Thank you for the tip, Ovidiu!
The problem was with my dictionary indeed. There were two attributes
with duplicate values of "1". I've fixed the dictionary, and now everything works fine.
Thanks again!
Regards,
Fedor.
You need to check the dictionaries on your kamailio server.
Most likely something is misconfigured there.
Check what value you have for "User-Name" and see if you have any
duplicates for that value.
Regards,
Ovidiu Sas
On Sat, Mar 5, 2011 at 2:32 AM, Kosilov Fedor <dangerkoffe@gmail.com> wrote:
> Again for testing, I pointed Kamailio directly to my billing radius,
> bypassing Freeradius. The situation is the same, so the problem is
> definitely not with the Freeradius server.
>
> 2011/3/5 Kosilov Fedor <dangerkoffe@gmail.com>
>>
>> Hello, Daniel, thank you for your attention to my problem.
>>
>> I actually don't need accounting support, I just want to implement an
>> authorization using radius.
>> But for testing purposes, I loaded the acc module and set "radius_extra"
>> param. Nothing has changed.
>>
>> Here is a part of my config:
>>
>>
>> ...
>> modparam("acc", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
>> modparam("acc", "radius_extra", "User-Name=$Au")
>> ...
>> modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
>> modparam("auth_radius", "auth_extra", "NAS-Identifier=$var(ident)")
>> ...
>> route {
>>     #Definitions
>>     $var(ident) = "kamserv.example.com";
>>     ...
>>     route(3); #Auth
>>     ...
>> }
>>
>> ...
>>
>> route[3] {
>>     if (is_method("REGISTER"))
>>     {
>>         if (is_from_local()) {
>>             if (!radius_www_authorize("$td"))
>>             {
>>                 www_challenge("$sel(to.uri.host)", "1");
>>                 exit;
>>             } else {
>>                 avp_db_delete("$sel(to.uri)","$avp(s:ip)");
>>                 avp_db_delete("$sel(to.uri)","$avp(s:dpid)");
>>                 avp_db_delete("$sel(to.uri)","$avp(s:fr_timer)");
>>                 avp_db_delete("$sel(to.uri)","$avp(s:calls_limit)");
>>                 avp_db_store("$sel(to.uri)","$avp(s:ip)");
>>                 avp_db_store("$sel(to.uri)","$avp(s:dpid)");
>>                 avp_db_store("$sel(to.uri)","$avp(s:fr_timer)");
>>                 avp_db_store("$sel(to.uri)","$avp(s:calls_limit)");
>>
>>                 if ($au!=$sel(to.uri.user))||($au!=$sel(from.uri.user)) {
>>                     sl_send_reply("403","Forbidden auth ID");
>>                     exit;
>>                 } else {
>>                     if ($avp(s:ip)!='any' && $sel(src.ip)!=$avp(s:ip)) {
>>                         sl_send_reply("403","Forbidden");
>>                         exit;
>>                     }
>>                 }
>>             }
>>         } else {
>>             sl_send_reply("403","Forbidden");
>>             exit;
>>         }
>>     } else {
>>         if ($sel(src.ip)=="192.168.0.2") {
>>             return;
>>         } else if (is_from_local()) {
>>             if (!radius_proxy_authorize("$sel(from.uri.host)","$sel(from.uri.user)")) {
>>                 proxy_challenge("$sel(from.uri.host)", "1");
>>                 exit;
>>             }
>>             if ($avp(s:ip)!='any' && $sel(src.ip)!=$avp(s:ip))
>>             {
>>                 sl_send_reply("403","Forbidden");
>>                 exit;
>>             }
>>
>>             if (is_method("PUBLISH"))
>>             {
>>                 if ($au!=$sel(to.uri.user)) {
>>                     sl_send_reply("403","Forbidden auth ID");
>>                     exit;
>>                 }
>>             } else if ($au!=$sel(from.uri.user)) {
>>                 sl_send_reply("403","Forbidden auth ID");
>>                 exit;
>>             }
>>             consume_credentials();
>>         } else {
>>             sl_send_reply("403","Forbidden");
>>             exit;
>>         }
>>     }
>> }
>> ...
>>
>> And again a part of the freeradius log:
>>
>> rad_recv: Access-Request packet from host 127.0.0.1 port 58933, id=135, length=298
>> User-Name = "2219001@example.com"
>> Digest-Attributes = 0x0a0932323139303031
>> Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
>> Digest-Attributes = 0x0222545848676630317833314f7076767759512b6b73674c63554d51784f6c347634
>> Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
>> Digest-Attributes = 0x030a5245474953544552
>> Digest-Attributes = 0x050661757468
>> Digest-Attributes = 0x090a3030303030303031
>> Digest-Attributes = 0x080c39636238383130616531
>> Digest-Response = "efdcf92b58f694b97928856614057436"
>> Service-Type = Sip-Session
>> Sip-Uri-User = "2219001"
>> User-Name = "call-id=zomdnicqsndxrnh@koffe-work"
>> NAS-Identifier = "kamserv.example.com"
>> NAS-Port = 5060
>> NAS-IP-Address = 127.0.0.1
>>
>>
>> Regards,
>> Fedor.
>>
>>
>>
>> 2011/3/5 Daniel-Constantin Mierla <miconda@gmail.com>
>>>
>>> Hello,
>>>
>>> what is the value of parameter radius_extra for acc module?
>>>
>>> Cheers,
>>> Daniel
>>>
>>> On 3/4/11 1:06 PM, Kosilov Fedor wrote:
>>>
>>> Hello List!
>>>
>>> I'm trying to set up authorization with our billing proprietary radius
>>> server, using Freeradius as a proxy. Currently I'm experiencing the
>>> following problem:
>>>
>>> The Access-Request packet, sent by Kamailio, contains two User-Name
>>> attribute records.
>>> Here is a log from the Freeradius server:
>>>
>>> rad_recv: Access-Request packet from host 127.0.0.1 port 59294, id=112, length=298
>>> User-Name = "2219001@example.com"
>>> Digest-Attributes = 0x0a0932323139303031
>>> Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
>>> Digest-Attributes = 0x022254584452634531773045524b7368796f30684a70544f4f6a69424d386b32534a
>>> Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
>>> Digest-Attributes = 0x030a5245474953544552
>>> Digest-Attributes = 0x050661757468
>>> Digest-Attributes = 0x090a3030303030303031
>>> Digest-Attributes = 0x080c32383034636535373032
>>> Digest-Response = "e79b47955c02401fe52d05f7956609aa"
>>> Service-Type = Sip-Session
>>> Sip-Uri-User = "2219001"
>>> User-Name = "call-id=domcmqmnychbwlp@koffe-work"
>>> NAS-Identifier = "kamserv.example.com"
>>> NAS-Port = 5060
>>> NAS-IP-Address = 127.0.0.1
>>> # Executing section authorize from file /etc/freeradius/sites-enabled/default
>>> +- entering group authorize {...}
>>> ++[preprocess] returns ok
>>> ++[chap] returns noop
>>> ++[mschap] returns noop
>>> [digest] Checking for correctly formatted Digest-Attributes
>>> [digest] Digest-Attributes look OK. Converting them to something more usful.
>>> Digest-User-Name = "2219001"
>>> Digest-Realm = "example.com"
>>> Digest-Nonce = "TXDRcE1w0ERKshyo0hJpTOOjiBM8k2SJ"
>>> Digest-URI = "sip:example.com"
>>> Digest-Method = "REGISTER"
>>> Digest-QOP = "auth"
>>> Digest-Nonce-Count = "00000001"
>>> Digest-CNonce = "2804ce5702"
>>> [digest] Adding Auth-Type = DIGEST
>>> ++[digest] returns ok
>>> [suffix] Looking up realm "example.com" for User-Name = "2219001@example.com"
>>> [suffix] Found realm "example.com"
>>> [suffix] Adding Realm = "example.com"
>>> [suffix] Proxying request from user 2219001 to realm example.com
>>> [suffix] Preparing to proxy authentication request to realm "example.com"
>>> ++[suffix] returns updated
>>> [eap] No EAP-Message, not doing EAP
>>> ++[eap] returns noop
>>> ++[files] returns noop
>>> ++[expiration] returns noop
>>> ++[logintime] returns noop
>>> ++[pap] returns noop
>>> Sending Access-Request of id 250 to 127.0.0.1 port 1822
>>> User-Name = "2219001@example.com"
>>> Digest-Attributes = 0x0a0932323139303031
>>> Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
>>> Digest-Attributes = 0x022254584452634531773045524b7368796f30684a70544f4f6a69424d386b32534a
>>> Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
>>> Digest-Attributes = 0x030a5245474953544552
>>> Digest-Attributes = 0x050661757468
>>> Digest-Attributes = 0x090a3030303030303031
>>> Digest-Attributes = 0x080c32383034636535373032
>>> Digest-Response = "e79b47955c02401fe52d05f7956609aa"
>>> Service-Type = Sip-Session
>>> Sip-Uri-User = "2219001"
>>> User-Name = "call-id=domcmqmnychbwlp@koffe-work"
>>> NAS-Identifier = "kamserv.example.com"
>>> NAS-Port = 5060
>>> NAS-IP-Address = 127.0.0.1
>>> Proxy-State = 0x313132
>>> Proxying request 1 to home server 127.0.0.1 port 1822
>>>
>>> As I understand, this second User-Name attribute has to be a call-id
>>> attribute.
>>>
>>>
>>> _______________________________________________
>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>> sr-users@lists.sip-router.org
>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>
>>> --
>>> Daniel-Constantin Mierla
>>> http://www.asipto.com
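The dictionary check that resolved this thread, as an added example that is not part of the original messages: a RADIUS client encodes each attribute by its numeric code, so a second dictionary entry that reuses code 1 goes on the wire as another User-Name. The sketch assumes the radiusclient-ng line layout `ATTRIBUTE name code type [vendor]`; the sample dictionary is constructed, and `Example-Call-Id` and `ExampleVendor` are hypothetical names.

```python
import sys
from collections import defaultdict

# Constructed sample in radiusclient-ng dictionary syntax (not the poster's file).
# "Example-Call-Id" and "ExampleVendor" are hypothetical names.
SAMPLE_DICTIONARY = """\
# keyword  name               code type     [vendor]
ATTRIBUTE  User-Name          1    string
ATTRIBUTE  NAS-IP-Address     4    ipaddr
ATTRIBUTE  NAS-Port           5    integer
ATTRIBUTE  Service-Type       6    integer
ATTRIBUTE  NAS-Identifier     32   string
ATTRIBUTE  Example-Call-Id    1    string   # reuses code 1
VENDOR     ExampleVendor      99999
ATTRIBUTE  Example-Vsa        1    string   ExampleVendor
VALUE      Service-Type       Sip-Session  15
"""


def find_duplicate_codes(text):
    """Map (vendor, code) -> [(line_no, name), ...] where different
    attribute names share one numeric code in the same vendor space."""
    seen = defaultdict(list)
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 4 or fields[0].upper() != "ATTRIBUTE":
            continue                            # VALUE, VENDOR, $INCLUDE, blanks
        try:
            code = int(fields[2])
        except ValueError:
            continue                            # malformed code: skip the line
        vendor = fields[4] if len(fields) > 4 else None
        seen[(vendor, code)].append((line_no, fields[1]))
    return {key: defs for key, defs in seen.items()
            if len({name for _, name in defs}) > 1}


def report(text):
    """Render one line per conflicting code, ordered by first definition."""
    conflicts = sorted(find_duplicate_codes(text).items(),
                       key=lambda kv: kv[1][0][0])
    return [f"code {code} (vendor {vendor or 'none'}): "
            + ", ".join(f"{name} at line {n}" for n, name in defs)
            for (vendor, code), defs in conflicts]


if __name__ == "__main__":
    # Lint the file given on the command line, or the constructed sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DICTIONARY
    lines = report(source)
    print("\n".join(lines) or "no duplicate attribute codes")
    sys.exit(1 if lines else 0)
```

Vendor-specific attributes are keyed separately, so a vendor attribute numbered 1 does not collide with the standard User-Name.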