Hello list,
I've been trying my hardest today to get group_radius to work, and its function radius_is_user_in(). I'm running ser 0.9.4 and freeradius 1.0.4 with the mysql backend and digest authentication.
Radius authentication works fine. The problem is that when the radius_is_user_in() function gets called, it sends a radius message but without the User-Password field, and freeradius complains that it requires it since we are using Digest. I've seen a couple of posts here, but they were never answered:
http://mail.iptel.org/pipermail/serusers/2005-March/017342.html
http://mail.iptel.org/pipermail/serusers/2005-March/017075.html
-----
I have a small test in my ser.cfg file:

    if (!radius_www_authorize("")) {
        xlog("L_I","%ci - %fu - User not authenticated, Radius Authenticating...\n");
        www_challenge("","0");
        break;
    } else {
        xlog("L_I","%ci - %fu - User authenticated...\n");
    };

    if (radius_is_user_in("From", "Dialin")) {
        xlog("L_I","From: User is in Radius Group Dialin!!!!\n");
    } else {
        xlog("L_I","From: User *IS NOT* Group Dialin!!!!!\n");
    };

    if (radius_is_user_in("Credentials", "Dialin2")) {
        xlog("L_I","From: User is in Radius Group Dialin2!!!!\n");
    } else {
        xlog("L_I","From: User *IS NOT* Group Dialin2!!!!!\n");
    };
-----
In the /etc/raddb/users file I have the following at line 152:

    DEFAULT Auth-Type = System
            Fall-Through = 1

    DEFAULT Service-Type == Group-Check, Auth-Type := None

    DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
-----
These are mysql tables:
    +----+----------+-----------+----+----------+
    | id | UserName | Attribute | op | Value    |
    +----+----------+-----------+----+----------+
    |  1 | Jhassell | Password  | == | changeme |
    |  2 | Rneis    | Password  | == | changeme |
    |  3 | 1000     | Password  | == | 1000     |
    |  4 | 2000     | Password  | == | 2000     |
    |  5 | 3000     | Password  | == | 3000     |
    |  8 | 1000     | Auth-Type | := | Digest   |
    +----+----------+-----------+----+----------+

    +----+-----------+-----------+----+--------+
    | id | GroupName | Attribute | op | Value  |
    +----+-----------+-----------+----+--------+
    |  6 | Dialin    | Auth-Type | := | Accept |
    +----+-----------+-----------+----+--------+

    +----+-----------+---------------+----+----------------------------------+------+
    | id | GroupName | Attribute     | op | Value                            | prio |
    +----+-----------+---------------+----+----------------------------------+------+
    |  1 | Dialin    | Reply-Message | =  | "Authenticated by group Dialin"  |    0 |
    |  2 | Dialin2   | Reply-Message | =  | "Authenticated by group Dialin2" |    0 |
    +----+-----------+---------------+----+----------------------------------+------+

    +----+----------+---------------+----+------------------+
    | id | UserName | Attribute     | op | Value            |
    +----+----------+---------------+----+------------------+
    |  1 | 1000     | Reply-Message | =  | "Authenticated"  |
    |  2 | 1000     | Sip-Group     | =  | Dialin           |
    |  3 | 1000     | SIP-AVP       | =  | Sip-Group:Dialin |
    +----+----------+---------------+----+------------------+

    +----+----------+------------+
    | id | UserName | GroupName  |
    +----+----------+------------+
    |  1 | Jhassell | Dialin     |
    |  2 | Rneis    | Staticdial |
    |  3 | 1000     | Dialin     |
    |  4 | 2000     | Dialin     |
    |  5 | 3000     | Dialin     |
    |  6 | 3000     | Dialin2    |
    +----+----------+------------+
------
This is the debug I get from freeradius for the group check:
    rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15, length=67
            User-Name = "1000@xx.xx.xx.xx"
            Sip-Group = "Dialin2"
            Service-Type = Group-Check
            NAS-IP-Address = 127.0.0.1
            NAS-Port = 0
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 74
      modcall[authorize]: module "preprocess" returns ok for request 74
      modcall[authorize]: module "chap" returns noop for request 74
      modcall[authorize]: module "mschap" returns noop for request 74
      modcall[authorize]: module "digest" returns noop for request 74
        rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name = "1000@xx.xx.xx.xx"
        rlm_realm: Found realm "xx.xx.xx.xx"
        rlm_realm: Adding Stripped-User-Name = "1000"
        rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
        rlm_realm: Adding Realm = "xx.xx.xx.xx"
        rlm_realm: Authentication realm is LOCAL.
      modcall[authorize]: module "suffix" returns noop for request 74
      rlm_eap: No EAP-Message, not doing EAP
      modcall[authorize]: module "eap" returns noop for request 74
        users: Matched entry DEFAULT at line 152
        users: Matched entry DEFAULT at line 158
      modcall[authorize]: module "files" returns ok for request 74
    radius_xlat:  '1000'
    rlm_sql (sql): sql_set_user escaped user --> '1000'
    rlm_sql (sql): Released sql socket id: 0
      modcall[authorize]: module "sql" returns ok for request 74
    modcall: group authorize returns ok for request 74
      rad_check_password:  Found Auth-Type Digest
    auth: type "digest"
      Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 74
      ERROR: No Digest-Nonce: Cannot perform Digest authentication
      modcall[authenticate]: module "digest" returns invalid for request 74
    modcall: group authenticate returns invalid for request 74
    auth: Failed to validate the user.
    Delaying request 74 for 1 seconds
    Finished request 74
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Sending Access-Reject of id 15 to xx.xx.xx.xx:33025
            Reply-Message = "Authenticated"
    Waking up in 4 seconds...
    --- Walking the entire request list ---
    Cleaning up request 74 ID 15 with timestamp 434f1121
    Nothing to do.  Sleeping until we see a request.
Any help in this matter would be deeply appreciated,
Lenir
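An added illustration, not code from SER, FreeRADIUS or the poster: a small Python model of how FreeRADIUS 1.x merges check items in the authorize section, fed with the users-file DEFAULT entries, the radcheck rows and the Group-Check Access-Request quoted in the post above. The operator semantics come from the users(5) manual page ('=' sets an attribute only if it is absent, ':=' always sets it, '==' is a comparison against the request), the module order (files, then sql) and the Digest-Nonce requirement come from the quoted debug output; the entry labels, the skipping of Password comparisons, and the omission of radgroupcheck and reply items are assumptions that simplify the model. The trace it returns shows which entry set Auth-Type last, which is what rad_check_password ends up reporting.

```python
"""Toy model of FreeRADIUS 1.x check-item merging during authorize.

Added illustration; it is not FreeRADIUS or SER code. Operator semantics
follow users(5): '=' adds an attribute only if absent, ':=' always sets it,
'==' compares against the incoming request. Modules run in the order the
quoted log shows: files, then sql.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    attr: str
    op: str
    value: str


# Constructed from the users file quoted in the post; the labels carry the
# line numbers the debug output mentions (152 and 158).
USERS_FILE = [
    # (entry label, check items, fall_through)
    ("DEFAULT@152", [Item("Auth-Type", "=", "System")], True),
    ("DEFAULT@158", [Item("Service-Type", "==", "Group-Check"),
                     Item("Auth-Type", ":=", "None")], False),
    ("DEFAULT", [Item("Service-Type", "==", "SIP-Callee-AVPs"),
                 Item("Auth-Type", ":=", "None")], False),
]

# Constructed from the radcheck table in the post (rows rlm_sql would load
# for the stripped user name). radgroupcheck rows are left out of the model.
RADCHECK = {
    "1000": [Item("Password", "==", "1000"), Item("Auth-Type", ":=", "Digest")],
    "2000": [Item("Password", "==", "2000")],
}

# Attribute rlm_digest complained about in the quoted log; assumed here to be
# the minimum the module needs before it can run at all.
DIGEST_REQUIRED = ("Digest-Nonce",)

# Constructed from the rad_recv lines of the quoted log.
GROUP_CHECK_REQUEST = {
    "User-Name": "1000@xx.xx.xx.xx",
    "Sip-Group": "Dialin2",
    "Service-Type": "Group-Check",
    "NAS-IP-Address": "127.0.0.1",
}


def matches(items, request):
    """An entry matches only if every '==' item is present in the request and
    equal. Password is compared by the authentication module, not here, so
    it is skipped (Digest requests carry no User-Password anyway)."""
    for item in items:
        if item.op != "==" or item.attr == "Password":
            continue
        if request.get(item.attr) != item.value:
            return False
    return True


def merge(check, items, trace, source):
    """Apply '=' and ':=' items to the check list with users(5) semantics."""
    for item in items:
        if item.op == ":=" or (item.op == "=" and item.attr not in check):
            check[item.attr] = item.value
            trace.append(f"{source}: {item.attr} {item.op} {item.value}")


def authorize(request):
    """Run the modelled files and sql modules; return (check items, trace)."""
    check, trace = {}, []
    for label, items, fall_through in USERS_FILE:
        if not matches(items, request):
            continue
        merge(check, items, trace, f"files {label}")
        if not fall_through:          # no Fall-Through: stop at this entry
            break
    user = request["User-Name"].split("@", 1)[0]   # rlm_realm strips the realm
    merge(check, RADCHECK.get(user, []), trace, "sql radcheck")
    return check, trace


def decide(request):
    """Return (Auth-Type, outcome, trace) as the authenticate section sees it."""
    check, trace = authorize(request)
    auth_type = check.get("Auth-Type")
    if auth_type == "None":           # Auth-Type None: accept without authenticating
        return auth_type, "accept", trace
    if auth_type == "Digest":
        missing = [a for a in DIGEST_REQUIRED if a not in request]
        if missing:
            return auth_type, f"reject: No {missing[0]}", trace
        return auth_type, "run digest check", trace
    return auth_type, f"run {auth_type} check", trace


if __name__ == "__main__":
    for name in ("1000", "2000"):
        req = {**GROUP_CHECK_REQUEST, "User-Name": f"{name}@xx.xx.xx.xx"}
        auth_type, outcome, trace = decide(req)
        print(name, auth_type, outcome)
        for step in trace:
            print("   ", step)
```

Running it for user 1000 prints the three merge steps in order (files sets System, files sets None for Group-Check, sql radcheck sets Digest) and ends with a reject for a missing Digest-Nonce; the same request for user 2000, whose radcheck rows carry no Auth-Type, stops at None and is accepted. The useful check when debugging a setup like the one described is therefore to look at every source that can set Auth-Type with ':=' for the user in question, not only at the users file.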