Hi there,
This is my ser.cfg configuration
if(method=="REGISTER") { if (!radius_www_authorize("")) { www_challenge("", "0"); break; }; save("location"); break; };
And here is some sniffing done with ngrep ...
U IP_UA:11006 -> IP_SER:5060 REGISTER sip:IP_SER SIP/2.0. Via: SIP/2.0/UDP 192.168.1.178:11006;rport;branch=z9hG4bK810E80344EB24AE5B8D5FD21043E78CE . From: Lucas sip:1991006@IP_SER. To: Lucas sip:1991006@IP_SER. Contact: "Lucas" sip:1991006@192.168.1.178:11006. Call-ID: FCA6F7DD4BA94FA090F446BCE4AAE5B9@IP_SER. CSeq: 57327 REGISTER. Expires: 1800. Authorization: Digest username="1991006@IP_SER",realm="IP_SER",nonce="425b03326e0f4f0071f1a766 4c8823f1271f1212",response="8b9ec4e8e633c5dd7d4aee4aef1ffdba",uri="sip:I P_SER". Max-Forwards: 70. User-Agent: X-PRO build 1082. Content-Length: 0. .
# U IP_SER:5060 -> IP_UA:11006 SIP/2.0 401 Unauthorized. Via: SIP/2.0/UDP 192.168.1.178:11006;rport=11006;branch=z9hG4bK810E80344EB24AE5B8D5FD2104 3E78CE;received=IP_UA. From: Lucas sip:1991006@IP_SER. To: Lucas sip:1991006@IP_SER;tag=6f0d146d94c4cb042663ff3cf87e2e72.d766. Call-ID: FCA6F7DD4BA94FA090F446BCE4AAE5B9@IP_SER. CSeq: 57327 REGISTER. WWW-Authenticate: Digest realm="IP_SER", nonce="425b03326e0f4f0071f1a7664c8823f1271f1212". Content-Length: 0. Warning: 392 IP_SER:5060 "Noisy feedback tells: pid=23023 req_src_ip=IP_UA req_src_port=11006 in_uri=sip:IP_SER out_uri=sip:IP_SER via_cnt==1".
The thing is that I'm not seeing the Password Attribute at the radius output ... Well, to be honest, I do not know wich is the attribute SER uses to send password, but, the truth is no Password Attribute is sent to RADIUS.
Any ideas ?
Regards,
Lucas
Lucas, Your RADIUS server needs to implement the Digest algorithm. Attributes are non-standard and are NOT sent as vendor-encapsulated, but wrapped in the Digest-Attributes avpair. The RADIUS server thus needs to be able to read the digest-attributes, convert them to individual attributes (as below) and then implement the DIGEST authentication mechanism. Translated: There is no password attribute. g-)
ATTRIBUTE Digest-Response 206 string ATTRIBUTE Digest-Attributes 207 string ATTRIBUTE Digest-Realm 1063 string ATTRIBUTE Digest-Nonce 1064 string ATTRIBUTE Digest-Method 1065 string ATTRIBUTE Digest-URI 1066 string ATTRIBUTE Digest-QOP 1067 string ATTRIBUTE Digest-Algorithm 1068 string ATTRIBUTE Digest-Body-Digest 1069 string ATTRIBUTE Digest-CNonce 1070 string ATTRIBUTE Digest-Nonce-Count 1071 string ATTRIBUTE Digest-User-Name 1072 string
Lucas Aimaretto wrote:
Hi there,
This is my ser.cfg configuration
if(method=="REGISTER") { if (!radius_www_authorize("")) { www_challenge("", "0"); break; }; save("location"); break; };
And here is some sniffing done with ngrep ...
U IP_UA:11006 -> IP_SER:5060 REGISTER sip:IP_SER SIP/2.0. Via: SIP/2.0/UDP 192.168.1.178:11006;rport;branch=z9hG4bK810E80344EB24AE5B8D5FD21043E78CE . From: Lucas sip:1991006@IP_SER. To: Lucas sip:1991006@IP_SER. Contact: "Lucas" sip:1991006@192.168.1.178:11006. Call-ID: FCA6F7DD4BA94FA090F446BCE4AAE5B9@IP_SER. CSeq: 57327 REGISTER. Expires: 1800. Authorization: Digest username="1991006@IP_SER",realm="IP_SER",nonce="425b03326e0f4f0071f1a766 4c8823f1271f1212",response="8b9ec4e8e633c5dd7d4aee4aef1ffdba",uri="sip:I P_SER". Max-Forwards: 70. User-Agent: X-PRO build 1082. Content-Length: 0. .
