Hello, Daniel, thank you for your attention to my problem.
I actually don't need accounting support; I just want to implement authorization using RADIUS. But for testing purposes, I loaded the acc module and set the "radius_extra" param. Nothing has changed.
Here is a part of my config:
...
# acc module: loaded for testing only (see the message text); radius_extra
# maps the RADIUS User-Name attribute to $Au for accounting requests.
modparam("acc", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
modparam("acc", "radius_extra", "User-Name=$Au")
...
# auth_radius module: same radiusclient-ng configuration file as acc.
# auth_extra adds NAS-Identifier, taken from $var(ident), to each request;
# the FreeRADIUS log in this message shows it as "kamserv.example.com".
modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
modparam("auth_radius", "auth_extra", "NAS-Identifier=$var(ident)")
...
route {
    # Definitions: $var(ident) must be assigned before route(3) runs,
    # because auth_extra reads it when the RADIUS request is built.
    $var(ident) = "kamserv.example.com";
    ...
    route(3); # Auth: all authentication/authorization lives in route[3]
    ...
}
...
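# route[3] - authentication and authorization, called from the main route.
#
# REGISTER: accepted only when is_from_local() is true; credentials are
#   verified through RADIUS with the To domain as realm. The authenticated
#   user must equal both the To and the From user, and the source address
#   must match $avp(s:ip) unless that AVP is 'any'. Only then are the
#   per-user AVPs written to the database.
# Other methods: one fixed source address passes without authentication;
#   everything else must be local, pass RADIUS proxy authentication, the
#   source-address check and an auth-ID check.
#
# $avp(s:ip), $avp(s:dpid), $avp(s:fr_timer) and $avp(s:calls_limit) are not
# assigned anywhere in this excerpt - presumably they are filled from the
# RADIUS reply; confirm against the full configuration.
route[3] {
    if (is_method("REGISTER")) {
        if (is_from_local()) {
            if (!radius_www_authorize("$td")) {
                # No or invalid credentials: challenge and stop.
                # Flag "1" - the logged requests carry Digest-QOP = "auth".
                www_challenge("$sel(to.uri.host)", "1");
                exit;
            } else {
                # Identity and source-address checks run BEFORE any database
                # write. The original stored the AVPs under $sel(to.uri)
                # first, so a REGISTER that authenticated as one user but
                # named another user in To modified that other user's stored
                # AVPs before being answered with 403.
                if (($au!=$sel(to.uri.user))||($au!=$sel(from.uri.user))) {
                    sl_send_reply("403","Forbidden auth ID");
                    exit;
                } else {
                    if ($avp(s:ip)!='any' && $sel(src.ip)!=$avp(s:ip)) {
                        sl_send_reply("403","Forbidden");
                        exit;
                    }
                }

                # All checks passed: replace the stored AVPs for this To URI
                # (delete the old values, then store the current ones).
                avp_db_delete("$sel(to.uri)","$avp(s:ip)");
                avp_db_delete("$sel(to.uri)","$avp(s:dpid)");
                avp_db_delete("$sel(to.uri)","$avp(s:fr_timer)");
                avp_db_delete("$sel(to.uri)","$avp(s:calls_limit)");
                avp_db_store("$sel(to.uri)","$avp(s:ip)");
                avp_db_store("$sel(to.uri)","$avp(s:dpid)");
                avp_db_store("$sel(to.uri)","$avp(s:fr_timer)");
                avp_db_store("$sel(to.uri)","$avp(s:calls_limit)");
            }
        } else {
            # REGISTER for a domain this server is not responsible for.
            sl_send_reply("403","Forbidden");
            exit;
        }
    } else {
        # NOTE(review): requests from this single source address skip
        # authentication entirely. Source-address trust is only as strong
        # as the network path in front of the proxy; make sure filtering
        # upstream guarantees the address cannot be used by other hosts.
        if ($sel(src.ip)=="192.168.0.2") {
            return;
        } else if (is_from_local()) {
            if (!radius_proxy_authorize("$sel(from.uri.host)","$sel(from.uri.user)")) {
                proxy_challenge("$sel(from.uri.host)", "1");
                exit;
            }
            # Bind the authenticated user to its permitted source address.
            if ($avp(s:ip)!='any' && $sel(src.ip)!=$avp(s:ip)) {
                sl_send_reply("403","Forbidden");
                exit;
            }
            # The authenticated ID must own the identity the request acts
            # for: the To user for PUBLISH, the From user for anything else.
            if (is_method("PUBLISH")) {
                if ($au!=$sel(to.uri.user)) {
                    sl_send_reply("403","Forbidden auth ID");
                    exit;
                }
            } else if ($au!=$sel(from.uri.user)) {
                sl_send_reply("403","Forbidden auth ID");
                exit;
            }
            # Remove the verified credentials before the request is relayed.
            consume_credentials();
        } else {
            # Neither the trusted address nor a local From domain.
            sl_send_reply("403","Forbidden");
            exit;
        }
    }
}
...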
And again a part of the freeradius log:
rad_recv: Access-Request packet from host 127.0.0.1 port 58933, id=135, length=298 *User-Name = "2219001@example.com"* Digest-Attributes = 0x0a0932323139303031 Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275 Digest-Attributes = 0x0222545848676630317833314f7076767759512b6b73674c63554d51784f6c347634 Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275 Digest-Attributes = 0x030a5245474953544552 Digest-Attributes = 0x050661757468 Digest-Attributes = 0x090a3030303030303031 Digest-Attributes = 0x080c39636238383130616531 Digest-Response = "efdcf92b58f694b97928856614057436" Service-Type = Sip-Session Sip-Uri-User = "2219001" *User-Name = "call-id=zomdnicqsndxrnh@koffe-work"* NAS-Identifier = "kamserv.example.com" NAS-Port = 5060 NAS-IP-Address = 127.0.0.1
Regards, Fedor.
2011/3/5 Daniel-Constantin Mierla miconda@gmail.com
Hello,
what is the value of parameter radius_extra for acc module?
Cheers, Daniel
On 3/4/11 1:06 PM, Kosilov Fedor wrote:
Hello List!
I'm trying to set up authorization with our proprietary billing RADIUS server, using FreeRADIUS as a proxy. Currently I'm experiencing the following problem:
The Access-Request packet sent by Kamailio contains two User-Name attributes. Here is a log from the FreeRADIUS server:
rad_recv: Access-Request packet from host 127.0.0.1 port 59294, id=112, length=298 User-Name = "2219001@example.com" Digest-Attributes = 0x0a0932323139303031 Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275 Digest-Attributes = 0x022254584452634531773045524b7368796f30684a70544f4f6a69424d386b32534a Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275 Digest-Attributes = 0x030a5245474953544552 Digest-Attributes = 0x050661757468 Digest-Attributes = 0x090a3030303030303031 Digest-Attributes = 0x080c32383034636535373032 Digest-Response = "e79b47955c02401fe52d05f7956609aa" Service-Type = Sip-Session Sip-Uri-User = "2219001"
*User-Name = "call-id=domcmqmnychbwlp@koffe-work"* NAS-Identifier = "kamserv.example.com" NAS-Port = 5060 NAS-IP-Address = 127.0.0.1
# Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [digest] Checking for correctly formatted Digest-Attributes [digest] Digest-Attributes look OK. Converting them to something more usful. Digest-User-Name = "2219001" Digest-Realm = "example.com" Digest-Nonce = "TXDRcE1w0ERKshyo0hJpTOOjiBM8k2SJ" Digest-URI = "sip:example.com" Digest-Method = "REGISTER" Digest-QOP = "auth" Digest-Nonce-Count = "00000001" Digest-CNonce = "2804ce5702" [digest] Adding Auth-Type = DIGEST ++[digest] returns ok [suffix] Looking up realm "example.com" for User-Name = " 2219001@example.com" [suffix] Found realm "example.com" [suffix] Adding Realm = "example.com" [suffix] Proxying request from user 2219001 to realm example.com [suffix] Preparing to proxy authentication request to realm "example.com" ++[suffix] returns updated [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Sending Access-Request of id 250 to 127.0.0.1 port 1822 User-Name = "2219001@example.com" Digest-Attributes = 0x0a0932323139303031 Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275 Digest-Attributes = 0x022254584452634531773045524b7368796f30684a70544f4f6a69424d386b32534a Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275 Digest-Attributes = 0x030a5245474953544552 Digest-Attributes = 0x050661757468 Digest-Attributes = 0x090a3030303030303031 Digest-Attributes = 0x080c32383034636535373032 Digest-Response = "e79b47955c02401fe52d05f7956609aa" Service-Type = Sip-Session Sip-Uri-User = "2219001"
*User-Name = "call-id=domcmqmnychbwlp@koffe-work"* NAS-Identifier = "kamserv.example.com" NAS-Port = 5060 NAS-IP-Address = 127.0.0.1 Proxy-State = 0x313132
Proxying request 1 to home server 127.0.0.1 port 1822
As I understand it, this second User-Name attribute is supposed to be a call-id attribute, not a User-Name.
-- Daniel-Constantin Mierla http://www.asipto.com