Hello, Daniel, thank you for your attention to my problem.

I actually don't need accounting support, I just want to implement an authorization using radius.
But for testing purposes, I loaded the acc module and set "radius_extra" param. Nothing has changed.
 
Here is a part of my config:


...
modparam("acc", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
modparam("acc", "radius_extra", "User-Name=$Au")
...
modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
modparam("auth_radius", "auth_extra",  "NAS-Identifier=$var(ident)")
...
route {
        #Definitions
        $var(ident) = "kamserv.example.com";
...
route(3); #Auth
...
}

...

route[3] {
        if (is_method("REGISTER"))
        {
                if (is_from_local()) {
                        if (!radius_www_authorize("$td"))
                        {
                                www_challenge("$sel(to.uri.host)", "1");
                                exit;
                        } else {
                                        avp_db_delete("$sel(to.uri)","$avp(s:ip)");
                                        avp_db_delete("$sel(to.uri)","$avp(s:dpid)");
                                        avp_db_delete("$sel(to.uri)","$avp(s:fr_timer)");
                                        avp_db_delete("$sel(to.uri)","$avp(s:calls_limit)");
                                        avp_db_store("$sel(to.uri)","$avp(s:ip)");
                                        avp_db_store("$sel(to.uri)","$avp(s:dpid)");
                                        avp_db_store("$sel(to.uri)","$avp(s:fr_timer)");
                                        avp_db_store("$sel(to.uri)","$avp(s:calls_limit)");

                               if ($au!=$sel(to.uri.user))||($au!=$sel(from.uri.user)) {
                                        sl_send_reply("403","Forbidden auth ID");
                                        exit;
                                } else {
                                        if ($avp(s:ip)!='any' && $sel(src.ip)!=$avp(s:ip)) {
                                                sl_send_reply("403","Forbidden");
                                                exit;
                                        }
                                }
                        }

                } else {
                                sl_send_reply("403","Forbidden");
                                exit;
                }
        } else {
                if ($sel(src.ip)=="192.168.0.2") {
                        return;
                } else if (is_from_local()) {
                        if (!radius_proxy_authorize("$sel(from.uri.host)","$sel(from.uri.user)")) {
                                proxy_challenge("$sel(from.uri.host)", "1");
                                exit;
                        }
                        if ($avp(s:ip)!='any' && $sel(src.ip)!=$avp(s:ip)) {
                                 sl_send_reply("403","Forbidden");
                                exit;
                        }

                        if (is_method("PUBLISH"))
                        {
                                if ($au!=$sel(to.uri.user)) {
                                        sl_send_reply("403","Forbidden auth ID");
                                        exit;
                                }
                        } else if ($au!=$sel(from.uri.user)) {
                                sl_send_reply("403","Forbidden auth ID");
                                exit;
                        }
                        consume_credentials();
                } else {
                        sl_send_reply("403","Forbidden");
                        exit;
                }
        }
}
...

And again a part of the freeradius log:

rad_recv: Access-Request packet from host 127.0.0.1 port 58933, id=135, length=298
    User-Name = "2219001@example.com"
    Digest-Attributes = 0x0a0932323139303031
    Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
    Digest-Attributes = 0x0222545848676630317833314f7076767759512b6b73674c63554d51784f6c347634
    Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
    Digest-Attributes = 0x030a5245474953544552
    Digest-Attributes = 0x050661757468
    Digest-Attributes = 0x090a3030303030303031
    Digest-Attributes = 0x080c39636238383130616531
    Digest-Response = "efdcf92b58f694b97928856614057436"
    Service-Type = Sip-Session
    Sip-Uri-User = "2219001"
    User-Name = "call-id=zomdnicqsndxrnh@koffe-work"
    NAS-Identifier = "kamserv.example.com"
    NAS-Port = 5060
    NAS-IP-Address = 127.0.0.1


Regards,
Fedor.



2011/3/5 Daniel-Constantin Mierla <miconda@gmail.com>
Hello,

what is the value of parameter radius_extra for acc module?

Cheers,
Daniel


On 3/4/11 1:06 PM, Kosilov Fedor wrote:
Hello List!

I'm trying to set up authorization with our billing proprietary radius server, using Freeradius as a proxy. Currently I'm experiencing the following problem:

The Access-Request packet, sent by Kamailio, contains two User-Name attribute records
Here is a log from the Freeradius server:

rad_recv: Access-Request packet from host 127.0.0.1 port 59294, id=112, length=298
    User-Name = "2219001@example.com"
    Digest-Attributes = 0x0a0932323139303031
    Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
    Digest-Attributes = 0x022254584452634531773045524b7368796f30684a70544f4f6a69424d386b32534a
    Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
    Digest-Attributes = 0x030a5245474953544552
    Digest-Attributes = 0x050661757468
    Digest-Attributes = 0x090a3030303030303031
    Digest-Attributes = 0x080c32383034636535373032
    Digest-Response = "e79b47955c02401fe52d05f7956609aa"
    Service-Type = Sip-Session
    Sip-Uri-User = "2219001"
    User-Name = "call-id=domcmqmnychbwlp@koffe-work"
    NAS-Identifier = "kamserv.example.com"
    NAS-Port = 5060
    NAS-IP-Address = 127.0.0.1
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[digest] Checking for correctly formatted Digest-Attributes
[digest] Digest-Attributes look OK.  Converting them to something more usful.
    Digest-User-Name = "2219001"
    Digest-Realm = "example.com"
    Digest-Nonce = "TXDRcE1w0ERKshyo0hJpTOOjiBM8k2SJ"
    Digest-URI = "sip:example.com"
    Digest-Method = "REGISTER"
    Digest-QOP = "auth"
    Digest-Nonce-Count = "00000001"
    Digest-CNonce = "2804ce5702"
[digest] Adding Auth-Type = DIGEST
++[digest] returns ok
[suffix] Looking up realm "example.com" for User-Name = "2219001@example.com"
[suffix] Found realm "example.com"
[suffix] Adding Realm = "example.com"
[suffix] Proxying request from user 2219001 to realm example.com
[suffix] Preparing to proxy authentication request to realm "example.com"
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 250 to 127.0.0.1 port 1822
    User-Name = "2219001@example.com"
    Digest-Attributes = 0x0a0932323139303031
    Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
    Digest-Attributes = 0x022254584452634531773045524b7368796f30684a70544f4f6a69424d386b32534a
    Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
    Digest-Attributes = 0x030a5245474953544552
    Digest-Attributes = 0x050661757468
    Digest-Attributes = 0x090a3030303030303031
    Digest-Attributes = 0x080c32383034636535373032
    Digest-Response = "e79b47955c02401fe52d05f7956609aa"
    Service-Type = Sip-Session
    Sip-Uri-User = "2219001"
    User-Name = "call-id=domcmqmnychbwlp@koffe-work"
    NAS-Identifier = "kamserv.example.com"
    NAS-Port = 5060
    NAS-IP-Address = 127.0.0.1
    Proxy-State = 0x313132
Proxying request 1 to home server 127.0.0.1 port 1822

As I understand, this second User-Name attribute has to be a call-id attribute.










_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org


http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

-- 
Daniel-Constantin Mierla
http://www.asipto.com