Hello,

the radius client library has a file where you configure the servers, have you configured it?
http://www.kamailio.org/docs/openser-radius-1.0.x.html#radiusclient_ng_servers

Cheers,
Daniel


On 8/3/10 10:13 AM, Pratik Shrestha wrote:
Dear Daniel,

Yeah right. I totally forgot, it's a reverse dns. 
Now I checked the radius server in debug mode and I cannot see any request from openser trying to connect to radius server. So, the request from openser is not reaching the radius server. 
Then I installed wireshark and checked the ip address 128.185.38.162 (radius server ip add) in the server where openser was installed. There also I did not find any entry related to 128.185.38.16.
So, it seems my configuration is wrong. I am sending you the configuration of openser.cfg and radiusclient.conf.

openser.cfg

SSH Secure Shell 3.2.3 (Build 279)
Copyright (c) 2000-2003 SSH Communications Security Corp - http://www.ssh.com/

This copy of SSH Secure Shell is a non-commercial version.
This version does not include PKI and PKCS #11 functionality.


Linux isoftel-desktop 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:10:02 UTC 2010 i686 GNU/Linux
Ubuntu 10.04 LTS

Welcome to Ubuntu!
 * Documentation:  https://help.ubuntu.com/

Last login: Tue Aug  3 10:35:05 2010 from 192.168.0.148
isoftel@isoftel-desktop:~$ cd /usr/local/etc/openser/
isoftel@isoftel-desktop:/usr/local/etc/openser$ cat openser.cfg
#
# $Id$
#
# radius config script
#

# ----------- global configuration parameters ------------------------

debug=6           # debug level (cmd line: -dddddddddd)
log_stderror=yes    # (cmd line: -E)

check_via=no    # (cmd. line: -v)
dns=no          # (cmd. line: -r)
rev_dns=no      # (cmd. line: -R)
port=5060
children=4
#listen=udp:localhost
#alias="kamailio.org"

fifo="/tmp/openser_fifo"

# ------------------ module loading ----------------------------------
mpath="/usr/local/lib/openser/modules"

loadmodule "mysql.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "avpops.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "xlog.so"
loadmodule "uri.so"
loadmodule "acc.so"
loadmodule "auth.so"
loadmodule "auth_radius.so"
loadmodule "group_radius.so"
loadmodule "avp_radius.so"

# ----------------- setting module-specific parameters ---------------

# -- usrloc params --
#modparam("usrloc","db_url","mysql://openser:openserrw@localhost/openser")
modparam("usrloc", "db_mode", 2)

# -- acc params --
modparam("acc", "radius_flag", 1)
modparam("acc", "radius_missed_flag", 2)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 1)
modparam("acc", "service_type", 15)
modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp")
modparam("acc|auth_radius|group_radius|avp_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")

# -- group_radius params --
modparam("group_radius", "use_domain", 1)

# -- avpops params --
modparam("avpops", "avp_aliases", "day=i:101;time=i:102")

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# -------------------------  request routing logic -------------------

# main routing logic

route{

    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        exit;
    };

    if (msg:len >=  2048 ) {
        sl_send_reply("513", "Message too big");
        exit;
    };

    # check if user is suspended
    if(is_method("REGISTER|INVITE|MESSAGE|OPTIONS|SUBSCRIBE"))
    {
        if (radius_is_user_in("From", "suspended")) {
            sl_send_reply("403", "Forbidden - suspended");
            exit;
        };
    };
    
    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol
    if (!method=="REGISTER")
        record_route();

    # subsequent messages within a dialog should take the
    # path determined by record-routing
    if (loose_route()) {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        if(is_method("BYE"))
        { # log it all the time
            acc_rad_request("200 ok");
            acc_log_request("200 ok");
        }
        route(1);
    };

    if(is_method("INVITE") && !has_totag())
    {   # set the acc flags
        setflag(1);
        setflag(2);
    };

    if (!uri==myself) {
        # check if user is allowed to do voip calls to other domains
        if(is_method("INVITE|MESSAGE")) {
            if (!radius_is_user_in("From", "voip")) {
                sl_send_reply("403", "Forbidden VoIP");
                exit;
            };
        };
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n"); 
        route(1);
    };

    # if the request is for other domain use UsrLoc
    # (in case, it does not work, use the following command
    # with proper names and addresses in it)
    if (uri==myself) {
        # authenticate registers
        if (method=="REGISTER") {
            if (!radius_www_authorize("")) {
                www_challenge("", "1");
                exit;
            };

            # check the src ip address
            if(!avp_check("i:2", "eq/$src_ip/ig"))
            {
                sl_send_reply("403", "Forbidden IP");
                exit;
            };

            save("location");
            exit;
        };

        # calls to pstn
        if(uri=~"sip:00[1-9][0-9]+@") {
            if(is_method("INVITE") && !has_totag()) {
                if (!radius_is_user_in("From", "pstn")) {
                    sl_send_reply("403", "Forbidden PSTN");
                    exit;
                };
            };
            # set gateway address
            rewritehostport("localhost:5090");
            route(1);
        };
        
        # load callee's avps
        if(avp_load_radius("callee"))
        {
            # check if user has time filter enabled
            if(avp_check("i:3", "eq/i:1"))
            {
                # print time in an avp
                avp_printf("i:100", "$Tf");
                # extract day
                avp_subst("i:100/i:101", "/(.{3}) .+/*\1*/");
                if(!avp_check("i:6", "fm/$day")) {
                    sl_send_reply("403", "Forbidden - day");
                    exit;
                };
                # extract 'hours:minutes'
                avp_subst("i:100/i:102", "/(.{10}) (.{5}):.+/\2/");
                if((is_avp_set("i:4") && avp_check("i:4", "gt/$time")) 
                || (is_avp_set("i:5") && avp_check("i:5", "lt/$time"))) {
                    sl_send_reply("403", "Forbidden - time");
                    exit;
                };
            };
        };
        
        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) {
            # log to acc as missed call
            acc_rad_request("404 Not Found");
            acc_log_request("404 Not Found");
            sl_send_reply("404", "Not Found");
            exit;
        };
        append_hf("P-hint: usrloc applied\r\n"); 
    };

    route(1);
}

# generic forward
route[1] {
    # send it out now; use stateful forwarding as it works reliably
    # even for UDP2TCP
    if (!t_relay()) {
        sl_reply_error();
    };
    exit;
}


radiusclient-ng.conf

# General settings

# specify which authentication comes first respectively which
# authentication is used. possible values are: "radius" and "local".
# if you specify "radius,local" then the RADIUS server is asked
# first then the local one. if only one keyword is specified only
# this server is asked.
auth_order      radius 
#add 'local' with comma

# maximum login tries a user has
login_tries     4

# timeout for all login tries
# if this time is exceeded the user is kicked out
login_timeout   60

# name of the nologin file which when it exists disables logins.
# it may be extended by the ttyname which will result in
# a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
# logins on /dev/ttyS2)
nologin /etc/nologin

# name of the issue file. it's only displayed when no username is passed
# on the radlogin command line
issue   /etc/radiusclient-ng/issue

# RADIUS settings

# RADIUS server to use for authentication requests. this config
# item can appear more than one time. if multiple servers are
# defined they are tried in a round robin fashion if one
# server is not answering.
# optionally you can specify the port number on which the remote
# RADIUS listens separated by a colon from the hostname. if
# no port is specified /etc/services is consulted of the radius
# service. if this fails also a compiled in default is used.
authserver      128.185.38.162

# RADIUS server to use for accounting requests. All that I
# said for authserver applies, too. 
#
acctserver      128.185.38.162

# file holding shared secrets used for the communication
# between the RADIUS client and server
servers         /etc/radiusclient-ng/servers

# dictionary of allowed attributes and values
# just like in the normal RADIUS distributions
dictionary      /etc/radiusclient-ng/dictionary

# program to call for a RADIUS authenticated login
login_radius    /usr/sbin/login.radius

# file which holds sequence number for communication with the
# RADIUS server
seqfile         /var/run/radius.seq

# file which specifies mapping between ttyname and NAS-Port attribute
mapfile         /etc/radiusclient-ng/port-id-map

# default authentication realm to append to all usernames if no
# realm was explicitly specified by the user
# the radiusd directly from Livingston doesn't use any realms, so leave
# it blank then
default_realm 

# time to wait for a reply from the RADIUS server
radius_timeout  10

# resend request this many times before trying the next server
radius_retries  3

# local address from which radius packets have to be sent
bindaddr localhost
#change with 'localhost' 

# LOCAL settings

# program to execute for local login
# it must support the -f flag for preauthenticated login
login_local     /bin/login


I have edited servers file also with the servername and secret.

Thank you very much.

Regards,
Pratik

On Mon, Aug 2, 2010 at 11:26 PM, Daniel-Constantin Mierla <miconda@gmail.com> wrote:
Hello,


On 8/2/10 12:36 PM, Pratik Shrestha wrote:
Dear Daniel,
Now the new issue. Seems now openser is trying to talk with radius server. But still I am getting the one error in syslog which is as follows.

rc_send_server: no reply from RADIUS server 128-185-38-162.totisp.net:1812

Actually I have written only 128.185.38.162 in auth_server in radiusclient.conf. I don't know how this totisp.net is added. I haven't mentioned it anywhere.

Probably reverse dns is done in the library, it is not relevant anyhow. Can you start radius server in debug mode and see if it got some request? You can also do a ngrep/wireshark on port 1812 of your radius server to watch for network packets coming from kamailio.

Cheers,
Daniel



Please help me.
Thanks.

Regards,
Pratik

On Mon, Aug 2, 2010 at 11:44 AM, Pratik Shrestha <pratikdbl@gmail.com> wrote:
Dear Daniel,

Before I work for the new version, I am first trying to configure old version of openser and radius. I am using openser version 1.0.1 and radius client version 0.5.1 and I am following the tutorial given in http://kamailio.net/docs/openser-radius-1.0.x.html.

My freeradius server is in another machine and when I use radclient to check the user I made, I get the "Authenticated" message.
But when I use X-lite and connect to openser, it seems openser is not talking with freeradius servers. I am sure the "secret" I am using is right as I have already tested from radclient. The log which I am getting in openser is as shown below

9(1986) SIP Request:
 9(1986)  method:  <REGISTER>
 9(1986)  uri:     <sip:192.168.0.56>
 9(1986)  version: <SIP/2.0>
 9(1986) parse_headers: flags=2
 9(1986) Found param type 232, <branch> = <z9hG4bK-d8754z-c33212005635f16c-1---d8754z->; state=6
 9(1986) Found param type 235, <rport> = <n/a>; state=17
 9(1986) end of header reached, state=5
 9(1986) parse_headers: Via found, flags=2
 9(1986) parse_headers: this is the first via
 9(1986) After parse_msg...
 9(1986) preparing to run routing scripts...
 9(1986) parse_headers: flags=100
 9(1986) DEBUG:maxfwd:is_maxfwd_present: value = 70
 9(1986) parse_headers: flags=10
 9(1986) DEBUG:parse_to:end of header reached, state=9
 9(1986) DEBUG: get_hdr_field: <To> [44]; uri=[sip:101%40kamailio.org@192.168.0.56]
 9(1986) DEBUG: to body ["101"<sip:101%40kamailio.org@192.168.0.56>
]
 9(1986) DEBUG: add_param: tag=cc6e4259
 9(1986) DEBUG:parse_to:end of header reached, state=29
 9(1986) radius_is_user_in(): Failure
 9(1986) parse_headers: flags=200
 9(1986) get_hdr_field: cseq <CSeq>: <2> <REGISTER>
 9(1986) DEBUG: get_hdr_body : content_length=0
 9(1986) found end of header
 9(1986) find_first_route: No Route headers found
 9(1986) loose_route: There is no Route HF
 9(1986) grep_sock_info - checking if host==us: 12==9 &&  [192.168.0.56] == [127.0.0.1]
 9(1986) grep_sock_info - checking if port 5060 matches port 5060
 9(1986) grep_sock_info - checking if host==us: 12==12 &&  [192.168.0.56] == [192.168.0.56]
 9(1986) grep_sock_info - checking if port 5060 matches port 5060
 9(1986) grep_sock_info - checking if host==us: 12==9 &&  [192.168.0.56] == [127.0.0.1]
 9(1986) grep_sock_info - checking if port 5060 matches port 5060
 9(1986) grep_sock_info - checking if host==us: 12==12 &&  [192.168.0.56] == [192.168.0.56]
 9(1986) grep_sock_info - checking if port 5060 matches port 5060
 9(1986) check_nonce(): comparing [4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c] and [4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c]
 9(1986) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
 9(1986) build_auth_hf(): 'WWW-Authenticate: Digest realm="192.168.0.56", nonce="4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c"
'
 9(1986) parse_headers: flags=ffffffffffffffff
 9(1986) check_via_address(192.168.0.148, 192.168.182.3, 0)
 9(1986) DEBUG:destroy_avp_list: destroying list (nil)
 9(1986) receive_msg: cleaning up

At freeradius also, no request goes from openser.

Please advise me how to get rid of this problem.

Best Regards,
Pratik


On Wed, Jul 28, 2010 at 5:56 PM, Pratik Shrestha <pratikdbl@gmail.com> wrote:
Thanks a lot. I will give it a try

Pratik


On Wed, Jul 28, 2010 at 3:48 PM, Daniel-Constantin Mierla <miconda@gmail.com> wrote:
Hello,


On 7/22/10 6:06 AM, Pratik Shrestha wrote:
Dear All,

I am very new to OpenSer. I want to use latest version of OpenSer with Radius. I need the documentation/tutorial on how to do this. Googling, I only found for the old version. Please help me.

indeed, there is a rather old version:

http://www.kamailio.org/docs/openser-radius-1.0.x.html

What I can say now is that you can skip the part of installing kamailio and use next link instead:
http://www.kamailio.org/dokuwiki/doku.php/install:kamailio-3.0.x-from-git

Radius client library is now in most of common Linux distributions, so you can install it with the package manager (you need the devel headers as well, the -dev package).

FreeRadius configuration should be more or less the same.

The config of kamailio has changed quite a lot. Use the default one from kamailio, follow the WITH_AUTH define conditions and replace auth_db with auth_radius modules and functions. Also, the rest of radius modules were merged into misc_radius. For enabling radius acc, you need to recompile acc module after editing the Makefile in module directory.

Hope it helps to start, ask here if you get stuck.


Cheers,
Daniel

--
Daniel-Constantin Mierla
http://www.asipto.com/
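
An offline version of the check asked about at the top of the thread (is every configured RADIUS server present in the servers file), added here as an illustration; it is not part of the original messages or of radiusclient-ng. The function names and the sample input are constructed, hosts are compared as literal strings without DNS resolution, and the bindaddr test is an extra check this example adds.

```python
import ipaddress

def parse_conf(text):
    """radiusclient.conf 'key value' lines; a repeated key accumulates values."""
    conf = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf

def secret_hosts(servers_text):
    """Hosts with a secret in the servers file ('host secret' or 'client/server secret')."""
    hosts = set()
    for line in servers_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            hosts.add(fields[0].split("/")[-1])
    return hosts

def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostnames are not resolved here (offline check)

def check(conf_text, servers_text):
    conf, known, problems = parse_conf(conf_text), secret_hosts(servers_text), []
    # authserver/acctserver values are host or host:port
    targets = {v.split(":")[0] for k in ("authserver", "acctserver") for v in conf.get(k, [])}
    for host in sorted(targets):
        if host not in known:
            problems.append(f"no shared secret for {host} in servers file")
    bind = conf.get("bindaddr", ["*"])[0]
    # a loopback source address cannot carry traffic to a non-loopback server
    if is_loopback(bind) and any(not is_loopback(h) for h in targets):
        problems.append(f"bindaddr {bind} is loopback but a server is remote")
    return problems

# Constructed sample input, modelled on the settings quoted in the thread.
CONF = "authserver 128.185.38.162\nacctserver 128.185.38.162:1813\nbindaddr localhost\n"
SERVERS = "# Server Name    Key\nradius.example.net    placeholder-secret\n"

if __name__ == "__main__":
    for problem in check(CONF, SERVERS):
        print(problem)
```
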