# U IP_SER:5060 -> IP_UA:11006 SIP/2.0 401 Unauthorized. Via: SIP/2.0/UDP 192.168.1.178:11006;rport=11006;branch=z9hG4bK810E80344EB24AE5B8D5FD2104 3E78CE;received=IP_UA. From: Lucas sip:1991006@IP_SER. To: Lucas sip:1991006@IP_SER;tag=6f0d146d94c4cb042663ff3cf87e2e72.d766. Call-ID: FCA6F7DD4BA94FA090F446BCE4AAE5B9@IP_SER. CSeq: 57327 REGISTER. WWW-Authenticate: Digest realm="IP_SER", nonce="425b03326e0f4f0071f1a7664c8823f1271f1212". Content-Length: 0. Warning: 392 IP_SER:5060 "Noisy feedback tells: pid=23023 req_src_ip=IP_UA req_src_port=11006 in_uri=sip:IP_SER out_uri=sip:IP_SER via_cnt==1".
The thing is that I'm not seeing the Password Attribute at the radius output ... Well, to be honest, I do not know wich is the attribute SER uses to send password, but, the truth is no Password Attribute is sent to RADIUS.
Any ideas ?
Regards,
Lucas
The thing is that I'm not seeing the Password Attribute at the radius output ...
Lucas, Your RADIUS server needs to implement the Digest algorithm. Attributes are non-standard and are NOT sent as vendor-encapsulated, but wrapped in the Digest-Attributes avpair. The RADIUS server thus needs to be able to read the digest-attributes, convert them to individual attributes (as below) and then implement the DIGEST authentication mechanism. Translated: There is no password attribute. g-)
ATTRIBUTE Digest-Response 206 string ATTRIBUTE Digest-Attributes 207 string ATTRIBUTE Digest-Realm 1063 string ATTRIBUTE Digest-Nonce 1064 string ATTRIBUTE Digest-Method 1065 string ATTRIBUTE Digest-URI 1066 string ATTRIBUTE Digest-QOP 1067 string ATTRIBUTE Digest-Algorithm 1068 string ATTRIBUTE Digest-Body-Digest 1069 string ATTRIBUTE Digest-CNonce 1070 string ATTRIBUTE Digest-Nonce-Count 1071 string ATTRIBUTE Digest-User-Name 1072 string
Ok, thanx for the answer. Anyways, I think I'll need a little help with this. I already loaded those attributes into my dictionary, both dictionary.ser and dictionary.sip. Now, If I have no password assigned to my user, Users can authenticate with no problems at all. Now, if I assign password, I see the following ...
RADIUS OUTPUT:
radrecv: Access Request from host c0a801fd code=1, id=158, length=271 User-Name = "1991006@192.168.1.253" Digest-Attributes = "\012\0111991006" Digest-Attributes = "\001\017192.168.1.253" Digest-Attributes = "\002*425bde0ae10d15c59c4e3a5c45288ed4175a8a2a" Digest-Attributes = "\004\023sip:192.168.1.253" Digest-Attributes = "\003\012REGISTER" Digest-Response = "a341b3fdbacc4747b82e0718b31e627c" Service-Type = Sip-Session Sip-URI-User = "1991006" Unknown-Attr-327681 = "call-id=EAED054A3CA3478184AA441574592609@192.168.1.253" NAS-IP-Address = 192.168.1.253 NAS-Port-Id = 5060 SQL: Attempting to reserve socket SQL: Reserved socket 0 Username is now 1991006 Calling station Id is now 1991006 Calling station Id is now (null) Sending Access Reject of id 158 to c0a801fd (nas linux) Se envio Auth Reject SQL: Socket 0 used for 0.61 seconds SQL: Released socket 0
SER OUTPUT:
0(17666) get_hdr_field: cseq <CSeq>: <27392> <REGISTER> 0(17666) DEBUG: is_maxfwd_present: value = 70 0(17666) end of header reached, state=9 0(17666) parse_headers: flags=256 0(17666) DEBUG: get_hdr_body : content_length=0 0(17666) found end of header 0(17666) find_first_route(): No Route headers found 0(17666) loose_route(): There is no Route HF 0(17666) check_self - checking if host==us: 13==13 && [192.168.1.253] == [192.168.1.253] 0(17666) check_self - checking if port 5060 matches port 5060 0(17666) check_nonce(): comparing [425bde0ae10d15c59c4e3a5c45288ed4175a8a2a] and [425bde0ae10d15c59c4e3a5c45288ed4175a8a2a] 0(17666) res: -2 0(17666) radius_authorize_sterman(): Failure 0(17666) build_auth_hf(): 'WWW-Authenticate: Digest realm="192.168.1.253", nonce="425bde0ae10d15c59c4e3a5c45288ed4175a8a2a"' 0(17666) parse_headers: flags=-1 0(17666) check_via_address(192.168.1.178, 192.168.1.178, 0) 0(17666) DEBUG:destroy_avp_list: destroing list (nil) 0(17666) receive_msg: cleaning up
