Hi, list, happy new year! This is probably a stupid question, but I cannot solve it. The UA cannot register with OpenSER normally. I think step 5 works and the last step fails. The debug output shows two errors. The first is " 0(5898) radius_is_user_in(): Failure"; the other is " 0(5898) DEBUG:avpops:ops_check_avp: no src avp found". Please give me some help and suggestions. My configuration file and debug information follow. Thanks!!

          HTTP/SIP       RADIUS
+-----+    (1)    +-----+           +-----+
|     |==========>|     |           |     |
|     |    (2)    |     |           |     |
|     |<==========|     |           |     |
|     |    (3)    |     |           |     |
|     |==========>|     |           |     |
|  A  |           |  B  |    (4)    |  C  |
|     |           |     |---------->|     |
|     |           |     |    (5)    |     |
|     |           |     |<----------|     |
|     |    (6)    |     |           |     |
|     |<==========|     |           |     |
+-----+           +-----+           +-----+

====> HTTP/SIP
----> RADIUS
I set up the system by following the document (http://www.openser.org/docs/openser-radius-1.0.x.html). My OpenSER version is openser-1.1.0-tls, and my openser.cfg is the same as the one in the document.
# #$Id$ # # radius config script #
# ----------- global configuration parameters ------------------------
debug=7 # debug level (cmd line: -dddddddddd) fork=no log_stderror=yes # (cmd line: -E)
check_via=no # (cmd. line: -v) dns=no # (cmd. line: -r) rev_dns=no # (cmd. line: -R) port=5060 children=4 listen=udp:192.168.168.3 alias="swifton.org" alias="192.168.168.3" #fifo="/tmp/openser_fifo"
# ------------------ module loading ---------------------------------- [root@localhost openser]# cat openser.cfg # #$Id$ # # radius config script #
# ----------- global configuration parameters ------------------------

# NOTE(review): debug=7 together with log_stderror=yes is a troubleshooting
# setup. The trace quoted later in this message shows what it prints: the
# digest nonce being compared and the AVPs returned by RADIUS. Lower the
# level again once the registration problem is found.
debug=7            # debug level (cmd line: -dddddddddd)
fork=no
log_stderror=yes   # (cmd line: -E)

check_via=no       # (cmd. line: -v)
dns=no             # (cmd. line: -r)
rev_dns=no         # (cmd. line: -R)
port=5060
children=4
listen=udp:192.168.168.3
# Names this proxy treats as its own domain.
alias="swifton.org"
alias="192.168.168.3"
#fifo="/tmp/openser_fifo"
# ------------------ module loading ----------------------------------
# Directory the loadmodule lines below are resolved against.
mpath="/usr/local/lib/openser/modules"

loadmodule "mysql.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "avpops.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "xlog.so"
loadmodule "uri.so"
loadmodule "acc.so"
loadmodule "auth.so"
# RADIUS-backed modules; the routing script calls radius_www_authorize(),
# radius_is_user_in() and avp_load_radius().
loadmodule "auth_radius.so"
loadmodule "group_radius.so"
loadmodule "avp_radius.so"
# ----------------- setting module-specific parameters ---------------

# -- usrloc params --
# NOTE(review): the disabled db_url carries the database user and password
# inline, and they look like the stock example credentials (confirm). If the
# line is ever re-enabled, change the password and keep this file readable
# only by the account that runs OpenSER.
#modparam("usrloc","db_url","mysql://openser:openserrw@localhost/openser")
modparam("usrloc", "db_mode", 2)

# -- acc params --
modparam("acc", "radius_flag", 1)
modparam("acc", "radius_missed_flag", 2)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 1)
modparam("acc", "service_type", 15)
# Extra attributes sent with RADIUS accounting: source IP and source port.
modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp")
# One radiusclient-ng configuration shared by all four RADIUS-using modules.
modparam("acc|auth_radius|group_radius|avp_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")

# -- group_radius params --
modparam("group_radius", "use_domain", 1)

# -- avpops params --
# Defines the $day and $time aliases that the callee time-filter checks in the
# routing script refer to.
modparam("avpops", "avp_aliases", "day=i:101;time=i:102")

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# ------------------------- request routing logic -------------------

# main routing logic
#
# Order of checks as written below: sanity limits, RADIUS "suspended" group
# lookup, record-routing, in-dialog (loose-routed) requests, accounting flags,
# requests for foreign domains, then requests for our own domain (REGISTER
# authentication and source-IP check, PSTN prefix, callee AVP time filter).
# The "......" lines are elisions made by the poster; route(1) is not shown.

route{

	# initial sanity checks -- messages with
	# max_forwards==0, or excessively long requests
	if (!mf_process_maxfwd_header("10")) {
		sl_send_reply("483","Too Many Hops");
		exit;
	};

	if (msg:len >= 2048 ) {
		sl_send_reply("513", "Message too big");
		exit;
	};

