Re: [Users] Problem with Radius authentication

Hello, I'm trying to set up OpenSER to use Radius authentication, but am having problems. I can't get the OpenSER server to actually send any Radius packets out over the network to my Radius server. I've been sniffing the network with Ethereal and no packets are sent out, even though I get messages in the syslog saying; Oct 10 16:59:24 ibwok-2mrt71j /usr/sbin/openser[9057]: rc_send_server: no reply from RADIUS server boxster:1812 Oct 10 16:59:24 ibwok-2mrt71j /usr/sbin/openser[9058]: rc_send_server: no reply from RADIUS server boxster:1812 Oct 10 16:59:25 ibwok-2mrt71j /usr/sbin/openser[9059]: rc_send_server: no reply from RADIUS server boxster:1812 and so on. My openser.cfg file (see below) is pretty much unchanged from the default config file, except adding Radius options as according to this HOWTO http://www.iptel.org/ser/doc/ser_radius/ser_radius.html I've seen this problem both with the pre-complied Debian packages on a Debian Sarge installation and also when compiled by hand on a Sun Solaris 9 server. I must be missing something from my configuration files, but I can't work out what it is. Does anyone have any ideas? Thanks in advance, Matt Williams ------------------------------------------------------------------ openser.cfg ------------------------------------------------------ # # $Id: openser.cfg,v 1.1.1.1 2005/06/13 16:47:30 bogdan_iancu Exp $ # # simple quick-start config script # # ----------- global configuration parameters ------------------------ #debug=3 # debug level (cmd line: -dddddddddd) #fork=yes #log_stderror=no # (cmd line: -E) /* Uncomment these lines to enter debugging mode fork=no log_stderror=yes */ check_via=no # (cmd. line: -v) dns=no # (cmd. line: -r) rev_dns=no # (cmd. line: -R) #port=5060 #children=4 fifo="/tmp/openser_fifo" alias=testdomain # ------------------ module loading ---------------------------------- # Uncomment this if you want to use SQL database #loadmodule "/usr/local/lib/ser/modules/mysql.so" loadmodule "/usr/lib/openser/modules/sl.so" loadmodule "/usr/lib/openser/modules/tm.so" loadmodule "/usr/lib/openser/modules/rr.so" loadmodule "/usr/lib/openser/modules/maxfwd.so" loadmodule "/usr/lib/openser/modules/usrloc.so" loadmodule "/usr/lib/openser/modules/registrar.so" loadmodule "/usr/lib/openser/modules/textops.so" # Uncomment this if you want digest authentication # mysql.so must be loaded ! loadmodule "/usr/lib/openser/modules/auth.so" #loadmodule "/usr/lib/openser/modules/auth_db.so" loadmodule "/usr/lib/openser/modules/auth_radius.so" # ----------------- setting module-specific parameters --------------- modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf") # -- usrloc params -- modparam("usrloc", "db_mode", 0) # Uncomment this if you want to use SQL database # for persistent storage and comment the previous line #modparam("usrloc", "db_mode", 2) # -- auth params -- # Uncomment if you are using auth module # #modparam("auth_db", "calculate_ha1", yes) # # If you set "calculate_ha1" parameter to yes (which true in this config), # uncomment also the following parameter) # #modparam("auth_db", "password_column", "password") # -- rr params -- # add value to ;lr param to make some broken UAs happy modparam("rr", "enable_full_lr", 1) # ------------------------- request routing logic ------------------- # main routing logic route{ # initial sanity checks -- messages with # max_forwards==0, or excessively long requests if (!mf_process_maxfwd_header("10")) { sl_send_reply("483","Too Many Hops"); break; }; if (msg:len >= 2048 ) { sl_send_reply("513", "Message too big"); break; }; # we record-route all messages -- to make sure that # subsequent messages will go through our proxy; that's # particularly good if upstream and downstream entities # use different transport protocol if (!method=="REGISTER") record_route(); # subsequent messages withing a dialog should take the # path determined by record-routing if (loose_route()) { # mark routing logic in request append_hf("P-hint: rr-enforced\r\n"); route(1); break; }; if (!uri==myself) { # mark routing logic in request append_hf("P-hint: outbound\r\n"); route(1); break; }; # if the request is for other domain use UsrLoc # (in case, it does not work, use the following command # with