Hi,
Can I use my existing radius server as my login authentication for ser? The existing radius uses the system to read the user accounts, but as explained in the radius howto, I must create the user accounts in the users file of freeradius. Please help.
Thanks,
Ryan, Only if it supports the http digest authentication mechanism. g-)
Ryan Pagquil wrote:
Hi,
Can I use my existing radius server as my login authentication for ser? The existing radius uses the system to read the user accounts, but as explained in the radius howto, I must create the user accounts in the users file of freeradius. Please help.
Thanks,
Greger V. Teigre wrote:
Ryan, Only if it supports the http digest authentication mechanism. g-)
This means, you need the user passwords in clear text.
regards, klaus
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
So it means that the System authentication that we are using now for radius will be ignored? Every user must exist in the users file of freeradius?
Thanks,
Klaus Darilion wrote:
Greger V. Teigre wrote:
Ryan, Only if it supports the http digest authentication mechanism. g-)
This means, you need the user passwords in clear text.
regards, klaus
The users need not be in the users file. You can store your users anywhere (file, database, ...). The important thing however is: the radius server has to support digest authentication. Thus, the passwords must be stored in cleartext.
regards klaus
Ah ok. BTW I'm testing radius authentication now, and I can't get authenticated. I use ser-0.9.3 and freeradius. Here is the information about my test and setup:
In the users file of freeradius I have these:
rpagquil@server4all Auth-Type := Digest, User-Password == "test123"
    Reply-Message = "Authenticated"
rpagquil@server4all Auth-Type := Accept
    Reply-Message = "Authorized"
In ser.cfg I have these:
modparam("auth_radius", "radius_config", "/usr/local/etc/radiusclient/radiusclient.conf")
modparam("auth_radius", "service_type", 15)
if (!radius_www_authorize("server4all")) {
    www_challenge("", "1");
    break;
};
save("location");
break;
and this is my radius log with radiusd -X:
rad_recv: Access-Request packet from host 127.0.0.1:1733, id=95, length=318
    User-Name = "rpagquil@server4all"
    Digest-Attributes = "\n\nrpagquil"
    Digest-Attributes = "\001\014server4all"
    Digest-Attributes = "\002*42ee018773f7ef0ca37028652e16deef71bdc6e9"
    Digest-Attributes = "\004\020sip:server4all"
    Digest-Attributes = "\003\nREGISTER"
    Digest-Attributes = "\005\006auth"
    Digest-Attributes = "\t\n00000002"
    Digest-Attributes = "\010"D845A10802BC11DABFB500E04CAB4AB4"
    Digest-Response = "67c537d0fb13d95416e2bb973b3caa4a"
    Service-Type = Sip-Session
    Sip-URI-User = "rpagquil"
    Cisco-AVPair = "call-id=D845A10302BC11DABFB500E04CAB4AB4@server4all"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 5060
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: Looking up realm "server4all" for User-Name = "rpagquil@server4all"
rlm_realm: Found realm "DEFAULT"
rlm_realm: Adding Stripped-User-Name = "rpagquil"
rlm_realm: Proxying request from user rpagquil to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched DEFAULT at 162
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "unix" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Login incorrect: [rpagquil@server4all] (from client server port 5060)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1734, id=96, length=318
    User-Name = "rpagquil@server4all"
    Digest-Attributes = "\n\nrpagquil"
    Digest-Attributes = "\001\014server4all"
    Digest-Attributes = "\002*42ee018773f7ef0ca37028652e16deef71bdc6e9"
    Digest-Attributes = "\004\020sip:server4all"
    Digest-Attributes = "\003\nREGISTER"
    Digest-Attributes = "\005\006auth"
    Digest-Attributes = "\t\n00000002"
    Digest-Attributes = "\010"D845A10902BC11DABFB500E04CAB4AB4"
    Digest-Response = "4c7a54f5710a95dc6c7620ac04271c28"
    Service-Type = Sip-Session
    Sip-URI-User = "rpagquil"
    Cisco-AVPair = "call-id=D845A10302BC11DABFB500E04CAB4AB4@server4all"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 5060
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 1
rlm_realm: Looking up realm "server4all" for User-Name = "rpagquil@server4all"
rlm_realm: Found realm "DEFAULT"
rlm_realm: Adding Stripped-User-Name = "rpagquil"
rlm_realm: Proxying request from user rpagquil to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 1
users: Matched DEFAULT at 162
modcall[authorize]: module "files" returns ok for request 1
modcall[authorize]: module "mschap" returns noop for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_unix: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "unix" returns invalid for request 1
modcall: group authenticate returns invalid for request 1
auth: Failed to validate the user.
Login incorrect: [rpagquil@server4all] (from client server port 5060)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Sending Access-Reject of id 95 to 127.0.0.1:1733
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 96 to 127.0.0.1:1734
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 95 with timestamp 42ee005c
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 96 with timestamp 42ee005d
Nothing to do. Sleeping until we see a request.
Please help.
Thanks,
What is "System" authentication? Does it use the unix user accounts (passwd)? If yes, it can't work, as the system does not store the passwords in clear text.
regards, klaus
I replaced System with digest authentication and the result is this:
rad_recv: Access-Request packet from host 127.0.0.1:1758, id=145, length=318
    User-Name = "rpagquil@server4all"
    Digest-Attributes = "\n\nrpagquil"
    Digest-Attributes = "\001\014server4all"
    Digest-Attributes = "\002*42ee08a5a74a8d5a8e2028edd9f31ce75d40d551"
    Digest-Attributes = "\004\020sip:server4all"
    Digest-Attributes = "\003\nREGISTER"
    Digest-Attributes = "\005\006auth"
    Digest-Attributes = "\t\n00000002"
    Digest-Attributes = "\010"142A216802C111DABFB500E04CAB4AB4"
    Digest-Response = "da8032e6eb15381a0cbad43e6b981458"
    Service-Type = Sip-Session
    Sip-URI-User = "rpagquil"
    Cisco-AVPair = "call-id=142A216302C111DABFB500E04CAB4AB4@server4all"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 5060
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
rlm_digest: Converting Digest-Attributes to something sane...
    Digest-User-Name = "rpagquil"
    Digest-Realm = "server4all"
    Digest-Nonce = "42ee08a5a74a8d5a8e2028edd9f31ce75d40d551"
    Digest-URI = "sip:server4all"
    Digest-Method = "REGISTER"
    Digest-QOP = "auth"
    Digest-Nonce-Count = "00000002"
    Digest-CNonce = "142A216802C111DABFB500E04CAB4AB4"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 0
rlm_realm: Looking up realm "server4all" for User-Name = "rpagquil@server4all"
rlm_realm: Found realm "DEFAULT"
rlm_realm: Adding Stripped-User-Name = "rpagquil"
rlm_realm: Proxying request from user rpagquil to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched DEFAULT at 162
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type DIGEST
auth: type "Digest"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_digest: Configuration item "User-Password" is required for authentication.
modcall[authenticate]: module "digest" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Login incorrect: [rpagquil@server4all] (from client server port 5060)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1759, id=146, length=318
    User-Name = "rpagquil@server4all"
    Digest-Attributes = "\n\nrpagquil"
    Digest-Attributes = "\001\014server4all"
    Digest-Attributes = "\002*42ee08a5a74a8d5a8e2028edd9f31ce75d40d551"
    Digest-Attributes = "\004\020sip:server4all"
    Digest-Attributes = "\003\nREGISTER"
    Digest-Attributes = "\005\006auth"
    Digest-Attributes = "\t\n00000002"
    Digest-Attributes = "\010"142A216902C111DABFB500E04CAB4AB4"
    Digest-Response = "9d27c6e00fb5490e25c6166a2ce5c149"
    Service-Type = Sip-Session
    Sip-URI-User = "rpagquil"
    Cisco-AVPair = "call-id=142A216302C111DABFB500E04CAB4AB4@server4all"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 5060
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 1
rlm_digest: Converting Digest-Attributes to something sane...
    Digest-User-Name = "rpagquil"
    Digest-Realm = "server4all"
    Digest-Nonce = "42ee08a5a74a8d5a8e2028edd9f31ce75d40d551"
    Digest-URI = "sip:server4all"
    Digest-Method = "REGISTER"
    Digest-QOP = "auth"
    Digest-Nonce-Count = "00000002"
    Digest-CNonce = "142A216902C111DABFB500E04CAB4AB4"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 1
rlm_realm: Looking up realm "server4all" for User-Name = "rpagquil@server4all"
rlm_realm: Found realm "DEFAULT"
rlm_realm: Adding Stripped-User-Name = "rpagquil"
rlm_realm: Proxying request from user rpagquil to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 1
users: Matched DEFAULT at 162
modcall[authorize]: module "files" returns ok for request 1
modcall[authorize]: module "mschap" returns noop for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type DIGEST
auth: type "Digest"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
rlm_digest: Configuration item "User-Password" is required for authentication.
modcall[authenticate]: module "digest" returns invalid for request 1
modcall: group Auth-Type returns invalid for request 1
auth: Failed to validate the user.
Login incorrect: [rpagquil@server4all] (from client server port 5060)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Sending Access-Reject of id 145 to 127.0.0.1:1758
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 146 to 127.0.0.1:1759
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 145 with timestamp 42ee0779
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 146 with timestamp 42ee077b
Nothing to do. Sleeping until we see a request.
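
An added example, not part of the thread or of FreeRADIUS/ser: it decodes the Digest-Attributes sub-attributes from the id=145 request above and recomputes the digest response the way RFC 2617 defines it (MD5, qop=auth), which shows why the server needs a "User-Password" it can read rather than a one-way system hash. The type-to-name table is read off the log; the function names are made up for this sketch.

```python
import hashlib
import hmac

# Sub-attribute type bytes as seen in the log, paired with the names
# rlm_digest prints after "Converting Digest-Attributes to something sane...".
SUBTYPES = {
    1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method", 4: "Digest-URI",
    5: "Digest-QOP", 8: "Digest-CNonce", 9: "Digest-Nonce-Count",
    10: "Digest-User-Name",
}

# Values copied from the Access-Request with id=145 in the thread.
# Layout of each: type byte, length byte (header included), value.
RAW_ATTRS = [
    b"\n\nrpagquil",
    b"\001\014server4all",
    b"\002*42ee08a5a74a8d5a8e2028edd9f31ce75d40d551",
    b"\004\020sip:server4all",
    b"\003\nREGISTER",
    b"\005\006auth",
    b"\t\n00000002",
    b"\010\"142A216802C111DABFB500E04CAB4AB4",
]
LOGGED_RESPONSE = "da8032e6eb15381a0cbad43e6b981458"


def decode_digest_attributes(raw_attrs):
    """Turn the type/length/value sub-attributes into named fields."""
    fields = {}
    for raw in raw_attrs:
        if len(raw) < 2:
            raise ValueError("sub-attribute shorter than its 2-byte header")
        subtype, length = raw[0], raw[1]
        if length != len(raw):
            raise ValueError(f"length byte {length} != actual size {len(raw)}")
        if subtype not in SUBTYPES:
            raise ValueError(f"unknown sub-attribute type {subtype}")
        fields[SUBTYPES[subtype]] = raw[2:].decode("ascii")
    return fields


def _md5(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()


def expected_response(fields, password):
    """RFC 2617 response for qop=auth. HA1 is built from the password itself,
    so a salted one-way hash from passwd/shadow gives nothing to compute with."""
    ha1 = _md5(f'{fields["Digest-User-Name"]}:{fields["Digest-Realm"]}:{password}')
    ha2 = _md5(f'{fields["Digest-Method"]}:{fields["Digest-URI"]}')
    return _md5(":".join([ha1, fields["Digest-Nonce"],
                          fields["Digest-Nonce-Count"], fields["Digest-CNonce"],
                          fields["Digest-QOP"], ha2]))


def verify(fields, digest_response, password):
    """Constant-time comparison of the recomputed and received responses."""
    return hmac.compare_digest(expected_response(fields, password),
                               digest_response.lower())


if __name__ == "__main__":
    fields = decode_digest_attributes(RAW_ATTRS)
    for name, value in fields.items():
        print(f"{name} = {value!r}")
    # "test123" is the password from the users file quoted in the thread.
    print("matches logged response:", verify(fields, LOGGED_RESPONSE, "test123"))
```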