	# check if user is suspended
	# NOTE(review): this lookup uses the From header and runs before any
	# authentication. The "radius_is_user_in(): Failure" line in the trace
	# quoted in this message appears right after the From header is parsed,
	# so it presumably comes from here; for a user who is not in the
	# "suspended" group a negative answer is the expected outcome and the
	# script simply continues. Confirm against the RADIUS server log.
	if(is_method("REGISTER|INVITE|MESSAGE|OPTIONS|SUBSCRIBE")) {
		if (radius_is_user_in("From", "suspended")) {
			sl_send_reply("403", "Forbidden - suspended");
			exit;
		};
	};

	# we record-route all messages -- to make sure that
	# subsequent messages will go through our proxy; that's
	# particularly good if upstream and downstream entities
	# use different transport protocol
	if (!method=="REGISTER") record_route();

	# subsequent messages within a dialog should take the
	# path determined by record-routing
	if (loose_route()) {
		# mark routing logic in request
		append_hf("P-hint: rr-enforced\r\n");
		if(is_method("BYE")) {
			# log it all the time
			acc_rad_request("200 ok");
			acc_log_request("200 ok");
		}
		route(1);
	};

	if(is_method("INVITE") && !has_totag()) {
		# set the acc flags
		# (1 and 2 are the values given to radius_flag / radius_missed_flag
		# and to log_flag in the acc module parameters)
		setflag(1);
		setflag(2);
	};

	if (!uri==myself) {
		# check if user is allowed to do voip calls to other domains
		# NOTE(review): group membership is looked up for the From identity;
		# no authentication call is visible on this branch, so the check is
		# only as strong as the From header -- confirm that is intended.
		if(is_method("INVITE|MESSAGE")) {
			if (!radius_is_user_in("From", "voip")) {
				sl_send_reply("403", "Forbidden VoIP");
				exit;
			};
		};
		# mark routing logic in request
		append_hf("P-hint: outbound\r\n");
		route(1);
	};

	# if the request is for other domain use UsrLoc
	# (in case, it does not work, use the following command
	# with proper names and addresses in it)
	if (uri==myself) {

		# authenticate registers
		if (method=="REGISTER") {
			# Digest authentication delegated to RADIUS; challenge when
			# credentials are missing or rejected.
			if (!radius_www_authorize("swifton.org")) {
				www_challenge("swifton.org", "0");
				exit;
			};

			# check the src ip address
			# NOTE(review): this ties a registration to the address held in
			# $avp(i:2). In the trace quoted in this message auth_radius adds
			# only an AVP named 'Sip-Group', and avpops then logs "no src avp
			# found", so $avp(i:2) is presumably never set and the REGISTER
			# ends in this 403 branch even though authentication succeeded.
			# Confirm that the RADIUS reply for the user carries a SIP-AVP
			# that populates AVP id 2; if the restriction is wanted, fix the
			# RADIUS data rather than removing the check.
			if(!avp_check("$avp(i:2)", "eq/$src_ip/ig")) {
				sl_send_reply("403", "Forbidden IP");
				exit;
			};

			save("location");
			exit;
		};

		# calls to pstn
		if(uri=~"sip:00[1-9][0-9]+@") {
			# only initial INVITEs (no To tag) are checked for the pstn group
			if(is_method("INVITE") && !has_totag()) {
				if (!radius_is_user_in("From", "pstn")) {
					sl_send_reply("403", "Forbidden PSTN");
					exit;
				};
			};
			# set gateway address
			rewritehostport("10.10.10.10:5090");
			route(1);
		};

		# load callee's avps
		if(avp_load_radius("callee")) {
			# check if user has time filter enabled
			if(avp_check("$avp(i:3)", "eq/i:1")) {
				# print time in an avp
				avp_printf("$avp(i:100)", "$Tf");
				# extract day
				avp_subst("$avp(i:100)/$avp(i:101)", "/(.{3}) .+/*\1*/");
				if(!avp_check("$avp(i:6)", "fm/$day")) {
					sl_send_reply("403", "Forbidden - day");
					exit;
				};
				# extract 'hours:minutes'
				avp_subst("$avp(i:100)/$avp(i:102)", "/(.{10}) (.{5}):.+/\2/");
				# reject when a lower bound (i:4) or upper bound (i:5) is set
				# and the current time falls outside it
				if((is_avp_set("$avp(i:4)") && avp_check("$avp(i:4)", "gt/$time"))
						|| (is_avp_set("$avp(i:5)") && avp_check("$avp(i:5)", "lt/$time"))) {
					sl_send_reply("403", "Forbidden - time");
					exit;
				};
			};
		};
		......

