Hello list,
I've been trying my hardest today to get group_radius to work, and its
function radius_is_user_in().
I'm running ser0.9.4 and freeradius 1.0.4 with the mysql backend and digest
authentication.
Radius authentication works fine.
The problem is that when radius_is_user_in() function gets called, it sends
a radius message but without the User-Password field and freeradius
complains that it requires it since we are using Digest.
I've seen a couple of posts here, but they were never answered:
http://lists.iptel.org/pipermail/serusers/2005-March/017342.html
http://lists.iptel.org/pipermail/serusers/2005-March/017075.html
-----
I have a small test in my ser.cfg file:
if (!radius_www_authorize("")) {
xlog("L_I","%ci - %fu - User not authenticated, Radius
Authenticating...\n");
www_challenge("","0");
break;
} else {
xlog("L_I","%ci - %fu - User authenticated...\n");
};
if (radius_is_user_in("From", "Dialin")){
xlog("L_I","From: User is in Radius Group
Dialin!!!!\n");
} else {
xlog("L_I","From: User *IS NOT* Group
Dialin!!!!!\n");
};
if (radius_is_user_in("Credentials", "Dialin2")){
xlog("L_I","From: User is in Radius Group
Dialin2!!!!\n");
} else {
xlog("L_I","From: User *IS NOT* Group
Dialin2!!!!!\n");
};
-----
In /etc/raddb/users file I have the following at line 152:
DEFAULT Auth-Type = System
Fall-Through = 1
DEFAULT Service-Type == Group-Check, Auth-Type := None
DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
-----
These are mysql tables:
+----+----------+-----------+----+----------+
| id | UserName | Attribute | op | Value |
+----+----------+-----------+----+----------+
| 1 | Jhassell | Password | == | changeme |
| 2 | Rneis | Password | == | changeme |
| 3 | 1000 | Password | == | 1000 |
| 4 | 2000 | Password | == | 2000 |
| 5 | 3000 | Password | == | 3000 |
| 8 | 1000 | Auth-Type | := | Digest |
+----+----------+-----------+----+----------+
+----+-----------+-----------+----+--------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+--------+
| 6 | Dialin | Auth-Type | := | Accept |
+----+-----------+-----------+----+--------+
+----+-----------+---------------+----+----------------------------------+--
----+
| id | GroupName | Attribute | op | Value |
prio |
+----+-----------+---------------+----+----------------------------------+--
----+
| 1 | Dialin | Reply-Message | = | "Authenticated by group Dialin" |
0 |
| 2 | Dialin2 | Reply-Message | = | "Authenticated by group Dialin2" |
0 |
+----+-----------+---------------+----+----------------------------------+--
----+
+----+----------+---------------+----+------------------+
| id | UserName | Attribute | op | Value |
+----+----------+---------------+----+------------------+
| 1 | 1000 | Reply-Message | = | "Authenticated" |
| 2 | 1000 | Sip-Group | = | Dialin |
| 3 | 1000 | SIP-AVP | = | Sip-Group:Dialin |
+----+----------+---------------+----+------------------+
+----+----------+------------+
| id | UserName | GroupName |
+----+----------+------------+
| 1 | Jhassell | Dialin |
| 2 | Rneis | Staticdial |
| 3 | 1000 | Dialin |
| 4 | 2000 | Dialin |
| 5 | 3000 | Dialin |
| 6 | 3000 | Dialin2 |
+----+----------+------------+
------
This is the debug I get from freeradius for the group check:
rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15,
length=67
User-Name = "1000(a)xx.xx.xx.xx"
Sip-Group = "Dialin2"
Service-Type = Group-Check
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 74
modcall[authorize]: module "preprocess" returns ok for request 74
modcall[authorize]: module "chap" returns noop for request 74
modcall[authorize]: module "mschap" returns noop for request 74
modcall[authorize]: module "digest" returns noop for request 74
rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
"1000(a)xx.xx.xx.xx"
rlm_realm: Found realm "xx.xx.xx.xx"
rlm_realm: Adding Stripped-User-Name = "1000"
rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
rlm_realm: Adding Realm = "xx.xx.xx.xx"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 74
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 74
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 158
modcall[authorize]: module "files" returns ok for request 74
radius_xlat: '1000'
rlm_sql (sql): sql_set_user escaped user --> '1000'
rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module "sql" returns ok for request 74
modcall: group authorize returns ok for request 74
rad_check_password: Found Auth-Type Digest
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 74
ERROR: No Digest-Nonce: Cannot perform Digest authentication
modcall[authenticate]: module "digest" returns invalid for request 74
modcall: group authenticate returns invalid for request 74
auth: Failed to validate the user.
Delaying request 74 for 1 seconds
Finished request 74
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 15 to xx.xx.xx.xx:33025
Reply-Message = "Authenticated"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 74 ID 15 with timestamp 434f1121
Nothing to do. Sleeping until we see a request.
Any help in this matter would be deeply appreciated,
Lenir