RE: [Serusers] Radius Authentication Help - sr-users

15 Jul 2004

Yes please i will take a copy of the dictionary.sip

i have however been testing different things that the list has been sending
and i'm getting a different error now the error is

 7(16599) res: -1
 7(16599) radius_authorize_sterman(): Failure

please find below some debug any help at all is always grealy appreciated

Sean 

6(16595) SIP Request:
 6(16595)  method:  <REGISTER>
 6(16595)  uri:     <sip:sip.keycom.co.uk>
 6(16595)  version: <SIP/2.0>
 6(16595) parse_headers: flags=1
 6(16595) end of header reached, state=5
 6(16595) parse_headers: Via found, flags=1
 6(16595) parse_headers: this is the first via
 6(16595) After parse_msg...
 6(16595) preparing to run routing scripts...
 6(16595) DEBUG : is_maxfwd_present: searching for max_forwards header
 6(16595) parse_headers: flags=128
 6(16595) end of header reached, state=9
 6(16595) DEBUG: get_hdr_field: <To> [34]; uri=[sip:sean@sip.keycom.co.uk] 
 6(16595) DEBUG: to body [Sean <sip:sean@sip.keycom.co.uk>
]
 6(16595) get_hdr_field: cseq <CSeq>: <131> <REGISTER>
 6(16595) DEBUG: get_hdr_body : content_length=0
 6(16595) found end of header
 6(16595) DEBUG: is_maxfwd_present: max_forwards header not found!
 6(16595) end of header reached, state=9
 6(16595) parse_headers: flags=256
 6(16595) find_first_route(): No Route headers found
 6(16595) loose_route(): There is no Route HF
 6(16595) check_self - checking if host==us: 16==9 &&  [sip.keycom.co.uk] ==
[127.0.0.1]
 6(16595) check_self - checking if port 5060 matches port 5060
 6(16595) check_self - checking if host==us: 16==12 &&  [sip.keycom.co.uk]
== [192.168.1.68]
 6(16595) check_self - checking if port 5060 matches port 5060
 6(16595) REGISTER: Authenticating user
 6(16595) parse_headers: flags=4096
 6(16595) pre_auth(): Credentials with given realm not found
 6(16595) REGISTER: challenging user
 6(16595) build_auth_hf(): 'WWW-Authenticate: Digest
realm="sip.keycom.co.uk",
nonce="40f66c016fa9044424946dfc574f83781285a9cc"
'
 6(16595) parse_headers: flags=-1
 6(16595) check_via_address(192.168.1.91, 212.9.98.1, 0)
 6(16595) receive_msg: cleaning up
 7(16599) SIP Request:
 7(16599)  method:  <REGISTER>
 7(16599)  uri:     <sip:sip.keycom.co.uk>
 7(16599)  version: <SIP/2.0>
 7(16599) parse_headers: flags=1
 7(16599) end of header reached, state=5
 7(16599) parse_headers: Via found, flags=1
 7(16599) parse_headers: this is the first via
 7(16599) After parse_msg...
 7(16599) preparing to run routing scripts...
 7(16599) DEBUG : is_maxfwd_present: searching for max_forwards header
 7(16599) parse_headers: flags=128
 7(16599) end of header reached, state=9
 7(16599) DEBUG: get_hdr_field: <To> [34]; uri=[sip:sean@sip.keycom.co.uk] 
 7(16599) DEBUG: to body [Sean <sip:sean@sip.keycom.co.uk>
]
 7(16599) get_hdr_field: cseq <CSeq>: <132> <REGISTER>
 7(16599) DEBUG: get_hdr_body : content_length=0
 7(16599) found end of header
 7(16599) DEBUG: is_maxfwd_present: max_forwards header not found!
 7(16599) end of header reached, state=9
 7(16599) parse_headers: flags=256
 7(16599) find_first_route(): No Route headers found
 7(16599) loose_route(): There is no Route HF
 7(16599) check_self - checking if host==us: 16==9 &&  [sip.keycom.co.uk] ==
