Hi,
you cannot alter the content of the radius auth request only if you get into sources. Are you sure you need to do this? isn't it just a matter of configuration on your RADIUS server? what server are you using? and what is the logged error from server?
regards, bogdan
Arda Tekin wrote:
OK. I have found the problem:
First I made some modifiacations: in the radiusclient.conf auth_order radius authserver 192.168.1.3:1812 acctserver 192.168.1.3:1813 dictionary /usr/local/etc/radiusclient-ng/dictionary (this files is the modified. dictionary.radius+dictionary = dictionary)
in the openser.cfg if (!radius_www_authorize("")) { www_challenge("", "1"); exit; }; http://www.iptel.org/ser/doc/ser_radius/ser_radius.html --> good reference
But there is still the same problem. rc_auth fails. Because when I check radiusclient-ng.0.5.2 release notes, I see that "Change default bindaddr from localhost to *, this is better default choice; " When I replaced "bindaddr *" with "bindaddr localhost" then openser could send the radius authentication packet successfully.
But I have a new problem. I get access-reject from radius server. Because Radius server does not like the authentication packet parameters.
Radius Access-Request packet
Frame 4 (285 bytes on wire, 285 bytes captured) Ethernet II, Src: 00:0c:29:66:be:30, Dst: 00:0f:66:bf:e3:26 Internet Protocol, Src Addr: 192.168.1.5 (192.168.1.5), Dst Addr: 192.168.1.3 (192.168.1.3) User Datagram Protocol, Src Port: 33029 (33029), Dst Port: radius (1812) Radius Protocol Code: Access Request (1) Packet identifier: 0x82 (130) Length: 243 Authenticator: 0xD111DF9D4AB93482DDFE5494DA739935 Attribute value pairs t:User Name(1) l:21, Value:"openser@192.168.1.5" User-Name: openser@192.168.1.5 t:Unknown Type(207) l:11, Value:Unknown Value Type t:Unknown Type(207) l:15, Value:Unknown Value Type t:Unknown Type(207) l:44, Value:Unknown Value Type t:Unknown Type(207) l:19, Value:Unknown Value Type t:Unknown Type(207) l:12, Value:Unknown Value Type t:Unknown Type(207) l:8, Value:Unknown Value Type t:Unknown Type(207) l:12, Value:Unknown Value Type t:Unknown Type(207) l:20, Value:Unknown Value Type t:Unknown Type(206) l:34, Value:Unknown Value Type t:Service Type(6) l:6, Value:IAPP-Register(15) Service-Type: IAPP-Register (15) t:Unknown Type(208) l:9, Value:Unknown Value Type t:NAS Port(5) l:6, Value:5060 t:NAS IP Address(4) l:6, Value:192.168.1.5 Nas IP Address: 192.168.1.5 (192.168.1.5)
Radius Access-Reject packet
Frame 5 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: 00:0f:66:bf:e3:26, Dst: 00:0c:29:66:be:30 Internet Protocol, Src Addr: 192.168.1.3 (192.168.1.3), Dst Addr: 192.168.1.5 (192.168.1.5) User Datagram Protocol, Src Port: radius (1812), Dst Port: 33029 (33029) Radius Protocol Code: Access Reject (3) Packet identifier: 0x82 (130) Length: 20 Authenticator: 0xD0427CE5ECB9E77369587E30B48D0B99
So I need to modify the outgoing packet params. Is it possible? And Can I also send additional "Vendor Specific Attribute" parameters?
Regards
Arda
----- Original Message ----- From: "Arda Tekin" arda@nicivr.com To: "Bogdan-Andrei Iancu" bogdan@voice-system.ro Cc: users@openser.org Sent: Saturday, November 26, 2005 2:40 PM Subject: Re: [Users] How can I send radius authentication packet with openser
I have also compiled "avp_radius" module and load it in openser.cfg. Nothing changed.
