Hello,
Please take care of the backward compatibility files if you are using FreeRADIUS. There are two files to configure the clients: "clients.conf" (the new one, which is recommended) and "clients" (obsolete but still kept for compatibility).
Cheers, Daniel
PS. Please keep cc-ing the mailing list so everybody can benefit from the answers or come up with solutions.
On 03/30/06 15:27, Nguyen Duc Phi wrote:
Hello,
I checked the config files on radiusclient and the Radius server again; the shared secret on both server and client is the same. I don't know why they do not agree. Please help me out of this problem. Thanks in advance.
Best regards, Nguyen
Here are my config files.

Freeradius runs at 192.168.212.10
/usr/local/etc/raddb/clients.conf

    client 192.168.212.9 {
        secret = testing123
        shortname = 192.168.212.9
    }

openser runs at 192.168.212.9
/usr/local/etc/radiusclient-ng/servers

    #Server Name or Client/Server pair    Key
    #----------------                     ---------------
    #portmaster.elemental.net             hardlyasecret
    #portmaster2.elemental.net            donttellanyone
    192.168.212.10                        testing123

----- Original Message -----
From: "Daniel-Constantin Mierla" daniel@voice-system.ro
To: "Nguyen Duc Phi" ndphi@vdc.com.vn; users@openser.org
Sent: Thursday, March 30, 2006 6:36 PM
Subject: Re: [Users] Radius Authentication failed ?
Hello,
Here you can find the description of this error:
http://docs.hp.com/en/T1428-90025/ch08s02.html
Received invalid reply digest from server => Server and client do not agree on shared secret => Verify the shared secret in the clients file agrees with the secret configured on the client.
I started an OpenSER-Radius tutorial, but due to time constraints it is not finished yet. Hopefully it will be ready in the next days. I will post it on the web and announce it on the mailing list.
Cheers, Daniel
On 03/30/06 14:24, Nguyen Duc Phi wrote:
Thanks for the support. Here is the syslog of radiusclient.
Mar 30 18:00:49 sipserver openser: rc_check_reply: received invalid reply digest from RADIUS server
----- Original Message -----
From: "Daniel-Constantin Mierla" daniel@voice-system.ro
To: "Nguyen Duc Phi" ndphi@vdc.com.vn
Cc: users@openser.org
Sent: Thursday, March 30, 2006 6:12 PM
Subject: Re: [Users] Radius Authentication failed ?

Have you got any message in syslog coming from the radiusclient-ng library? The FreeRadius server reports ok for authentication.
Cheers, Daniel
On 03/30/06 05:15, Nguyen Duc Phi wrote:
I configured openser to authenticate from Radius. When a softphone registers to openser, Freeradius responds "Sending Access-Accept" but openser reports "ERROR:auth_radius:radius_authorize_sterman: rc_auth failed", so the softphone is not registered. I searched for this title on Google and found the "OpenSER Users Mailing List", but I didn't find a solution to fix the problem. Could someone help me fix this problem?

Here is the list of product versions I used:
openser-1.0.1
OS: CentOS-4 x86_64
radiusclient-ng-0.5.2
freeradius-1.0.5

openser show debug:

8(8985) parse_headers: flags=ffffffffffffffff
8(8985) check_via_address(192.168.212.123, 192.168.212.123, 0)
8(8985) DEBUG:destroy_avp_list: destroying list (nil)
8(8985) receive_msg: cleaning up
7(8982) SIP Request:
7(8982) method: <REGISTER>
7(8982) uri: sip:vdc.com.vn
7(8982) version: <SIP/2.0>
7(8982) parse_headers: flags=2
7(8982) DEBUG: get_hdr_body : content_length=0
7(8982) get_hdr_field: cseq <CSeq>: <2> <REGISTER>
7(8982) DEBUG:parse_to:end of header reached, state=9
7(8982) DEBUG: get_hdr_field: <To> [23]; uri=[sip:5001@vdc.com.vn]
7(8982) DEBUG: to body [sip:5001@vdc.com.vn ]
7(8982) Found param type 235, <rport> = <n/a>; state=6
7(8982) Found param type 232, <branch> = <z9hG4bKc0a8d47b0131c9b1442b39c80000367c00000003>; state=16
7(8982) end of header reached, state=5
7(8982) parse_headers: Via found, flags=2
7(8982) parse_headers: this is the first via
7(8982) After parse_msg...
7(8982) preparing to run routing scripts...
7(8982) DEBUG:maxfwd:is_maxfwd_present: value = 70
7(8982) parse_headers: flags=200
7(8982) found end of header
7(8982) find_first_route: No Route headers found
7(8982) loose_route: There is no Route HF
7(8982) grep_sock_info - checking if host==us: 10==9 && [vdc.com.vn] == [127.0.0.1]
7(8982) grep_sock_info - checking if port 5060 matches port 5060
7(8982) grep_sock_info - checking if host==us: 10==13 && [vdc.com.vn] == [192.168.212.9]
7(8982) grep_sock_info - checking if port 5060 matches port 5060
7(8982) grep_sock_info - checking if host==us: 10==9 && [vdc.com.vn] == [127.0.0.1]
7(8982) grep_sock_info - checking if port 5060 matches port 5060
7(8982) grep_sock_info - checking if host==us: 10==13 && [vdc.com.vn] == [192.168.212.9]
7(8982) grep_sock_info - checking if port 5060 matches port 5060
7(8982) grep_sock_info - checking if host==us: 10==9 && [vdc.com.vn] == [127.0.0.1]
7(8982) grep_sock_info - checking if port 5060 matches port 5060
7(8982) grep_sock_info - checking if host==us: 10==13 && [vdc.com.vn] == [192.168.212.9]
7(8982) grep_sock_info - checking if port 5060 matches port 5060
7(8982) grep_sock_info - checking if host==us: 10==9 && [vdc.com.vn] == [127.0.0.1]
7(8982) grep_sock_info - checking if port 5060 matches port 5060
7(8982) grep_sock_info - checking if host==us: 10==13 && [vdc.com.vn] == [192.168.212.9]
7(8982) grep_sock_info - checking if port 5060 matches port 5060
7(8982) check_nonce(): comparing [442b360523cece6362803c97fa7fb10b37680cd8] and [442b360523cece6362803c97fa7fb10b37680cd8]
7(8982) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
7(8982) build_auth_hf(): 'WWW-Authenticate: Digest realm="vdc.com.vn", nonce="442b360523cece6362803c97fa7fb10b37680cd8" '
7(8982) parse_headers: flags=ffffffffffffffff
7(8982) check_via_address(192.168.212.123, 192.168.212.123, 0)
7(8982) DEBUG:destroy_avp_list: destroying list (nil)
7(8982) receive_msg: cleaning up

Radius show debug:

rad_recv: Access-Request packet from host 192.168.212.9:32826, id=205, length=203
    User-Name = "5001@vdc.com.vn"
    Digest-Attributes = 0x0a0635303031
    Digest-Attributes = 0x010c7664632e636f6d2e766e
    Digest-Attributes = 0x022a34343262333630353233636563653633363238303363393766613766623130623337363830636438
    Digest-Attributes = 0x04107369703a7664632e636f6d2e766e
    Digest-Attributes = 0x030a5245474953544552
    Digest-Response = "1c3d532fc6c1c37004c6df6027e6242c"
    Service-Type = 0x0000000f00000000
    Sip-Uri-User = "5001"
    NAS-Port = 0x000013c400000000
    NAS-IP-Address = 0xc0a8d40900000000
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
hints: Matched DEFAULT at 82
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_digest: Converting Digest-Attributes to something sane...
    Digest-User-Name = "5001"
    Digest-Realm = "vdc.com.vn"
    Digest-Nonce = "442b360523cece6362803c97fa7fb10b37680cd8"
    Digest-URI = "sip:vdc.com.vn"
    Digest-Method = "REGISTER"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 0
rlm_realm: No '@' in User-Name = "5001", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
radius_xlat: '5001'
rlm_sql (sql): sql_set_user escaped user --> '5001'
radius_xlat: 'SELECT 1 as id,'5001' as UserName,'User-Password' as Attribute,subscriber_password as Value,'==' as op FROM subscribers WHERE subscriber_username = '5001'AND subscriber_status=1'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: ''
radius_xlat: 'SELECT 1 as id,'5001' as UserName,'Session-Timeout' as Attribute,getSessionTime('5001','')as Value,'=' as op FROM dual'
radius_xlat: ''
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
A1 = 5001:vdc.com.vn:test
A2 = REGISTER:sip:vdc.com.vn
H(A1) = 454e15015603bd4bd79faf0c5ddd3346
H(A2) = ac5bd79ed3d6bd2bddcb1cffafbbd09a
KD = 454e15015603bd4bd79faf0c5ddd3346:442b360523cece6362803c97fa7fb10b37680cd8:ac5bd79ed3d6bd2bddcb1cffafbbd09a
EXPECTED 1c3d532fc6c1c37004c6df6027e6242c
RECEIVED 1c3d532fc6c1c37004c6df6027e6242c
modcall[authenticate]: module "digest" returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [5001] (from client 192.168.212.9 port 3134307025)
Sending Access-Accept of id 205 to 192.168.212.9:32826
    Session-Timeout = 60
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 205 with timestamp 442b3adf
Nothing to do. Sleeping until we see a request.

Best regards, Nguyen
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
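
Why the server can log "Sending Access-Accept" while openser logs "received invalid reply digest": the client recomputes the RFC 2865 Response Authenticator over the reply using its own copy of the shared secret. The Python sketch below is an added example, not code from this thread, radiusclient-ng or FreeRADIUS; the function names, the request authenticator bytes and the second secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2      # RADIUS packet code (RFC 2865)
SESSION_TIMEOUT = 27   # RADIUS attribute type (RFC 2865)

def build_reply(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs

def check_reply(reply, ident, request_auth, secret):
    """Client side: recompute the digest with the locally configured secret.
    A False result is the condition a client reports as an invalid reply digest."""
    if len(reply) < 20:
        return False
    _code, reply_id, length = struct.unpack("!BBH", reply[:4])
    if reply_id != ident or not 20 <= length <= len(reply):
        return False
    expected = hashlib.md5(
        reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)

def demo():
    # Constructed sample: only id=205 and Session-Timeout=60 echo the log above.
    request_auth = bytes(range(16))  # stands in for the client's random value
    attrs = struct.pack("!BBI", SESSION_TIMEOUT, 6, 60)
    # The server signs with the secret it resolved for this client. It cannot
    # tell from a digest-auth Access-Request that the client holds another one.
    reply = build_reply(ACCESS_ACCEPT, 205, request_auth, attrs, b"testing123")
    return {
        "same secret": check_reply(reply, 205, request_auth, b"testing123"),
        "different secret": check_reply(reply, 205, request_auth, b"othersecret"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} {'reply accepted' if ok else 'invalid reply digest'}")
```
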