Hi, I've configured freeradius and SER according to the Radius HOW TO document. Accounting works very well, but now I am doing some tests trying to do user authentication; however, all the authentication requests coming to freeradius fail and the X-lite sipphone is receiving an Unauthorized message from SER. Please, some advice.
thanks rafael
PS: config files...
in /usr/local/etc/raddb/users :
---------
test    Auth-Type := Digest, User-Password == "test"
        Reply-Message = "Hello, test with digest"

6609876 Auth-Type := Digest User-Password := "9876",
        Digest-Response = "lalalalala",
        Reply-Message = "Hello, ibm1"

6604321 Auth-Type := Digest User-Password := "4321",
        Digest-Response = "lalalalala",
        Reply-Message = "Hello, ibm2"
---------
Some relevant data in ser.cfg:
...
modparam("group_radius", "use_domain", 0)
....
if (uri==myself) {
    if (method=="REGISTER") {
        # Uncomment this if you want to use digest authentication
        if (!radius_www_authorize("")) {
            www_challenge("", "1");
            break;
        };

        if (!save("location")) {
            sl_reply_error();
        };
        break;
    };

    lookup("aliases");
    if (!uri==myself) {
        append_hf("P-hint: outbound alias\r\n");
        route(1);
        break;
    };

    # does the user wish redirection on no availability? (i.e., is he
    # in the voicemail group?) -- determine it now and store it in
    # flag 4, before we rewrite the flag using UsrLoc
    if (radius_is_user_in("Request-URI", "voicemail")) {
        log(1, "requested user is in voicemail group");
        setflag(4);
    };

    # native SIP destinations are handled using our USRLOC DB
    if (!lookup("location")) {
        # sl_send_reply("404", "Not Found");
        log(1,"unable to locate user");
        route(4);
        break;
    };
}; # End of "if(uri==myself)"
....
------------------RADIUSD -X Output ---------------------------:
rad_recv: Access-Request packet from host 127.0.0.1:33187, id=79, length=311
        User-Name = "6604321@10.0.1.22"
        Digest-Attributes = 0x0a0936363034333231
        Digest-Attributes = 0x010b31302e302e312e3232
        Digest-Attributes = 0x022a34323366333163373062336631643261643330383833633238303434316632663133643136613830
        Digest-Attributes = 0x040f7369703a31302e302e312e3232
        Digest-Attributes = 0x030a5245474953544552
        Digest-Attributes = 0x050661757468
        Digest-Attributes = 0x090a3030303030303162
        Digest-Attributes = 0x08224433343132424232394131453131443939334232303035304241373836433642
        Digest-Response = "a6a7812ac0331324f977453c228da2ed"
        Service-Type = IAPP-Register
        Sip-URI-User = "6604321"
        Cisco-AVPair = "call-id=D3412ADB9A1E11D993B20050BA786C6B@10.0.1.22"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 5060
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "chap" returns noop for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = "6604321"
        Digest-Realm = "10.0.1.22"
        Digest-Nonce = "423f31c70b3f1d2ad30883c280441f2f13d16a80"
        Digest-URI = "sip:10.0.1.22"
        Digest-Method = "REGISTER"
        Digest-QOP = "auth"
        Digest-Nonce-Count = "0000001b"
        Digest-CNonce = "D3412BB29A1E11D993B20050BA786C6B"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 8
rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321@10.0.1.22"
rlm_realm: No such realm "10.0.1.22"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 8
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 8
modcall: group authorize returns ok for request 8
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_digest: Configuration item "User-Password" is required for authentication.
modcall[authenticate]: module "digest" returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...

rad_recv: Access-Request packet from host 127.0.0.1:33188, id=80, length=311
        User-Name = "6609876@10.0.1.22"
        Digest-Attributes = 0x0a0936363039383736
        Digest-Attributes = 0x010b31302e302e312e3232
        Digest-Attributes = 0x022a34323366333163373062336631643261643330383833633238303434316632663133643136613830
        Digest-Attributes = 0x040f7369703a31302e302e312e3232
        Digest-Attributes = 0x030a5245474953544552
        Digest-Attributes = 0x050661757468
        Digest-Attributes = 0x090a3030303030303163
        Digest-Attributes = 0x08224433343132424235394131453131443939334232303035304241373836433642
        Digest-Response = "50fa695654b20e2eec54a1003fe15d9f"
        Service-Type = IAPP-Register
        Sip-URI-User = "6609876"
        Cisco-AVPair = "call-id=D3412ADE9A1E11D993B20050BA786C6B@10.0.1.22"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 5060
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
modcall[authorize]: module "preprocess" returns ok for request 9
modcall[authorize]: module "chap" returns noop for request 9
modcall[authorize]: module "mschap" returns noop for request 9
rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = "6609876"
        Digest-Realm = "10.0.1.22"
        Digest-Nonce = "423f31c70b3f1d2ad30883c280441f2f13d16a80"
        Digest-URI = "sip:10.0.1.22"
        Digest-Method = "REGISTER"
        Digest-QOP = "auth"
        Digest-Nonce-Count = "0000001c"
        Digest-CNonce = "D3412BB59A1E11D993B20050BA786C6B"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 9
rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6609876@10.0.1.22"
rlm_realm: No such realm "10.0.1.22"
modcall[authorize]: module "suffix" returns noop for request 9
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 9
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 9
modcall: group authorize returns ok for request 9
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
rlm_digest: Configuration item "User-Password" is required for authentication.
modcall[authenticate]: module "digest" returns invalid for request 9
modcall: group authenticate returns invalid for request 9
auth: Failed to validate the user.
Delaying request 9 for 1 seconds
Finished request 9
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 79 to 127.0.0.1:33187
Waking up in 1 seconds...

rad_recv: Access-Request packet from host 127.0.0.1:33189, id=81, length=311
        User-Name = "6609876@10.0.1.22"
        Digest-Attributes = 0x0a0936363039383736
        Digest-Attributes = 0x010b31302e302e312e3232
        Digest-Attributes = 0x022a34323366333163373062336631643261643330383833633238303434316632663133643136613830
        Digest-Attributes = 0x040f7369703a31302e302e312e3232
        Digest-Attributes = 0x030a5245474953544552
        Digest-Attributes = 0x050661757468
        Digest-Attributes = 0x090a3030303030303163
        Digest-Attributes = 0x08224433343132424236394131453131443939334232303035304241373836433642
        Digest-Response = "e4f68760f2b3eed0ad45942b32542c92"
        Service-Type = IAPP-Register
        Sip-URI-User = "6609876"
        Cisco-AVPair = "call-id=D3412ADE9A1E11D993B20050BA786C6B@10.0.1.22"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 5060
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 10
modcall[authorize]: module "preprocess" returns ok for request 10
modcall[authorize]: module "chap" returns noop for request 10
modcall[authorize]: module "mschap" returns noop for request 10
rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = "6609876"
        Digest-Realm = "10.0.1.22"
        Digest-Nonce = "423f31c70b3f1d2ad30883c280441f2f13d16a80"
        Digest-URI = "sip:10.0.1.22"
        Digest-Method = "REGISTER"
        Digest-QOP = "auth"
        Digest-Nonce-Count = "0000001c"
        Digest-CNonce = "D3412BB69A1E11D993B20050BA786C6B"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 10
rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6609876@10.0.1.22"
rlm_realm: No such realm "10.0.1.22"
modcall[authorize]: module "suffix" returns noop for request 10
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 10
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 10
modcall: group authorize returns ok for request 10
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 10
rlm_digest: Configuration item "User-Password" is required for authentication.
modcall[authenticate]: module "digest" returns invalid for request 10
modcall: group authenticate returns invalid for request 10
auth: Failed to validate the user.
Delaying request 10 for 1 seconds
Finished request 10
Going to the next request
Sending Access-Reject of id 80 to 127.0.0.1:33188
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 81 to 127.0.0.1:33189
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 8 ID 79 with timestamp 423f309b
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 9 ID 80 with timestamp 423f309c
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 10 ID 81 with timestamp 423f309d
Nothing to do. Sleeping until we see a request.
Try to change your users file according to the radius howto:
joe@iptel.org   Auth-Type := Digest, User-Password == "heslo"
                Reply-Message = "Authenticated",
                Sip-Rpid = "1234"
Jan.
On 21-03 16:15, Rafael J. Risco G.V. wrote:
> Hi, I've configured freeradius and SER according to the Radius HOW TO document. Accounting works very well, but now I am doing some tests trying to do user authentication; however, all the authentication requests coming to freeradius fail and the X-lite sipphone is receiving an Unauthorized message from SER. Please, some advice.
> thanks rafael
Hi, 2 problems:
1.- Finally I have been able to register users and authenticate INVITEs using the radius_www_authorize and proxy_www_authorize functions, but I can't use "radius_is_user_in" (from the group_radius module) for group checking before calling. Has someone done this before? I need this for "Request-URI", to verify if it belongs to a group "deactivated" in the Register process or to verify if the user is in the "voicemail" group; same for checking "from" or "credentials" (I can do it using the group.so module). Please see my ser.cfg and radiusd -X debug below.
2.- There are no "check_to" or "check_from" functions in the uri_radius module... Is there any other way to do this using radius?
regards Rafael
PS: freeradius user file:
6604321@10.0.1.22   Auth-Type := Digest, User-Password == "4321"
                    Auth-Type := Accept,
                    Sip-Group = "mobile"
SER.cfg:
if (method == "REGISTER") {
    log(1, "ANALYZING REGISTER REQUEST\n");
    # to use digest authentication
    if (is_user_in("Request-URI", "deactivated")) {
        sl_send_reply("403","deactivated");
        break;
    };

    if (!www_authorize("mydomain.com.pe", "subscriber")) {
        www_challenge("mydomain.com.pe", "0");
        break;
    };

    # only registered users are allowed
    #if (!check_to()) {
    #    log(1, "LOG: Hijack attempt\n");
    #    sl_send_reply("403", "Only registered users..");
    #    break;
    #};
    log(1," Registered!!! \n");
    if (!save("location")) {
        sl_reply_error();
    };
    break;
};

if (method == "INVITE" || method== "CANCEL" ) {
    log(1, "ANALYZING INVITE||CANCEL REQUESTs\n");
    if (!proxy_authorize("mydomain.com.pe", "subscriber")) {
        proxy_challenge("mydomain.com.pe", "1");
        break;
    };
    #} else {
    #if (method == "INVITE" && !check_from()) {
    #    sl_send_reply("403", "Only registered users...");
    #    break;
    #};
    #};

    /* ******** Dial out to Local and PSTN logic ****** */

    # Forward n digit requests to gateway AS5350 (mobile phones)
    if(uri=~"^sip:9" ){
        log(1," digit expression match - Celulares\n");
        if (!is_user_in("from", "mobile")) {
            sl_send_reply("403", "forbidden...");
            break;
        };
        rewritehostport("GW_IP:5060");
        route(1); ## to nathelper...
        break;
    };
};
Radiusd -X log when trying radius_is_user_in:
rad_recv: Access-Request packet from host 127.0.0.1:36944, id=200, length=323
        User-Name = "6604321@10.0.1.22"
        Digest-Attributes = 0x0a0936363034333231
        Digest-Attributes = 0x010b31302e302e312e3232
        Digest-Attributes = 0x022a34323438363231313832363734333330343564643863363961336530393638353034363533356538
        Digest-Attributes = 0x04187369703a39393130393939304031302e302e312e3232
        Digest-Attributes = 0x0308494e56495445
        Digest-Attributes = 0x050661757468
        Digest-Attributes = 0x090a3030303030353233
        Digest-Attributes = 0x08223341394535413233394144323131443939334232303035304241373836433642
        Digest-Response = "8c6af680ab513e39c16d38bc14c41fbc"
        Service-Type = IAPP-Register
        Sip-URI-User = "6604321"
        Cisco-AVPair = "call-id=3A9E5A1E-9AD2-11D9-93B2-0050BA786C6B@10.0.1.105"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 5060
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 18
modcall[authorize]: module "preprocess" returns ok for request 18
modcall[authorize]: module "chap" returns noop for request 18
modcall[authorize]: module "mschap" returns noop for request 18
rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = "6604321"
        Digest-Realm = "10.0.1.22"
        Digest-Nonce = "424862118267433045dd8c69a3e09685046535e8"
        Digest-URI = "sip:99109990@10.0.1.22"
        Digest-Method = "INVITE"
        Digest-QOP = "auth"
        Digest-Nonce-Count = "00000523"
        Digest-CNonce = "3A9E5A239AD211D993B20050BA786C6B"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 18
rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321@10.0.1.22"
rlm_realm: No such realm "10.0.1.22"
modcall[authorize]: module "suffix" returns noop for request 18
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 18
users: Matched DEFAULT at 152
users: Matched 6604321@10.0.1.22 at 222
modcall[authorize]: module "files" returns ok for request 18
modcall: group authorize returns ok for request 18
rad_check_password: Found Auth-Type Digest
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 18
A1 = 6604321:10.0.1.22:4321
A2 = INVITE:sip:99109990@10.0.1.22
H(A1) = 65f1515ce902a1b9dc7886ddc77c96bf
H(A2) = 087a284409aebfedefbc657a6a55fc29
KD = 65f1515ce902a1b9dc7886ddc77c96bf:424862118267433045dd8c69a3e09685046535e8:00000523:3A9E5A239AD211D993B20050BA786C6B:auth:087a284409aebfedefbc657a6a55fc29
EXPECTED 8c6af680ab513e39c16d38bc14c41fbc
RECEIVED 8c6af680ab513e39c16d38bc14c41fbc
modcall[authenticate]: module "digest" returns ok for request 18
modcall: group authenticate returns ok for request 18
Sending Access-Accept of id 200 to 127.0.0.1:36944
        Sip-Group = "mobile"
Finished request 18
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

rad_recv: Access-Request packet from host 127.0.0.1:36944, id=201, length=65
        User-Name = "6604321@10.0.1.22"
        Sip-Group = "mobile"
        Service-Type = Voice
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 19
modcall[authorize]: module "preprocess" returns ok for request 19
modcall[authorize]: module "chap" returns noop for request 19
modcall[authorize]: module "mschap" returns noop for request 19
modcall[authorize]: module "digest" returns noop for request 19
rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321@10.0.1.22"
rlm_realm: No such realm "10.0.1.22"
modcall[authorize]: module "suffix" returns noop for request 19
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 19
users: Matched DEFAULT at 152
users: Matched 6604321@10.0.1.22 at 222
modcall[authorize]: module "files" returns ok for request 19
modcall: group authorize returns ok for request 19
rad_check_password: Found Auth-Type Digest
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 19
ERROR: No Digest-Nonce: Cannot perform Digest authentication
modcall[authenticate]: module "digest" returns invalid for request 19
modcall: group authenticate returns invalid for request 19
auth: Failed to validate the user.
Delaying request 19 for 1 seconds
Finished request 19
Going to the next request
Waking up in 6 seconds...

rad_recv: Access-Request packet from host 127.0.0.1:36945, id=202, length=323
        User-Name = "6604321@10.0.1.22"
        Digest-Attributes = 0x0a0936363034333231
        Digest-Attributes = 0x010b31302e302e312e3232
        Digest-Attributes = 0x022a34323438363231313832363734333330343564643863363961336530393638353034363533356538
        Digest-Attributes = 0x04187369703a39393130393939304031302e302e312e3232
        Digest-Attributes = 0x0308494e56495445
        Digest-Attributes = 0x050661757468
        Digest-Attributes = 0x090a3030303030353233
        Digest-Attributes = 0x08223341394535413234394144323131443939334232303035304241373836433642
        Digest-Response = "f8421d39192c34c441a52f0a5f7c9939"
        Service-Type = IAPP-Register
        Sip-URI-User = "6604321"
        Cisco-AVPair = "call-id=3A9E5A1E-9AD2-11D9-93B2-0050BA786C6B@10.0.1.105"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 5060
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 20
modcall[authorize]: module "preprocess" returns ok for request 20
modcall[authorize]: module "chap" returns noop for request 20
modcall[authorize]: module "mschap" returns noop for request 20
rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = "6604321"
        Digest-Realm = "10.0.1.22"
        Digest-Nonce = "424862118267433045dd8c69a3e09685046535e8"
        Digest-URI = "sip:99109990@10.0.1.22"
        Digest-Method = "INVITE"
        Digest-QOP = "auth"
        Digest-Nonce-Count = "00000523"
        Digest-CNonce = "3A9E5A249AD211D993B20050BA786C6B"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 20
rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321@10.0.1.22"
rlm_realm: No such realm "10.0.1.22"
modcall[authorize]: module "suffix" returns noop for request 20
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 20
users: Matched DEFAULT at 152
users: Matched 6604321@10.0.1.22 at 222
modcall[authorize]: module "files" returns ok for request 20
modcall: group authorize returns ok for request 20
rad_check_password: Found Auth-Type Digest
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 20
A1 = 6604321:10.0.1.22:4321
A2 = INVITE:sip:99109990@10.0.1.22
H(A1) = 65f1515ce902a1b9dc7886ddc77c96bf
H(A2) = 087a284409aebfedefbc657a6a55fc29
KD = 65f1515ce902a1b9dc7886ddc77c96bf:424862118267433045dd8c69a3e09685046535e8:00000523:3A9E5A249AD211D993B20050BA786C6B:auth:087a284409aebfedefbc657a6a55fc29
EXPECTED f8421d39192c34c441a52f0a5f7c9939
RECEIVED f8421d39192c34c441a52f0a5f7c9939
modcall[authenticate]: module "digest" returns ok for request 20
modcall: group authenticate returns ok for request 20
Sending Access-Accept of id 202 to 127.0.0.1:36945
        Sip-Group = "mobile"
Finished request 20
Going to the next request
--- Walking the entire request list ---
Sending Access-Reject of id 201 to 127.0.0.1:36944
Waking up in 4 seconds...

rad_recv: Access-Request packet from host 127.0.0.1:36945, id=203, length=65
        User-Name = "6604321@10.0.1.22"
        Sip-Group = "mobile"
        Service-Type = Voice
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 21
modcall[authorize]: module "preprocess" returns ok for request 21
modcall[authorize]: module "chap" returns noop for request 21
modcall[authorize]: module "mschap" returns noop for request 21
modcall[authorize]: module "digest" returns noop for request 21
rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321@10.0.1.22"
rlm_realm: No such realm "10.0.1.22"
modcall[authorize]: module "suffix" returns noop for request 21
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 21
users: Matched DEFAULT at 152
users: Matched 6604321@10.0.1.22 at 222
modcall[authorize]: module "files" returns ok for request 21
modcall: group authorize returns ok for request 21
rad_check_password: Found Auth-Type Digest
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 21
ERROR: No Digest-Nonce: Cannot perform Digest authentication
modcall[authenticate]: module "digest" returns invalid for request 21
modcall: group authenticate returns invalid for request 21
auth: Failed to validate the user.
Delaying request 21 for 1 seconds
Finished request 21
Going to the next request
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 18 ID 200 with timestamp 424860e5
Cleaning up request 19 ID 201 with timestamp 424860e5
Sending Access-Reject of id 203 to 127.0.0.1:36945
Waking up in 2 seconds...
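The digest check that the debug output above walks through (A1, A2, KD, EXPECTED/RECEIVED), as an added example that is not part of the original posts and is not FreeRADIUS or SER code. It decodes the Digest-Attributes of request 18, recomputes the response from the cleartext password in the users entry, and models the two failure messages seen in this thread; the function names and the returned strings are assumptions made for illustration.

```python
import hashlib
import hmac

# Sub-attribute numbers inside Digest-Attributes, named after what
# rlm_digest prints when it converts them in the log above.
SUBATTR_NAMES = {
    1: "realm", 2: "nonce", 3: "method", 4: "uri", 5: "qop",
    8: "cnonce", 9: "nonce_count", 10: "user_name",
}

# Request 18 from the radiusd -X output (the INVITE that is accepted).
REQUEST_18 = {
    "Digest-Attributes": [
        "0x0a0936363034333231",
        "0x010b31302e302e312e3232",
        "0x022a34323438363231313832363734333330343564643863363961336530393638353034363533356538",
        "0x04187369703a39393130393939304031302e302e312e3232",
        "0x0308494e56495445",
        "0x050661757468",
        "0x090a3030303030353233",
        "0x08223341394535413233394144323131443939334232303035304241373836433642",
    ],
    "Digest-Response": "8c6af680ab513e39c16d38bc14c41fbc",
}

# Request 19 from the same log: the group query, which carries no
# Digest-Attributes and no Digest-Response.
REQUEST_19 = {"User-Name": "6604321@10.0.1.22", "Sip-Group": "mobile"}


def md5_hex(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()


def decode_digest_attributes(hex_values):
    """Unpack type/length/value sub-attributes (length includes the 2-byte header)."""
    fields = {}
    for hex_value in hex_values:
        digits = hex_value[2:] if hex_value.startswith("0x") else hex_value
        raw = bytes.fromhex(digits)
        pos = 0
        while pos < len(raw):
            if len(raw) - pos < 2:
                raise ValueError("truncated sub-attribute header")
            kind, length = raw[pos], raw[pos + 1]
            if length < 2 or pos + length > len(raw):
                raise ValueError("bad sub-attribute length")
            name = SUBATTR_NAMES.get(kind)
            if name is not None:
                fields[name] = raw[pos + 2:pos + length].decode("ascii")
            pos += length
    return fields


def expected_response(fields, password):
    """RFC 2617 response for algorithm MD5, with or without qop=auth."""
    ha1 = md5_hex(":".join([fields["user_name"], fields["realm"], password]))
    ha2 = md5_hex(":".join([fields["method"], fields["uri"]]))
    if fields.get("qop") == "auth":
        kd = ":".join([ha1, fields["nonce"], fields["nonce_count"],
                       fields["cnonce"], "auth", ha2])
    else:
        kd = ":".join([ha1, fields["nonce"], ha2])
    return md5_hex(kd)


def check_digest(request, password):
    """Simplified model of the authenticate step; password is the cleartext
    User-Password from the matched users entry, or None if no entry supplied one."""
    fields = decode_digest_attributes(request.get("Digest-Attributes", []))
    if "nonce" not in fields:
        # What happens to request 19: Auth-Type is Digest but nothing to verify.
        return "invalid: No Digest-Nonce"
    if password is None:
        # What happens to requests 8-10: only DEFAULT matched, no password found.
        return "invalid: User-Password is required"
    expected = expected_response(fields, password)
    if hmac.compare_digest(expected, request.get("Digest-Response", "")):
        return "ok"
    return "reject"


if __name__ == "__main__":
    print(decode_digest_attributes(REQUEST_18["Digest-Attributes"]))
    print(check_digest(REQUEST_18, "4321"))   # ok
    print(check_digest(REQUEST_18, None))     # invalid: User-Password is required
    print(check_digest(REQUEST_19, "4321"))   # invalid: No Digest-Nonce
```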
Hi, the ser.cfg I sent in my last email does not include the changes for radius auth; I am testing with the radius prefix for is_user_in and www_authorize. Anyway, this is the error I get when ser is trying to check the group:

ERROR: No Digest-Nonce: Cannot perform Digest authentication
modcall[authenticate]: module "digest" returns invalid for request 13
modcall: group authenticate returns invalid for request 13
auth: Failed to validate the user.
any idea?
rafael
On Mon, 28 Mar 2005 15:11:03 -0500, Rafael J. Risco G.V. rafael.risco@gmail.com wrote:
> Hi, 2 problems:
> 1.- Finally I have been able to register users and authenticate INVITEs using the radius_www_authorize and proxy_www_authorize functions, but I can't use "radius_is_user_in" (from the group_radius module) for group checking before calling. Has someone done this before? I need this for "Request-URI", to verify if it belongs to a group "deactivated" in the Register process or to verify if the user is in the "voicemail" group; same for checking "from" or "credentials" (I can do it using the group.so module). Please see my ser.cfg and radiusd -X debug below.
> 2.- There are no "check_to" or "check_from" functions in the uri_radius module... Is there any other way to do this using radius?
> regards Rafael
PS: freeradius user file:
6604321@10.0.1.22 Auth-Type := Digest, User-Password == "4321" Auth-Type := Accept, Sip-Group = "mobile"
SER.cfg:
if (method == "REGISTER") {
    log(1, "ANALYZING REGISTER REQUEST\n");
    # to use digest authentication
    if (is_user_in("Request-URI", "deactivated")) {
        sl_send_reply("403","deactivated");
        break;
    };
    if (!www_authorize("mydomain.com.pe", "subscriber")) {
        www_challenge("mydomain.com.pe", "0");
        break;
    };
    # only registered users are allowed
    #if (!check_to()) {
    #    log(1, "LOG: Hijack attempt\n");
    #    sl_send_reply("403", "Only registered users..");
    #    break;
    #};
    log(1," Registered!!! \n");
    if (!save("location")) {
        sl_reply_error();
    };
    break;
};
if (method == "INVITE" || method== "CANCEL" ) {
    log(1, "ANALYZING INVITE||CANCEL REQUESTs\n");
    if (!proxy_authorize("mydomain.com.pe", "subscriber")) {
        proxy_challenge("mydomain.com.pe", "1");
        break;
    };
    #} else {
    #if (method == "INVITE" && !check_from()) {
    #    sl_send_reply("403", "Only registered users...");
    #    break;
    #};
    #};

    /* ******** Dial out to Local and PSTN logic ****** */
    # Forward n digit requests to gateway AS5350 (mobile phones)
    if(uri=~"^sip:9" ){
        log(1," digit expression match - Celulares\n");
        if (!is_user_in("from", "mobile")) {
            sl_send_reply("403", "forbidden...");
            break;
        };
        rewritehostport("GW_IP:5060");
        route(1); ## to nathelper...
        break;
    };
};
Radiusd -X log when trying radius_is_user_in:
rad_recv: Access-Request packet from host 127.0.0.1:36944, id=200, length=323
    User-Name = "6604321@10.0.1.22"
    Digest-Attributes = 0x0a0936363034333231
    Digest-Attributes = 0x010b31302e302e312e3232
    Digest-Attributes = 0x022a34323438363231313832363734333330343564643863363961336530393638353034363533356538
    Digest-Attributes = 0x04187369703a39393130393939304031302e302e312e3232
    Digest-Attributes = 0x0308494e56495445
    Digest-Attributes = 0x050661757468
    Digest-Attributes = 0x090a3030303030353233
    Digest-Attributes = 0x08223341394535413233394144323131443939334232303035304241373836433642
    Digest-Response = "8c6af680ab513e39c16d38bc14c41fbc"
    Service-Type = IAPP-Register
    Sip-URI-User = "6604321"
    Cisco-AVPair = "call-id=3A9E5A1E-9AD2-11D9-93B2-0050BA786C6B@10.0.1.105"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 5060
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 18
modcall[authorize]: module "preprocess" returns ok for request 18
modcall[authorize]: module "chap" returns noop for request 18
modcall[authorize]: module "mschap" returns noop for request 18
rlm_digest: Converting Digest-Attributes to something sane...
    Digest-User-Name = "6604321"
    Digest-Realm = "10.0.1.22"
    Digest-Nonce = "424862118267433045dd8c69a3e09685046535e8"
    Digest-URI = "sip:99109990@10.0.1.22"
    Digest-Method = "INVITE"
    Digest-QOP = "auth"
    Digest-Nonce-Count = "00000523"
    Digest-CNonce = "3A9E5A239AD211D993B20050BA786C6B"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 18
rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321@10.0.1.22"
rlm_realm: No such realm "10.0.1.22"
modcall[authorize]: module "suffix" returns noop for request 18
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 18
users: Matched DEFAULT at 152
users: Matched 6604321@10.0.1.22 at 222
modcall[authorize]: module "files" returns ok for request 18
modcall: group authorize returns ok for request 18
rad_check_password: Found Auth-Type Digest
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 18
A1 = 6604321:10.0.1.22:4321
A2 = INVITE:sip:99109990@10.0.1.22
H(A1) = 65f1515ce902a1b9dc7886ddc77c96bf
H(A2) = 087a284409aebfedefbc657a6a55fc29
KD = 65f1515ce902a1b9dc7886ddc77c96bf:424862118267433045dd8c69a3e09685046535e8:00000523:3A9E5A239AD211D993B20050BA786C6B:auth:087a284409aebfedefbc657a6a55fc29
EXPECTED 8c6af680ab513e39c16d38bc14c41fbc
RECEIVED 8c6af680ab513e39c16d38bc14c41fbc
modcall[authenticate]: module "digest" returns ok for request 18
modcall: group authenticate returns ok for request 18
Sending Access-Accept of id 200 to 127.0.0.1:36944
    Sip-Group = "mobile"
Finished request 18
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

rad_recv: Access-Request packet from host 127.0.0.1:36944, id=201, length=65
    User-Name = "6604321@10.0.1.22"
    Sip-Group = "mobile"
    Service-Type = Voice
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 19
modcall[authorize]: module "preprocess" returns ok for request 19
modcall[authorize]: module "chap" returns noop for request 19
modcall[authorize]: module "mschap" returns noop for request 19
modcall[authorize]: module "digest" returns noop for request 19
rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321@10.0.1.22"
rlm_realm: No such realm "10.0.1.22"
modcall[authorize]: module "suffix" returns noop for request 19
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 19
users: Matched DEFAULT at 152
users: Matched 6604321@10.0.1.22 at 222
modcall[authorize]: module "files" returns ok for request 19
modcall: group authorize returns ok for request 19
rad_check_password: Found Auth-Type Digest
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 19
ERROR: No Digest-Nonce: Cannot perform Digest authentication
modcall[authenticate]: module "digest" returns invalid for request 19
modcall: group authenticate returns invalid for request 19
auth: Failed to validate the user.
Delaying request 19 for 1 seconds
Finished request 19
Going to the next request
Waking up in 6 seconds...

rad_recv: Access-Request packet from host 127.0.0.1:36945, id=202, length=323
    User-Name = "6604321@10.0.1.22"
    Digest-Attributes = 0x0a0936363034333231
    Digest-Attributes = 0x010b31302e302e312e3232
    Digest-Attributes = 0x022a34323438363231313832363734333330343564643863363961336530393638353034363533356538
    Digest-Attributes = 0x04187369703a39393130393939304031302e302e312e3232
    Digest-Attributes = 0x0308494e56495445
    Digest-Attributes = 0x050661757468
    Digest-Attributes = 0x090a3030303030353233
    Digest-Attributes = 0x08223341394535413234394144323131443939334232303035304241373836433642
    Digest-Response = "f8421d39192c34c441a52f0a5f7c9939"
    Service-Type = IAPP-Register
    Sip-URI-User = "6604321"
    Cisco-AVPair = "call-id=3A9E5A1E-9AD2-11D9-93B2-0050BA786C6B@10.0.1.105"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 5060
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 20
modcall[authorize]: module "preprocess" returns ok for request 20
modcall[authorize]: module "chap" returns noop for request 20
modcall[authorize]: module "mschap" returns noop for request 20
rlm_digest: Converting Digest-Attributes to something sane...
    Digest-User-Name = "6604321"
    Digest-Realm = "10.0.1.22"
    Digest-Nonce = "424862118267433045dd8c69a3e09685046535e8"
    Digest-URI = "sip:99109990@10.0.1.22"
    Digest-Method = "INVITE"
    Digest-QOP = "auth"
    Digest-Nonce-Count = "00000523"
    Digest-CNonce = "3A9E5A249AD211D993B20050BA786C6B"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 20
rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321@10.0.1.22"
rlm_realm: No such realm "10.0.1.22"
modcall[authorize]: module "suffix" returns noop for request 20
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 20
users: Matched DEFAULT at 152
users: Matched 6604321@10.0.1.22 at 222
modcall[authorize]: module "files" returns ok for request 20
modcall: group authorize returns ok for request 20
rad_check_password: Found Auth-Type Digest
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 20
A1 = 6604321:10.0.1.22:4321
A2 = INVITE:sip:99109990@10.0.1.22
H(A1) = 65f1515ce902a1b9dc7886ddc77c96bf
H(A2) = 087a284409aebfedefbc657a6a55fc29
KD = 65f1515ce902a1b9dc7886ddc77c96bf:424862118267433045dd8c69a3e09685046535e8:00000523:3A9E5A249AD211D993B20050BA786C6B:auth:087a284409aebfedefbc657a6a55fc29
EXPECTED f8421d39192c34c441a52f0a5f7c9939
RECEIVED f8421d39192c34c441a52f0a5f7c9939
modcall[authenticate]: module "digest" returns ok for request 20
modcall: group authenticate returns ok for request 20
Sending Access-Accept of id 202 to 127.0.0.1:36945
    Sip-Group = "mobile"
Finished request 20
Going to the next request
--- Walking the entire request list ---
Sending Access-Reject of id 201 to 127.0.0.1:36944
Waking up in 4 seconds...

rad_recv: Access-Request packet from host 127.0.0.1:36945, id=203, length=65
    User-Name = "6604321@10.0.1.22"
    Sip-Group = "mobile"
    Service-Type = Voice
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 21
modcall[authorize]: module "preprocess" returns ok for request 21
modcall[authorize]: module "chap" returns noop for request 21
modcall[authorize]: module "mschap" returns noop for request 21
modcall[authorize]: module "digest" returns noop for request 21
rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321@10.0.1.22"
rlm_realm: No such realm "10.0.1.22"
modcall[authorize]: module "suffix" returns noop for request 21
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 21
users: Matched DEFAULT at 152
users: Matched 6604321@10.0.1.22 at 222
modcall[authorize]: module "files" returns ok for request 21
modcall: group authorize returns ok for request 21
rad_check_password: Found Auth-Type Digest
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 21
ERROR: No Digest-Nonce: Cannot perform Digest authentication
modcall[authenticate]: module "digest" returns invalid for request 21
modcall: group authenticate returns invalid for request 21
auth: Failed to validate the user.
Delaying request 21 for 1 seconds
Finished request 21
Going to the next request
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 18 ID 200 with timestamp 424860e5
Cleaning up request 19 ID 201 with timestamp 424860e5
Sending Access-Reject of id 203 to 127.0.0.1:36945
Waking up in 2 seconds...
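Added example (not part of the original thread, and not FreeRADIUS or SER code): a Python sketch that decodes the Digest-Attributes values of request id=200 from the log above, recomputes the response from the A1/A2/KD scheme the log prints, and then runs the same check on request id=201, which carries no Digest-Attributes and so has no nonce to work with. The function names and the status strings are assumptions made for this example; the attribute values and the password "4321" are copied from the thread.

```python
import hashlib
import hmac

# Sub-attribute type -> name, read off the radiusd -X output above: the first
# byte of each Digest-Attributes value next to the names rlm_digest prints.
SUBATTR_NAMES = {
    1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method", 4: "Digest-URI",
    5: "Digest-QOP", 8: "Digest-CNonce", 9: "Digest-Nonce-Count",
    10: "Digest-User-Name",
}

# Request id=200 from the log (the INVITE authentication request).
AUTH_REQUEST = {
    "User-Name": "6604321@10.0.1.22",
    "Digest-Attributes": [
        "0x0a0936363034333231",
        "0x010b31302e302e312e3232",
        "0x022a34323438363231313832363734333330343564643863363961336530393638353034363533356538",
        "0x04187369703a39393130393939304031302e302e312e3232",
        "0x0308494e56495445",
        "0x050661757468",
        "0x090a3030303030353233",
        "0x08223341394535413233394144323131443939334232303035304241373836433642",
    ],
    "Digest-Response": "8c6af680ab513e39c16d38bc14c41fbc",
}

# Request id=201 from the log (Sip-Group / Service-Type = Voice):
# it contains no Digest-Attributes and no Digest-Response.
GROUP_REQUEST = {
    "User-Name": "6604321@10.0.1.22",
    "Sip-Group": "mobile",
    "Service-Type": "Voice",
}


def decode_digest_attributes(hex_values):
    """Decode Digest-Attributes values (type, length, value) into a dict."""
    decoded = {}
    for hex_value in hex_values:
        text = hex_value[2:] if hex_value[:2].lower() == "0x" else hex_value
        raw = bytes.fromhex(text)
        pos = 0
        while pos < len(raw):
            if len(raw) - pos < 2:
                raise ValueError("truncated sub-attribute header")
            sub_type, length = raw[pos], raw[pos + 1]
            # The length byte counts the two header bytes as well.
            if length < 2 or pos + length > len(raw):
                raise ValueError(f"bad length {length} in sub-attribute {sub_type}")
            name = SUBATTR_NAMES.get(sub_type, f"Unknown-{sub_type}")
            decoded[name] = raw[pos + 2:pos + length].decode("ascii")
            pos += length
    return decoded


def md5_hex(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()


def expected_response(attrs, password):
    """Recompute the digest response the way the A1/A2/KD log lines show it."""
    ha1 = md5_hex(f'{attrs["Digest-User-Name"]}:{attrs["Digest-Realm"]}:{password}')
    ha2 = md5_hex(f'{attrs["Digest-Method"]}:{attrs["Digest-URI"]}')
    qop = attrs.get("Digest-QOP")
    if qop == "auth":
        kd = ":".join([ha1, attrs["Digest-Nonce"], attrs["Digest-Nonce-Count"],
                       attrs["Digest-CNonce"], qop, ha2])
    elif qop is None:
        kd = f'{ha1}:{attrs["Digest-Nonce"]}:{ha2}'
    else:
        raise ValueError(f"qop {qop!r} is not handled in this example")
    return md5_hex(kd)


def check_request(request, password):
    """Return 'match', 'mismatch' or 'no-digest-nonce' for one Access-Request."""
    attrs = decode_digest_attributes(request.get("Digest-Attributes", []))
    if "Digest-Nonce" not in attrs:
        # Nothing to hash against: the situation the ERROR line reports.
        return "no-digest-nonce"
    expected = expected_response(attrs, password)
    received = request.get("Digest-Response", "").lower()
    return "match" if hmac.compare_digest(expected, received) else "mismatch"


if __name__ == "__main__":
    for label, req in (("id=200", AUTH_REQUEST), ("id=201", GROUP_REQUEST)):
        print(label, check_request(req, "4321"))
```

Both requests match the same users entry, which sets Auth-Type := Digest; only the first one carries the digest material that the check needs.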
Hi, how can I check if a user is registered if I'm using radius authentication and persistent storage without adding users to the usrloc DB? The following section only works if you have added the users to the usrloc DB:
if (!lookup("location")) {
    # sl_send_reply("404", "Not Found");
    log(1,"unable to locate user");
    route(4);
    break;
};
But if I have my users in the Radius Server DB, I'm going to receive the "Not Found" message when I try to place a call.
Regards
Alberto Cruz
Jan Janak wrote:
Try to change your users file according to the radius howto:
joe@iptel.org Auth-Type := Digest, User-Password == "heslo" Reply-Message = "Authenticated", Sip-Rpid = "1234"
Jan.
On 21-03 16:15, Rafael J. Risco G.V. wrote:
Hi, I've configured freeradius and SER according to the Radius HOW TO document. Accounting works very well, but now I am doing some tests trying to do user authentication; however, all the authentication requests coming to freeradius fail and the X-lite sipphone is receiving an Unauthorized message from SER. Please, some advice,
thanks rafael
PS: config files...
in /usr/local/etc/raddb/users :
test Auth-Type := Digest, User-Password == "test" Reply-Message = "Hello, test with digest"
6609876 Auth-Type := Digest User-Password := "9876", Digest-Response = "lalalalala", Reply-Message = "Hello, ibm1"
6604321 Auth-Type := Digest User-Password := "4321", Digest-Response = "lalalalala", Reply-Message = "Hello, ibm2"
Some relevant data in ser.cfg: ... modparam("group_radius", "use_domain", 0) ....
if (uri==myself) {

    if (method=="REGISTER") {

        # Uncomment this if you want to use digest authentication
        if (!radius_www_authorize("")) {
            www_challenge("", "1");
            break;
        };

        if (!save("location")) {
            sl_reply_error();
        };
        break;
    };

    lookup("aliases");
    if (!uri==myself) {
        append_hf("P-hint: outbound alias\r\n");
        route(1);
        break;
    };

    # does the user wish redirection on no availability? (i.e., is he
    # in the voicemail group?) -- determine it now and store it in
    # flag 4, before we rewrite the flag using UsrLoc
    if (radius_is_user_in("Request-URI", "voicemail")) {
        log(1, "requested user is in voicemail group");
        setflag(4);
    };

    # native SIP destinations are handled using our USRLOC DB
    if (!lookup("location")) {
        # sl_send_reply("404", "Not Found");
        log(1,"unable to locate user");
        route(4);
        break;
    };
}; # End of "if(uri==myself)"
....
------------------RADIUSD -X Output ---------------------------:
rad_recv: Access-Request packet from host 127.0.0.1:33187, id=79, length=311
    User-Name = "6604321@10.0.1.22"
    Digest-Attributes = 0x0a0936363034333231
    Digest-Attributes = 0x010b31302e302e312e3232
    Digest-Attributes = 0x022a34323366333163373062336631643261643330383833633238303434316632663133643136613830
    Digest-Attributes = 0x040f7369703a31302e302e312e3232
    Digest-Attributes = 0x030a5245474953544552
    Digest-Attributes = 0x050661757468
    Digest-Attributes = 0x090a3030303030303162
    Digest-Attributes = 0x08224433343132424232394131453131443939334232303035304241373836433642
    Digest-Response = "a6a7812ac0331324f977453c228da2ed"
    Service-Type = IAPP-Register
    Sip-URI-User = "6604321"
    Cisco-AVPair = "call-id=D3412ADB9A1E11D993B20050BA786C6B@10.0.1.22"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 5060
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "chap" returns noop for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_digest: Converting Digest-Attributes to something sane...
    Digest-User-Name = "6604321"
    Digest-Realm = "10.0.1.22"
    Digest-Nonce = "423f31c70b3f1d2ad30883c280441f2f13d16a80"
    Digest-URI = "sip:10.0.1.22"
    Digest-Method = "REGISTER"
    Digest-QOP = "auth"
    Digest-Nonce-Count = "0000001b"
    Digest-CNonce = "D3412BB29A1E11D993B20050BA786C6B"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 8
rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321@10.0.1.22"
rlm_realm: No such realm "10.0.1.22"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 8
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 8
modcall: group authorize returns ok for request 8
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_digest: Configuration item "User-Password" is required for authentication.
modcall[authenticate]: module "digest" returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...

rad_recv: Access-Request packet from host 127.0.0.1:33188, id=80, length=311
    User-Name = "6609876@10.0.1.22"
    Digest-Attributes = 0x0a0936363039383736
    Digest-Attributes = 0x010b31302e302e312e3232
    Digest-Attributes = 0x022a34323366333163373062336631643261643330383833633238303434316632663133643136613830
    Digest-Attributes = 0x040f7369703a31302e302e312e3232
    Digest-Attributes = 0x030a5245474953544552
    Digest-Attributes = 0x050661757468
    Digest-Attributes = 0x090a3030303030303163
    Digest-Attributes = 0x08224433343132424235394131453131443939334232303035304241373836433642
    Digest-Response = "50fa695654b20e2eec54a1003fe15d9f"
    Service-Type = IAPP-Register
    Sip-URI-User = "6609876"
    Cisco-AVPair = "call-id=D3412ADE9A1E11D993B20050BA786C6B@10.0.1.22"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 5060
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
modcall[authorize]: module "preprocess" returns ok for request 9
modcall[authorize]: module "chap" returns noop for request 9
modcall[authorize]: module "mschap" returns noop for request 9
rlm_digest: Converting Digest-Attributes to something sane...
    Digest-User-Name = "6609876"
    Digest-Realm = "10.0.1.22"
    Digest-Nonce = "423f31c70b3f1d2ad30883c280441f2f13d16a80"
    Digest-URI = "sip:10.0.1.22"
    Digest-Method = "REGISTER"
    Digest-QOP = "auth"
    Digest-Nonce-Count = "0000001c"
    Digest-CNonce = "D3412BB59A1E11D993B20050BA786C6B"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 9
rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6609876@10.0.1.22"
rlm_realm: No such realm "10.0.1.22"
modcall[authorize]: module "suffix" returns noop for request 9
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 9
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 9
modcall: group authorize returns ok for request 9
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
rlm_digest: Configuration item "User-Password" is required for authentication.
modcall[authenticate]: module "digest" returns invalid for request 9
modcall: group authenticate returns invalid for request 9
auth: Failed to validate the user.
Delaying request 9 for 1 seconds
Finished request 9
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 79 to 127.0.0.1:33187
Waking up in 1 seconds...

rad_recv: Access-Request packet from host 127.0.0.1:33189, id=81, length=311
    User-Name = "6609876@10.0.1.22"
    Digest-Attributes = 0x0a0936363039383736
    Digest-Attributes = 0x010b31302e302e312e3232
    Digest-Attributes = 0x022a34323366333163373062336631643261643330383833633238303434316632663133643136613830
    Digest-Attributes = 0x040f7369703a31302e302e312e3232
    Digest-Attributes = 0x030a5245474953544552
    Digest-Attributes = 0x050661757468
    Digest-Attributes = 0x090a3030303030303163
    Digest-Attributes = 0x08224433343132424236394131453131443939334232303035304241373836433642
    Digest-Response = "e4f68760f2b3eed0ad45942b32542c92"
    Service-Type = IAPP-Register
    Sip-URI-User = "6609876"
    Cisco-AVPair = "call-id=D3412ADE9A1E11D993B20050BA786C6B@10.0.1.22"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 5060
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 10
modcall[authorize]: module "preprocess" returns ok for request 10
modcall[authorize]: module "chap" returns noop for request 10
modcall[authorize]: module "mschap" returns noop for request 10
rlm_digest: Converting Digest-Attributes to something sane...
    Digest-User-Name = "6609876"
    Digest-Realm = "10.0.1.22"
    Digest-Nonce = "423f31c70b3f1d2ad30883c280441f2f13d16a80"
    Digest-URI = "sip:10.0.1.22"
    Digest-Method = "REGISTER"
    Digest-QOP = "auth"
    Digest-Nonce-Count = "0000001c"
    Digest-CNonce = "D3412BB69A1E11D993B20050BA786C6B"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 10
rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6609876@10.0.1.22"
rlm_realm: No such realm "10.0.1.22"
modcall[authorize]: module "suffix" returns noop for request 10
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 10
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 10
modcall: group authorize returns ok for request 10
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 10
rlm_digest: Configuration item "User-Password" is required for authentication.
modcall[authenticate]: module "digest" returns invalid for request 10
modcall: group authenticate returns invalid for request 10
auth: Failed to validate the user.
Delaying request 10 for 1 seconds
Finished request 10
Going to the next request
Sending Access-Reject of id 80 to 127.0.0.1:33188
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 81 to 127.0.0.1:33189
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 8 ID 79 with timestamp 423f309b
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 9 ID 80 with timestamp 423f309c
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 10 ID 81 with timestamp 423f309d
Nothing to do. Sleeping until we see a request.
--
rrgv
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
How can I check if a user is registered if I'm using radius authentication and persistent storage without adding users at the usrloc DB?
What is "radius authentication and persistent storage"? You don't want to use the DB? Then set the db_mode to no DB and use save("location") as you would normally. You can also use save_memory(), but in that mode I assume they will basically do the same.
If you mean that you are saving location to RADIUS, I'm curious to know how? usrloc contains flags, expires etc. necessary for SER to function properly. If you have an external location database, then the clients haven't registered with SER, right?
g-)
The following section only works if you have added the users at the usrloc DB
if (!lookup("location")) {
    # sl_send_reply("404", "Not Found");
    log(1,"unable to locate user");
    route(4);
    break;
};
But if I have my users in the Radius Server DB I'm going to receive the message that "Not Found" when I try to place a call.
Regards
Alberto Cruz