Sip Client IP: 192.168.1.2 OpenSER: 192.168.1.5 Radius Server: 192.168.1.3
Here is the openser debug log:
[root@localhost openser]# 6(2884) SIP Request: 6(2884) method: <REGISTER> 6(2884) uri: sip:192.168.1.5 6(2884) version: <SIP/2.0> 6(2884) parse_headers: flags=2 6(2884) DEBUG:parse_to:end of header reached, state=9 6(2884) DEBUG: get_hdr_field: <To> [36]; uri=[sip:arda@192.168.1.5] 6(2884) DEBUG: to body [arda_eyebeamsip:arda@192.168.1.5 ] 6(2884) Found param type 232, <branch> = <z9hG4bK-d87543-622802375-1--d87543->; state=6 6(2884) Found param type 235, <rport> = <n/a>; state=17 6(2884) end of header reached, state=5 6(2884) parse_headers: Via found, flags=2 6(2884) parse_headers: this is the first via 6(2884) After parse_msg... 6(2884) preparing to run routing scripts... 6(2884) parse_headers: flags=100 6(2884) get_hdr_field: cseq <CSeq>: <1> <REGISTER> 6(2884) DEBUG:maxfwd:is_maxfwd_present: value = 70 6(2884) parse_headers: flags=200 6(2884) DEBUG: get_hdr_body : content_length=0 6(2884) found end of header 6(2884) find_first_route: No Route headers found 6(2884) loose_route: There is no Route HF 6(2884) grep_sock_info - checking if host==us: 11==9 && [192.168.1.5] == [127.0.0.1] 6(2884) grep_sock_info - checking if port 5060 matches port 5060 6(2884) grep_sock_info - checking if host==us: 11==11 && [192.168.1.5] == [192.168.1.5] 6(2884) grep_sock_info - checking if port 5060 matches port 5060 6(2884) grep_sock_info - checking if host==us: 11==9 && [192.168.1.5] == [127.0.0.1] 6(2884) grep_sock_info - checking if port 5060 matches port 5060 6(2884) grep_sock_info - checking if host==us: 11==11 && [192.168.1.5] == [192.168.1.5] 6(2884) grep_sock_info - checking if port 5060 matches port 5060 6(2884) parse_headers: flags=2000 6(2884) pre_auth(): Credentials with given realm not found 6(2884) REGISTER: challenging user2 6(2884) build_auth_hf(): 'WWW-Authenticate: Digest realm="192.168.1.5", nonce="438222d8c7aac499351c46bad60c32a2c03eb751" ' 6(2884) parse_headers: flags=ffffffffffffffff 6(2884) check_via_address(192.168.1.2, 192.168.1.2, 0) 6(2884) DEBUG:destroy_avp_list: destroying list (nil) 6(2884) receive_msg: cleaning up 6(2884) SIP Request: 6(2884) method: <REGISTER> 6(2884) uri: sip:192.168.1.5 6(2884) version: <SIP/2.0> 6(2884) parse_headers: flags=2 6(2884) DEBUG:parse_to:end of header reached, state=9 6(2884) DEBUG: get_hdr_field: <To> [36]; uri=[sip:arda@192.168.1.5] 6(2884) DEBUG: to body [arda_eyebeamsip:arda@192.168.1.5 ] 6(2884) Found param type 232, <branch> = <z9hG4bK-d87543-907902613-1--d87543->; state=6 6(2884) Found param type 235, <rport> = <n/a>; state=17 6(2884) end of header reached, state=5 6(2884) parse_headers: Via found, flags=2 6(2884) parse_headers: this is the first via 6(2884) After parse_msg... 6(2884) preparing to run routing scripts... 6(2884) parse_headers: flags=100 6(2884) get_hdr_field: cseq <CSeq>: <2> <REGISTER> 6(2884) DEBUG:maxfwd:is_maxfwd_present: value = 70 6(2884) parse_headers: flags=200 6(2884) DEBUG: get_hdr_body : content_length=0 6(2884) found end of header 6(2884) find_first_route: No Route headers found 6(2884) loose_route: There is no Route HF 6(2884) grep_sock_info - checking if host==us: 11==9 && [192.168.1.5] == [127.0.0.1] 6(2884) grep_sock_info - checking if port 5060 matches port 5060 6(2884) grep_sock_info - checking if host==us: 11==11 && [192.168.1.5] == [192.168.1.5] 6(2884) grep_sock_info - checking if port 5060 matches port 5060 6(2884) grep_sock_info - checking if host==us: 11==9 && [192.168.1.5] == [127.0.0.1] 6(2884) grep_sock_info - checking if port 5060 matches port 5060 6(2884) grep_sock_info - checking if host==us: 11==11 && [192.168.1.5] == [192.168.1.5] 6(2884) grep_sock_info - checking if port 5060 matches port 5060 6(2884) check_nonce(): comparing [438222d8c7aac499351c46bad60c32a2c03eb751] and [438222d8c7aac499351c46bad60c32a2c03eb751] 6(2884) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed 6(2884) REGISTER: challenging user2 6(2884) build_auth_hf(): 'WWW-Authenticate: Digest realm="192.168.1.5", nonce="438222d8c7aac499351c46bad60c32a2c03eb751" ' 6(2884) parse_headers: flags=ffffffffffffffff 6(2884) check_via_address(192.168.1.2, 192.168.1.2, 0) 6(2884) DEBUG:destroy_avp_list: destroying list (nil) 6(2884) receive_msg: cleaning up
As I see in the sterman.c source rc_auth fails:
/* Send request */ if ((i = rc_auth(rh, SIP_PORT, send, &received, msg)) == OK_RC) { DBG("DEBUG:auth_radius:radius_authorize_sterman: Success\n"); rc_avpair_free(send); send = 0;
generate_avps(received);
rc_avpair_free(received); return 1; } else { LOG(L_ERR,"ERROR:auth_radius:radius_authorize_sterman: " "rc_auth failed\n"); goto err; }
Any opinion?
Thanks in advance
Arda
----- Original Message ----- From: "Bogdan-Andrei Iancu" bogdan@voice-system.ro To: "Arda Tekin" arda@nicivr.com Cc: users@openser.org Sent: Friday, November 25, 2005 5:00 PM Subject: Re: [Users] How can I send radius authentication packet with openser
Hi Arda,
you need to use auth_radius for this purpose. See: http://www.openser.org/docs/modules/1.1.x/auth_radius.html
regards, bogdan
Arda Tekin wrote:
Hi, I have installed openser, mysql, radiusclient-ng-0.5.2 successfully on REL3.0. openser works well with mysql. I need to send a radius authentication packet to a radius server(according to RFC2865). Packet contains base params:
User-name (attr.1) $Username
Password (attr.2) $Password
NAS-Identifier (attr.4) (auto-generated)
NAS-Port (attr.5) $uref
State (attr.24) 0
Client-Port-DNIS (attr.30) NONE
Caller-Id (attr.31) $calling
I can not find a clear sample about radius. Which module is used for this purpose? Regards Arda
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users