[127.0.0.1]
 7(16599) check_self - checking if port 5060 matches port 5060
 7(16599) check_self - checking if host==us: 16==12 &&  [sip.keycom.co.uk]
== [192.168.1.68]
 7(16599) check_self - checking if port 5060 matches port 5060
 7(16599) REGISTER: Authenticating user
 7(16599) check_nonce(): comparing
[40f66c016fa9044424946dfc574f83781285a9cc] and
[40f66c016fa9044424946dfc574f83781285a9cc]
 7(16599) res: -1
 7(16599) radius_authorize_sterman(): Failure
 7(16599) REGISTER: challenging user
 7(16599) build_auth_hf(): 'WWW-Authenticate: Digest
realm="sip.keycom.co.uk",
nonce="40f66c016fa9044424946dfc574f83781285a9cc"
'
 7(16599) parse_headers: flags=-1
 7(16599) check_via_address(192.168.1.91, 212.9.98.1, 0)
 7(16599) receive_msg: cleaning up
 6(16595) SIP Request:
 6(16595)  method:  <REGISTER>
 6(16595)  uri:     <sip:sip.keycom.co.uk>
 6(16595)  version: <SIP/2.0>
 6(16595) parse_headers: flags=1
 6(16595) end of header reached, state=5
 6(16595) parse_headers: Via found, flags=1
 6(16595) parse_headers: this is the first via
 6(16595) After parse_msg...
 6(16595) preparing to run routing scripts...
 6(16595) DEBUG : is_maxfwd_present: searching for max_forwards header
 6(16595) parse_headers: flags=128
 6(16595) end of header reached, state=9
 6(16595) DEBUG: get_hdr_field: <To> [34]; uri=[sip:sean@sip.keycom.co.uk] 
 6(16595) DEBUG: to body [Sean <sip:sean@sip.keycom.co.uk>
]
 6(16595) get_hdr_field: cseq <CSeq>: <133> <REGISTER>
 6(16595) DEBUG: get_hdr_body : content_length=0
 6(16595) found end of header
 6(16595) DEBUG: is_maxfwd_present: max_forwards header not found!
 6(16595) end of header reached, state=9
 6(16595) parse_headers: flags=256
 6(16595) find_first_route(): No Route headers found
 6(16595) loose_route(): There is no Route HF
 6(16595) check_self - checking if host==us: 16==9 &&  [sip.keycom.co.uk] ==
[127.0.0.1]
 6(16595) check_self - checking if port 5060 matches port 5060
 6(16595) check_self - checking if host==us: 16==12 &&  [sip.keycom.co.uk]
== [192.168.1.68]
 6(16595) check_self - checking if port 5060 matches port 5060
 6(16595) REGISTER: Authenticating user
 6(16595) check_nonce(): comparing
[40f66c016fa9044424946dfc574f83781285a9cc] and
[40f66c016fa9044424946dfc574f83781285a9cc]
 6(16595) res: -1
 6(16595) radius_authorize_sterman(): Failure
 6(16595) REGISTER: challenging user
 6(16595) build_auth_hf(): 'WWW-Authenticate: Digest
realm="sip.keycom.co.uk",
nonce="40f66c038f1b06eb1345a6f925a274094c66039a"
'
 6(16595) parse_headers: flags=-1
 6(16595) check_via_address(192.168.1.91, 212.9.98.1, 0)
 6(16595) receive_msg: cleaning up
 7(16599) SIP Request:
 7(16599)  method:  <REGISTER>
 7(16599)  uri:     <sip:sip.keycom.co.uk>
 7(16599)  version: <SIP/2.0>
 7(16599) parse_headers: flags=1
 7(16599) end of header reached, state=5
 7(16599) parse_headers: Via found, flags=1
 7(16599) parse_headers: this is the first via
 7(16599) After parse_msg...
 7(16599) preparing to run routing scripts...
 7(16599) DEBUG : is_maxfwd_present: searching for max_forwards header
 7(16599) parse_headers: flags=128
 7(16599) end of header reached, state=9
 7(16599) DEBUG: get_hdr_field: <To> [34]; uri=[sip:sean@sip.keycom.co.uk] 
 7(16599) DEBUG: to body [Sean <sip:sean@sip.keycom.co.uk>

