Bruno,
Firstly, thanx for answering ...
I'm playing with this right now, so I'll try to comment a bit
Lucas Aimaretto wrote:
... And this is the radclient OUTPUT ...
Received response ID 86, code 2, length = 52
    Vendor-9-Attr-102 = 0x683332332d6372656469742d616d6f756e743d31392e3030
the correct response should be
Login OK: [test] (from client localhost port 0)
Sending Access-Accept of id 188 to 127.0.0.1:32769
    Reply-Message = "Hello, test with digest"
If I recall correctly, IC-RADIUS is based on Cistron RADIUS. Cistron RADIUS doesn't have digest auth support, and it seems it never will. Cistron's author recommends using FreeRADIUS instead, which has the Digest support and correctly gives the result shown above.
You know, after searching at http://icradius.sourceforge.net/modules.php?name=Web_Links&l_op=viewlink&cid=7 found that ...
"Description: icradius "REQUIRES" the following Perl Modules all of which are available at the link above:
- Authen::RADIUS
- Digest::MD5
- Date::Calc
- Bit::Vector
- DBI
- DBD::mysql"
... So I believe Icradius does support digest authentication. In fact, I have a utility for radius testing called NT-RADPING (really cool!!) and did a test again user 1992005 ... Watch out for the RADIUS OUTPUT and look at the CHAP-Password attribute ...
radrecv: Access Request from host c0a801b2 code=1, id=1, length=62
    User-Name = "110"
    CHAP-Password = "xt\265\256ohy\257xY\034\214x_X$\277"
Username is now 110
Calling station Id is now (null)
credit_amount (215.49)
Sending Access Ack of id 1 to c0a801b2 (nas lucas)
    Credit-Amount = "V9:T102:L27:683332332d6372656469742d616d6f756e743d3231352e3439"
Sending Access Accept of id 1 to c0a801b2 (nas lucas)
SQL: Socket 0 used for 0.48 seconds
SQL: Released socket 0
So you see, that I got an access-accept. In the utility I wrote down the password as plain-text, but you see, at the radius output it is encrypted.
Questions:
- Although I sent to radius different ATTRIBUTES, RADIUS recognized all of them (except for one, Digest-Response) as Digest-Attributes. Why is that?
Maybe because IC-RADIUS doesn't have digest support?
I don't think digest support has to do with the attributes not being recognized. I think it is something else ... But I do not know what it is.
And I believe icradius supports digest auth, cause I made a test ... I called from user 1992005 to user 1992003 ... Radius authenticated user 1992005 and the call was established, so SER also understood the RADIUS responses ... Look at the radius output ...
radrecv: Access Request from host c0a801fd code=1, id=17, length=215
    User-Name = "1992005@192.168.1.253"
    Digest-Attributes = "\012\0111992005"
    Digest-Attributes = "\001\017192.168.1.253"
    Digest-Attributes = "\002*419a7a30c9fe08ae43336232e7b687fb633edbd6"
    Digest-Attributes = "\004\033sip:1992003@192.168.1.253"
    Digest-Attributes = "\003\010INVITE"
    Digest-Response = "afae2bb3cf9dfb3a3d2dd10f5fd29132"
    Service-Type = Sip-Session
    Sip-Uri-User = "1992005"
    NAS-IP-Address = 192.168.1.253
    NAS-Port-Id = 5060
Username is now 1992005@192.168.1.253
Calling station Id is now (null)
credit_amount (19.00)
Sending Access Ack of id 17 to c0a801fd (nas linux)
    Credit-Amount = "V9:T102:L26:683332332d6372656469742d616d6f756e743d31392e3030"
Sending Access Accept of id 17 to c0a801b2 (nas lucas)
SQL: Socket 0 used for 0.75 seconds
SQL: Released socket 0
The thing here is why some attributes are recognized and others not. For example: digest-response, Sip-Uri-user (which are new attributes that I added myself to the general dictionary, and got them from the dictionary.ser) are recognized. Some others are not (digest-realm, digest-nonce, etc., taken from the same dictionary.ser) and are only recognized as Digest-Attributes ... :S ... No idea ...
Any ideas ???
hope this helps
Thanx!
Cheers
Regards,
!3runo
Lucas
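Added example, not part of the original message and not IC-RADIUS or SER code: each Digest-Attributes value in the radrecv output above begins with two bytes that read as a sub-attribute type and a length, followed by the value. The Python sketch below decodes the five logged values with bounds checks; the type-to-name table follows draft-sterman-aaa-sip, and that SER used this encoding is an assumption.

```python
import re

# Sub-attribute type numbers from draft-sterman-aaa-sip (assumed to be the
# encoding used by the SER side that produced the log in the message).
SUBATTR_NAMES = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 5: "QOP",
                 6: "Algorithm", 7: "Body-Digest", 8: "CNonce",
                 9: "Nonce-Count", 10: "User-Name"}

def unescape_log_value(text):
    """Turn the daemon's printable form (\\ooo octal escapes) back into bytes."""
    return re.sub(rb"\\([0-7]{3})", lambda m: bytes([int(m.group(1), 8)]),
                  text.encode("latin-1"))

def parse_digest_attributes(value):
    """Parse a Digest-Attributes value: type(1) | length(1) | data(length-2)."""
    out, pos = [], 0
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated sub-attribute header")
        sub_type, sub_len = value[pos], value[pos + 1]
        # The length byte counts the two header bytes and must stay in bounds.
        if sub_len < 2 or pos + sub_len > len(value):
            raise ValueError(f"bad sub-attribute length {sub_len}")
        data = value[pos + 2:pos + sub_len]
        out.append((SUBATTR_NAMES.get(sub_type, f"Unknown-{sub_type}"),
                    data.decode("latin-1")))
        pos += sub_len
    return out

# Digest-Attributes values copied from the radrecv output in the message.
LOGGED = [
    r"\012\0111992005",
    r"\001\017192.168.1.253",
    r"\002*419a7a30c9fe08ae43336232e7b687fb633edbd6",
    r"\004\033sip:1992003@192.168.1.253",
    r"\003\010INVITE",
]

def decode_logged():
    """Decode every logged value into a (sub-attribute name, text) pair."""
    return [parse_digest_attributes(unescape_log_value(v))[0] for v in LOGGED]

if __name__ == "__main__":
    for name, data in decode_logged():
        print(f"Digest-{name} = {data!r}")
```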