Now, these are the questions:
1) What my radius is receiving, looks fine ? 2) What must my radius be capable of doing to authenticate users with password ? I know you said it must resolve digest attributes, but, what does it mean ? ( or please give me some place where to read something ). 3) I know my radius supports CHAP-MD5. Isn't it enough ?
The thing is I've using this radius for some time now, and have modified it to help my needs. I know it's a bit old already (2002). Its ic-radius and, according to its web page it does support digest. I think ...
Please, help me out with this one. Thanx very much
Regards,
Lucas
See inline. Lucas Aimaretto wrote:
The thing is that I'm not seeing the Password Attribute at the radius output ...
Lucas, Your RADIUS server needs to implement the Digest algorithm. Attributes are non-standard and are NOT sent as vendor-encapsulated, but wrapped in the Digest-Attributes avpair. The RADIUS server thus needs to be able to read the digest-attributes, convert them to individual attributes (as below) and then implement the DIGEST authentication mechanism. Translated: There is no password attribute. g-)
ATTRIBUTE Digest-Response 206 string ATTRIBUTE Digest-Attributes 207 string ATTRIBUTE Digest-Realm 1063 string ATTRIBUTE Digest-Nonce 1064 string ATTRIBUTE Digest-Method 1065 string ATTRIBUTE Digest-URI 1066 string ATTRIBUTE Digest-QOP 1067 string ATTRIBUTE Digest-Algorithm 1068 string ATTRIBUTE Digest-Body-Digest 1069 string ATTRIBUTE Digest-CNonce 1070 string ATTRIBUTE Digest-Nonce-Count 1071 string ATTRIBUTE Digest-User-Name 1072 string
Ok, thanx for the answer. Anyways, I think I'll need a little help with this. I already loaded those attributes into my dictionary, both dictionary.ser and dictionary.sip. Now, If I have no password assigned to my user, Users can authenticate with no problems at all. Now, if I assign password, I see the following ...
RADIUS OUTPUT:
radrecv: Access Request from host c0a801fd code=1, id=158, length=271 User-Name = "1991006@192.168.1.253" Digest-Attributes = "\012\0111991006" Digest-Attributes = "\001\017192.168.1.253" Digest-Attributes = "\002*425bde0ae10d15c59c4e3a5c45288ed4175a8a2a" Digest-Attributes = "\004\023sip:192.168.1.253" Digest-Attributes = "\003\012REGISTER" Digest-Response = "a341b3fdbacc4747b82e0718b31e627c" Service-Type = Sip-Session Sip-URI-User = "1991006" Unknown-Attr-327681 = "call-id=EAED054A3CA3478184AA441574592609@192.168.1.253" NAS-IP-Address = 192.168.1.253 NAS-Port-Id = 5060 SQL: Attempting to reserve socket SQL: Reserved socket 0 Username is now 1991006 Calling station Id is now 1991006 Calling station Id is now (null) Sending Access Reject of id 158 to c0a801fd (nas linux) Se envio Auth Reject SQL: Socket 0 used for 0.61 seconds SQL: Released socket 0
SER OUTPUT:
0(17666) get_hdr_field: cseq <CSeq>: <27392> <REGISTER> 0(17666) DEBUG: is_maxfwd_present: value = 70 0(17666) end of header reached, state=9 0(17666) parse_headers: flags=256 0(17666) DEBUG: get_hdr_body : content_length=0 0(17666) found end of header 0(17666) find_first_route(): No Route headers found 0(17666) loose_route(): There is no Route HF 0(17666) check_self - checking if host==us: 13==13 && [192.168.1.253] == [192.168.1.253] 0(17666) check_self - checking if port 5060 matches port 5060 0(17666) check_nonce(): comparing [425bde0ae10d15c59c4e3a5c45288ed4175a8a2a] and [425bde0ae10d15c59c4e3a5c45288ed4175a8a2a] 0(17666) res: -2 0(17666) radius_authorize_sterman(): Failure 0(17666) build_auth_hf(): 'WWW-Authenticate: Digest realm="192.168.1.253", nonce="425bde0ae10d15c59c4e3a5c45288ed4175a8a2a"' 0(17666) parse_headers: flags=-1 0(17666) check_via_address(192.168.1.178, 192.168.1.178, 0) 0(17666) DEBUG:destroy_avp_list: destroing list (nil) 0(17666) receive_msg: cleaning up
Now, these are the questions:
- What my radius is receiving, looks fine ?