...
  -----Original Message-----
 From:	Zeus Ng [SMTP:zeus.ng@isquare.com.au]
 Sent:	15 July 2004 12:10
 To:	'Sean Lowry'
 Cc:	serusers(a)lists.iptel.org
 Subject:	RE: [Serusers] Radius Authentication Help

 I do remember that I need both dictionary.ser and dictionary.sip to work.
 Can't remember where I get the dictionary.sip from. I can email you a copy
 of you want.

 Zeus

 > -----Original Message-----
 > From: Sean Lowry [mailto:Sean.Lowry@keycom.co.uk] 
 > Sent: Thursday, 15 July 2004 8:25 PM
 > To: 'Zeus Ng'
 > Subject: RE: [Serusers] Radius Authentication Help
 > 
 > 
 > it's inside the dictionary.ser that i had to go and download 
 > (wasn't included in the module). it contains
 > 
 > i put an include statment into the dictionary to include 
 > dictionary.ser
 > 
 > this then gets me a different attribute error
 > 
 > 
 > Maxfwd module- initializing
 > .
 > sip:/etc/radiusclient# acc - initializing
 > exec - initializing
 > print - initializing
 > textops - initializing
 > voicemail - initializing
 >  7(15981) REGISTER: Authenticating user
 >  7(15981) REGISTER: challenging user
 >  5(15976) REGISTER: Authenticating user
 >  5(15976) sterman(): Unable to add PW_DIGEST_USER_NAME attribute
 >  5(15976) REGISTER: challenging user
 >  7(15981) REGISTER: Authenticating user
 >  7(15981) sterman(): Unable to add PW_DIGEST_USER_NAME attribute
 >  7(15981) REGISTER: challenging user
 >  5(15976) REGISTER: Authenticating user
 >  5(15976) sterman(): Unable to add PW_DIGEST_USER_NAME attribute
 > 
 > 
 > normally it's PW_USER_NAME attribute
 > 
 > Sean
 > 
 > 
 > 
 > > -----Original Message-----
 > > From:	Zeus Ng [SMTP:zeus.ng@isquare.com.au]
 > > Sent:	15 July 2004 11:25
 > > To:	'Sean Lowry'
 > > Cc:	serusers(a)lists.iptel.org
 > > Subject:	RE: [Serusers] Radius Authentication Help
 > > 
 > > Look at your /etc/radiusclient/dictionary* files and see if the 
 > > following line exist.
 > > 
 > > ATTRIBUTE        Digest-User-Name        1072    string
 > > 
 > > If not, your are missing the attributes for SIP specific dictionary 
 > > translation. There are more attributes for sip. The above 
 > is just one 
 > > of them.
 > > 
 > > Zeus
 > > 
 > > > -----Original Message-----
 > > > From: serusers-bounces(a)lists.iptel.org
 > > > [mailto:serusers-bounces@lists.iptel.org] On Behalf Of Sean Lowry
 > > > Sent: Thursday, 15 July 2004 7:26 PM
 > > > To: serusers(a)lists.iptel.org
 > > > Subject: [Serusers] Radius Authentication Help
 > > > 
 > > > 
 > > > running on debian
 > > > ser verion = 0.8.12
 > > > ser-radius-module = 0.8.12
 > > > 
 > > > 
 > > > Ser.cfg
 > > > 
 > > > #
 > > > # $Id: ser.cfg,v 1.21.4.1 2003/11/10 15:35:15 andrei Exp $ #
 > > > # simple quick-start config script
 > > > #
 > > > 
 > > > # ----------- global configuration parameters 
 > > > ------------------------
 > > > 
 > > > 
 > > > #debug=4         # debug level (cmd line: -dddddddddd)
 > > > #fork=yes
 > > > log_stderror=yes # (cmd line: -E)
 > > > 
 > > > /* Uncomment these lines to enter debugging mode
 > > > #debug=7
 > > > fork=no
 > > > log_stderror=yes
 > > > */
 > > > 
 > > > 
 > > > 
 > > > 
 > > > # ----------------- setting module-specific parameters 
 > > > ---------------
 > > > 
 > > > # -- usrloc params --
 > > > 
 > > > #modparam("usrloc", "db_url",
"mysql://ser:heslo@hosthost/ser")
 > > > modparam("usrloc", "db_mode",   1)
 > > > 
 > > > # Uncomment this if you want to use SQL database
