Hi,
I have installed openser, mysql, radiusclient-ng-0.5.2 successfully on REL3.0. openser works well with mysql. I need to send a radius authentication packet to a radius server (according to RFC2865). Packet contains base params:
User-name (attr.1) $Username
Password (attr.2) $Password
NAS-Identifier (attr.4) (auto-generated)
NAS-Port (attr.5) $uref
State (attr.24) 0
Client-Port-DNIS (attr.30) NONE
Caller-Id (attr.31) $calling
I can not find a clear sample about radius. Which module is used for this purpose?
Regards
Arda
Hi Arda,
you need to use auth_radius for this purpose. See: http://www.openser.org/docs/modules/1.1.x/auth_radius.html
regards, bogdan
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
First, is there any difference between 1.0.x and 1.1.x according to radius functionality? I have checked this module but I couldn't get enough information. OpenSER starts successfully but can not send any radius packet. Is there something missing? I want to share my conf files:
------------------- radiusclient.conf -------------------
auth_order      radius,local
login_tries     4
login_timeout   60
nologin         /etc/nologin
issue           /usr/local/etc/radiusclient-ng/issue

# RADIUS settings
authserver      192.168.1.3
acctserver      192.168.1.3
servers         /usr/local/etc/radiusclient-ng/servers

# dictionary of allowed attributes and values
# just like in the normal RADIUS distributions
dictionary      /usr/local/etc/radiusclient-ng/dictionary
dictionary      /usr/local/etc/radiusclient-ng/dictionary.sip
dictionary      /usr/local/etc/radiusclient-ng/dictionary.ascend
dictionary      /usr/local/etc/radiusclient-ng/dictionary.compat
dictionary      /usr/local/etc/radiusclient-ng/dictionary.merit
dictionary      /usr/local/etc/openser/dictionary.radius

login_radius    /usr/local/sbin/login.radius
seqfile         /var/run/radius.seq
mapfile         /usr/local/etc/radiusclient-ng/port-id-map
default_realm
radius_timeout  10
radius_retries  3
bindaddr        localhost
login_local     /bin/login
------------------------------------

-------------- openser.cfg --------------
debug=9            # debug level (cmd line: -dddddddddd)
fork=yes
log_stderror=yes   # (cmd line: -E)

check_via=no       # (cmd. line: -v)
dns=no             # (cmd. line: -r)
rev_dns=no         # (cmd. line: -R)
port=5060
children=4
fifo="/tmp/openser_fifo"

# ------------------ module loading ----------------------------------

# Uncomment this if you want to use SQL database
loadmodule "/usr/local/lib/openser/modules/mysql.so"
loadmodule "/usr/local/lib/openser/modules/sl.so"
loadmodule "/usr/local/lib/openser/modules/tm.so"
loadmodule "/usr/local/lib/openser/modules/rr.so"
loadmodule "/usr/local/lib/openser/modules/maxfwd.so"
loadmodule "/usr/local/lib/openser/modules/usrloc.so"
loadmodule "/usr/local/lib/openser/modules/registrar.so"
loadmodule "/usr/local/lib/openser/modules/textops.so"
#loadmodule "/usr/local/lib/openser/modules/domain.so"
#loadmodule "/usr/local/lib/openser/modules/mediaproxy.so"
#loadmodule "/usr/local/lib/openser/modules/group.so"

# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "/usr/local/lib/openser/modules/auth.so"
loadmodule "/usr/local/lib/openser/modules/auth_db.so"
loadmodule "/usr/local/lib/openser/modules/auth_radius.so"

modparam("auth_radius", "radius_config","/usr/local/etc/radiusclient-ng/radiusclient.conf")
modparam("auth_radius", "service_type", 15)

# ----------------- setting module-specific parameters ---------------

# -- usrloc params --

modparam("usrloc", "db_mode", 2)
modparam("auth_db", "calculate_ha1", yes)
#modparam("auth_db", "password_column", "password")

modparam("rr", "enable_full_lr", 1)

modparam("registrar", "nat_flag", 2)
#modparam("auth_db", "use_domain", 1)

modparam("usrloc", "db_url", "mysql://openser:openserrw@localhost/openser")
modparam("usrloc", "user_column", "username")
modparam("usrloc", "contact_column", "contact")
modparam("usrloc", "expires_column", "expires")
modparam("usrloc", "q_column", "q")
modparam("usrloc", "callid_column", "callid")
modparam("usrloc", "cseq_column", "cseq")
modparam("usrloc", "method_column", "method")
modparam("usrloc", "user_agent_column", "user_agent")
modparam("usrloc", "timer_interval", 30)

modparam("usrloc", "use_domain", 1)
modparam("usrloc", "domain_column", "domain")
modparam("registrar", "use_domain", 1)

# ------------------------- request routing logic -------------------

# main routing logic

route{
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        exit;
    };

    if (msg:len >= 2048 ) {
        sl_send_reply("513", "Message too big");
        exit;
    };

    if (!method=="REGISTER")
        record_route();

    if (loose_route()) {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        route(1);
    };

    if (!uri==myself) {
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        route(1);
    };

    if (uri==myself) {
        if (method=="REGISTER") {

            if (!radius_www_authorize("")) {
                log(1, "REGISTER: challenging user2\n");
                www_challenge("","0");
                exit;
            };

            save("location");
            exit;
        };

        lookup("aliases");
        if (!uri==myself) {
            append_hf("P-hint: outbound alias\r\n");
            route(1);
        };

        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) {
            sl_send_reply("404", "Not Found");
            exit;
        };
        append_hf("P-hint: usrloc applied\r\n");
    };

    route(1);
}

route[1] {
    # send it out now; use stateful forwarding as it works reliably
    # even for UDP2TCP
    if (!t_relay()) {
        sl_reply_error();
    };
    exit;
}
---------------------------------------
--------------------------------------
/usr/local/etc/openser/dictionary.radius
--------------------------------------
#### Attributes ###
ATTRIBUTE User-Name                    1    string   # RFC2865, acc, auth_radius, avp_radius, group_radius, uri_radius
ATTRIBUTE Service-Type                 6    integer  # RFC2865, acc, auth_radius, avp_radius, group_radius, uri_radius
ATTRIBUTE Called-Station-Id            30   string   # RFC2865, acc
ATTRIBUTE Calling-Station-Id           31   string   # RFC2865, acc
ATTRIBUTE Acct-Status-Type             40   integer  # RFC2865, acc
ATTRIBUTE Acct-Session-Id              44   string   # RFC2865, acc
ATTRIBUTE Sip-Method                   101  integer  # Schulzrinne, acc
ATTRIBUTE Sip-Response-Code            102  integer  # Schulzrinne, acc
ATTRIBUTE Sip-Cseq                     103  string   # Schulzrinne, acc
ATTRIBUTE Sip-To-Tag                   104  string   # Schulzrinne, acc
ATTRIBUTE Sip-From-Tag                 105  string   # Schulzrinne, acc
ATTRIBUTE Sip-Translated-Request-URI   107  string   # Proprietary, acc
ATTRIBUTE Digest-Response              206  string   # Sterman, auth_radius
ATTRIBUTE Sip-Uri-User                 208  string   # Proprietary, auth_radius
ATTRIBUTE Sip-Group                    211  string   # Proprietary, group_radius
ATTRIBUTE Sip-Rpid                     213  string   # Proprietary, auth_radius
ATTRIBUTE SIP-AVP                      225  string   # Proprietary, avp_radius
ATTRIBUTE Digest-Realm                 1063 string   # Sterman, auth_radius
ATTRIBUTE Digest-Nonce                 1064 string   # Sterman, auth_radius
ATTRIBUTE Digest-Method                1065 string   # Sterman, auth_radius
ATTRIBUTE Digest-URI                   1066 string   # Sterman, auth_radius
ATTRIBUTE Digest-QOP                   1067 string   # Sterman, auth_radius
ATTRIBUTE Digest-Algorithm             1068 string   # Sterman, auth_radius
ATTRIBUTE Digest-Body-Digest           1069 string   # Sterman, auth_radius
ATTRIBUTE Digest-CNonce                1070 string   # Sterman, auth_radius
ATTRIBUTE Digest-Nonce-Count           1071 string   # Sterman, auth_radius
ATTRIBUTE Digest-User-Name             1072 string   # Sterman, auth_radius
ATTRIBUTE Digest-User-Password         1073 string   # Arda_ADD -> http://openser.org/dokuwiki/doku.php?id=radius

### CISCO Vendor Specific Attributes ###
VENDOR    Cisco 9
ATTRIBUTE Cisco-AVPair                 1    string   Cisco  # VSA, auth_radius

### Acct-Status-Type Values ###
VALUE Acct-Status-Type  Start            1   # RFC2866, acc
VALUE Acct-Status-Type  Stop             2   # RFC2866, acc
VALUE Acct-Status-Type  Failed           15  # RFC2866, acc

### Service-Type Values ###
VALUE Service-Type      Call-Check       10  # RFC2865, uri_radius
VALUE Service-Type      Group-Check      12  # Proprietary, group_radius
VALUE Service-Type      Sip-Session      15  # Schulzrinne, acc, auth_radius
VALUE Service-Type      SIP-Caller-AVPs  30  # Proprietary, avp_radius
VALUE Service-Type      SIP-Callee-AVPs  31  # Proprietary, avp_radius

-------------------------------------------------------------------------------------
Help please
Thanks in advance Arda
----- Original Message -----
From: "Bogdan-Andrei Iancu" bogdan@voice-system.ro
To: "Arda Tekin" arda@nicivr.com
Cc: users@openser.org
Sent: Friday, November 25, 2005 5:00 PM
Subject: Re: [Users] How can I send radius authentication packet with openser
Hi Arda,
you need to use auth_radius for this purpose. See: http://www.openser.org/docs/modules/1.1.x/auth_radius.html
regards, bogdan
I have also compiled "avp_radius" module and load it in openser.cfg. Nothing changed.
Sip Client IP: 192.168.1.2
OpenSER: 192.168.1.5
Radius Server: 192.168.1.3

Here is the openser debug log:
------------------------------------
[root@localhost openser]#
6(2884) SIP Request:
6(2884) method: <REGISTER>
6(2884) uri: sip:192.168.1.5
6(2884) version: <SIP/2.0>
6(2884) parse_headers: flags=2
6(2884) DEBUG:parse_to:end of header reached, state=9
6(2884) DEBUG: get_hdr_field: <To> [36]; uri=[sip:arda@192.168.1.5]
6(2884) DEBUG: to body [arda_eyebeamsip:arda@192.168.1.5 ]
6(2884) Found param type 232, <branch> = <z9hG4bK-d87543-622802375-1--d87543->; state=6
6(2884) Found param type 235, <rport> = <n/a>; state=17
6(2884) end of header reached, state=5
6(2884) parse_headers: Via found, flags=2
6(2884) parse_headers: this is the first via
6(2884) After parse_msg...
6(2884) preparing to run routing scripts...
6(2884) parse_headers: flags=100
6(2884) get_hdr_field: cseq <CSeq>: <1> <REGISTER>
6(2884) DEBUG:maxfwd:is_maxfwd_present: value = 70
6(2884) parse_headers: flags=200
6(2884) DEBUG: get_hdr_body : content_length=0
6(2884) found end of header
6(2884) find_first_route: No Route headers found
6(2884) loose_route: There is no Route HF
6(2884) grep_sock_info - checking if host==us: 11==9 && [192.168.1.5] == [127.0.0.1]
6(2884) grep_sock_info - checking if port 5060 matches port 5060
6(2884) grep_sock_info - checking if host==us: 11==11 && [192.168.1.5] == [192.168.1.5]
6(2884) grep_sock_info - checking if port 5060 matches port 5060
6(2884) grep_sock_info - checking if host==us: 11==9 && [192.168.1.5] == [127.0.0.1]
6(2884) grep_sock_info - checking if port 5060 matches port 5060
6(2884) grep_sock_info - checking if host==us: 11==11 && [192.168.1.5] == [192.168.1.5]
6(2884) grep_sock_info - checking if port 5060 matches port 5060
6(2884) parse_headers: flags=2000
6(2884) pre_auth(): Credentials with given realm not found
6(2884) REGISTER: challenging user2
6(2884) build_auth_hf(): 'WWW-Authenticate: Digest realm="192.168.1.5", nonce="438222d8c7aac499351c46bad60c32a2c03eb751" '
6(2884) parse_headers: flags=ffffffffffffffff
6(2884) check_via_address(192.168.1.2, 192.168.1.2, 0)
6(2884) DEBUG:destroy_avp_list: destroying list (nil)
6(2884) receive_msg: cleaning up
6(2884) SIP Request:
6(2884) method: <REGISTER>
6(2884) uri: sip:192.168.1.5
6(2884) version: <SIP/2.0>
6(2884) parse_headers: flags=2
6(2884) DEBUG:parse_to:end of header reached, state=9
6(2884) DEBUG: get_hdr_field: <To> [36]; uri=[sip:arda@192.168.1.5]
6(2884) DEBUG: to body [arda_eyebeamsip:arda@192.168.1.5 ]
6(2884) Found param type 232, <branch> = <z9hG4bK-d87543-907902613-1--d87543->; state=6
6(2884) Found param type 235, <rport> = <n/a>; state=17
6(2884) end of header reached, state=5
6(2884) parse_headers: Via found, flags=2
6(2884) parse_headers: this is the first via
6(2884) After parse_msg...
6(2884) preparing to run routing scripts...
6(2884) parse_headers: flags=100
6(2884) get_hdr_field: cseq <CSeq>: <2> <REGISTER>
6(2884) DEBUG:maxfwd:is_maxfwd_present: value = 70
6(2884) parse_headers: flags=200
6(2884) DEBUG: get_hdr_body : content_length=0
6(2884) found end of header
6(2884) find_first_route: No Route headers found
6(2884) loose_route: There is no Route HF
6(2884) grep_sock_info - checking if host==us: 11==9 && [192.168.1.5] == [127.0.0.1]
6(2884) grep_sock_info - checking if port 5060 matches port 5060
6(2884) grep_sock_info - checking if host==us: 11==11 && [192.168.1.5] == [192.168.1.5]
6(2884) grep_sock_info - checking if port 5060 matches port 5060
6(2884) grep_sock_info - checking if host==us: 11==9 && [192.168.1.5] == [127.0.0.1]
6(2884) grep_sock_info - checking if port 5060 matches port 5060
6(2884) grep_sock_info - checking if host==us: 11==11 && [192.168.1.5] == [192.168.1.5]
6(2884) grep_sock_info - checking if port 5060 matches port 5060
6(2884) check_nonce(): comparing [438222d8c7aac499351c46bad60c32a2c03eb751] and [438222d8c7aac499351c46bad60c32a2c03eb751]
6(2884) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
6(2884) REGISTER: challenging user2
6(2884) build_auth_hf(): 'WWW-Authenticate: Digest realm="192.168.1.5", nonce="438222d8c7aac499351c46bad60c32a2c03eb751" '
6(2884) parse_headers: flags=ffffffffffffffff
6(2884) check_via_address(192.168.1.2, 192.168.1.2, 0)
6(2884) DEBUG:destroy_avp_list: destroying list (nil)
6(2884) receive_msg: cleaning up
-------------------------------------------
As I see in the sterman.c source rc_auth fails:
    /* Send request */
    if ((i = rc_auth(rh, SIP_PORT, send, &received, msg)) == OK_RC) {
        DBG("DEBUG:auth_radius:radius_authorize_sterman: Success\n");
        rc_avpair_free(send);
        send = 0;

        generate_avps(received);

        rc_avpair_free(received);
        return 1;
    } else {
        LOG(L_ERR,"ERROR:auth_radius:radius_authorize_sterman: "
            "rc_auth failed\n");
        goto err;
    }
Any opinion?
Thanks in advance
Arda
OK. I have found the problem:
First I made some modifications:

in the radiusclient.conf
auth_order radius
authserver 192.168.1.3:1812
acctserver 192.168.1.3:1813
dictionary /usr/local/etc/radiusclient-ng/dictionary
(this file is the modified one: dictionary.radius + dictionary = dictionary)

in the openser.cfg
if (!radius_www_authorize("")) {
    www_challenge("", "1");
    exit;
};

http://www.iptel.org/ser/doc/ser_radius/ser_radius.html --> good reference
But there is still the same problem. rc_auth fails. Because when I check radiusclient-ng.0.5.2 release notes, I see that "Change default bindaddr from localhost to *, this is better default choice; " When I replaced "bindaddr *" with "bindaddr localhost" then openser could send the radius authentication packet successfully.
But I have a new problem. I get access-reject from radius server. Because Radius server does not like the authentication packet parameters.
Radius Access-Request packet
---------------------------------
Frame 4 (285 bytes on wire, 285 bytes captured)
Ethernet II, Src: 00:0c:29:66:be:30, Dst: 00:0f:66:bf:e3:26
Internet Protocol, Src Addr: 192.168.1.5 (192.168.1.5), Dst Addr: 192.168.1.3 (192.168.1.3)
User Datagram Protocol, Src Port: 33029 (33029), Dst Port: radius (1812)
Radius Protocol
    Code: Access Request (1)
    Packet identifier: 0x82 (130)
    Length: 243
    Authenticator: 0xD111DF9D4AB93482DDFE5494DA739935
    Attribute value pairs
        t:User Name(1) l:21, Value:"openser@192.168.1.5"
            User-Name: openser@192.168.1.5
        t:Unknown Type(207) l:11, Value:Unknown Value Type
        t:Unknown Type(207) l:15, Value:Unknown Value Type
        t:Unknown Type(207) l:44, Value:Unknown Value Type
        t:Unknown Type(207) l:19, Value:Unknown Value Type
        t:Unknown Type(207) l:12, Value:Unknown Value Type
        t:Unknown Type(207) l:8, Value:Unknown Value Type
        t:Unknown Type(207) l:12, Value:Unknown Value Type
        t:Unknown Type(207) l:20, Value:Unknown Value Type
        t:Unknown Type(206) l:34, Value:Unknown Value Type
        t:Service Type(6) l:6, Value:IAPP-Register(15)
            Service-Type: IAPP-Register (15)
        t:Unknown Type(208) l:9, Value:Unknown Value Type
        t:NAS Port(5) l:6, Value:5060
        t:NAS IP Address(4) l:6, Value:192.168.1.5
            Nas IP Address: 192.168.1.5 (192.168.1.5)
---------------------------------

Radius Access-Reject packet
---------------------------------
Frame 5 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: 00:0f:66:bf:e3:26, Dst: 00:0c:29:66:be:30
Internet Protocol, Src Addr: 192.168.1.3 (192.168.1.3), Dst Addr: 192.168.1.5 (192.168.1.5)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 33029 (33029)
Radius Protocol
    Code: Access Reject (3)
    Packet identifier: 0x82 (130)
    Length: 20
    Authenticator: 0xD0427CE5ECB9E77369587E30B48D0B99
-------------------------------------
So I need to modify the outgoing packet params. Is it possible? And can I also send additional "Vendor Specific Attribute" parameters?
Regards
Arda
----- Original Message -----
From: "Arda Tekin" arda@nicivr.com
To: "Bogdan-Andrei Iancu" bogdan@voice-system.ro
Cc: users@openser.org
Sent: Saturday, November 26, 2005 2:40 PM
Subject: Re: [Users] How can I send radius authentication packet with openser
I have also compiled "avp_radius" module and load it in openser.cfg. Nothing changed.
Hi,
You cannot alter the content of the radius auth request unless you get into the sources. Are you sure you need to do this? Isn't it just a matter of configuration on your RADIUS server? What server are you using? And what is the logged error from the server?
regards, bogdan
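
Added example, not part of the original thread and not OpenSER or radiusclient-ng code: a small Python decoder showing what the "Unknown Type(207)" and "Unknown Type(206)" entries in the Access-Request capture are. It assumes the Digest-Attributes sub-attribute numbering of draft-sterman-aaa-sip (sub-type = dictionary code minus 1062) and runs on a constructed packet whose attribute order and lengths match the capture; the digest response, qop, nonce-count and cnonce values and all function names are made up for illustration.

```python
import struct

# Sub-attribute numbers carried inside Digest-Attributes (207), assumed from
# draft-sterman-aaa-sip. The thread's dictionary.radius lists the same fields
# as 1063..1072, i.e. sub-type + 1062.
DIGEST_SUBTYPES = {
    1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method", 4: "Digest-URI",
    5: "Digest-QOP", 6: "Digest-Algorithm", 7: "Digest-Body-Digest",
    8: "Digest-CNonce", 9: "Digest-Nonce-Count", 10: "Digest-User-Name",
}
ATTR_NAMES = {
    1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
    6: "Service-Type", 206: "Digest-Response", 207: "Digest-Attributes",
    208: "Sip-Uri-User",
}


def tlv(attr_type, value):
    """Encode one attribute: type, length (including the 2-byte header), value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_sample_request():
    """CONSTRUCTED Access-Request with the attribute order/lengths of the capture."""
    def dig(sub, text):
        return tlv(207, tlv(sub, text.encode()))
    attrs = b"".join([
        tlv(1, b"openser@192.168.1.5"),
        dig(10, "openser"),
        dig(1, "192.168.1.5"),
        dig(2, "438222d8c7aac499351c46bad60c32a2c03eb751"),  # nonce from the debug log
        dig(4, "sip:192.168.1.5"),
        dig(3, "REGISTER"),
        dig(5, "auth"),                # constructed value
        dig(9, "00000001"),            # constructed value
        dig(8, "0123456789abcdef"),    # constructed value
        tlv(206, b"0" * 32),           # constructed placeholder response
        tlv(6, struct.pack("!I", 15)),
        tlv(208, b"openser"),
        tlv(5, struct.pack("!I", 5060)),
        tlv(4, bytes([192, 168, 1, 5])),
    ])
    authenticator = bytes(16)          # placeholder, not the captured value
    return struct.pack("!BBH", 1, 0x82, 20 + len(attrs)) + authenticator + attrs


def parse_tlvs(buf):
    """Split a buffer into (type, length, value) triples, rejecting bad lengths."""
    out, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header at offset %d" % i)
        attr_type, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad attribute length %d at offset %d" % (length, i))
        out.append((attr_type, length, buf[i + 2:i + length]))
        i += length
    return out


def decode_request(pkt):
    """Return (code, identifier, length, rows); rows are (type, len, name, value)."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("header length field does not fit the datagram")
    rows = []
    for attr_type, alen, value in parse_tlvs(pkt[20:length]):
        if attr_type == 207:
            # Digest-Attributes wraps one or more sub-TLVs.
            for sub, _, sval in parse_tlvs(value):
                name = DIGEST_SUBTYPES.get(sub, "Digest-sub-%d" % sub)
                rows.append((attr_type, alen, name, sval.decode("ascii", "replace")))
            continue
        name = ATTR_NAMES.get(attr_type, "attr-%d" % attr_type)
        if attr_type in (5, 6) and len(value) == 4:
            shown = str(struct.unpack("!I", value)[0])
        elif attr_type == 4 and len(value) == 4:
            shown = ".".join(str(b) for b in value)
        else:
            shown = value.decode("ascii", "replace")
        rows.append((attr_type, alen, name, shown))
    return code, ident, length, rows


def credential_summary(rows):
    """Which credential material the request carries, for comparison with server config."""
    names = [name for _, _, name, _ in rows]
    return {
        "user_password": "User-Password" in names,
        "digest_response": "Digest-Response" in names,
        "digest_fields": sorted(n for n in names
                                if n.startswith("Digest-") and n != "Digest-Response"),
    }


if __name__ == "__main__":
    code, ident, length, rows = decode_request(build_sample_request())
    print("code=%d id=0x%02x length=%d" % (code, ident, length))
    for attr_type, alen, name, shown in rows:
        print("t:%-3d l:%-2d %-20s %s" % (attr_type, alen, name, shown))
    print(credential_summary(rows))
```

The decoded request carries no User-Password (attr. 2), only Digest-Response plus the Digest-Attributes fields, so the RADIUS server has to understand these attributes to validate the request.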