The thing is that I'm not seeing the Password Attribute at the radius output ...
Lucas,

Your RADIUS server needs to implement the Digest algorithm. Attributes are non-standard and are NOT sent as vendor-encapsulated, but wrapped in the Digest-Attributes avpair. The RADIUS server thus needs to be able to read the digest-attributes, convert them to individual attributes (as below) and then implement the DIGEST authentication mechanism. Translated: There is no password attribute.

g-)

ATTRIBUTE Digest-Response 206 string
ATTRIBUTE Digest-Attributes 207 string
ATTRIBUTE Digest-Realm 1063 string
ATTRIBUTE Digest-Nonce 1064 string
ATTRIBUTE Digest-Method 1065 string
ATTRIBUTE Digest-URI 1066 string
ATTRIBUTE Digest-QOP 1067 string
ATTRIBUTE Digest-Algorithm 1068 string
ATTRIBUTE Digest-Body-Digest 1069 string
ATTRIBUTE Digest-CNonce 1070 string
ATTRIBUTE Digest-Nonce-Count 1071 string
ATTRIBUTE Digest-User-Name 1072 string
Ok, thanx for the answer. Anyways, I think I'll need a little help with this. I already loaded those attributes into my dictionary, both dictionary.ser and dictionary.sip. Now, if I have no password assigned to my user, users can authenticate with no problems at all. Now, if I assign a password, I see the following ...
RADIUS OUTPUT:
radrecv: Access Request from host c0a801fd code=1, id=158, length=271
    User-Name = "1991006@192.168.1.253"
    Digest-Attributes = "\012\0111991006"
    Digest-Attributes = "\001\017192.168.1.253"
    Digest-Attributes = "\002*425bde0ae10d15c59c4e3a5c45288ed4175a8a2a"
    Digest-Attributes = "\004\023sip:192.168.1.253"
    Digest-Attributes = "\003\012REGISTER"
    Digest-Response = "a341b3fdbacc4747b82e0718b31e627c"
    Service-Type = Sip-Session
    Sip-URI-User = "1991006"
    Unknown-Attr-327681 = "call-id=EAED054A3CA3478184AA441574592609@192.168.1.253"
    NAS-IP-Address = 192.168.1.253
    NAS-Port-Id = 5060
SQL: Attempting to reserve socket
SQL: Reserved socket 0
Username is now 1991006
Calling station Id is now 1991006
Calling station Id is now (null)
Sending Access Reject of id 158 to c0a801fd (nas linux)
Se envio Auth Reject
SQL: Socket 0 used for 0.61 seconds
SQL: Released socket 0
SER OUTPUT:
0(17666) get_hdr_field: cseq <CSeq>: <27392> <REGISTER>
0(17666) DEBUG: is_maxfwd_present: value = 70
0(17666) end of header reached, state=9
0(17666) parse_headers: flags=256
0(17666) DEBUG: get_hdr_body : content_length=0
0(17666) found end of header
0(17666) find_first_route(): No Route headers found
0(17666) loose_route(): There is no Route HF
0(17666) check_self - checking if host==us: 13==13 && [192.168.1.253] == [192.168.1.253]
0(17666) check_self - checking if port 5060 matches port 5060
0(17666) check_nonce(): comparing [425bde0ae10d15c59c4e3a5c45288ed4175a8a2a] and [425bde0ae10d15c59c4e3a5c45288ed4175a8a2a]
0(17666) res: -2
0(17666) radius_authorize_sterman(): Failure
0(17666) build_auth_hf(): 'WWW-Authenticate: Digest realm="192.168.1.253", nonce="425bde0ae10d15c59c4e3a5c45288ed4175a8a2a"'
0(17666) parse_headers: flags=-1
0(17666) check_via_address(192.168.1.178, 192.168.1.178, 0)
0(17666) DEBUG:destroy_avp_list: destroing list (nil)
0(17666) receive_msg: cleaning up
Now, these are the questions:
1) Does what my radius is receiving look fine?
2) What must my radius be capable of doing to authenticate users with a password? I know you said it must resolve digest attributes, but what does it mean? (Or please give me some place where to read something.)
3) I know my radius supports CHAP-MD5. Isn't it enough?

The thing is I've been using this radius for some time now, and have modified it to help my needs. I know it's a bit old already (2002). It's ic-radius and, according to its web page, it does support digest. I think ...
Please, help me out with this one. Thanx very much
Regards,
Lucas
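
The digest check discussed in this thread, as an added example (not code from the thread, SER or ic-radius): it unpacks the Digest-Attributes values logged above as type/length/value sub-attributes and recomputes the RFC 2617 response a server would compare against Digest-Response. The sub-attribute numbering is an assumption inferred from the dictionary offsets (1062 + type) and the logged values, and the password is supplied by the caller from the user store.

```python
import hashlib
import hmac
import re

# Assumption: sub-attribute type N maps to dictionary attribute 1062 + N
# (Digest-Realm 1063 = type 1 ... Digest-User-Name 1072 = type 10).
SUBTYPES = {1: "realm", 2: "nonce", 3: "method", 4: "uri", 5: "qop",
            6: "algorithm", 7: "body-digest", 8: "cnonce",
            9: "nonce-count", 10: "user-name"}

# Digest-Attributes values copied from the radrecv output above (octal-escaped).
LOGGED = [
    r"\012\0111991006",
    r"\001\017192.168.1.253",
    r"\002*425bde0ae10d15c59c4e3a5c45288ed4175a8a2a",
    r"\004\023sip:192.168.1.253",
    r"\003\012REGISTER",
]

def unescape(text):
    """Turn the log's \\ooo octal escapes back into raw bytes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), text).encode("latin-1")

def parse_digest_attributes(values):
    """Each value is type(1) | length(1, counts the 2 header bytes) | data."""
    fields = {}
    for raw in map(unescape, values):
        if len(raw) < 2 or raw[1] != len(raw) or raw[0] not in SUBTYPES:
            raise ValueError("malformed Digest-Attributes sub-attribute")
        fields[SUBTYPES[raw[0]]] = raw[2:].decode("latin-1")
    return fields

def md5_hex(text):
    return hashlib.md5(text.encode("latin-1")).hexdigest()

def expected_response(fields, password):
    """RFC 2617 response: no-qop form (as in this request) or qop=auth."""
    ha1 = md5_hex(f"{fields['user-name']}:{fields['realm']}:{password}")
    ha2 = md5_hex(f"{fields['method']}:{fields['uri']}")
    if "qop" not in fields:
        return md5_hex(f"{ha1}:{fields['nonce']}:{ha2}")
    if fields["qop"] != "auth":
        raise ValueError("only qop=auth is handled in this example")
    return md5_hex(f"{ha1}:{fields['nonce']}:{fields['nonce-count']}:"
                   f"{fields['cnonce']}:auth:{ha2}")

def verify(fields, digest_response, password):
    """Constant-time comparison against the Digest-Response attribute."""
    return hmac.compare_digest(expected_response(fields, password), digest_response.lower())
```

The password never travels in the request, so the server must hold it (or the HA1 hash) to recompute the response; an Access-Accept is sent only when `verify` returns True.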