 > > > # for persistent storage and comment the previous line
 > > > 
 > > > # -- auth params --
 > > > # Uncomment if you are using auth module
 > > > #
 > > > #modparam("auth_db", "calculate_ha1", yes)
 > > > #
 > > > # If you set "calculate_ha1" parameter to yes (which true in
 > > > this config), 
 > > > # uncomment also the following parameter)
 > > > #
 > > > #modparam("auth_db", "password_column",
"password")
 > > > 
 > > > modparam("auth_radius", "radius_config",
 > > > "/etc/radiusclient/radiusclient.conf")
 > > > #modparam("auth_radius", "service_type", 15)
 > > > 
 > > > 
 > > > #group radius
 > > > modparam("group_radius", "radius_config",
 > > > "/etc/radiusclient/radiusclient.conf")
 > > > modparam("group_radius", "use_domain", 1)
 > > > 
 > > > 
 > > > # -- rr params --
 > > > # add value to ;lr param to make some broken UAs happy
 > > > modparam("rr", "enable_full_lr", 1)
modparam("registrar", 
 > > > "default_expires", 120) #sets default for expiry if 
 > > > registrant doesn't specify modparam("registrar",
"default_q", 
 > > > 1000)# sets default q value in registration
 > > > 
 > > > 
 > > > # -------------------------  request routing logic 
 > > > -------------------
 > > > 
 > > > # main routing logic
 > > > 
 > > > 
 > > > 
 > > > route{
 > > > 
 > > >         # initial sanity checks -- messages with
 > > >         # max_forwards==0, or excessively long requests
 > > >         if (!mf_process_maxfwd_header("10")) {
 > > >                 sl_send_reply("483","Too Many Hops");
 > > >                 break;
 > > >         };
 > > >         if ( msg:len > max_len ) {
 > > >                 sl_send_reply("513", "Message too
big");
 > > >                 break;
 > > >         };
 > > > 
 > > >         # we record-route all messages -- to make sure that
 > > >         # subsequent messages will go through our proxy; that's
 > > >         # particularly good if upstream and downstream entities
 > > >         # use different transport protocol
 > > >         record_route(); 
 > > >         # loose-route processing
 > > >         if (loose_route()) {
 > > >                 t_relay();
 > > >                 break;
 > > >         };
 > > > 
 > > >         # if the request is for other domain use UsrLoc
 > > >         # (in case, it does not work, use the following command
 > > >         # with proper names and addresses in it)
 > > >         if (uri==myself) {
 > > > 
 > > >                 if (method=="REGISTER") {
 > > > 
 > > >                       if (search("^(Contact|m):
 > > > .*@(--private--information)")) {
 > > >                       log("LOG: alert: someone trying to set
 > > > aor==contact\n");
 > > >                       sl_send_reply("476", "No Server
Address 
 > > > in Contacts Allowed" );
 > > >                       break;
 > > >                       };
 > > > 
 > > >                 # Uncomment this if you want to use digest
 > > > authentication
 > > >                 
 > > >                       log(1, "REGISTER: Authenticating
user\n");
 > > > 
 > > >                         if (!radius_www_authorize("")) {
 > > >                          log(1, "REGISTER: challenging
user\n");
 > > >                          www_challenge("", "1");
 > > >                          break;
 > > >                         };
 > > >                         
 > > >                         save("location");
 > > >                         break;
 > > >                 };
