Look at your /etc/radiusclient/dictionary* files and see if the following
line exists.
ATTRIBUTE Digest-User-Name 1072 string
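If not, you are missing the SIP-specific attributes that the dictionary
translation needs. There are more attributes for SIP; the above is just one
of them. A missing definition would explain the "Unable to add
PW_DIGEST_USER_NAME attribute" errors in your log.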
Zeus
-----Original Message-----
From: serusers-bounces(a)lists.iptel.org
[mailto:serusers-bounces@lists.iptel.org] On Behalf Of Sean Lowry
Sent: Thursday, 15 July 2004 7:26 PM
To: serusers(a)lists.iptel.org
Subject: [Serusers] Radius Authentication Help
running on debian
ser version = 0.8.12
ser-radius-module = 0.8.12
Ser.cfg
#
# $Id: ser.cfg,v 1.21.4.1 2003/11/10 15:35:15 andrei Exp $
#
# simple quick-start config script
#
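# ----------- global configuration parameters ------------------------

#debug=4          # debug level (cmd line: -dddddddddd)
#fork=yes
log_stderror=yes  # (cmd line: -E)

/* Uncomment these lines to enter debugging mode
#debug=7
fork=no
log_stderror=yes
*/

# ----------------- setting module-specific parameters ---------------
# NOTE(review): no loadmodule lines appear in this paste; the modules
# configured below have to be loaded earlier in the real file.

# -- usrloc params --

# Uncomment this if you want to use SQL database for persistent storage.
# The URL carries the database password in clear text and the credentials
# shown look like sample values: if the line is enabled, replace them and
# keep this file readable only by the account that runs ser.
#modparam("usrloc", "db_url", "mysql://ser:heslo@hosthost/ser")

# NOTE(review): db_mode is set to 1 while db_url above stays commented
# out -- presumably the module's default URL is used then; confirm.
modparam("usrloc", "db_mode", 1)

# -- auth params --
# auth_db is not used in this setup (REGISTER is checked through
# auth_radius, see below), so both parameters stay commented out.
# If you enable auth_db and set "calculate_ha1" to yes, uncomment
# "password_column" as well.
#
#modparam("auth_db", "calculate_ha1", yes)
#modparam("auth_db", "password_column", "password")

# -- auth_radius params --
# The dictionary used by this radiusclient configuration has to define the
# SIP digest attributes (for example Digest-User-Name). Per the reply at
# the top of this thread, the "Unable to add PW_DIGEST_USER_NAME attribute"
# errors point to those definitions being absent.
modparam("auth_radius", "radius_config", "/etc/radiusclient/radiusclient.conf")
# optional; left at the module default
#modparam("auth_radius", "service_type", 15)

# -- group_radius params --
modparam("group_radius", "radius_config", "/etc/radiusclient/radiusclient.conf")
modparam("group_radius", "use_domain", 1)

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# -- registrar params --
# The line wrapping of the original paste had folded the default_q
# statement into the preceding comment; the two statements are separate.
# sets default for expiry if registrant doesn't specify
modparam("registrar", "default_expires", 120)
# sets default q value in registration
modparam("registrar", "default_q", 1000)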
# ------------------------- request routing logic -------------------
# main routing logic
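route{

    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        break;
    };
    if ( msg:len > max_len ) {
        sl_send_reply("513", "Message too big");
        break;
    };

    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol
    record_route();

    # loose-route processing
    if (loose_route()) {
        t_relay();
        break;
    };

    # requests addressed to this proxy (uri==myself) are handled here:
    # REGISTER, the 71xx prefix, then a usrloc lookup
    if (uri==myself) {

        if (method=="REGISTER") {

            # refuse registrations whose Contact points back at this
            # server; the host list inside the pattern was redacted by
            # the poster
            if (search("^(Contact|m): .*@(--private--information)")) {
                log("LOG: alert: someone trying to set aor==contact\n");
                sl_send_reply("476", "No Server Address in Contacts Allowed" );
                break;
            };

            # digest authentication of REGISTER through RADIUS, with an
            # empty realm passed to both calls.
            # NOTE(review): the log output on this page shows the same
            # "challenging user" line for a request that simply carried no
            # credentials and for one where the RADIUS request could not be
            # built, so the two cases are only told apart by the sterman()
            # error line in between.
            log(1, "REGISTER: Authenticating user\n");
            if (!radius_www_authorize("")) {
                log(1, "REGISTER: challenging user\n");
                www_challenge("", "1");
                break;
            };

            save("location");
            break;
        };

        # NOTE(review): only REGISTER is authenticated in this script.
        # Requests whose user part matches 71xx are sent to 192.168.1.252
        # for any sender; if that host is a gateway, consider challenging
        # them first (auth_radius also provides radius_proxy_authorize).
        if (uri=~"^sip:71[0-9]{2}@.*")
        {
            #xlog("L_ERR", "LOG - method<%rm> uri<%ru> from<%fu> to<%tu>\n");
            rewritehostport("192.168.1.252");
            # forward() is stateless, unlike the t_relay() used elsewhere
            forward(uri:host, uri:port);
            # runs after rewritehostport, so %ru is the rewritten URI;
            # routine tracing is emitted at error level here
            xlog("L_ERR", "LOG - method<%rm> uri<%ru> from<%fu> to<%tu>\n");
            break;
        };

        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) {
            sl_send_reply("404", "Not Found");
            break;
        };
    };

    # forward to current uri now; use stateful forwarding; that
    # works reliably even if we forward from TCP to UDP
    # NOTE(review): requests for other domains reach this point without
    # any authentication -- confirm that relaying them is intended.
    if (!t_relay()) {
        sl_reply_error();
    };
}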
Error when running this configuration
stateless - initializing
Maxfwd module- initializing
.
sip:/etc/ser# acc - initializing
exec - initializing
print - initializing
textops - initializing
voicemail - initializing
5(14802) REGISTER: Authenticating user
5(14802) REGISTER: challenging user
6(14806) REGISTER: Authenticating user
6(14806) sterman(): Unable to add PW_DIGEST_USER_NAME attribute
6(14806) REGISTER: challenging user
5(14802) REGISTER: Authenticating user
5(14802) sterman(): Unable to add PW_DIGEST_USER_NAME attribute
5(14802) REGISTER: challenging user
6(14806) REGISTER: Authenticating user
6(14806) sterman(): Unable to add PW_DIGEST_USER_NAME attribute
6(14806) REGISTER: challenging user
now if i uncomment the radius service type
#modparam("auth_radius", "service_type", 15)
sip:/etc/ser# stateless - initializing
Maxfwd module- initializing
acc - initializing
exec - initializing
print - initializing
textops - initializing
voicemail - initializing
7(14958) REGISTER: Authenticating user
7(14958) REGISTER: challenging user
8(14959) REGISTER: Authenticating user
8(14959) sterman(): Unable to add PW_USER_NAME attribute
8(14959) REGISTER: challenging user
7(14958) REGISTER: Authenticating user
7(14958) sterman(): Unable to add PW_USER_NAME attribute
7(14958) REGISTER: challenging user
8(14959) REGISTER: Authenticating user
8(14959) sterman(): Unable to add PW_USER_NAME attribute
8(14959) REGISTER: challenging user
7(14958) REGISTER: Authenticating user
7(14958) sterman(): Unable to add PW_USER_NAME attribute
7(14958) REGISTER: challenging user
8(14959) REGISTER: Authenticating user
8(14959) sterman(): Unable to add PW_USER_NAME attribute
8(14959) REGISTER: challenging user
now i have freeradius running in debug so i can see if
anything is talking to it, and i see nothing at all from freeradius.
sip:/home/sean# freeradius -x
Starting - reading configuration files ...
Using deprecated naslist file. Support for this will go away
soon. Using deprecated clients file. Support for this will
go away soon. Using deprecated realms file. Support for this
will go away soon.
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded DIGEST
Module: Instantiated digest (digest)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded SQL
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql)
loaded and linked rlm_sql (sql): Attempting to connect to
radius@localhost:/radius rlm_sql (sql): starting 0 rlm_sql
(sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
Listening on IP address *, ports 1812/udp and 1813/udp, with
proxy on 1814/udp. Ready to process requests.
i have tested the radius server to see if it's authenticating.
Sending Access-Request of id 7 to 127.0.0.1:1812
User-Name = "bob"
User-Password = "bob"
NAS-IP-Address = ~~~changed private~~~
NAS-Port = 1814
rad_recv: Access-Accept packet from host 127.0.0.1:1812,
id=7, length=20
everything is working as you would expect. does anyone have
any ideas at all as to where i'm going wrong?
Thanks in advance
Sean