Hello List!
I'm trying to set up authorization with our billing proprietary radius server, using Freeradius as a proxy. Currently I'm experiencing the following problem:
The Access-Request packet, sent by Kamailio, contains two User-Name attribute records. Here is a log from the Freeradius server:
    rad_recv: Access-Request packet from host 127.0.0.1 port 59294, id=112, length=298
        User-Name = "2219001@example.com"
        Digest-Attributes = 0x0a0932323139303031
        Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
        Digest-Attributes = 0x022254584452634531773045524b7368796f30684a70544f4f6a69424d386b32534a
        Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
        Digest-Attributes = 0x030a5245474953544552
        Digest-Attributes = 0x050661757468
        Digest-Attributes = 0x090a3030303030303031
        Digest-Attributes = 0x080c32383034636535373032
        Digest-Response = "e79b47955c02401fe52d05f7956609aa"
        Service-Type = Sip-Session
        Sip-Uri-User = "2219001"
        *User-Name = "call-id=domcmqmnychbwlp@koffe-work"*
        NAS-Identifier = "kamserv.example.com"
        NAS-Port = 5060
        NAS-IP-Address = 127.0.0.1
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [digest] Checking for correctly formatted Digest-Attributes
    [digest] Digest-Attributes look OK. Converting them to something more usful.
        Digest-User-Name = "2219001"
        Digest-Realm = "example.com"
        Digest-Nonce = "TXDRcE1w0ERKshyo0hJpTOOjiBM8k2SJ"
        Digest-URI = "sip:example.com"
        Digest-Method = "REGISTER"
        Digest-QOP = "auth"
        Digest-Nonce-Count = "00000001"
        Digest-CNonce = "2804ce5702"
    [digest] Adding Auth-Type = DIGEST
    ++[digest] returns ok
    [suffix] Looking up realm "example.com" for User-Name = "2219001@example.com"
    [suffix] Found realm "example.com"
    [suffix] Adding Realm = "example.com"
    [suffix] Proxying request from user 2219001 to realm example.com
    [suffix] Preparing to proxy authentication request to realm "example.com"
    ++[suffix] returns updated
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns noop
    Sending Access-Request of id 250 to 127.0.0.1 port 1822
        User-Name = "2219001@example.com"
        Digest-Attributes = 0x0a0932323139303031
        Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
        Digest-Attributes = 0x022254584452634531773045524b7368796f30684a70544f4f6a69424d386b32534a
        Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
        Digest-Attributes = 0x030a5245474953544552
        Digest-Attributes = 0x050661757468
        Digest-Attributes = 0x090a3030303030303031
        Digest-Attributes = 0x080c32383034636535373032
        Digest-Response = "e79b47955c02401fe52d05f7956609aa"
        Service-Type = Sip-Session
        Sip-Uri-User = "2219001"
        *User-Name = "call-id=domcmqmnychbwlp@koffe-work"*
        NAS-Identifier = "kamserv.example.com"
        NAS-Port = 5060
        NAS-IP-Address = 127.0.0.1
        Proxy-State = 0x313132
    Proxying request 1 to home server 127.0.0.1 port 1822
As I understand, this second User-Name attribute has to be a call-id attribute.
Hello,
what is the value of parameter radius_extra for acc module?
Cheers, Daniel
On 3/4/11 1:06 PM, Kosilov Fedor wrote:
Hello List!
I'm trying to set up authorization with our billing proprietary radius server, using Freeradius as a proxy. Currently I'm experiencing the following problem:
The Access-Request packet, sent by Kamailio, contains two User-Name attribute records. Here is a log from the Freeradius server:
As I understand, this second User-Name attribute has to be a call-id attribute.
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Hello, Daniel, thank you for your attention to my problem.
I actually don't need accounting support, I just want to implement an authorization using radius. But for testing purposes, I loaded the acc module and set "radius_extra" param. Nothing has changed.
Here is a part of my config:
    ...
    modparam("acc", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
    modparam("acc", "radius_extra", "User-Name=$Au")
    ...
    modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
    modparam("auth_radius", "auth_extra", "NAS-Identifier=$var(ident)")
    ...
    route {
        #Definitions
        $var(ident) = "kamserv.example.com";
        ...
        route(3); #Auth
        ...
    }
    ...
    route[3] {
        if (is_method("REGISTER")) {
            if (is_from_local()) {
                if (!radius_www_authorize("$td")) {
                    www_challenge("$sel(to.uri.host)", "1");
                    exit;
                } else {
                    avp_db_delete("$sel(to.uri)","$avp(s:ip)");
                    avp_db_delete("$sel(to.uri)","$avp(s:dpid)");
                    avp_db_delete("$sel(to.uri)","$avp(s:fr_timer)");
                    avp_db_delete("$sel(to.uri)","$avp(s:calls_limit)");
                    avp_db_store("$sel(to.uri)","$avp(s:ip)");
                    avp_db_store("$sel(to.uri)","$avp(s:dpid)");
                    avp_db_store("$sel(to.uri)","$avp(s:fr_timer)");
                    avp_db_store("$sel(to.uri)","$avp(s:calls_limit)");
                    if ($au!=$sel(to.uri.user))||($au!=$sel(from.uri.user)) {
                        sl_send_reply("403","Forbidden auth ID");
                        exit;
                    } else {
                        if ($avp(s:ip)!='any' && $sel(src.ip)!=$avp(s:ip)) {
                            sl_send_reply("403","Forbidden");
                            exit;
                        }
                    }
                }
            } else {
                sl_send_reply("403","Forbidden");
                exit;
            }
        } else {
            if ($sel(src.ip)=="192.168.0.2") {
                return;
            } else if (is_from_local()) {
                if (!radius_proxy_authorize("$sel(from.uri.host)","$sel(from.uri.user)")) {
                    proxy_challenge("$sel(from.uri.host)", "1");
                    exit;
                }
                if ($avp(s:ip)!='any' && $sel(src.ip)!=$avp(s:ip)) {
                    sl_send_reply("403","Forbidden");
                    exit;
                }
                if (is_method("PUBLISH")) {
                    if ($au!=$sel(to.uri.user)) {
                        sl_send_reply("403","Forbidden auth ID");
                        exit;
                    }
                } else if ($au!=$sel(from.uri.user)) {
                    sl_send_reply("403","Forbidden auth ID");
                    exit;
                }
                consume_credentials();
            } else {
                sl_send_reply("403","Forbidden");
                exit;
            }
        }
    }
    ...
And again a part of the freeradius log:
    rad_recv: Access-Request packet from host 127.0.0.1 port 58933, id=135, length=298
        *User-Name = "2219001@example.com"*
        Digest-Attributes = 0x0a0932323139303031
        Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
        Digest-Attributes = 0x0222545848676630317833314f7076767759512b6b73674c63554d51784f6c347634
        Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
        Digest-Attributes = 0x030a5245474953544552
        Digest-Attributes = 0x050661757468
        Digest-Attributes = 0x090a3030303030303031
        Digest-Attributes = 0x080c39636238383130616531
        Digest-Response = "efdcf92b58f694b97928856614057436"
        Service-Type = Sip-Session
        Sip-Uri-User = "2219001"
        *User-Name = "call-id=zomdnicqsndxrnh@koffe-work"*
        NAS-Identifier = "kamserv.example.com"
        NAS-Port = 5060
        NAS-IP-Address = 127.0.0.1
Regards, Fedor.
2011/3/5 Daniel-Constantin Mierla miconda@gmail.com
Hello,
what is the value of parameter radius_extra for acc module?
Cheers, Daniel
Again for testing, I pointed Kamailio directly to my billing radius, bypassing Freeradius. The situation is the same, so the problem is definitely not with the Freeradius server.
2011/3/5 Kosilov Fedor dangerkoffe@gmail.com
Hello, Daniel, thank you for your attention to my problem.
I actually don't need accounting support, I just want to implement an authorization using radius. But for testing purposes, I loaded the acc module and set "radius_extra" param. Nothing has changed.
You need to check the dictionaries on your kamailio server. Most likely something is misconfigured there. Check what value you have for "User-Name" and see if you have any duplicates for that value.
Regards, Ovidiu Sas
On Sat, Mar 5, 2011 at 2:32 AM, Kosilov Fedor dangerkoffe@gmail.com wrote:
Again for testing, I pointed Kamailio directly to my billing radius, bypassing Freeradius. The situation is the same, so the problem is definitely not with the Freeradius server.
Thank you for the tip, Ovidiu! The problem was with my dictionary indeed. There were two attributes with duplicate values of "1". I've fixed the dictionary, and now everything works fine. Thanks again!
Regards, Fedor.
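The dictionary check suggested in this thread, as an added example (not code from the thread or from Kamailio): a Python script that scans a radiusclient-ng style dictionary for attribute names sharing one numeric code, and shows why the receiving server then labels both values as User-Name. The `ATTRIBUTE name code type [vendor]` line layout, the sample dictionary, and the names Example-Call-Id, Example-Vsa and ExampleVendor are assumptions; the thread does not show the actual duplicate entry.

```python
from collections import defaultdict

# Constructed sample dictionary (not the poster's file). User-Name 1,
# NAS-IP-Address 4, NAS-Port 5 and NAS-Identifier 32 are the standard codes;
# Example-Call-Id, Example-Vsa and ExampleVendor are hypothetical.
SAMPLE_DICTIONARY = """\
# constructed sample dictionary
VENDOR      ExampleVendor    99999
ATTRIBUTE   User-Name        1    string
ATTRIBUTE   NAS-IP-Address   4    ipaddr
ATTRIBUTE   NAS-Port         5    integer
ATTRIBUTE   NAS-Identifier   32   string
ATTRIBUTE   Example-Call-Id  1    string
ATTRIBUTE   Example-Vsa      1    string   ExampleVendor
"""

# What the sending side is asked to encode; values are taken from the log
# in the thread, the attribute name Example-Call-Id is hypothetical.
SAMPLE_REQUEST = [
    ("User-Name", "2219001@example.com"),
    ("Example-Call-Id", "call-id=domcmqmnychbwlp@koffe-work"),
    ("NAS-Identifier", "kamserv.example.com"),
]

# The receiving server's view of the same code space (standard names only).
RECEIVER_NAMES = {(None, 1): "User-Name", (None, 32): "NAS-Identifier"}


def parse_attributes(text):
    """Return [(name, code, vendor, lineno)] for every ATTRIBUTE line."""
    attrs = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "ATTRIBUTE":
            continue                             # VENDOR, VALUE, blank, ...
        try:
            code = int(fields[2])
        except ValueError:
            raise ValueError(f"line {lineno}: bad attribute code {fields[2]!r}")
        vendor = fields[4] if len(fields) > 4 else None
        attrs.append((fields[1], code, vendor, lineno))
    return attrs


def find_duplicate_codes(text):
    """Map (vendor, code) -> [(name, lineno)] where several names share a code.

    Codes are compared per vendor: a vendor-specific attribute 1 does not
    collide with the standard attribute 1.
    """
    by_code = defaultdict(list)
    for name, code, vendor, lineno in parse_attributes(text):
        by_code[(vendor, code)].append((name, lineno))
    return {key: entries for key, entries in by_code.items()
            if len({name for name, _ in entries}) > 1}


def wire_view(sender_dictionary, request, receiver_names):
    """Encode names to codes with the sender's dictionary, then label each
    code the way the receiver would. Only the code travels on the wire, so
    two sender names with one code come out under a single receiver name."""
    codes = {name: (vendor, code)
             for name, code, vendor, _ in parse_attributes(sender_dictionary)}
    seen = []
    for name, value in request:
        vendor, code = codes[name]
        seen.append((receiver_names.get((vendor, code), f"Attr-{code}"), value))
    return seen


if __name__ == "__main__":
    for (vendor, code), entries in find_duplicate_codes(SAMPLE_DICTIONARY).items():
        where = ", ".join(f"{name} (line {lineno})" for name, lineno in entries)
        print(f"code {code} (vendor {vendor or 'none'}) is shared by: {where}")
    for label, value in wire_view(SAMPLE_DICTIONARY, SAMPLE_REQUEST, RECEIVER_NAMES):
        print(f'{label} = "{value}"')
```
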
2011/3/5 Ovidiu Sas osas@voipembedded.com
You need to check the dictionaries on your kamailio server. Most likely something is misconfigured there. Check what value you have for "User-Name" and see if you have any duplicates for that value.
Regards, Ovidiu Sas