[first post to list]
Greetings,
I'm in the process of getting a Kamailio 3.3.2 installation authenticating
its SIP accounts against a RADIUS database. There are -- at the moment --
no plans to do any fancy accounting nor any authorisation beyond simple
authentication.
I've set up and tested a FreeRadius 2.2.3_1 server on a dedicated server.
After a fairly steep learning curve involving RADIUS dictionaries I've
come so far that kamailio sends out a RADIUS Access-Request message
that is received by FreeRadius, processed, and returned to Kamailio
which promptly ignores it and continues to send 401 to the client;
the SIP message exchange with the client being:
(some identifying info has been redacted)
REGISTER sip:my.domain SIP/2.0
< SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.25.191.24:41688;branch=z9hG4bK-d8754z-eac09e6c626d4c4d-1---d8754z-;rport=41688
REGISTER sip:my.domain SIP/2.0
Via: SIP/2.0/UDP 10.25.191.24:41688;branch=z9hG4bK-d8754z-4f25c643f4b93465-1---d8754z-;rport
< SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.25.191.24:41688;branch=z9hG4bK-d8754z-4f25c643f4b93465-1---d8754z-;rport=41688
The RADIUS exchange:
10:07:10.861063 IP (tos 0x0, ttl 64, id 14964, offset 0, flags [none], proto UDP (17), length 270)
10.24.194.198.63712 > 10.24.194.196.1812: [udp sum ok] RADIUS, length: 242
Access Request (1), id: 0x05, Authenticator: 4215e95809551826eda76972be4106c4
Username Attribute (1), length: 18, Value: mtu-06(a)my.domain
0x0000: 6d74 752d 3036 4069 706b 2e73 722e 7365
Unknown Attribute (207), length: 10, Value:
0x0000: 0a08 6d74 752d 3036
Unknown Attribute (207), length: 13, Value:
0x0000: 010b 6970 6b2e 7372 2e73 65
Unknown Attribute (207), length: 36, Value:
0x0000: 0222 5532 6448 326c 4e6e 5271 3677 4353
0x0010: 6463 6775 5056 3050 516e 3936 324d 5635
0x0020: 6d34
Unknown Attribute (207), length: 17, Value:
0x0000: 040f 7369 703a 6970 6b2e 7372 2e73 65
Unknown Attribute (207), length: 12, Value:
0x0000: 030a 5245 4749 5354 4552
Unknown Attribute (207), length: 8, Value:
0x0000: 0506 6175 7468
Unknown Attribute (207), length: 12, Value:
0x0000: 090a 3030 3030 3030 3031
Unknown Attribute (207), length: 36, Value:
0x0000: 0822 3933 3832 3333 3333 3530 3162 3238
0x0010: 6439 3236 3739 3863 3964 3038 6539 3134
0x0020: 3733
Unknown Attribute (206), length: 34, Value:
0x0000: 3538 3665 3336 3763 3230 3163 3137 6438
0x0010: 6261 3265 3830 3533 3763 6433 3562 3761
Service Type Attribute (6), length: 6, Value: #15
0x0000: 0000 000f
Unknown Attribute (208), length: 8, Value:
0x0000: 6d74 752d 3036
NAS Port Attribute (5), length: 6, Value: 5060
0x0000: 0000 13c4
NAS IP Address Attribute (4), length: 6, Value: 10.24.194.198
0x0000: c079 c2c6
10:07:10.863964 IP (tos 0x0, ttl 64, id 28916, offset 0, flags [none], proto UDP (17), length 48)
10.24.194.196.1812 > 10.24.194.198.63712: [bad udp cksum 0x06ac -> 0x44c0!] RADIUS, length: 20
Access Accept (2), id: 0x05, Authenticator: 8f07de871a066aacfbe822e20a9b96c1
The RADIUS part of the Kamailio config is:
if (is_method("REGISTER") || from_uri==myself)
#if (is_method("REGISTER") )
{
    # authenticate requests
    xlog("L_INFO", "authenticate [$fd]\n");
    ### RADIUS ###
    if (!radius_www_authorize("my.domain")) {
        $var(ret) = $rc;
        xlog("L_INFO", "response code: [$var(ret)]\n");
        switch ($var(ret)) {
            case -7:
                send_reply("500", "Server Internal Error");
                exit;
            case -1:
                send_reply("400", "Bad Request");
                exit;
            default:
        };
        if (defined($avp(digest_challenge)) &&
                ($avp(digest_challenge) != "")) {
            append_to_reply("$avp(digest_challenge)");
        };
        send_reply("401", "Unauthorized");
        exit;
    };
    # user authenticated - remove auth header
    if(!is_method("REGISTER|PUBLISH"))
        consume_credentials();
}
Any clues? What is missing from my narrative?
--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Actually, what I'd like is a little toy spaceship!!
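
Added example, not part of the original post: a small Python reader for an exchange like the one captured above. It names the sub-attributes that tcpdump prints as "Unknown Attribute (207)" and recomputes the RFC 2865 Response Authenticator, since a RADIUS client silently discards a reply whose authenticator does not verify against its shared secret. Assumptions: attributes 206/207 follow the draft-sterman-aaa-sip digest layout (which the sub-type bytes in the capture match), and the packets and the secret `testing123` are constructed sample data.

```python
import hashlib
import hmac
import struct

# Digest-Attributes (207) sub-attribute types, draft-sterman-aaa-sip numbering.
DIGEST_SUB = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI",
              5: "QoP", 8: "CNonce", 9: "Nonce-Count", 10: "User-Name"}

def tlvs(buf):
    """Yield (type, value) pairs; each length byte covers its 2-byte header."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2 or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed TLV at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def parse(packet):
    """Return (code, id, authenticator, attribute bytes) of a RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    return code, ident, packet[4:20], packet[20:length]

def digest_fields(request):
    """Name what tcpdump printed as 'Unknown Attribute (207)' and (206)."""
    out = {}
    for typ, val in tlvs(parse(request)[3]):
        if typ == 206:
            out["Digest-Response"] = val.decode("ascii", "replace")
        elif typ == 207:
            for sub, subval in tlvs(val):
                out[DIGEST_SUB.get(sub, "sub-%d" % sub)] = subval.decode("ascii", "replace")
    return out

def reply_is_authentic(reply, request, secret):
    """RFC 2865: MD5(Code+ID+Length+RequestAuth+Attributes+Secret) must match."""
    _, ident, resp_auth, attrs = parse(reply)
    _, req_id, req_auth, _ = parse(request)
    expected = hashlib.md5(reply[:4] + req_auth + attrs + secret).digest()
    return ident == req_id and hmac.compare_digest(expected, resp_auth)

# Constructed sample, not the capture from the post; the secret is made up.
def attr(t, v): return bytes([t, len(v) + 2]) + v
_A = (attr(207, attr(10, b"mtu-06")) + attr(207, attr(1, b"my.domain"))
      + attr(207, attr(3, b"REGISTER")))
REQUEST = struct.pack("!BBH", 1, 5, 20 + len(_A)) + bytes(range(16)) + _A
_H = struct.pack("!BBH", 2, 5, 20)
REPLY = _H + hashlib.md5(_H + REQUEST[4:20] + b"testing123").digest()
```

To run it against a real capture, pass the raw UDP payloads of the request and the reply together with the secret configured on the client side.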