 > > >                 
 > > >                  if (uri=~"^sip:71[0-9]{2}@.*")
 > > >                  {
 > > >                  #xlog("L_ERR", "LOG - method<%rm>
uri<%ru>
 > > > from<%fu> to<%tu>\n");
 > > >                  rewritehostport("192.168.1.252");
 > > >                  forward(uri:host, uri:port);
 > > >                  xlog("L_ERR", "LOG - method<%rm>
uri<%ru> 
 > > > from<%fu> to<%tu>\n");
 > > >                  break;
 > > >                  };
 > > > 
 > > >                 
 > > >                 # native SIP destinations are handled using
 > > > our USRLOC DB
 > > >                 if (!lookup("location")) {
 > > >                         sl_send_reply("404", "Not
Found");
 > > >                         break;
 > > >                 };
 > > >         };
 > > >         # forward to current uri now; use stateful 
 > forwarding; that
 > > >         # works reliably even if we forward from TCP to UDP
 > > >         if (!t_relay()) {
 > > >                 sl_reply_error();
 > > >         };
 > > > 
 > > > }
 > > > 
 > > > 
 > > > 
 > > > 
 > > > Error when running this configuration
 > > > 
 > > > stateless - initializing
 > > > Maxfwd module- initializing
 > > > .
 > > > sip:/etc/ser# acc - initializing
 > > > exec - initializing
 > > > print - initializing
 > > > textops - initializing
 > > > voicemail - initializing
 > > >  5(14802) REGISTER: Authenticating user
 > > >  5(14802) REGISTER: challenging user
 > > >  6(14806) REGISTER: Authenticating user
 > > >  6(14806) sterman(): Unable to add PW_DIGEST_USER_NAME attribute
 > > >  6(14806) REGISTER: challenging user
 > > >  5(14802) REGISTER: Authenticating user
 > > >  5(14802) sterman(): Unable to add PW_DIGEST_USER_NAME attribute
 > > >  5(14802) REGISTER: challenging user
 > > >  6(14806) REGISTER: Authenticating user
 > > >  6(14806) sterman(): Unable to add PW_DIGEST_USER_NAME attribute
 > > >  6(14806) REGISTER: challenging user
 > > > 
 > > > 
 > > > now if i uncomment out the radius service type
 > > > 
 > > > #modparam("auth_radius", "service_type", 15)
 > > > 
 > > > 
 > > > sip:/etc/ser# stateless - initializing
 > > > Maxfwd module- initializing
 > > > acc - initializing
 > > > exec - initializing
 > > > print - initializing
 > > > textops - initializing
 > > > voicemail - initializing
 > > >  7(14958) REGISTER: Authenticating user
 > > >  7(14958) REGISTER: challenging user
 > > >  8(14959) REGISTER: Authenticating user
 > > >  8(14959) sterman(): Unable to add PW_USER_NAME attribute
 > > >  8(14959) REGISTER: challenging user
 > > >  7(14958) REGISTER: Authenticating user
 > > >  7(14958) sterman(): Unable to add PW_USER_NAME attribute
 > > >  7(14958) REGISTER: challenging user
 > > >  8(14959) REGISTER: Authenticating user
 > > >  8(14959) sterman(): Unable to add PW_USER_NAME attribute
 > > >  8(14959) REGISTER: challenging user
 > > >  7(14958) REGISTER: Authenticating user
 > > >  7(14958) sterman(): Unable to add PW_USER_NAME attribute
 > > >  7(14958) REGISTER: challenging user
 > > >  8(14959) REGISTER: Authenticating user
 > > >  8(14959) sterman(): Unable to add PW_USER_NAME attribute
 > > >  8(14959) REGISTER: challenging user
 > > > 
 > > > 
 > > > 
 > > > now i have freeradius running in debug so i can see if
 > > > anything it talking to it and i see nothing at all from 
 > freeradius.
 > > > 
 > > > sip:/home/sean# freeradius -x
 > > > Starting - reading configuration files ...
