length=323 User-Name = "6604321@10.0.1.22" Digest-Attributes = 0x0a0936363034333231 Digest-Attributes = 0x010b31302e302e312e3232 Digest-Attributes = 0x022a34323438363231313832363734333330343564643863363961336530393638353034363533356538 Digest-Attributes = 0x04187369703a39393130393939304031302e302e312e3232 Digest-Attributes = 0x0308494e56495445 Digest-Attributes = 0x050661757468 Digest-Attributes = 0x090a3030303030353233 Digest-Attributes = 0x08223341394535413234394144323131443939334232303035304241373836433642 Digest-Response = "f8421d39192c34c441a52f0a5f7c9939" Service-Type = IAPP-Register Sip-URI-User = "6604321" Cisco-AVPair = "call-id=3A9E5A1E-9AD2-11D9-93B2-0050BA786C6B@10.0.1.105" NAS-IP-Address = 127.0.0.1 NAS-Port = 5060 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 20 modcall[authorize]: module "preprocess" returns ok for request 20 modcall[authorize]: module "chap" returns noop for request 20 modcall[authorize]: module "mschap" returns noop for request 20 rlm_digest: Converting Digest-Attributes to something sane... Digest-User-Name = "6604321" Digest-Realm = "10.0.1.22" Digest-Nonce = "424862118267433045dd8c69a3e09685046535e8" Digest-URI = "sip:99109990@10.0.1.22" Digest-Method = "INVITE" Digest-QOP = "auth" Digest-Nonce-Count = "00000523" Digest-CNonce = "3A9E5A249AD211D993B20050BA786C6B" rlm_digest: Adding Auth-Type = DIGEST modcall[authorize]: module "digest" returns ok for request 20 rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321@10.0.1.22" rlm_realm: No such realm "10.0.1.22" modcall[authorize]: module "suffix" returns noop for request 20 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 20 users: Matched DEFAULT at 152 users: Matched 6604321@10.0.1.22 at 222 modcall[authorize]: module "files" returns ok for request 20 modcall: group authorize returns ok for request 20 rad_check_password: Found Auth-Type Digest auth: type "digest" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 20 A1 = 6604321:10.0.1.22:4321 A2 = INVITE:sip:99109990@10.0.1.22 H(A1) = 65f1515ce902a1b9dc7886ddc77c96bf H(A2) = 087a284409aebfedefbc657a6a55fc29 KD = 65f1515ce902a1b9dc7886ddc77c96bf:424862118267433045dd8c69a3e09685046535e8:00000523:3A9E5A249AD211D993B20050BA786C6B:auth:087a284409aebfedefbc657a6a55fc29 EXPECTED f8421d39192c34c441a52f0a5f7c9939 RECEIVED f8421d39192c34c441a52f0a5f7c9939 modcall[authenticate]: module "digest" returns ok for request 20 modcall: group authenticate returns ok for request 20 Sending Access-Accept of id 202 to 127.0.0.1:36945 Sip-Group = "mobile" Finished request 20 Going to the next request

--- Walking the entire request list --- Sending Access-Reject of id 201 to 127.0.0.1:36944 Waking up in 4 seconds... rad_recv: Access-Request packet from host 127.0.0.1:36945, id=203, length=65 User-Name = "6604321@10.0.1.22" Sip-Group = "mobile" Service-Type = Voice NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 21 modcall[authorize]: module "preprocess" returns ok for request 21 modcall[authorize]: module "chap" returns noop for request 21 modcall[authorize]: module "mschap" returns noop for request 21 modcall[authorize]: module "digest" returns noop for request 21 rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321@10.0.1.22" rlm_realm: No such realm "10.0.1.22" modcall[authorize]: module "suffix" returns noop for request 21 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 21 users: Matched DEFAULT at 152 users: Matched 6604321@10.0.1.22 at 222 modcall[authorize]: module "files" returns ok for request 21 modcall: group authorize returns ok for request 21 rad_check_password: Found Auth-Type Digest auth: type "digest" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 21 ERROR: No Digest-Nonce: Cannot perform Digest authentication modcall[authenticate]: module "digest" returns invalid for request 21 modcall: group authenticate returns invalid for request 21 auth: Failed to validate the user. Delaying request 21 for 1 seconds Finished request 21 Going to the next request Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 18 ID 200 with timestamp 424860e5 Cleaning up request 19 ID 201 with timestamp 424860e5 Sending Access-Reject of id 203 to 127.0.0.1:36945 Waking up in 2 seconds...