		route(1);
	}

	......
	exit;
}
#
and the openser start as follows: 898) SIP Request: 898) method: <REGISTER> 898) uri: sip:swifton.org 898) version: <SIP/2.0> 898) parse_headers: flags=2 898) end of header reached, state=5 898) parse_headers: Via found, flags=2 898) parse_headers: this is the first via 898) After parse_msg... 898) preparing to run routing scripts... 898) parse_headers: flags=100 898) DEBUG:maxfwd:is_maxfwd_present: value = 70 898) parse_headers: flags=10 898) DEBUG: add_param: tag=f59c388b5de348778e76ebda993c2d8e 898) DEBUG: add_param: epid=b6757bf3fc 898) DEBUG:parse_to:end of header reached, state=29 898) DBUG:parse_to: display={}, ruri={sip:zhaoy@swifton.org} 898) radius_is_user_in(): Failure 898) parse_headers: flags=200 898) DEBUG:parse_to:end of header reached, state=10 ...... 0(5898) grep_sock_info - checking if host==us: 11==13 && [swifton.org] == [192.168.168.3] 0(5898) grep_sock_info - checking if port 5060 matches port 5060 0(5898) grep_sock_info - checking if host==us: 11==13 && [swifton.org] == [192.168.168.3] 0(5898) grep_sock_info - checking if port 5060 matches port 5060 0(5898) check_nonce(): comparing [459bb612ad569015987d4849d1ae603515f32e6b] and [459bb612ad569015987d4849d1ae603515f32e6b] 0(5898) DEBUG:auth_radius:radius_authorize_sterman: Success 0(5898) DEBUG:auth_radius:generate_avps: getting SIP AVPs from avpair 225 0(5898) DEBUG:auth_radius:extract_avp: string is Sip-Group:voip 0(5898) DEBUG:auth_radius:extract_avp: AVP name is <Sip-Group> 0(5898) DEBUG:auth_radius:extract_avp: AVP val is <voip> 0(5898) DEBUG:auth_radius:generate_avps: AVP 'Sip-Group'/0='voip'/0 has been added 0(5898) DEBUG:avpops:ops_check_avp: no src avp found 0(5898) parse_headers: flags=ffffffffffffffff 0(5898) check_via_address(192.168.168.30, 192.168.168.30, 0) 0(5898) DEBUG:destroy_avp_list: destroying list 0x422bc440 0(5898) receive_msg: cleaning up
The FreeRADIUS debug information is as follows:
er-Name = "zhaoy@swifton.org" Digest-Attributes = 0x0a077a68616f79 Digest-Attributes = 0x010d73776966746f6e2e6f7267 Digest-Attributes = 0x022a34353962623631326164353639303135393837643438343964316165363033353135663332653662 Digest-Attributes = 0x04117369703a73776966746f6e2e6f7267 Digest-Attributes = 0x030a5245474953544552 Digest-Response = "2ead4f5b9d78013a35f2eb7a792971a5" Service-Type = Sip-Session Sip-Uri-User = "zhaoy" NAS-Port = 5060 NAS-IP-Address = 192.168.168.3 Processing the authorize section of radiusd.confmodcall: entering group authorize for request 167 modcall[authorize]: module "preprocess" returns ok for request 167 modcall[authorize]: module "chap" returns noop for request 167 modcall[authorize]: module "mschap" returns noop for request 167 rlm_digest: Converting Digest-Attributes to something sane... Digest-User-Name = "zhaoy" Digest-Realm = "swifton.org" Digest-Nonce = "459bb612ad569015987d4849d1ae603515f32e6b" Digest-URI = "sip:swifton.org" Digest-Method = "REGISTER"rlm_digest: Adding Auth-Type = DIGEST modcall[authorize]: module "digest" returns ok for request 167 ....... Processing the authenticate section of radiusd.confmodcall: entering group authenticate for request 167A1 = zhaoy:swifton.org:zhaoyA2 = REGISTER:sip:swifton.orgH(A1) = eff77a9105c5c0973492694f59c944f2H(A2) = d3add39dad2709bea55016ba79eb675aKD = eff77a9105c5c0973492694f59c944f2:459bb612ad569015987d4849d1ae603515f32e6b:d3add39dad2709bea55016ba79eb675aEXPECTED 2ead4f5b9d78013a35f2eb7a792971a5RECEIVED 2ead4f5b9d78013a35f2eb7a792971a5 modcall[authenticate]: module "digest" returns ok for request 167modcall: group authenticate returns ok for request 167radius_xlat: 'Authenticated'Login OK: [zhaoy@swifton.org] (from client openser port 5060)Sending Access-Accept of id 13 to 192.168.168.3:33101 SIP-AVP = "Sip-Group:voip" Reply-Message = "Authenticated" Sip-Group = "voip"Finished request 167 and my MSN:buptzhaoyuan@sina.com .I am nice to communicate with you!