 > > > Using deprecated naslist file.  Support for this will go away
 > > > soon. Using deprecated clients file.  Support for this will 
 > > > go away soon. Using deprecated realms file.  Support for this 
 > > > will go away soon.
 > > > Module: Loaded expr 
 > > > Module: Instantiated expr (expr) 
 > > > Module: Loaded PAP 
 > > > Module: Instantiated pap (pap) 
 > > > Module: Loaded CHAP 
 > > > Module: Instantiated chap (chap) 
 > > > Module: Loaded MS-CHAP 
 > > > Module: Instantiated mschap (mschap) 
 > > > Module: Loaded DIGEST 
 > > > Module: Instantiated digest (digest) 
 > > > Module: Loaded System 
 > > > Module: Instantiated unix (unix) 
 > > > Module: Loaded eap 
 > > > rlm_eap: Loaded and initialized the type md5
 > > > rlm_eap: Loaded and initialized the type leap
 > > > Module: Instantiated eap (eap) 
 > > > Module: Loaded preprocess 
 > > > Module: Instantiated preprocess (preprocess) 
 > > > Module: Loaded realm 
 > > > Module: Instantiated realm (suffix) 
 > > > Module: Loaded SQL 
 > > > rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) 
 > > > loaded and linked rlm_sql (sql): Attempting to connect to 
 > > > radius@localhost:/radius rlm_sql (sql): starting 0 rlm_sql 
 > > > (sql): Attempting to connect rlm_sql_mysql #0
 > > > rlm_sql_mysql: Starting connect to MySQL server for #0
 > > > rlm_sql (sql): Connected new DB handle, #0
 > > > rlm_sql (sql): starting 1
 > > > rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
 > > > rlm_sql_mysql: Starting connect to MySQL server for #1
 > > > rlm_sql (sql): Connected new DB handle, #1
 > > > rlm_sql (sql): starting 2
 > > > rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
 > > > rlm_sql_mysql: Starting connect to MySQL server for #2
 > > > rlm_sql (sql): Connected new DB handle, #2
 > > > rlm_sql (sql): starting 3
 > > > rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
 > > > rlm_sql_mysql: Starting connect to MySQL server for #3
 > > > rlm_sql (sql): Connected new DB handle, #3
 > > > rlm_sql (sql): starting 4
 > > > rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
 > > > rlm_sql_mysql: Starting connect to MySQL server for #4
 > > > rlm_sql (sql): Connected new DB handle, #4
 > > > Module: Instantiated sql (sql) 
 > > > Module: Loaded Acct-Unique-Session-Id 
 > > > Module: Instantiated acct_unique (acct_unique) 
 > > > Module: Loaded detail 
 > > > Module: Instantiated detail (detail) 
 > > > Module: Loaded radutmp 
 > > > Module: Instantiated radutmp (radutmp) 
 > > > Initializing the thread pool...
 > > > Listening on IP address *, ports 1812/udp and 1813/udp, with 
 > > > proxy on 1814/udp. Ready to process requests.
 > > > 
 > > > 
 > > > 
 > > > 
 > > > i have tested the raidus server to see if it's authenticating.
 > > > 
 > > > 
 > > > Sending Access-Request of id 7 to 127.0.0.1:1812
 > > >         User-Name = "bob"
 > > >         User-Password = "bob"
 > > >         NAS-IP-Address = ~~~changed private~~~
 > > >         NAS-Port = 1814
 > > > rad_recv: Access-Accept packet from host 127.0.0.1:1812,
 > > > id=7, length=20
 > > > 
 > > > 
 > > > everything is working as you would expect does anyone have
 > > > any ideas at all as to where i'm going wrong.
 > > > 
 > > > 
 > > > Thanks in advance
 > > > 
 > > > Sean
 > > > 
 > > > _______________________________________________
 > > > Serusers mailing list
 > > > serusers(a)lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
 > > > 
 >  