here you have my notes for Kamailio 1.4
Hope this helps.
Regards
Luciano
Digest Authentication of users using Kamailio and freeRADIUS
=============================================
freeRADIUS
-----------------
- Add Kamailio host to freeRadius clients.conf
- Include dictionary with kamailio avps.
- Enable digest module in freeRadius
- Add users to freeRadius users file
1001@lucio01.net  Auth-Type := Digest, Cleartext-Password := "test123"
        Reply-Message = "Authenticated",
        Sip-Avp += "category:prepaid"
1002@lucio01.net  Auth-Type := Digest, Cleartext-Password := "test123"
        Reply-Message = "Authenticated",
        Sip-Avp += "category:postpaid"
Kamailio (1.4)
---------------------
- Make sure radiusclient-ng is installed and configured in the machine
running Kamailio. See radiusclient-ng_install_notes
- How to configure for authentication using radius
loadmodule "auth_radius.so"
modparam("auth_radius", "radius_config",
"/usr/local/etc/radiusclient-ng/radiusclient.conf")
radius_www_authorize("lucio01.net")
radius_proxy_authorize("lucio01.net")
- How to get and use Sip-Avp
loadmodule "avp_radius.so"
loadmodule "avpops.so"
xlog("category = $avp(s:category)");
if (avp_check("$avp(s:category)", "eq/s:prepaid/ig"))
radiusclient-ng_install_notes
-----------------------------------------
- Install radiusclient-ng from source
~# tar xvfz radiusclient-ng-X.Y.Z.tar.gz
~# cd radiusclient-ng-X.Y.Z
~# ./configure
~# make
~# make install
- Configure the authentication and accounting servers this client communicates with.
Edit /usr/local/etc/radiusclient-ng/radiusclient.conf and set the addresses
of the authentication and accounting servers
authserver
- Configure the shared secret to be used with the servers this client communicates with.
Edit /usr/local/etc/radiusclient-ng/servers and add the shared secret for
each server the client communicates with.
testing123
- Create dictionary to be used with kamailio and sippy b2bua
Create a dictionary file and add the following attributes and values
used in kamailio and sippy b2bua
VENDOR Cisco 9
ATTRIBUTE Cisco-AVPair 1 string Cisco
ATTRIBUTE h323-remote-address 23 string Cisco
ATTRIBUTE h323-conf-id 24 string Cisco
ATTRIBUTE h323-setup-time 25 string Cisco
ATTRIBUTE h323-call-origin 26 string Cisco
ATTRIBUTE h323-call-type 27 string Cisco
ATTRIBUTE h323-connect-time 28 string Cisco
ATTRIBUTE h323-disconnect-time 29 string Cisco
ATTRIBUTE h323-disconnect-cause 30 string Cisco
ATTRIBUTE h323-voice-quality 31 string Cisco
ATTRIBUTE h323-ivr-out 32 string Cisco
ATTRIBUTE h323-credit-time 102 string Cisco
ATTRIBUTE h323-return-code 103 string Cisco
ATTRIBUTE h323-redirect-number 106 string Cisco
ATTRIBUTE h323-preferred-lang 107 string Cisco
ATTRIBUTE h323-billing-model 109 string Cisco
ATTRIBUTE h323-currency 110 string Cisco
#
# Experiment SIP-specific attributes:
# These attributes are tied between client & server
#
ATTRIBUTE Sip-Method 101 integer
ATTRIBUTE Sip-Response-Code 102 integer
ATTRIBUTE Sip-CSeq 103 string
ATTRIBUTE Sip-To-Tag 104 string
ATTRIBUTE Sip-From-Tag 105 string
ATTRIBUTE Sip-Branch-ID 106 string
ATTRIBUTE Sip-Translated-Request-URI 107 string
ATTRIBUTE Sip-Source-IP-Address 108 ipaddr
ATTRIBUTE Sip-Source-Port 109 integer
ATTRIBUTE Sip-User-ID 110 string
ATTRIBUTE Sip-User-Realm 111 string
ATTRIBUTE Sip-User-Nonce 112 string
ATTRIBUTE Sip-User-Method 113 string
ATTRIBUTE Sip-User-Digest-URI 114 string
ATTRIBUTE Sip-User-Nonce-Count 115 string
ATTRIBUTE Sip-User-QOP 116 string
ATTRIBUTE Sip-User-Opaque 117 string
ATTRIBUTE Sip-User-Response 118 string
ATTRIBUTE Sip-User-CNonce 119 string
ATTRIBUTE Sip-URI-User 208 string
ATTRIBUTE Sip-Group 211 string
ATTRIBUTE Sip-RPId 213 string
#### Kamailio ####
ATTRIBUTE SIP-AVP 225 string # Proprietary,
avp_radius
ATTRIBUTE Digest-Response 206 string
ATTRIBUTE Digest-Attributes 207 string
ATTRIBUTE Digest-Realm 1063 string
ATTRIBUTE Digest-Nonce 1064 string
ATTRIBUTE Digest-Method 1065 string
ATTRIBUTE Digest-URI 1066 string
ATTRIBUTE Digest-QOP 1067 string
ATTRIBUTE Digest-Algorithm 1068 string
ATTRIBUTE Digest-Body-Digest 1069 string
ATTRIBUTE Digest-CNonce 1070 string
ATTRIBUTE Digest-Nonce-Count 1071 string
ATTRIBUTE Digest-User-Name 1072 string
ATTRIBUTE Digest-User-Password 1073 string
#
# Integer Translations
#
# SIP types
VALUE Sip-Method Other 0
VALUE Sip-Method Invite 1
VALUE Sip-Method Cancel 2
VALUE Sip-Method Ack 3
VALUE Sip-Method Bye 4
VALUE Sip-Response-Code Other 0
VALUE Sip-Response-Code Invite 1
VALUE Sip-Response-Code Cancel 2
VALUE Sip-Response-Code Ack 3
VALUE Sip-Response-Code Bye 4
# User Types
VALUE Service-Type Authenticate-Only 8
VALUE Service-Type Call-Check 10
VALUE Service-Type Group-Check 12
VALUE Service-Type Sip-Session 15
VALUE Service-Type Authorize-Only 17
VALUE Service-Type SIP-Caller-AVPs 30 # Proprietary, avp_radius
VALUE Service-Type SIP-Callee-AVPs 31 # Proprietary, avp_radius
# Status Types
VALUE Acct-Status-Type Failed 15
- Include dictionary defined in previous step to be used by radiusclient-ng
Add to the end of radiusclient-ng dictionary file
(/usr/local/etc/radiusclient-ng/dictionary) an include directive for
the file created in the previous step
$INCLUDE dictionary.luciano
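As an added illustration (not code from the notes, from Kamailio or from freeRADIUS's rlm_digest), this is the check the RADIUS server performs with the Digest-* attributes listed in the dictionary above: it recomputes the RFC 2617 response from the user's Cleartext-Password and compares it with Digest-Response. The users table, nonce, cnonce and URI values are constructed.

```python
import hashlib
import hmac

# Constructed users table mirroring the freeRADIUS "users" entries in the notes:
# auth_radius sends User-Name as user@realm, and the server needs the cleartext
# password (or a precomputed HA1) to recompute the response on its side.
USERS = {
    "1001@lucio01.net": "test123",
    "1002@lucio01.net": "test123",
}


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def expected_response(attrs: dict, password: str) -> str:
    """Recompute the RFC 2617 response from the Digest-* attributes.
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri); with qop=auth the
    nonce-count and cnonce are mixed in, otherwise the older RFC 2069 form."""
    ha1 = md5_hex("%s:%s:%s" % (attrs["Digest-User-Name"], attrs["Digest-Realm"], password))
    ha2 = md5_hex("%s:%s" % (attrs["Digest-Method"], attrs["Digest-URI"]))
    if attrs.get("Digest-QOP") == "auth":
        return md5_hex(":".join([ha1, attrs["Digest-Nonce"], attrs["Digest-Nonce-Count"],
                                 attrs["Digest-CNonce"], "auth", ha2]))
    return md5_hex("%s:%s:%s" % (ha1, attrs["Digest-Nonce"], ha2))


def verify_digest(attrs: dict, users: dict = USERS) -> bool:
    """Accept only if the user exists in that realm and the client's
    Digest-Response equals the recomputed one (constant-time compare, so a
    wrong guess does not leak how many leading bytes matched).
    Nonce freshness is not checked here: auth_radius does that itself
    (the check_nonce() line in the debug log) before the RADIUS round trip."""
    password = users.get("%s@%s" % (attrs["Digest-User-Name"], attrs["Digest-Realm"]))
    if password is None:
        return False
    return hmac.compare_digest(expected_response(attrs, password),
                               attrs["Digest-Response"].lower())


def sample_request(password: str = "test123", qop: bool = True) -> dict:
    """Constructed Access-Request attribute set for a REGISTER by 1001, as a
    phone would produce it with the given password (nonce/cnonce are made up)."""
    attrs = {
        "Digest-User-Name": "1001",
        "Digest-Realm": "lucio01.net",
        "Digest-Method": "REGISTER",
        "Digest-URI": "sip:lucio01.net",
        "Digest-Nonce": "5e2a0c1f8b7d4e6a9c3b1d0f2a4c6e8b",
    }
    if qop:
        attrs.update({"Digest-QOP": "auth", "Digest-Nonce-Count": "00000001",
                      "Digest-CNonce": "0a4f113b"})
    attrs["Digest-Response"] = expected_response(attrs, password)
    return attrs
```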
On Fri, Aug 6, 2010 at 7:06 AM, Daniel-Constantin Mierla
<miconda(a)gmail.com> wrote:
Hello,
the radius client library has a file where you configure the servers, have
you configured it?
http://www.kamailio.org/docs/openser-radius-1.0.x.html#radiusclient_ng_serv…
Cheers,
Daniel
On 8/3/10 10:13 AM, Pratik Shrestha wrote:
Dear Daniel,
Yeah right. I totally forgot, it's a reverse DNS.
Now I checked the radius server in debug mode and I cannot see any request
from openser trying to connect to radius server. So, the request from
openser is not reaching the radius server.
Then I installed wireshark and checked the IP address 128.185.38.162 (radius
server IP address) in the server where openser was installed. There also I did
not find any entry related to 128.185.38.16.
So, it seems my configuration is wrong. I am sending you the configuration
of openser.cfg and radiusclient.conf.
openser.cfg
isoftel@isoftel-desktop:~$ cd /usr/local/etc/openser/
isoftel@isoftel-desktop:/usr/local/etc/openser$ cat openser.cfg
#
# $Id$
#
# radius config script
#

# ----------- global configuration parameters ------------------------

debug=6           # debug level (cmd line: -dddddddddd)
log_stderror=yes  # (cmd line: -E)
check_via=no      # (cmd. line: -v)
dns=no            # (cmd. line: -r)
rev_dns=no        # (cmd. line: -R)
port=5060
children=4
#listen=udp:localhost
#alias="kamailio.org"
fifo="/tmp/openser_fifo"

# ------------------ module loading ----------------------------------

mpath="/usr/local/lib/openser/modules"
loadmodule "mysql.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "avpops.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "xlog.so"
loadmodule "uri.so"
loadmodule "acc.so"
loadmodule "auth.so"
loadmodule "auth_radius.so"
loadmodule "group_radius.so"
loadmodule "avp_radius.so"

# ----------------- setting module-specific parameters ---------------

# -- usrloc params --
#modparam("usrloc","db_url","mysql://openser:openserrw@localhost/openser")
modparam("usrloc", "db_mode", 2)

# -- acc params --
modparam("acc", "radius_flag", 1)
modparam("acc", "radius_missed_flag", 2)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 1)
modparam("acc", "service_type", 15)
modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp")
modparam("acc|auth_radius|group_radius|avp_radius", "radius_config",
         "/etc/radiusclient-ng/radiusclient.conf")

# -- group_radius params --
modparam("group_radius", "use_domain", 1)

# -- avpops params --
modparam("avpops", "avp_aliases", "day=i:101;time=i:102")

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# ------------------------- request routing logic -------------------

# main routing logic
route{
    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        exit;
    };
    if (msg:len >= 2048 ) {
        sl_send_reply("513", "Message too big");
        exit;
    };

    # check if user is suspended
    if(is_method("REGISTER|INVITE|MESSAGE|OPTIONS|SUBSCRIBE"))
    {
        if (radius_is_user_in("From", "suspended")) {
            sl_send_reply("403", "Forbidden - suspended");
            exit;
        };
    };

    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol
    if (!method=="REGISTER")
        record_route();

    # subsequent messages within a dialog should take the
    # path determined by record-routing
    if (loose_route()) {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        if(is_method("BYE"))
        { # log it all the time
            acc_rad_request("200 ok");
            acc_log_request("200 ok");
        }
        route(1);
    };

    if(is_method("INVITE") && !has_totag())
    { # set the acc flags
        setflag(1);
        setflag(2);
    };

    if (!uri==myself) {
        # check if user is allowed to do voip calls to other domains
        if(is_method("INVITE|MESSAGE")) {
            if (!radius_is_user_in("From", "voip")) {
                sl_send_reply("403", "Forbidden VoIP");
                exit;
            };
        };
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        route(1);
    };

    # if the request is for other domain use UsrLoc
    # (in case, it does not work, use the following command
    # with proper names and addresses in it)
    if (uri==myself) {
        # authenticate registers
        if (method=="REGISTER") {
            if (!radius_www_authorize("")) {
                www_challenge("", "1");
                exit;
            };
            # check the src ip address
            if(!avp_check("i:2", "eq/$src_ip/ig"))
            {
                sl_send_reply("403", "Forbidden IP");
                exit;
            };
            save("location");
            exit;
        };

        # calls to pstn
        if(uri=~"sip:00[1-9][0-9]+@") {
            if(is_method("INVITE") && !has_totag()) {
                if (!radius_is_user_in("From", "pstn")) {
                    sl_send_reply("403", "Forbidden PSTN");
                    exit;
                };
            };
            # set gateway address
            rewritehostport("localhost:5090");
            route(1);
        };

        # load callee's avps
        if(avp_load_radius("callee"))
        {
            # check if user has time filter enabled
            if(avp_check("i:3", "eq/i:1"))
            {
                # print time in an avp
                avp_printf("i:100", "$Tf");
                # extract day
                avp_subst("i:100/i:101", "/(.{3}) .+/*\1*/");
                if(!avp_check("i:6", "fm/$day")) {
                    sl_send_reply("403", "Forbidden - day");
                    exit;
                };
                # extract 'hours:minutes'
                avp_subst("i:100/i:102", "/(.{10}) (.{5}):.+/\2/");
                if((is_avp_set("i:4") && avp_check("i:4", "gt/$time"))
                   || (is_avp_set("i:5") && avp_check("i:5", "lt/$time"))) {
                    sl_send_reply("403", "Forbidden - time");
                    exit;
                };
            };
        };

        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) {
            # log to acc as missed call
            acc_rad_request("404 Not Found");
            acc_log_request("404 Not Found");
            sl_send_reply("404", "Not Found");
            exit;
        };
        append_hf("P-hint: usrloc applied\r\n");
    };
    route(1);
}

# generic forward
route[1] {
    # send it out now; use stateful forwarding as it works reliably
    # even for UDP2TCP
    if (!t_relay()) {
        sl_reply_error();
    };
    exit;
}
radiusclient-ng.conf
# General settings

# specify which authentication comes first respectively which
# authentication is used. possible values are: "radius" and "local".
# if you specify "radius,local" then the RADIUS server is asked
# first then the local one. if only one keyword is specified only
# this server is asked.
auth_order radius
#add 'local' with comma

# maximum login tries a user has
login_tries 4

# timeout for all login tries
# if this time is exceeded the user is kicked out
login_timeout 60

# name of the nologin file which when it exists disables logins.
# it may be extended by the ttyname which will result in
# a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
# logins on /dev/ttyS2)
nologin /etc/nologin

# name of the issue file. it's only displayed when no username is passed
# on the radlogin command line
issue /etc/radiusclient-ng/issue

# RADIUS settings

# RADIUS server to use for authentication requests. this config
# item can appear more than one time. if multiple servers are
# defined they are tried in a round robin fashion if one
# server is not answering.
# optionally you can specify the port number on which the remote
# RADIUS server listens, separated by a colon from the hostname. if
# no port is specified /etc/services is consulted for the radius
# service. if this fails also a compiled in default is used.
authserver 128.185.38.162

# RADIUS server to use for accounting requests. All that I
# said for authserver applies, too.
#
acctserver 128.185.38.162

# file holding shared secrets used for the communication
# between the RADIUS client and server
servers /etc/radiusclient-ng/servers

# dictionary of allowed attributes and values
# just like in the normal RADIUS distributions
dictionary /etc/radiusclient-ng/dictionary

# program to call for a RADIUS authenticated login
login_radius /usr/sbin/login.radius

# file which holds sequence number for communication with the
# RADIUS server
seqfile /var/run/radius.seq

# file which specifies mapping between ttyname and NAS-Port attribute
mapfile /etc/radiusclient-ng/port-id-map

# default authentication realm to append to all usernames if no
# realm was explicitly specified by the user
# the radiusd directly from Livingston doesn't use any realms, so leave
# it blank then
default_realm

# time to wait for a reply from the RADIUS server
radius_timeout 10

# resend request this many times before trying the next server
radius_retries 3

# local address from which radius packets have to be sent
bindaddr localhost
#change with 'localhost'

# LOCAL settings

# program to execute for local login
# it must support the -f flag for preauthenticated login
login_local /bin/login
I have edited servers file also with the servername and secret.
Thank you very much.
Regards,
Pratik
On Mon, Aug 2, 2010 at 11:26 PM, Daniel-Constantin Mierla
<miconda(a)gmail.com> wrote:
Hello,
On 8/2/10 12:36 PM, Pratik Shrestha wrote:
Dear Daniel,
Now the new issue. Seems now openser is trying to talk with radius server.
But still I am getting the one error in syslog which is as follows.
rc_send_server: no reply from RADIUS server 128-185-38-162.totisp.net:1812
Actually I have written only 128.185.38.162 in auth_server in
radiusclient.conf. I don't know how this totisp.net is added. I haven't
mentioned it anywhere.
Probably reverse DNS is done in the library; it is not relevant anyhow.
Can you start the radius server in debug mode and see if it gets any request?
You can also do a ngrep/wireshark on port 1812 of your radius server to
watch for network packets coming from kamailio.
Cheers,
Daniel
Please help me.
Thanks.
Regards,
Pratik
On Mon, Aug 2, 2010 at 11:44 AM, Pratik Shrestha <pratikdbl(a)gmail.com>
wrote:
Dear Daniel,
Before I work on the new version, I am first trying to configure the old
version of openser and radius. I am using openser version 1.0.1 and radius
client version 0.5.1 and I am following the tutorial given in
http://kamailio.net/docs/openser-radius-1.0.x.html.
My freeradius server is in another machine and when I use radclient to
check the user I made, I get the "Authenticated" message.
But when I use X-lite and connect to openser, it seems openser is not
talking with freeradius servers. I am sure the "secret" I am using is right
as I have already tested from radclient. The log which I am getting in
openser is as shown below
9(1986) SIP Request:
9(1986) method: <REGISTER>
9(1986) uri: <sip:192.168.0.56>
9(1986) version: <SIP/2.0>
9(1986) parse_headers: flags=2
9(1986) Found param type 232, <branch> = <z9hG4bK-d8754z-c33212005635f16c-1---d8754z->; state=6
9(1986) Found param type 235, <rport> = <n/a>; state=17
9(1986) end of header reached, state=5
9(1986) parse_headers: Via found, flags=2
9(1986) parse_headers: this is the first via
9(1986) After parse_msg...
9(1986) preparing to run routing scripts...
9(1986) parse_headers: flags=100
9(1986) DEBUG:maxfwd:is_maxfwd_present: value = 70
9(1986) parse_headers: flags=10
9(1986) DEBUG:parse_to:end of header reached, state=9
9(1986) DEBUG: get_hdr_field: <To> [44]; uri=[sip:101%40kamailio.org@192.168.0.56]
9(1986) DEBUG: to body ["101"<sip:101%40kamailio.org@192.168.0.56>]
9(1986) DEBUG: add_param: tag=cc6e4259
9(1986) DEBUG:parse_to:end of header reached, state=29
9(1986) radius_is_user_in(): Failure
9(1986) parse_headers: flags=200
9(1986) get_hdr_field: cseq <CSeq>: <2> <REGISTER>
9(1986) DEBUG: get_hdr_body : content_length=0
9(1986) found end of header
9(1986) find_first_route: No Route headers found
9(1986) loose_route: There is no Route HF
9(1986) grep_sock_info - checking if host==us: 12==9 && [192.168.0.56] == [127.0.0.1]
9(1986) grep_sock_info - checking if port 5060 matches port 5060
9(1986) grep_sock_info - checking if host==us: 12==12 && [192.168.0.56] == [192.168.0.56]
9(1986) grep_sock_info - checking if port 5060 matches port 5060
9(1986) grep_sock_info - checking if host==us: 12==9 && [192.168.0.56] == [127.0.0.1]
9(1986) grep_sock_info - checking if port 5060 matches port 5060
9(1986) grep_sock_info - checking if host==us: 12==12 && [192.168.0.56] == [192.168.0.56]
9(1986) grep_sock_info - checking if port 5060 matches port 5060
9(1986) check_nonce(): comparing [4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c] and [4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c]
9(1986) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
9(1986) build_auth_hf(): 'WWW-Authenticate: Digest realm="192.168.0.56", nonce="4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c"
'
9(1986) parse_headers: flags=ffffffffffffffff
9(1986) check_via_address(192.168.0.148, 192.168.182.3, 0)
9(1986) DEBUG:destroy_avp_list: destroying list (nil)
9(1986) receive_msg: cleaning up
At freeradius also, no request goes from openser.
Please advise me how to get rid of this problem.
Best Regards,
Pratik
On Wed, Jul 28, 2010 at 5:56 PM, Pratik Shrestha <pratikdbl(a)gmail.com>
wrote:
Thanks a lot. I will give it a try
Pratik
On Wed, Jul 28, 2010 at 3:48 PM, Daniel-Constantin Mierla
<miconda(a)gmail.com> wrote:
>
> Hello,
>
> On 7/22/10 6:06 AM, Pratik Shrestha wrote:
>>
>> Dear All,
>>
>> I am very new to OpenSer. I want to use latest version of OpenSer with
>> Radius. I need the documentation/tutorial on how to do this. Googling, I only
>> found for the old version. Please help me.
>
> indeed, there is a rather old version:
>
>
> http://www.kamailio.org/docs/openser-radius-1.0.x.html
>
> What I can say now is that you can skip the part of installing kamailio
> and use next link instead:
>
>
> http://www.kamailio.org/dokuwiki/doku.php/install:kamailio-3.0.x-from-git
>
> Radius client library is now in most of common Linux distributions, so
> you can install it with the package manager (you need the devel headers as
> well, the -dev package).
>
> FreeRadius configuration should be more or less the same.
>
> The config of kamailio has changed quite a lot. Use the default one
> from kamailio, follow the WITH_AUTH define conditions and replace auth_db
> with auth_radius modules and functions. Also, the rest of radius modules
> were merged into misc_radius. For enabling radius acc, you need to recompile
> acc module after editing the Makefile in module directory.
>
> Hope it helps to start, ask here if you get stuck.
>
> Cheers,
> Daniel
>
> --
> Daniel-Constantin Mierla
>
> http://www.asipto.com/
>
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users