This might confuse the radius server. Except from that, it looks ok. Unknown-Attr-327681 = "call-id=EAED054A3CA3478184AA441574592609@192.168.1.253"
- What must my radius be capable of doing to authenticate users with
password ? I know you said it must resolve digest attributes, but, what does it mean ? ( or please give me some place where to read something ).
Well, do you want the RFC? ;-) (search for http digest) It's more an implementation issue.
3) I know my radius supports CHAP-MD5. Isn't it enough ? Nope. Digest as another algorithm than CHAP that can use MD5 too
The thing is I've using this radius for some time now, and have modified it to help my needs. I know it's a bit old already (2002). Its ic-radius and, according to its web page it does support digest. I think ...
Well, it must both support digest and the bit special way the *-digest-attritbutes are wrapped into the Digest-Attributes attribute. I don't know ic-radius. We have implemented digest for our own (commercial) RADIUS server. freeRADIUS is your best bet, or the support forum for ic-radius.
g-)
- I know my radius supports CHAP-MD5. Isn't it enough ?
Nope. Digest as another algorithm than CHAP that can use MD5 too
So you say I need to support Digest with MD5, or just Digest alone ?
The thing is I've using this radius for some time now, and have modified it to help my needs. I know it's a bit old already (2002). Its ic-radius and, according to its web page it does support digest.
Well, it must both support digest and the bit special way the *-digest-attritbutes are wrapped into the Digest-Attributes attribute. I don't know ic-radius. We have implemented digest for our own (commercial) RADIUS server. freeRADIUS is your best bet, or the support forum for ic-radius.
I think I'll have to implement Digest in my own radius. Any help ? I do not understand how " ... the bit special way the *-digest-attritbutes are wrapped into the Digest-Attributes attribute... " is implemented. Any hint here ?
Thanx
Regards,
Lucas
See inline.
- I know my radius supports CHAP-MD5. Isn't it enough ?
Nope. Digest as another algorithm than CHAP that can use MD5 too
So you say I need to support Digest with MD5, or just Digest alone ?
You need to support the HTTP Digest mechanism, read the RFC.
The thing is I've using this radius for some time now, and have modified it to help my needs. I know it's a bit old already (2002). Its ic-radius and, according to its web page it does support digest.
Well, it must both support digest and the bit special way the *-digest-attritbutes are wrapped into the Digest-Attributes attribute. I don't know ic-radius. We have implemented digest for our own (commercial) RADIUS server. freeRADIUS is your best bet, or the support forum for ic-radius.
I think I'll have to implement Digest in my own radius. Any help ?
Well, not really, but freeradius has an implementation of it that you could probably look at. You need to check out the licenses though.
I do not understand how " ... the bit special way the *-digest-attritbutes are wrapped into the Digest-Attributes attribute... " is implemented. Any hint here ?
Well, if you are to implement this, you need to understand RADIUS (another RFC...). All the digest attributes are wrapped with length markers into one single attribute (Digest-Attributes). You need to read that attribute and decode it before you can use the digest attribute/value pairs for implementing Digest. g-)
-
Greger V. Teigre -
Lucas Aimaretto