proper names and addresses in it) if (uri==myself) { if (method=="REGISTER") { # Uncomment this if you want to use digest authentication if (!radius_www_authorize("testdomain")) { www_challenge("testdomain", "1"); break; }; save("location"); break; }; lookup("aliases"); if (!uri==myself) { append_hf("P-hint: outbound alias\r\n"); route(1); break; }; # native SIP destinations are handled using our USRLOC DB if (!lookup("location")) { sl_send_reply("404", "Not Found"); break; }; }; append_hf("P-hint: usrloc applied\r\n"); route(1); } route[1] { # send it out now; use stateful forwarding as it works reliably # even for UDP2TCP if (!t_relay()) { sl_reply_error(); }; } ------------------------------------------------------------------------ radiusclient.conf ------------------------------------------------------------------------ General settings # specify which authentication comes first respectively which # authentication is used. possible values are: "radius" and "local". # if you specify "radius,local" then the RADIUS server is asked # first then the local one. if only one keyword is specified only # this server is asked. auth_order radius # maximum login tries a user has login_tries 4 # timeout for all login tries # if this time is exceeded the user is kicked out login_timeout 60 # name of the nologin file which when it exists disables logins. # it may be extended by the ttyname which will result in # a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable # logins on /dev/ttyS2) nologin /etc/nologin # name of the issue file. it's only display when no username is passed # on the radlogin command line issue /etc/radiusclient-ng/issue # RADIUS settings # RADIUS server to use for authentication requests. this config # item can appear more then one time. if multiple servers are # defined they are tried in a round robin fashion if one # server is not answering. # optionally you can specify a the port number on which is remote # RADIUS listens separated by a colon from the hostname. if # no port is specified /etc/services is consulted of the radius # service. if this fails also a compiled in default is used. authserver boxster # RADIUS server to use for accouting requests. All that I # said for authserver applies, too. # acctserver boxster # file holding shared secrets used for the communication # between the RADIUS client and server servers /etc/radiusclient-ng/servers # dictionary of allowed attributes and values # just like in the normal RADIUS distributions dictionary /etc/radiusclient-ng/dictionary # program to call for a RADIUS authenticated login login_radius /usr/sbin/login.radius # file which holds sequence number for communication with the # RADIUS server seqfile /var/run/radius.seq # file which specifies mapping between ttyname and NAS-Port attribute mapfile /etc/radiusclient-ng/port-id-map # default authentication realm to append to all usernames if no # realm was explicitly specified by the user # the radiusd directly form Livingston doesnt use any realms, so leave # it blank then default_realm # time to wait for a reply from the RADIUS server radius_timeout 10 # resend request this many times before trying the next server radius_retries 3 # local address from which radius packets have to be sent bindaddr localhost # LOCAL settings # program to execute for local login # it must support the -f flag for preauthenticated login login_local /bin/login This e-mail and any attachments are confidential and may also be legally privileged and/or copyright material of Intec Telecom Systems PLC (or its affiliated companies). If you are not an intended or authorised recipient of this e-mail or have received it in error, please delete it immediately and notify the sender by e-mail. In such a case, reading, reproducing, printing or further dissemination of this e-mail or its contents is strictly prohibited and may be unlawful. Intec Telecom Systems PLC does not represent or warrant that an attachment hereto is free from computer viruses or other defects. The opinions expressed in this e-mail and any attachments may be those of the author and are not necessarily those of Intec Telecom Systems PLC. _______________________________________________ Users mailing list Users(a)openser.org http://openser.org/cgi-bin/mailman/listinfo/users